INADEQUATE DESIGN PHILOSOPHY CAUSES AN INCIDENT

 At a facility producing carbonate and sodium bicarbonate, fire broke out at 7 am in an electrical cabinet containing transmission cables for the liquid part of the process. The blaze caused a complete loss of control for 2 hours and a shutdown of the process responsible for releasing 2 to 8 kg of gaseous ammonia (NH3) into the atmosphere, subsequent to the sudden stoppage of the gas scrubber. In addition, ammonium hydroxide was released into the plant’s accidental pollution retention basin following discharge of a brine tank; this water made its way into the nearby river given that retention basin controls and monitoring installations had become unresponsive. This discharge wound up causing the death of some 400_kg of fish. According to the facility operator, the heating of electrical cables, traced to worn insulation, had triggered the incident. The control system, composed of control stations, a connecting bus and an automated system programmed to monitor the process, had been designed with a critical point in the form of a «node» at the time of creating the site’s 1st control system (26 years prior), through which all automated system cables were routed. Whereas all electrical component supply lines had been backed up, the automated system cables ran through a single cable tray in the electrical cabinet.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

A process control system can in no way be equated with a safety system

 Inside a chemical plant, a sulphur dichloride (SCl2) leak on a pipeline supplying the boiler tube of a distillation column hydrolysed, thereby generating a strong emission of hydrogen chloride (HCl). 50 ppm of HCl were recorded inside the building. Operating losses were valued at Euros 270,000 (the downstream unit stayed idle for 18 days). A pressure sensor was undergoing maintenance; it had been diagnosed as defective after indicating a reading of 108 mbar of pressure at the boiler tube output, thus triggering closure of the valves controlling SCl2 supply and regulating the vapour heating the boiler tube. Since the sensor was not «fail safe», its electrical disconnection caused the vapour regulation valve to open, thus heating the boiler tube, whose temperature rose from 24° to 120°C in 30 min, and causing the emission of SCl2. Several measures were adopted as part of the feedback provided: monitoring and intervention procedures in a degraded operating mode, modification of the sectional valve / pressure sensor assembly, introduction of a positive safety loop independent of the regulation, thereby prohibiting any automatic restart once the high pressure threshold had been reached. This accident demonstrates that a process control system can in no way be equated with a safety system. More specifically, industrial automation satisfy a rationale and criteria that are not all known by response teams and that do not necessarily incorporate degraded modes and lockouts situations.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

INCORRECT DESIGN OF SAFETY SYSTEM CAUSES AN INCIDENT

 Dimethyl sulphate (DMS) began leaking around 11 am at a chemical plant as the product was being loaded. The connection between the DMS container and the loading station consisted of disassembling the solid flanges, replacing the joint by a new part and reconnecting the container flanges to the unit’s pipe flanges. After initiating DMS loading in the control room, the field operator climbed down to inspect the container and, at that point, identified a leak on the flange connecting the container to the loading pipeline. He sounded the siren and the emergency light before pressing the emergency stop button. The next day, the plant operator concluded that the leak had been caused by poor clamping of the loading flange while the container was connected to the loading station. Moreover, the safety automated system was not activated because the pushbutton had not been held down long enough for its cycle length (1/10th of a second). All emergency stop pushbuttons were replaced by locking buttons throughout the site.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

USING BOTH COMPRESSORS DURING SHIP UNLOADING CAUSES AN INCIDENT

At 6:55 am, a propane ship unloaded its cargo into 2 mounded spherical storage tanks at a Seveso plant. At 8:50 that evening, the liquid phase had been completely unloaded and the vessel’s pumps were turned off. Unloading of the gaseous phase via the ship’s compressors began a few minutes later. At 9:35 pm, the 2 relief valves on one of the tanks opened at their calibration level (10.9 bar) for 30 seconds. The on-duty pump operator stopped the transfer and connected the 2 spheres in order to lower the pressure, steadying it at 9.8 bar. The plant manager and ship captain jointly decided to halt the unloading operation and monitor pressure of both tanks every 30 minutes. According to the site operator, the sphere’s pressure rise from 9.2 to 10.9 bar in 35 min was due to the simultaneous use of both propane ship compressors to accelerate unloading. The installation inspection revealed that pressure alarm thresholds on the sphere had been set at a higher value than the valve calibration pressure. Subsequent to the incident, the pre-alarm levels (visual and sound) and sphere alarm were calibrated at 10.4 and 10.7 bar, respectively, i.e. below the valve tripping values. The effective closure of the sphere filling valve and opening of the spraying valve were both prominently displayed on the control room displays

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

LOOK ALIKES IN CONTROL ROOM CAUSES AN INCIDENT

Inside a petrochemical unit, a steam supply problem encountered at the site’s steam production plant caused activation of the cracked gas compressor. The steam cracker was immediately shut down and the gases routed to the flare, resulting in the flaring of 800 tonnes of a hydrocarbon mix between Saturday evening and Sunday end of the afternoon. The unit’s supply was being provided by 2 boilers, one serving as a backup to the other. During the incident, one of the boilers was taken off-line for maintenance, leaving just a single boiler running. The idle boiler had undergone numerous safety tests, one of which called for closing the intake valve. The test operator mistakenly closed the fuel intake valve on the operating boiler from the control panel, causing a significant and sudden drop in steam supply to the units. With the steam cracker shutting down immediately, the installations were degassed and the flare network used as a backup for hydrocarbon ignition. To mitigate this type of error, the site operator improved boiler differentiation appearing on the control room’s graphic interfaces.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION