7. LACK OF HAZID (HAZard IDentification)
The incidents described in this section indicate the consequences of not having put
in place some form of formal hazard identification, HAZID, and risk assessment
process. The four cases demonstrate different scenarios:
•
Compromising a safe design (Titanic)
•
Invalidating a safe design (P-36), although the location of the tank that
ruptured created a hazard in its own right
•
Not carrying out a formal HAZOP on the original plant design and any
modifications (Longford)
•
Carrying out mass production before fully understanding product behavior
in different situations (reactive chemicals) or not passing this information
from the research laboratory to designers of the production plant.
In all cases, the consequences represented a worst-case situation, although the
loss of life could certainly have been higher in some cases. The worst-case concept
has been repeatedly challenged over the years in favour of a more risk-based
approach. There is no doubt that the concept of ALARP (as low as reasonably
practicable) is valid, provided the risk assessments are based on well founded data.
The very fact that a ship/platform floats means that it can sink. A process unit
operating with materials that can flash to give very low temperatures means that it
will be possible to obtain these temperatures under distress conditions. Mitigating
measures need to be robust and not vulnerable to a common mode form of failure
that renders them all ineffective simultaneously. Consideration of human factors
where mitigation is sought through procedural means must be carefully examined to
ensure the right levels of checks and balances. Refer to Exxon Valdez incident
description.
Developing a safe design using tried and tested codes and standards is not as
easy as it seems as every experienced design engineer knows. There are always
compromises to be made, not least in terms of space available and the interaction
with other facilities. These can be overcome using sound engineering judgement
applied by competent people, confirmed through proper risk assessment. However,
there are other pressures that can arise, not least financial and programme. It is the
role of the Project Manager to ensure that commercial and programme pressures do
not detract from developing and implementing a safe design. In order to do this the
project manager needs to have expert advice to guide him or her through the
programme of safety studies and review necessary to achieve a safe design and
149
150
INCIDENTS THAT DEFINE PROCESS SAFETY
commissioning. Equally, Project and Business Boards need to have some form of
independent assurance process to confirm that the design process has produced a
safe plant.
Safe operation of a process unit or other facility that has been designed to a safe
standard is dependent on the integrity of operation. Operators must understand the
characteristics of their plant together with the consequences of invalidating safety
critical devices. The most apparent safety critical devices are process trips and
pressure relief devices, but in many cases this extends down to operating
procedures. Failure to operate equipment in the right sequence can lead to disaster.
In many cases, the designer aims to engineer human error out of the equation, but
this cannot always be done. In other cases, difficulty with maintaining steady
operation where safety critical devices fail due to equipment or process problems can
lead to the arbitrary disconnection with disastrous results, as seen at the
Grangemouth Hydrocracker. Competent people must thoroughly review any change
to any safety critical device through a rigorous management of change process.
The fatal accident at BP’s Texas City ISOM unit that occurred on March 23,
2005 demonstrates the dangers of accepting previous hazard identification studies at
face value. In this incident 15 people were killed in a trailer park located adjacent to
an atmospheric vent of a process unit blowdown stack. The area in which the trailers
were located had been identified some years earlier as a safe location for these
temporary facilities, installed to service a turnaround on an adjacent unit. This has
seemingly ignored the fact that the blowdown drum vent was only 150 ft (45 metres)
away. The opportunity to review this situation had occurred immediately before the
incident as each trailer location was subject to a Management of Change Review.
In today’s facilities, the Process Safety Management programme is becoming
the norm. This calls for regular review of process hazards analysis, which includes
HAZOP, HAZID, FMEA (failure modes and effects analysis) and any other form of
review appropriate to the process or equipment. The reasons for this are twofold,
firstly to confirm that proper management of change routines have been applied to
changes that have been made since the previous review, typically 3 to 5 years
before, and secondly to ensure that lessons learned from incidents within the site or
within the industry have been applied. A process safety or plant integrity committee
made up of process safety and engineering, operations, maintenance, and
inspection specialists, chaired by a senior manager, is an effective way to provide
oversight to this process.
Finally, appropriate training in hazard recognition and risk assessment is
essential at all levels of the organisation, and should be part of everybody’s training
plan.
7. LACK OF HAZID (HAZard Identification)
151
SINKING OF THE TITANIC, NORTH ATLANTIC, April 15, 1912
At around 02:20 on
Monday, April 15, 1912,
the liner “Titanic” sank
after hitting an iceberg
at 23:40 the same night,
with the loss of over
1,500 lives. Titanic was
built for the White Star
Line, which was in
strong competition with
Cunard and other shipping companies on the
lucrative cross Atlantic
routes for upper class
and business travel in
first and second class
accommodation, and
emigrants travelling third class. The ship was 50% larger than her nearest
competitors, all of which had a reputation for luxury and speed. The design of the
ship included 44 watertight compartments giving rise to a perception that the ship
was unsinkable and in the event of an accident would be its own lifeboat.
However, during her construction two safety critical decisions were taken. The
first of these was to stop the vertical watertight bulkheads at “E” deck – two levels
below the exterior deck – to allow much greater freedom of movement for
passengers and crew. The second was to reduce the number of lifeboats from 64
to 16 to remove what the owners considered to be an unsightly and unnecessary
feature, particularly as regulations at that time did not require every person on
board to have a seat on a lifeboat.
Titanic was launched on May 31, 1911, passing her sea trails on April 2,
1912 after which she immediately set sail for Southampton to prepare for her
maiden voyage to New York. In the drive to get away on time and because of a
coal strike, the ship sailed with only sufficient coal to reach New York travelling at
22 knots with 10% margin for safety. The ship was in first class condition; the
only significant fault was heat damage to the bulkhead between boiler rooms 5
and 6 caused by a fire in a bunker, which had been previously extinguished.
Titanic departed Southampton on April 10, at 12:00 noon, travelling to pick up
additional passengers at Cherbourg followed by Queenstown, Ireland, before
starting her first Atlantic crossing on April 11.
152
INCIDENTS THAT DEFINE PROCESS SAFETY
The Titanic was under the command of Captain Edward J. Smith, the most
senior of the White Star Line’s captains. Captain Smith had had a chequered
career having previously grounded three ships, all without significant injury or
damage, had been involved in a collision with a Royal Navy cruiser in 1911 while
in charge of “Olympic” (Titanic’s sister ship of a similar size), and a near collision
with the liner “New York” as he left Southampton at the start of this voyage. The
groundings had all been written off as occupational hazards, while the collision
and near collision had been caused by driving his very large ships close to
stationary smaller vessels which were in turn drawn into the larger vessel through
the effects of Bernoulli’s Principle. He was considered to be over confident in his
seamanship and the invincibility of his ship. Nevertheless he was a seaman of
considerable experience of the north Atlantic routes particularly in respect of
winter ice.
The ship sailed on her maiden voyage with J. Bruce Ismay, the managing
director of White Star Line on board. Ismay was a forthright person whose main
objective was to ensure that Titanic and her sister ships built up and maintained a
strong reputation over their competitors, which were for the most part faster. Titanic
was scheduled to dock in New York on Wednesday, April 17, but there is evidence
to suggest that Ismay intended the ship to arrive on the afternoon of April 16, by
driving the ship at over 24 knots for the final 24 hours of the crossing. It is also
clear that he was involved in discussing tactics directly with the chief engineer,
bypassing the captain’s authority. In reality this meant that a committee of two
strong personalities, each with different agendas, was commanding the ship.
Warnings that an ice field with icebergs was lying across Titanic’s course
began to be received on April 12, and continued at an increasing frequency
during April 14. One ship reported damaged bows, and another was stuck in the
pack ice only a few miles from where the Titanic eventually struck an iceberg.
Radio communication was in its infancy at the time and there is some confusion
over whether message protocols were correctly followed. However, it is clear that
those commanding the Titanic were aware that they were approaching an ice
hazard both from the messages that did get through and from meteorological
observations taken on board – the air temperature had dropped to 31°F (-0.5°C)
since sunset with virtually no wind and a calm sea.
At no time did the captain give an order to slow down although the ship was
undoubtedly travelling through floating pack ice at the time. Titanic had two
lookouts stationed in the “crows nest” some 95 feet (29 metres) above the water
who had come on duty at 22:00 on April 14. A slight haze on the water hampered
visibility, and although there was provision to store binoculars in the crow’s nest,
none had been provided. Every time they looked forward from behind their
protective enclosure the lookouts were exposed to a cold wind created by the
7. LACK OF HAZID (HAZard Identification)
153
ship’s forward motion of 22 knots. They had been briefed to look out for
“growlers” — icebergs that were difficult to see as having recently been upended
showed smooth, dark surfaces. Lack of sea swell meant that there would be no
waves breaking against an iceberg, compounding the visibility problem. The first
report from the lookouts that there was a “dark mass” on the horizon directly in
the ship’s path came at around 23:33. At that time the ship was traveling at 22
knots on a heading of 266° with the iceberg an estimated 2.9 nautical miles
away. However, it was only at 23:40 that an alarm call was made “iceberg
directly ahead”. The delay in interpreting “dark mass” to be an iceberg has not
been satisfactorily explained, but it could well be the result of there being a lot of
floating ice around at the time with hazy conditions on a dark, moonless night.
The Captain was having dinner with passengers when the ship struck the
iceberg, with First Officer William Murdoch having taken the watch at 22:00.
When the alarm call was eventually made, Murdoch gave the order to put the
helm hard over to starboard causing the bow to swing to the left. At the same
time he gave the order to stop engines. It quickly became clear that while the
bow would miss the iceberg, the stern would swing into it causing considerable
damage. To counteract this, Murdoch ordered the steering to be put hard over to
port as the ship began to pass the ice. Timing of this manoeuvre was critical and
unfortunately he started his turn too soon. The bows of the ship hit the iceberg,
with the bottom of the starboard (right hand) of the ship running over an
undersea shelf of ice. As contact was made, Murdoch ordered the watertight
doors between vertical bulkheads to be closed.
154
INCIDENTS THAT DEFINE PROCESS SAFETY
The assessment of damage after the ship had come to a stop was confused.
The Fourth Officer went below and reported that there was no damage to the
forward passenger accommodation. The Ship’s Carpenter reported that the ship
was making water with the mailroom rapidly filling. The Captain went below to
see for himself with the Titanic’s chief designer who was also on board,
whereupon it became clear that the forepeak, three cargo holds and boiler rooms
5 and 6 had sustained damage. Pumping could prevent the water level rising in
boiler room 5 but the other compartments were lost.
7. LACK OF HAZID (HAZard Identification)
155
According to the ship’s designer, the ship should have remained afloat for
some considerable time with the watertight doors holding and the water level in
boiler room 5 kept under control by pumping. The Chief Engineer concurred with
this view. Watertight doors aft of boiler room 5 were opened to facilitate the
rigging of hoses to keep the water level down. Boiler rooms 1 to 4 could be kept
in operation sufficient to maintain light and heat. The ship should, therefore, have
fulfilled its ambition to be it’s own lifeboat.
However, at 23:52 the order was given to restart the engines. It is thought
that this resulted from pressure by Ismay to head for the nearest port of Halifax,
Nova Scotia. Messages sent by wireless from Titanic resulted in newspaper
articles reporting the accident and that all aboard were on their way to safety. To
have the passengers rescued by another ship would have caused great damage
to the reputation of Titanic and the White Star Line. Captain Smith’s belief in the
invincibility of Titanic was too strong to challenge his managing director before a
thorough review of all damage had been completed, which was against the basic
principles of good seamanship and common sense. The result was to cause
even greater damage to the riveted seams below the waterline, allowing
increasing amounts of water to enter the affected compartments. As the ship
moved forward at half speed, water entering the damaged compartments caused
156
INCIDENTS THAT DEFINE PROCESS SAFETY
the bow to sink further. Eventually, the water rose to above the level of the
watertight bulkheads that terminated at the level of E deck.
Water then poured over successive bulkheads as each compartment filled
and the bow settled further. The weakened bulkhead between boiler rooms 5 and
6 eventually failed. At 00:19 on April 15, the order was given to stop engines for
the last time. The ship finally sank two hours later.
The shortage of lifeboats made it was inevitable that there would be
large-scale loss of life. This
may have featured in the
mind of the captain who
refused to give a general
order to abandon ship in
order to prevent panic
resulting in an even greater
loss of life. The first lifeboats away were not full
and it was only when about
half of them had been
launched, that there was any sense of urgency to get off the ship. The Captain,
First Officer, Chief Engineer and Chief Designer went down with their ship. Their
managing director, J Bruce Ismay, never lived down the shame of throwing
himself in the last lifeboat to leave. He died, a recluse, in London in 1937.
Although Titanic had launched distress rockets from around 00:35, these
were misconstrued or ignored by the nearest ship “Californian”, which was
trapped in the ice pack about 10 miles away awaiting daylight before attempting
to move on. Another liner, “Carpathia”, had received distress messages by
wireless from Titanic and raced 38 miles through the icepack to reach the scene
later that morning. By that time, 1503 persons had died.
Integrity Management
Hazard Evaluation and Management – to meet the requirement to be unsinkable,
the integrity of the watertight compartments was paramount. In the original
design the bulkheads separating the compartments rose to the level of the
weather deck allowing the compartments to be totally enclosed by the shutting of
watertight doors and hatches. A design change had been made which terminated
the bulkheads two level below the weather deck in order to allow greater freedom
of movement below decks. However, it would appear that the consequences of
7. LACK OF HAZID (HAZard Identification)
157
this design change were not assessed. A simple review of the consequences of
the ship hitting any object would be that water would enter the bow
compartments causing the bow to drop. Simple geometry would show that once
the angle of pitch had increase above a critical value, the sequential flooding of
compartments was unstoppable making it inevitable that the ship would sink. The
only mitigation measure would be to pump out the damaged compartments
before the critical angle was reached. But, what if the pumps were of insufficient
capacity or failed for whatever reason? Some may say that it is not reasonable to
consider double jeopardy. But what if there is some form of common mode and
the consequence is the total loss of the unsinkable ship?
Major Accident Potential – the worst case scenario for any ship is that it sinks. In
the case of the Titanic the ship was considered to be unsinkable, even to the
extent that under any foreseeable emergency situation it would remain afloat to
be its own lifeboat until help arrived. Sadly, the fallacy of this approach was only
finally realised when the Captain failed to give a general order to abandon ship
as he realised the inevitability of the situation.
Management of Change – the major management of change issue was the
lowering of the heights of the bulkheads separating the watertight compartments.
Pressure from senior managers to make the ship as passenger friendly as
possible had prevailed. Similarly, the reduction in the number of lifeboats was
made for cosmetic reasons.
Engineering Authorities – in this case this role is clearly that of the ship’s chief
designer. He had initiated a design to build an unsinkable ship. However, he
unwittingly allowed the customer to get what he wanted even though the integrity
of his design had been compromised.
Plant Integrity – with the exception of the issues discussed above, the ship had
been built to robust engineering standards. There has been some public debate
over the lack of ductility at low temperatures of the steel used in the construction
of the ship’s hull. While it may not have been to today’s standards, it was the best
available and countless other ships have operated safely under extreme cold
conditions using the same material. What the Captain clearly did not understand
was the inherent property of damaged riveted seams to “unzip” when placed
under the type of stresses created when the ship was restarted. The perception
of invincibility overcame good practice and common sense with catastrophic
results.
Competent Personnel and Procedures – the Captain and his crew were certainly
experienced seamen, but from the accounts of his previous groundings and near
misses, it is clear that the Captain had no understanding of the characteristics of
big ships when manoeuvring near to smaller vessels. The Captain had a hidden
158
INCIDENTS THAT DEFINE PROCESS SAFETY
personal agenda to retire at the top of his profession, which may well have
influenced his behaviour when he should have been challenging his managing
director in the face of orders that compromised the safety of the ship.
Incident Investigation – there was clearly no culture of near miss reporting to
prompt the investigation of events such as groundings, they were considered
inevitable. Even in a “no blame” culture the very act of learning lessons can move
individuals to consider how they may otherwise have acted and thus influence
their behaviour.
Emergency Response – the nearest ship to the Titanic was stopped in the ice
field awaiting daylight before proceeding. There is evidence to suggest that even
though the officers and crew knew the Titanic was in trouble they ignored this
and made no response. The ship that was the first to arrive at the scene travelled
38 miles though the ice field in the dark at maximum speed, exposing itself to the
very conditions that sank the Titanic. It is easy to condemn the former and praise
the latter. In reality the concept of the ship being able to sustain itself while
awaiting rescue is clearly flawed as the very conditions which led to its situation
will equally affect the rescuer. The emergency response factor that would have
made the biggest difference to preserving life aboard the Titanic would have
been the provision of lifeboat seats for everybody.
Incidents of a Similar Nature
Long Bolt Exposed Fittings
In 1990 concern was raised during an insurance audit of a facility in the USA
over the use of long bolt fittings. There are different from the conventional
flanged fittings, as they are sandwiched between pipework flanges, using long
bolts. Typical examples are Mission Duo-Chek non-return valves, and wafer type
butterfly valves as shown here. These valves provide
great savings in terms of cost and weight and in some
cases flow characteristics and sealing properties.
However, they are vulnerable to leakage in a fire
situation or other extreme thermal transient condition
(including application of thermal insulation when at
operating temperature) due to the length of the bolt
sandwiching the valve between piping flanges that is
exposed to ambient conditions.
One plant, the Gas Oil Hydrodesulphuriser at a French refinery, suffered a
number of leakages of this type of fitting since the unit had been commissioned
in 1963, culminating in a major fire in January 1995. A process temperature
control valve of the wafer type leaked badly immediately after a sudden
7. LACK OF HAZID (HAZard Identification)
159
hailstorm. Two further fires followed in 1996 on similar valves, which precipitated
a decision to replace these with conventionally flanged valves.
The link with the Titanic accident is in the way in which this type of valve was
introduced to hydrocarbon service. Traditionally, flanged valves were used where
the bolts are almost totally enclosed by the pipework and valve body flanges. The
move to the use of wafer valves was made primarily on cost grounds, although
where weight is a critical factor, this too favours the wafer design. What the
designers failed to realise was that what was previously a safe design was made
vulnerable under extreme conditions.
Some references to read more:
•
The Last Log of the Titanic, David G. Brown, McGraw-Hill, 2001, ISBN 0-07-136447-1
(both sketches)
160
INCIDENTS THAT DEFINE PROCESS SAFETY
SINKING OF THE PETROBRAS P-36 SEMI-SUBMERSIBLE
PRODUCTION VESSEL, RONCADOR FIELD,
BRAZIL, May 15, 2001
The Petrobras oil and gas production semi-submersible P-36 sank in 4,460 feet
(1,360 metres) of water on March 15, 2001 with the loss of 11 lives. P-36 was
claimed to be the world’s largest semi-submersible deep-water oil production rig
valued at $450 millions. It produced 6% of the daily production of the Brazilian
state oil company, Petrobras, and was located 150 km from the shore in the
Roncador Field.
P-36 was a conventional semi-submersible with four columns terminating in
two underwater pontoon hulls. The columns and pontoons provide the buoyancy
to keep the vessel afloat, and contain tanks that can be ballasted to submerge
the vessel to the required depth to maximize stability and minimize movement.
Semi-submersibles are used as floating production systems where water depths
are too great for the installation of a fixed structure.
P 36 had started production in March 2000 with an output of 80,000 bbl/day of oil
3
3
and 1.3 million m /day (36.6 million ft /day) of gas. On the day of the incident there
were 175 people on board, of whom 85 were crew.
7. LACK OF HAZID (HAZard Identification)
161
The sequence of events that led to the sinking started on February 10, when the
starboard emergency drain tank (EDT) pump was removed for repair. The EDT’s
were located in the port and starboard legs of the platform collecting wastewater
contaminated with oil, which was pumped to the platform’s oil production header and
hence into the processing plant. The EDT’s are designed for atmospheric pressure.
The atmospheric vent from the starboard EDT was blanked to prevent water from
entering it from an open drain tank as it already contained a considerable amount of
contaminated water. The starboard EDT was isolated from the port EDT by closed
valves. At 22:21 on March 14, attempts were being made to pump out the port EDT.
However, lack of positive isolation resulted in a back flow of production fluids into the
starboard EDT. At 00:22 the starboard EDT ruptured due to an internal overpressure
of about 10 bar g (150 psig). The physical effects of the rupture were to release
water and oil into the supporting leg, and to break an 18 inch (450 mm) diameter sea
water line next to it, causing flooding of the leg. This also caused the fire main to
depressurise leading to shutdown of the processing plant. Seawater pumps located
within the starboard legs were automatically started up when the fire main
depressured, adding to the flooding of the legs. However, flooding continued even
after the seawater pumps had been shutdown because the sea chest valves
connected to the ocean failed in their set position, i.e. they did not fail open or closed.
A release of flammable vapour spread upwards through the column as
ventilation dampers and watertight doors between levels in the leg had been
opened in preparation for an inspection of repair work to cracks found in the
stability box scheduled for the following day. Gas detectors were activated on the
deck. The vapour ignited 17 minutes after the tank rupture with the resultant
162
INCIDENTS THAT DEFINE PROCESS SAFETY
explosion killing 11 members of the emergency response team who had been
sent to open the hatch between the third and fourth level within the leg.
The situation was made more serious because the open ventilation dampers
and watertight doors/manhole allowed water to fill all the compartments including
the ballast tank, pump room and stability box. Exhaust and blower system
dampers, although not designed to be watertight, should have closed but their
actuators failed. The platform progressively listed as the spaces in the leg filled.
Water was deliberately admitted into the diametrically opposite pontoon to
contain the list, but the platform continued to sink.
Evacuation of non-essential personnel commenced about 80 minutes after
the explosion, with final abandonment at 06:03 the same morning. By 08:15 the
platform had listed by 16°,
sufficient for water to enter the
chain lockers and submerge
compartment vents. After that
point in time it was inevitable
that the platform would sink.
Attempts were made to
stabilise the sinking platform by
the injection of nitrogen and
compressed air into flooded compartments, but the progressive submersion
continued until the unit finally sank at 11:30 on March 20, 5 days later.
7. LACK OF HAZID (HAZard Identification)
163
3
At the time of the accident the platform contained about 1,200 m of diesel
3
fuel, and 350 m of crude oil in on-board storage and processing plant. In the first
3
24 hours after the sinking about 350 m of oil came to the surface, which was
partly recovered with the balance dispersed using chemicals.
Integrity Management
Hazard Evaluation and Management – the process diagram shows that even a
very simple HAZOP would have identified the potential for backflow of production
fluids into the EDT from the production header. It is not known whether the
atmospheric vent was designed to protect the tank should this occur, it certainly
should have been. Even so, this was a safety critical device certainly designed
for the external fire case (which could have happened at any time), and should
only be blanked off after the EDT was totally emptied of hydrocarbon with all
other connections blinded.
Major Accident Potential – the wisdom of locating a wastewater collection tank
inside a major supporting member. The very nature of the tank makes it highly likely
that a flammable atmosphere would exist within it at least some of the time, which if
ignited by whatever means would have compromised the safety of the platform.
Engineering Authority – isolation of equipment is one of the technical standards
on which the safe operation of any process facility depends.
Engineering Authorities have the responsibility to ensure compliance as well as
the technical excellence of the standard itself.
The location inside the platform support legs of equipment and tanks directly
connected to the process was allowed by classification societies under certain
circumstances. However, it must be recognised that engineering standards and
rules focus on individual systems and may not consider interfaces in any depth. An
Engineering Authority approach during design should have identified this as a
critical interface issue and sought a resolution based on rigorous risk assessment.
Protective Systems – ventilation dampers and watertight doors were safety critical
items that had been opened in preparation of an inspection the following day,
contrary to procedures. A similar situation arose on Piper Alpha when the fire
pumps were isolated to allow divers to inspect the underwater structure but not put
back onto “remote” when the inspection need was no longer there. Supervisors
and operators need to identify all of the safety critical items on their plants, together
with the consequences of bypassing them or rendering them inoperable.
Another protective system that compounded the problems faced on that day was
that the sea chest valves, used to route water into and out of the ballast tanks,
“failed set” as they were designed to do. Clearly, in other situations major problems
164
INCIDENTS THAT DEFINE PROCESS SAFETY
could have arisen if the sea chest valves had been designed to fail either open or
shut. In this case the situation was outside of the design assumptions supporting
the decision to install “fail set” valves for this duty. The implication in this is that
when carrying out the hazard studies to identify the correct mode of failure for
critical equipment, it is necessary to think “outside the box” to identify if there are
any other situations which need to be protected against.
Competent Personnel and Procedures – there were three areas of competence
raised in the investigation report.
•
The crew who isolated the starboard EDT by valves only and blanked the
vent. Anybody with rudimentary HAZOP training should have been able to
identify the hazard they were creating.
•
The persons who authorised the opening of the ventilation dampers and watertight
doors when there was no immediate need, breaking the platform rules.
•
Criticism was voiced at the conduct of the Bargemaster who allowed the
diametrically opposite ballast tanks to fill in an attempt to reduce the listing,
possibly hastening the inevitable.
Emergency Response – the people who died were the emergency response
team. Everyone else was rescued. The message is that emergency response
teams are the most vulnerable people in an incident. Their actions may put
themselves at particular risk.
There should be an assessment of all credible incidents which may occur on any
site and this should include a risk assessment of the activities requested from the
emergency response teams in the emergency response plans. In the event of an
incident, the ER teams should update that risk assessment taking into account
the specific circumstances of the incident and must be competent to do so. If no
prior risk assessment has been carried out, they should stop and think clearly
about the hazards and the risks to themselves. Above all, it should make it clear
that people are not expected to put their lives at risk to protect plant and
production. They may put themselves at risk to save the lives of others but only if
there is a realistic prospect of saving those lives.
Performance Management of Integrity Management and Learning – one of the
key recommendations from this incident is to implement an operational
Excellence Programme in this type of facility. The Brazilian National Petroleum
Agency Inquiry recommended that a standard should be applied in future
projects that tanks or equipment connected to the process should not be located
within support legs or pontoons.
7. LACK OF HAZID (HAZard Identification)
165
Incidents of a Similar Nature
Rupture of Liquid Nitrogen Tank, Japan, August 28, 1992
On August 28, 1992, there was a failure of a storage vessel containing liquefied
nitrogen at a manufacturing facility. The catastrophic failure of the vessel resulted
in the collapse of almost half of the factory, damage to the walls of 25 houses and
to some 39 different vehicles, all within a 400–metre (1300 ft) radius. Fragments of
the vessel were projected up to 350 metres (1150 ft), including part of the top head
of the outer shell, which was 1.5 metres wide and 8 mm thick. The estimated
property loss was 440 million yen (about $4.9 million or £3 million).
The vessel was filled on June 26, 1992, and was used for the following 2 days. It
3
3
was filled again on July 2 with 2,000 m to give total contents of 2,800 m
3
(99,000 ft ) — volume measured at standard state conditions. The vessel was
not used for the next 61 days up to the time of the rupture.
The inner vessel broke into seven fragments, with the fractures showing an
appearance typical of ductile fracture, indicating that the failure was due to
excessive pressure. The outer vessel of carbon steel broke into 11 main
fragments plus many other smaller pieces that were not recovered. Parts of the
fracture surface showed low temperature brittle fracture; but the majority showed
a ductile fracture that, again, indicated a failure due to excessive pressure.
The piping and valves connected to the inner and outer vessels were projected
away and had damage which was mainly ductile rupture, deformations, or dents.
By inspection and use of X–rays it was found that most valves were shut,
including the top liquid inlet valve M2, the delivery valve M4, the isolation valve
for the relief valve M5 and the bursting disc isolation valve M6. The vessel was,
therefore, under completely closed conditions at the time of the incident. An
inspection of the rupture disc showed that it had ruptured outwards despite the
closed inlet valve. Performance tests on a relief valve and a bursting disc of the
same type as involved in the incident showed that the actuation pressures were
10.4 bar g (150 psig) and 18.2 bar g (265 psig), respectively. These confirmed
the setting pressures and also showed that, if they had actuated, they would
have been noticed. A test on an isolation valve of the type used for the bursting
disc showed that it would satisfactorily isolate the disc without leakage up to a
pressure of 98.1 bar g (1,422 psig).
166
INCIDENTS THAT DEFINE PROCESS SAFETY
The investigation committee concluded that the inflow of heat under static
conditions was sufficient to build pressure inside the inner vessel sufficient for it to
rupture as the over pressure protection devices were isolated. The recommended
daily checking of the vessel pressure at the beginning and end of the day was
largely neglected and no safety instructions were given to employees, underlining a
general lack of basic knowledge of the facility. The company also did not maintain
any manuals describing the safe operation of the nitrogen storage vessel.
Some references to read more:
•
•
•
•
P 36 Accident analysis, ANC/DPC Inquiry Commission Report, Agência Nacional do
Petróleo/ Diretoria de Portos e Costas, July 2001. (Brazilian National Petroleum
Agency and Directorate of Port and Coasts joint report).
BP Safety communication “Lessons Learned from the Petrobras P-36 Sinking”,
August 2001
Considerations with respect to DNV classification rules and systematics By: Svein
Flogeland, DNV Head of section, classed units in operation, Presentation at NPD /
Petrobras seminar, Stavanger 2002-04-30
Ruptured Nitrogen Tank – “Loss Prevention Bulletin, Issue 123”, UK Institution of
Chemical Engineers, 1995.
7. LACK OF HAZID (HAZard Identification)
167
ESSO LONGFORD GAS PLANT EXPLOSION
Australia, September 25, 1998
A major explosion and fire
occurred at Esso’s Longford
gas processing site in
Victoria, Australia. Two
employees were killed and
eight others injured. The
incident
caused
the
destruction of Plant 1 and
shutdown of Plants 2 and 3
at the site. Gas supplies
were reduced to 5% of
normal, resulting in 250,000
workers being sent home
across the State as factories
and businesses were forced
to shutdown.
Product gas to sales
Arial photo Esso plant,
Photo courtesy of ABC Network
Lean oil inlet
The site receives crude oil and gas from
production platforms in the Bass Strait and
converts it into raw LPG, stabilized crude oil
SIMPLIFIED SCHEMATIC
OF ABSORBER
and sales gas (mainly ethane and methane).
The plant produces 6 million litres of LPG, 30
million litres of stabilized crude oil and 15
3
Rich oil to flash drum
million m of sales gas per day. Plant No. 1 is
a lean oil absorption plant, which separates
methane from LPG by stripping the incoming
Gas + liquid
gas
with a hydrocarbon stream called “lean
Liquid hydrocarbon condensate
oil”. Methane rises to the top of the towers,
with heavier hydrocarbons dissolving in the
descending lean oil. The oldest of the three plants, No.1 was commissioned in
1969. Plants 2 and 3 are cryogenic plants. They cool incoming gas until its LPG
component liquefies and the methane floats to the top.
The fire, which broke out following an explosion at 12:30 p.m. on September
25, burned for over two days before being declared extinguished on September 27.
Gas plant 1 was “severely damaged” by the fire, as was common piping and other
systems shared with plants 2 and 3. At shortly before 12:30 p.m. a plant supervisor
168
INCIDENTS THAT DEFINE PROCESS SAFETY
was checking on a hydrocarbon release that had been leaking for about 4 hours
when a huge blast sent a gas and oil cloud over the area, drenching workers in
liquid hydrocarbon. The cloud ignited 60–90 seconds later resulting in a massive
explosion and flashing back to envelope GP 905 reboiler heat exchanger. The gas
feed from the offshore platforms into the plant was cut. The plant supervisor was
killed in the explosion, as was a maintenance
supervisor.
A major part of the process in Gas Plant No: 1 was
a pair of Absorbers operating in parallel. A mixture of
gas and liquid hydrocarbons entered the Absorbers,
which both had a gas/liquid disengaging region at the
base with an absorption section above where gas was
contacted with a stripping oil to remove heavier
hydrocarbons. During the previous night shift, the
hydrocarbon condensate level had started to increase
in the knock out section in the bottom of Absorber B.
As the normal disposal of condensate to Gas Plant No:
2 was not available, the alternative condensate
disposal route was to a Condensate Flash Tank. Under this set of circumstances,
it was normal to increase the temperature at the base of the Absorber, but this
had not been done. The inlet to the Condensate Flash Tank was protected
against excessively low temperatures by an override on the Absorber level
controllers. The consequence, therefore, was that the disposal rate of
condensate from the Absorber became less than that in the inlet flow, resulting in
a build up of liquid condensate in the Absorber base.
7. LACK OF HAZID (HAZard Identification)
169
The condensate level rose in the Absorber to a point where it mixed with the
exiting rich stripping oil stream. Condensate mixed with rich oil passes flashed
over the rich oil level control valve resulting in a much reduced temperature in the
downstream Rich Oil Flash Tank. This caused temperatures to drop across the
plant as rich oil flowed through the recovery process where hydrocarbons where
stripped from the rich oil before returning it to the Absorbers as lean oil.
Eventually, the lean oil pumps tripped out, causing major thermal excursions on a
plant with a high degree of process and thermal integration. Loss of lean oil was
a critical event, but was not communicated to the supervisor until he returned
from the morning production meeting 1_ hours after the pumps had tripped.
Temperatures in parts of the plant fell to -48°C. At 08:30 a.m., a condensate
leak occurred on heat exchanger GP922. The absence of lean oil flow meant that
the condensate flowing through the rich oil system was not warmed as it entered
the recovery section. The reason for the leak was probably due an extreme
thermal gradient created while attempts were being made to re-establish the
process. Other parts of the process showed signs of extreme cold with ice
forming on uninsulated parts of heat exchangers and pipework.
At 10:50 the leak from GP922 was getting worse, and the Supervisor decided
to shutdown Gas Plant No: 1. By 12:15, two maintenance technicians had
170
INCIDENTS THAT DEFINE PROCESS SAFETY
completed retightening of the bolts on GP922 without making any appreciable
difference to the leak. It was decided that the only way to stop the leak was to
slowly warm GP922 by starting a flow of warm lean oil through it. However initial
attempts to restart the lean oil pumps were unsuccessful. Ten minutes later after
operating a hand switch to minimise flow through another heat exchanger,
GP905, that heat exchanger ruptured, releasing a cloud of gas and oil.
It is estimated that the cloud
traveled 170 metres before reaching
fired heaters where ignition occurred.
After flashing back to the point of
release flames impinged on piping,
which started to fail within minutes. A
large fireball was created when a
major pressure vessel failed one hour
after the fire had started. It took 2
days to isolate all hydrocarbon
streams and finally extinguish the fire.
The investigation concluded that the immediate cause of the incident was
loss of lean oil flow leading to a major reduction in temperature of GP905,
resulting in embrittlement of the steel shell, which was followed by introduction of
hot lean oil in an attempt to stop the hydrocarbon leak in GP922. Throughout the
whole sequence of events, operators and supervisors had not understood the
consequences of their actions to re-establish the plant.
A Royal Commission was set up to investigate the accident. This concluded
that Esso’s complex health and safety management system, Operation Integrity
Management System (OIMS), was difficult to understand and had become
divorced from the reality of operations in the field. Esso were subsequently fined
US$1 million for breach of occupational health and safety regulations. Although the
courts ruled against compensation for economic loss suffered by customers, claims
were allowed for those suffering property damage as a result of the incident.
Integrity Management
Hazard Evaluation and Management – a HAZOP study for this plant had never
been carried out prior to the accident. A HAZOP for Plant No: 1 had been
planned for 1995 but was never carried out despite being allowed for in Esso’s
budget for that year. One reason given for this was that it would have picked up
too many small items, but why this was perceived to be a problem was never
explained. If properly conducted, a HAZOP would have clearly identified the
7. LACK OF HAZID (HAZard Identification)
171
consequences of loss of lean oil to create dangerously low temperatures in the
process equipment.
Major Accident Potential – the Safety Case methodology adopted in Europe after
accidents at Flixborough and Seveso were applied by Esso to its offshore
facilities, which was a legal requirement. However, there was no legal obligation
to apply this approach to its onshore facilities. Legal requirements invariably
represent the lowest common denominator and even if there had been no legal
requirement to apply the methodology, it would have been prudent to do so in
what is clearly a high hazard plant with major consequences and liabilities in the
event of failure.
Management of Change – over the previous two years there had been a
relocation of experienced engineers away from the plant at Longford to the
company’s head office in Melbourne. Supervisors and operators were given
greater responsibility for day-to-day operations, including troubleshooting. There
was also a reduction in the number of plant supervisors and operators. As a
result, there were no experienced plant operators at the site at the time of this
incident.
A second management of change issue was identified. Modifications to the
condensate transfer system over previous years had recognised the potential to
carryover from the absorbers into the rich oil stream, but the impact on
downstream vessels was never subjected to any form of risk assessment.
Engineering Authorities – the plant was commissioned in 1969 but nobody had
seen the potential for this accident to happen, despite a number of experienced
engineers having been associated with the plant since that time. Engineering
Authorities have an essential role in defining safe operating envelopes together
with operations management, and need to ensure that their discipline engineers
allocated to individual process units are making the appropriate input.
On the day of the accident the one person who would have identified the hazard
of operating at extremely low temperatures would have been an experienced
engineer. However, all the technical staff had been moved offsite. Part of the role
of an Engineering Authority should be to ensure that adequate resources at all
levels are available to maintain integrity of operations. Specialist engineers
allocated to the Engineering Authority are sometimes called “Technical
Authorities”.
Plant Integrity – plant handling light hydrocarbon condensates and high pressure
gasses is vulnerable to extremely low temperatures in the event of an upset.
Steel used in the fabrication of the process equipment must be specially made if
it is to be able to retain its strength at much below 0°C. This is a safety critical
aspect of plant operation that all supervisors and operators need to know. In this
172
INCIDENTS THAT DEFINE PROCESS SAFETY
event, the only safe course of action would have been to shutdown the plant and
allow the process equipment to warm up naturally.
Criticism was also made in the Royal Commission report of the lack of regular
monitoring of process operations by senior personnel in a high pressure
hydrocarbon plant.
Protective Systems – there was evidence that it was common for a large number
of control room process alarms to be active at any one time. Many of these were
considered to be “nuisance alarms”. There was no clear identification of safety
critical alarms, which may explain why the operator failed to respond promptly to
the loss of lean oil flow.
Competent Personnel and Procedures – it is clear that supervisors and operators
did not know the dangers of operating process equipment at extremely low
temperatures. They also had not been trained nor had been exercised on the
implications of loss of lean oil flow. As a result, the operator failed to inform his
supervisor immediately after the lean pumps were lost.
Even after the supervisor had returned, it took almost another hour before the
supervisor ordered the shutdown of Gas Plant No: 1.
Incident Investigation – process accidents were rarely the subject of an incident
report unless they were accompanied by injury to people or damage to property,
despite near miss reporting being a requirement of Esso’s safety management
system.
Emergency response – while there was no criticism of the emergency response
made after the explosion and fire, there was clearly a major business interruption
consequence of losing the Longford plant. Longford supplied almost all of the
natural gas requirements of the State of Victoria. Business Continuity Planning
on the part of both Esso and their customers would have reduced the impact
from this incident.
Performance Management of Integrity Management and Learning – an external
assessment of the application of Esso’s OIMS at Longford had been carried out
6 months prior to the accident. The assessment report found that Esso had
successfully applied the OIMS programme at the plant. However, the Royal
Commission found that the observations made by the assessment team
appeared inconsistent with the Commission’s own findings concerning the
failure of Esso to implement it’s own systems particularly in relation to risk
identification, analysis and management, training, operating procedures,
documentation, data and communications. Assessments and audits need to be
carried out by knowledgeable and experienced personnel who explore the full
range of organisation and personnel to ensure that everybody understands
7. LACK OF HAZID (HAZard Identification)
173
health and safety management systems and the means by which they are
implemented at site.
Incidents of a Similar Nature
Grangemouth Hydrocracker explosion: see
detailed report in this book.
Triple Fatality at Polymers plant, USA,
Three employees were killed during the
unbolting of a cover plate on a 750 gallon
(2850 l) capacity polymer catch vessel during
preparations to open the vessel for cleaning.
The vessel had been cleaned three days
previously and the plant, which produced
partially aromatic polyamides, was then restarted for the next production run.
Part of the pre-start up procedure is to test run the extruder that handles the final
product, but this was not done. At the appropriate time in the start up sequence
attempts were made to start up the extruder, but it was found that the screws
would not turn. Preparations were then made to shut the unit down which
requires flushing with solvent butanediol and water over an extended period.
During the shutdown and flushing abnormal temperatures and pressure were
observed at various points in the process, but eventually plans were made to
open the polymer catch vessel to remove accumulated polymer. Lockout/tagout
procedures were put in place and a maintenance technician assisted by process
operators commenced removing the bolts attaching the cover plate to the catch
vessel. After about 22 bolts (half of the total) had been removed from one side of
the cover, the cover plate blew off, striking all three persons. Examination of the
vessel internals showed that there was a layer of polymer 3 to 5 inches
(75–125 mm) thick covering the entire internal surface, blocking all inlet and
outlet connections.
The investigation found that a HAZOP had been carried out only 2 years
previously that had recognised the potential for polymer blockage of process
pipework. However, during the HAZOP it had been assumed that existing
safeguards were adequate, including: procedures in place for proper valve
alignment, pressure relief valves and rupture discs fitted to protect against over
pressure, and hot oil jacketing of pipework and equipment installed to help
prevent blockage by polymer. What it had failed to recognise was the potential
for all safeguards to fail from polymer formation. The HAZOP also did not
address other aspects of design, specifically: drains, instrument tappings and
174
INCIDENTS THAT DEFINE PROCESS SAFETY
lines, block valves, and relief valve position/protection. The catch vessel relief
valve was located 7_ feet (2.3 metres) from the vessel and was full of polymer.
The investigation also found that although early research work had identified the
potential for decomposition products to be formed when polymer and solvent are
subjected to elevated temperatures, this hazard had not been addressed in the
operating and maintenance procedures.
The pre-start up checks had not been completed, which resulted in the start up
creating significant amounts of polymer before the condition of the extruder was
discovered.
Finally, the pattern of bolt removal is clearly against good practice and normal
line breaking procedures.
Texas City ISOM Explosion – particularly in respect of Performance Management
and Learning.
Some references to read more:
•
•
•
•
•
Arial photo of Esso plant, ABC Network
Report of the Royal Commission into the accident at Esso Longford.
Lessons from Longford, Andrew Hopkins, CCH Australia Ltd., ISBN 1 86468 422 4
The Journal of Occupational Health and Safety Australia and New Zealand, Volume
18(6), December 2002, Special Issue: Lessons from Longford: the trial by Andrew
Hopkins
BP Amoco Polymers, Inc. Augusta, Georgia, March 13, 2001 U.S. Chemical Safety
And Hazard Investigation Board, Investigation Report No. 2001-03-I-G, Issue Date:
June 2002
7. LACK OF HAZID (HAZard Identification)
175
EXPLOSION AT BP GRANGEMOUTH HYDROCRACKER,
March 22, 1987
At 07:00 a violent explosion,
heard up to 20 miles away
(30 km), occurred at the Hydrocracker Unit that completely
destroyed the LP (low pressure)
separator. A crane driver who had
just come onto the unit at the start
of his working day was killed, but
no other injuries occurred. A
major fire with flames up to 300 ft
(100 metres) in height followed
the explosion that took over 6
hours to control. Pieces of the LP separator weighing up to 3 tonnes were
scattered over a distance of over half a mile (1 km) away. Rebuilding took over
18 months and the total cost of the accident was in the region of $100 millions.
BP were prosecuted under the UK Health and Safety at Work Act and fined
£500,000 (c. $750,000).
The Hydrocracker Unit had been shutdown on March 13 due to a major
refinery shutdown that occurred as a result of the flare line incident. The
opportunity was taken to repair a defective weld, and the unit recommissioned on
March 21. At around 01:15 on Sunday, March 22, an automatic shutdown was
initiated by a spurious high temperature being indicated in one of the reactor
beds. After resolving the problem, the unit was held on gas circulation at
2100 psig (145 bar g) with the reactor beds at around 575°F (300°C) to await
reintroduction of feed later in the morning. A shift change occurred at 06:00
accompanied by the usual handover, which included a description of minor
problems with the recycle gas compressor and an instruction that the unit should
remain on gas circulation pending
the arrival of the day supervisor
to oversee reintroduction of feed.
The incoming shift crew then
made their normal start of shift
inspection rounds and returned to
the mess room for breakfast just
before 07:00.
At 07:00 a violent explosion
occurred, centred on the LP
Separator, a horizontal cylindrical
176
INCIDENTS THAT DEFINE PROCESS SAFETY
vessel 30 ft long and 10 ft in
diameter (10_3 metres) which was
constructed from 0.71 inch (18 mm)
steel plate. Large pieces of this
vessel up to 3 tonnes in weight were
thrown up to 0.62 mile (1 km) away.
The nucleonic level transmitter fitted
to the vessel was never found. The
investigation concluded that the
explosion
was
caused
by
introduction of high pressure gas
into the LP separator through the HP
Separator level control valve, which had been opened manually. Other scenarios
were examined in detail but discounted, including: hydrocarbon/oxygen
combustion inside the LP Separator, opening of the manual bypass around the
HP Separator level control valve, and spurious mechanical failure. There is no
evidence or reason to believe that this explosion was the result of sabotage,
rather that it was the result of an operational error made as attempts were being
made to lower the liquid inventory within the HP Separator in preparation for
start-up.
7. LACK OF HAZID (HAZard Identification)
177
Although the unit was on gas circulation, liquid feed and products were still
being carried forward from equipment, the amounts reducing with time. In cold
weather under no flow conditions, wax had been found to have solidified in the
pipework between the HP and LP Separators. It appears that an operating
practice had grown up to warm through the pipework and prove it was clear prior
to start up by manually opening the HP Separator level control valve and
observing the levels in the two vessels. The duty Boardman at the time of the
accident had not been trained in or nor had he practiced this technique. During
the investigation, an operator recalled an incident about 2 years previously when
gas was heard to be passing between the HP and LP Separators with the relief
valve lifting on the latter. However, no incident occurred as the control room
operator closed the level control valve manually – no near miss report was made
and, therefore, there was no investigation.
The LP Separator was designed for 150 psig (10 bar g) and protected from
overpressure by a single relief valve, designed to pass 12:25 tonnes/hour of gas
at 160 psig (10.7 bar g). The design cases for this relief valve included blocked
gas outlet and external fire situations, but not for high-pressure gas blow through
from the HP Separator. The blow through case had been considered in the
design with protection provided by two extra low level switches fitted, in parallel,
to the HP Separator. Activation of either of these switches would trip shut the
liquid level control valve. In addition to these two extra low level switches, the HP
Separator was originally provided with a conventional float type level detector
that provided both level indication and an audible alarm when the level fell to
20% of the operational range. The float chamber and extra low level switches
were mounted on a common level bridle designed to minimise the numbers of
nozzles in the shell of the large, high pressure, stress relieved HP Separator
vessel. This arrangement had proved problematic since commissioning due to
wax precipitation in the liquid phase within the HP Separator, particularly in cold
weather and/or when problems were experienced with steam tracing. A second
level indicator was provided of the nucleonic type that was not susceptible to
process conditions. However, this could only be installed at the level bridle; the
source strength required to detect the liquid level across the whole of the vessel
would have been far too high to allow normal operator access due to the 4 inch
(100 mm) wall thickness of the HP Separator itself. The same liquid level
problems existed within the LP Separator, but nucleonic detection across the
whole vessel was possible as the wall thickness was far lower at _ inch (18 mm).
Audits prior to the accident had recognised that the LP Separator relief valve
was not designed for the gas blow through case, confirming the safety critical
nature of the HP Separator extra low-level switches. They also acknowledged the
operational problems experienced in detection of the liquid level within that
vessel. Recommendations were made to duplicate the level bridle and to provide
178
INCIDENTS THAT DEFINE PROCESS SAFETY
independent tappings for the extra low level switches. These were never
implemented. In 1980 a flare and relief study performed on the unit recognised
the gas blow through case, but assumed that the extra low level switches would
function correctly. However, after the accident it was found that both extra lowlevel switches were inoperative, one through being assembled incorrectly and the
other due to blocked tappings. Even if the switches had operated properly the
protection was still not available as the electrical supply to the trip solenoid on the
HP Separator level control valve had been disconnected some years previously,
possibly because of spurious activation. Many of the operators were aware of
this and ignored spurious indications on the alarm console.
Calculations carried out after the accident showed that a pressure of
725 psig (50 bar g) would be sufficient to burst the LP Separator, and that this
would be achieved by gas blow through with the HP Separator level control valve
open by more than 38%.
Integrity Management
Hazard Evaluation and Management – the Hydrocracker had been built in the
late 1960’s well before HAZOP or any other form of process hazards analysis
was used in design. Process units were built against a background of standards,
many of which had been developed in the aftermath of major incidents. The
design cases for the LP Separator relief valve, for example, fully conformed to
the API Codes and Standards that existed at the time.
Subsequent to the accident, BP carried out a world-wide study of all HP/LP
interfaces to establish situations where there was insufficient downstream
overpressure protection. A significant number were found that were urgently
resolved. With the introduction of Process Safety Management, initial and regular
HAZOP studies will identify such situations that have pre-existed or been allowed
to creep in through an ineffective management of change programme.
Major Accident Potential – when the Grangemouth Hydrocracker was built it was
to “conventional” standards in respect of proximity of other process units and in
the design of control buildings and workshops. It was very fortunate in this case
that the control room and associated mess room and changing facilities, built in
the centre of the unit, survived. The control room had been built with large,
almost floor to ceiling, windows; the only protection being that they were fitted
with wired glass. Had the explosion been of the partially confined vapour cloud
type, the outcome could have been the complete destruction of the buildings with
the death or serious injury of the entire operating crew of 9 persons.
Management of Change – when the changes were made to the extra low level
protection systems on the HP Separator, including the electrical disconnection of
7. LACK OF HAZID (HAZard Identification)
179
the trip solenoid on the liquid level control valve, there was no formal risk
assessment process applied. Documentation of the changes was either nonexistent or, in one case, by hand written annotation on a drawing. A robust
management of change programme will identify many types of change, with
change to protective systems being one with the highest likely potential. Formal
management of change reviews take time to organise, with further time required to
implement action items. Sometimes, it is necessary to make changes at very short
notice, such as when a protective system shows signs of becoming inactive during
normal operations. The management of change programme must include the
measures to be taken in such an event together with the roles and responsibilities
of those at the scene, particularly outside of normal business hours.
Engineering Authorities – it was noted in the investigation report that the
refinery’s senior instrument engineer had commented on the electrical
disconnection of the trip solenoid on the liquid level control valve in a 1985 memo
– 2 years before the accident. However, nothing appears to have happened as a
result of this observation. The inference is that there was no clear line of
communication or responsibility for this aspect of plant safety.
Plant Integrity – the Hydrocracker was the highest pressure process unit that
had been installed in a BP UK refinery, with flange ratings and wall
thicknesses of pressure vessels and pipework well in excess of anything that
had been experienced before. The unit was also one of the largest of its kind
in the world when it was commissioned, designed to process far heavier
feedstock than previous smaller units in the USA had been designed for. It
was also a process that was highly exothermic, with the potential for heating
equipment well past its point of failure. Lessons from Hydrocracker disasters
in the USA had been conditioned along the lines of extreme exotherms
threatening mechanical integrity, and did not appear to include the hazards of
gas breaking through the HP/LP interface although this has happened before.
The initial operating period after commissioning was plagued with problems,
particularly phase separation within the HP Separator (which also contained a
water wash section to remove ammonia from the recycle gas), and the
deposition of wax. Although the unit underwent several revamps and
turnarounds, the emphasis appears to have been on achieving throughput
and performance, rather than enhancing plant integrity.
Protective Systems – the extra low level switches on the HP Separator were the
ultimate protection afforded to the LP Separator. Had that protection been in the
form of conventional pressure relief valves, they would have been tested at every
turnaround and replaced or repaired if found defective. From all of the evidence
coming out of the investigation into this incident, it is clear that the extra low level
180
INCIDENTS THAT DEFINE PROCESS SAFETY
switches and HP Separator level control valve trip systems had never been
tested since the original unit commissioning in 1972.
Competent Personnel and Procedures – the control room operator was not
experienced in blowing though the interconnecting pipework between the HP and
LP Separators, but on the day before the accident he had been in the control
room when a senior operator had blown through the line prior to that day’s start
up. It appears that this practice was not contained in the operating procedures for
the plant, nor was contained in the operator training package.
Incident Investigation – it is clear that from the evidence of another operator that
this was not the first time a blow through had occurred with the potential for a
major accident. The near miss, 2 years previously, was not recorded and,
accordingly, no investigation took place that could have resolved the problem
and addressed the lack of protection. Operators are the people best placed to
observe plant anomalies and report these for investigation and resolution.
However, to be successful the organisational culture must be right and should
reinforce this.
Emergency Response – the fire reached major proportions and extinguishing/cooling fire water was applied at some 13,000 gallons per minute
3
(3500 m /h). Approximately 20,000 gallons (over 90 tonnes) of foam concentrate
was used. The surface drainage system was unable to cope with these
quantities, and extensive flooding occurred. Hydrocarbons released from the unit
floated on the water, and although a foam blanket was applied a break in the
foam allowed a flash fire to occur. Attendance by the Refinery Fire Brigade and
the local authority Central Region Brigade was prompt and co-operation between
them was excellent throughout the incident. The pre-arranged call-out procedure
for contacting personnel worked well and key personnel arrived on the site
between 10 and 25 minutes after the incident. The Major Incident procedure was
activated with the nominated representatives meeting in the Police Station. It was
considered that this served an important and helpful function in arranging, for
example, additional supplies of foam concentrate and back-up equipment.
Performance Management of Integrity Management and Learning – a number of
external audits and reviews had identified the issue of plant safety, in particular
the HP/LP interface issue. The engineering issues associated with modifying the
HP Separator were immense, and potentially costly. This was a large, thick
walled alloy steel pressure vessel weighing over 100 tonnes that had been stress
relieved. Options were very limited on what could be done. However, nothing
significant was done as a result of the audit and review findings.
Audits and reviews are carried out with the aim of identifying unacceptable
situations. They are carried out by specialists who can introduce experience and
7. LACK OF HAZID (HAZard Identification)
181
knowledge from outside the locality to an organisation. As such, they should be
heeded with each recommendation and observation formally responded to by the
recipient management, who are ultimately responsible for the safety of the plant.
Incidents of a Similar Nature
Hydrocracker Feed Drum Explosion, US refinery
The feed drum on a Hydrocracker Unit exploded following a trip of the feed
pumps. The manway door flew through 2 tanks, before coming to rest inside a
third. A major fire resulted.
The cause of incident was the piping of the minimum flow return line from the
high pressure feed pumps back to the feed drum. Hydrocracker feed pumps
normally discharge in the range 2,500–3,000 psig (170–200 bar g). They are
unable to run against a closed head as friction of oil running between the small
internal clearances would result in a rapid build up of heat followed by seizure. A
minimum flow bypass is installed that automatically opens if the flow through the
pump falls below a pre-set value.
In the case of this unit, the minimum flow bypass was taken from downstream of
the pump discharge non-return (check) and block valves and fed directly back to
182
INCIDENTS THAT DEFINE PROCESS SAFETY
the feed drum. The relief valve on the feed drum, typically set at 100 psig
(7 bar g) was sized only for failure of the low pressure purge gas controller and
the external fire case.
When the feed pumps tripped, operators were unable to intervene before the
liquid feedstock had been pushed back from where it entered the reactors, which
were under normal processing pressure of around 2,500 psig (170 bar g).
A simple HAZOP would have identified a particularly dangerous situation.
Subsequent Hydrocracker designs installed the minimum flow return line
upstream of the pump non-return valves.
Some references to read more:
•
The Fires and Explosion at BP Oil (Grangemouth) Refinery Ltd, a report of the
investigations by the Health and Safety Executive into the fire and explosion at
Grangemouth and Dalmeny, Scotland, March 13, March 22 and June 11, 1987, HSE
Books 1989, ISBN: 0 1188 5493 3
7. LACK OF HAZID (HAZard Identification)
183
REACTIVE CHEMICALS
Note: this section is composed of 3 separate incident descriptions to show that
similar causes can lead to incidents in different situations: production, storage or
transport.
Road tanker explosion, Teeside Rohm & Haas plant, UK, January 3, 1976
On a Saturday afternoon, a parked road cistern containing approximately
14,500 kg (32,000 lbs) of water contaminated Glacial Acrylic Acid (GAA) violently
ruptured, injuring three nearby plant workers and destroying equipment in the
vicinity. Multiple small fires were started by falling ignited acrylic polymer and had
to be extinguished by the Municipal Fire Brigade.
General view of damage:
in the foreground, the
debris are what is left of a
small temporary building,
the road tanker was
located in the background,
in front of the piperack.
A GAA batch was produced over New-Year night. For multiple reasons, the
small batch was contaminated with water (0.58% for a 0.2% maximum
specification), but it received the proper quantity of inhibitor. The off-specification
GAA batch was loaded on the road tanker on the next Friday to take it to Seal
Sands storage to be downgraded to CAA (Crude Acrylic Acid). Unfortunately, the
time of delivery was past receiving hours and the storage facility sent the cistern
back to the plant for the weekend. To avoid freezing of the GAA (that solidifies at
14°C (57°F)), operators connected the truck heating coil to a warm water supply
(cold water was warmed from a conventional service tee with a mixture of steam
and water: there was no way to check water or GAA temperatures). 15 hours
after the tanker was connected to the warm water supply, operators noticed that
thick white vapours were blowing out the loosened top lid of the road cistern.
They shut off the steam water supply just before the explosion occurred.
184
INCIDENTS THAT DEFINE PROCESS SAFETY
The investigations carried out concluded that the road cistern was
overpressured by the rapid polymerization of the GAA (estimations were 300 psi
(20 bars)). Portions of the GAA polymer that had reached auto-ignition temperature
dispersed fires over a large area. However, some of the polymerized material
showed no indication of any ignition, confirming that there was a non-uniform
temperature distribution in the polymer mass in the cistern prior to the explosion.
The most probable mechanism for initiation of the polymerization was
attributed to a combination of local inhibitor deficiency and local overheating:
•
local inhibitor deficiency: the GAA at approximately 20°C (68°F)was
loaded in the cold road tanker (around 6°C (43°F)). Therefore the first
GAA to enter was probably cooled at or below its’ solidification
temperature, at the bottom of the tanker, near the heating coil that was
not in use at that time. Since the inhibitor is not soluble in the frozen
monomer, the layer of material immediately adjacent to the coil was
uninhibited: the inhibitor had migrated away from the solid GAA. This
freezing of the GAA could also have been accomplished by a first
circulation of only cold water at 6°C (43°F) in the heating coil when it was
connected to the steam-water tee.
•
local overheating: because of the single point of entry of the heating coil
in the cistern, the inlet temperature may well have been 60 or 70°C
(140–158°F), so that the now thawed but uninhibited GAA reached the
same temperature. Under this thermal stimulus, without inhibitor,
polymerization started and slowly raised the temperature of the bulk of
the GAA to a point where that even inhibitor presence could not prevent
a runaway polymerization.
Pesticide explosion during storage, Bartlo Packaging (BPS), Inc, May 8, 1997
A massive explosion and fire destroyed an
agricultural chemical packaging building in
West Helena, Arkansas. Three firefighters
were killed by the blast and 17 others
injured.
Among other products, BPS was
repackaging a pesticide (AZinphos Methyl —
AZM 50W) produced by Micro Flow
Company (MFC), from bulk to 1 lb bags.
During the morning of May 8, 1997, a truck of
26 bulk bags of 1,600 pounds each of AZM
7. LACK OF HAZID (HAZard Identification)
185
50W pesticide was unloaded into a new BPS warehouse. Some bags of AZM were
placed by forklift operators against a compressor header pipe located on a wall of the
new warehouse.
Repackaging operations required the use of two reciprocating air
compressors. The compressors were located in the southern portion of the
original building against which the new warehouse was built in 1995. The
compressors discharge pipes went through the new warehouse addition north
wall into a common header pipe. This header pipe (in red on drawing below) was
fifteen feet (4.5 m) long and nearly six feet (1.8 m) above the concrete floor. The
AZM bulk bags were stacked two-high. The top bags were listing so that they
were in contact with the wall (and the pipe).
After lunch break, a forklift operator noticed heavy smoke coming from the
new warehouse. He couldn’t enter the building due to density of the smoke. He
raised the alarm and told colleagues to evacuate. When firefighters arrived on
scene, they first made sure that all employees were accounted for and they
consulted MSDS with BPS management. As 4 firefighters were getting ready to
enter the building, an explosion occurred, collapsing a wall (room 9 & 10 side on
drawing above) on them and killing three.
EPA/OSHA investigation determined that:
186
INCIDENTS THAT DEFINE PROCESS SAFETY
•
Some AZM bags were located against the hot compressor header pipe.
Tests made on a similar installation showed that this pipe had a
temperature above 300°F (149°C).
•
AZM thermally decomposed, releasing yellow smoke and flammable
gases. Tests carried out after the incident showed that the product was
decomposing rapidly above 212°F (100°C) and almost instantaneously
above 338°F (170°C). MSDS for AZM didn’t indicate the potential for
flammable gases release.
•
Flammable gases accumulated in the warehouse and were ignited
resulting in an explosion, probably when the power was switched off by
the local electricity Company at Fire Department request.
The report also indicates that BPS did not have procedures to ensure
segregation of incompatible materials and was relying only on MSDS from
Manufacturers.
Napp Technologies, Inc., Lodi, New Jersey
When employee arrived on April 21, 1995 for the morning shift, they smelled a
strong rotten egg odor and puffs of white smoke were seen coming out of a
blender where sodium hydrosulfite, aluminium powder, potassium carbonate and
benzaldehyde had been mixed the previous day to produce a batch of
3
approximately 1,000 gallons (3.8 m ) of gold precipitating agent. The plant was
evacuated, but operators returned in the building to dump the batch, with some
plant fire brigade members with fire hoses as back-up. At 07:47, a hissing noise
was heard and a violent explosion occurred, killing 5 employees and injuring 4.
During firefighting operations, water run-off was contaminated with fluorescein (a
bright green dye) and other chemicals. Fish died up to 2 miles downstream.
Sodium hydrosulfite and aluminium powder react with water in an exothermic
reaction and their decomposition/oxidation can result in a deflagration. The EPA/
OSHA investigation team therefore concentrated on looking for water sources to
the blender. The blender used for that batch was fitted with a dual mixer (in
blue) / vacuum tube (in green) / feed line (purple pipe) that was connected to the
shell of the blender by a graphite seal (in red under arrow on left hand side)
cooled with water (see drawing below).
7. LACK OF HAZID (HAZard Identification)
187
The investigation team found that this seal had wear patterns that would
have allowed small quantities of water to slowly leak into the blender, starting a
series of exothermic reactions over a few hours. Early signs (unusual odors,
bubbling, pressure build-up, etc.) that something was going wrong were not
identified and employees attempted to correct the batch overnight when it should
have taken less than one hour. Decomposition of sodium hydrosulfite produced
sulfur dioxide, hydrogen sulfide and more water: the decomposition process,
once started, was self-sustaining. The reaction generated sufficient heat to cause
aluminium powder to react rapidly with the other ingredients and generate more
heat. During the emergency attempt to off-load the blender of its reacting
content, the materials ignited in contact with air and the explosion occurred.
Integrity Management
Hazard Evaluation and Management – the Rohm & Haas report on the GAA road
cistern explosion concludes that “there are several anomalies and gaps in our
knowledge. Further research and development work should be put in hand as
soon as possible to study this on an urgent basis.”
The EPA/OSHA report on BPS warehouse explosion states that “MFS (AZM
Manufacturer) and BPS did not have a full understanding of the hazards
associated with AZM”.
The EPA/OSHA report on Napp blender explosion indicates that “and inadequate
process hazard analysis was conducted and appropriate preventive actions were
not taken”.
Major Accident Potential – in all the examples above, the potential for a major
incident was grossly underestimated or completely ignored. Even in Napp
incident case, where the reactions of sodium hydrosulfite and aluminium powder
188
INCIDENTS THAT DEFINE PROCESS SAFETY
with water were known by employees and numerous incidents data available
(EPA/OSHA report lists dozens of these: however Napp did not appear to know
about them), no-one raised concerns about the use of a blender that
incorporated potential leak points of water (water cooled seal and cooling jacket).
Management of Change – when the changes were made to build the new
warehouse at BPS Inc., there was an opportunity to assess the potential hazards
of a hot pipe in an area where hazardous chemicals were to be stored, and to
develop procedures that address storage restrictions.
Protective Systems – in the Rohm & Haas GAA incident, there was no possibility
for operators to know what the water or GAA temperatures were. They could only
check that the water coming out of the heating coil was warm or not by touching
it. Even worse, a change in utility system pressures (either on the water or the
steam side) could affect the adjustment initially made by the operator, without
any alarm being triggered.
Competent Personnel and Procedures – in all cases described above, the fact
that the hazard analysis were incomplete or not done lead to operators using
inadequate procedures and having no or not enough training on the potential
problems that they may face. The Napp case is typical of operators attempting to
get deviations corrected without understanding the full potential of the situation
and without having clear instructions on when and how to trigger an adequate
emergency shut-down.
Emergency Response – in BPS warehouse explosion case, the EPA/OSHA
report questions the strategy implemented by the Fire Department to prepare for
entry into the building when no lives were threatened and too many unknown
factors (which chemicals were involved, what were the combustion product
hazards, etc.). On one side, an aggressive response is potentially placing
firefighter lives at risk to save an insured building; on the other hand it may
prevent escalation and sustain economic activity.
Similarly, the decision to dump reactor content in Napp incident was ill-advised
but there was no understanding that allowing contact with air could potentially
lead to an explosion.
Incidents of a Similar Nature
Sadly, hundreds of similar chemical incidents reports are available. The following
ones were chosen because they both clearly illustrate the need for good
communications between researchers who may have identified particular
hazards, and designers/operators. In these two incidents, hazards were clearly
7. LACK OF HAZID (HAZard Identification)
189
identified early on, but not included in the design, procedures and training, to
catastrophic outcomes.
Hydroxylamine plant explosions, US and Japan
On February 19, 1999, a violent
explosion destroyed the
Concept Sciences Inc. plant in
Pennsylvania. Five people were
killed and another 14 injured.
Operators were distilling an
aqueous solution of hydroxylamine and potassium sulfate to
produce the first batch of the
new facility.
Hydroxylamine is an oxygenated
derivative of ammonia and is
used in the semi-conductor manufacturing industry to clean circuits. It may ignite
spontaneously if a large surface is exposed or on contact with sulfate, metals and
oxidants. Hydroxylamine crystals and solutions can explosively decompose at
high concentrations (above 70% per Concept Sciences Inc. MSDS).
During the distillation process, high concentrations (above 86%) and
temperatures were reached, allowing decomposition, possibly accelerated by
contaminants. The Chemical Safety Board case study published on this incident
indicates that Concept Sciences Inc. showed deficiencies in process
knowledge/documentation and in process safety reviews for capital projects:
despite knowing that above 70%, a solution of hydroxylamine could decompose
explosively, this knowledge was not translated into the process design, as the
new plant was designed to concentrate hydroxylamine up to 85%. A simple
‘what-if’ process hazard analysis was carried out, without considering factors that
could lead to an explosion. A well-performed HAZOP would have identified
particularly dangerous situations.
On June 10, 2000, a similar explosion destroyed Nissin plant in Japan, killing 4
people and injuring 58 others: during a 5 hours temporary shut-down to replace
oil in a vacuum pump, concentration of hydroxylamine solution was allowed to
raise up to 85% when it detonated.
190
INCIDENTS THAT DEFINE PROCESS SAFETY
Morton International, Inc. plant explosion – April 8, 1998, USA:
During the manufacture of a
batch of Yellow 96 Dye
(petroleum fuel dying additive)
by mixing ortho-nitrochlorobenzene (o-NCB) and 2-ethylexylamine (2-EHA) a runaway
reaction occurred, overpressuring
the
r e a ctor vessel.
Flammable materials were
released and an explosion
occurred, injuring 9 employees.
The process to produce Yellow
96 Dye was designed to run at
approximately 150°C (302°F), first by external heating, then by self-heating using
the exothermic reaction: the reactor external envelope (‘jacket’) could receive
steam (for initial heating) or cold water (to slow reaction rate). This 150°C
temperature is very close to the decomposition temperature of the Dye, an
exothermic reaction initiated at 195°C (383°F). This undesired reaction was
identified by Morton researchers in the late 80s, but it seems that the Paterson
plant, where the explosion occurred, was not aware of this hazard.
3
The plant produced 25 batches of that Dye in 1,000 gallons (3.8 m ) reactors: 20%
of these showed some unexpected temperature rises, but these were not
investigated. In 1996, a decision was made to manufacture the following batches in
3
2,000 gallons (7.6 m ) reactors, without a Management of Change review that may
have shown that this change increased inventory and decreased by 10% the heat
transfer area that was used to cool down the reaction. 50% of the following batches
showed unexpected temperature rises, but again these were not investigated.
On the day of the incident, operators loaded warmer products than usual and
then left steam heating on for longer than usual. Once they saw the temperature
in the reactor increasing rapidly, they tried to stop the reaction by introducing cold
water in the jacket, but this was not enough. When rupture disks activated, the
temperature was rising rapidly to 260°C (500°F). Operators started their escape
just before the vessel ruptured. A large fireball went through the building roof and
subsequent fire had to be extinguished by the fire brigade.
Some references to read more:
•
“BPS Inc., West Helena Arkansas” EPA/OSHA chemical accident investigation report,
EPA 550-R99-003, April 1999.
7. LACK OF HAZID (HAZard Identification)
•
•
•
•
•
191
“Napp Technologies Inc., Lodi New Jersey” EPA/OSHA chemical accident
investigation report, EPA 550-R97-002, October 1997.
“Morton International Inc.”, Chemical Safety Board investigation report 1998-06-I-NJ.
“The explosion at Concept Sciences: hazards of Hydroxilamine”, Chemical Safety
Board case study 1999-13-C-PA, March 2002.
“A checklist for inherently safer chemical reaction process design and operation”,
Center for Chemical Process Safety, March 2004.
“How to prevent runaway reactions” EPA/CEPPO, EPA 550-F99-004, August 1999.