USING BOTH COMPRESSORS DURING SHIP UNLOADING CAUSES AN INCIDENT

At 6:55 am, a propane ship unloaded its cargo into 2 mounded spherical storage tanks at a Seveso plant. At 8:50 that evening, the liquid phase had been completely unloaded and the vessel’s pumps were turned off. Unloading of the gaseous phase via the ship’s compressors began a few minutes later. At 9:35 pm, the 2 relief valves on one of the tanks opened at their calibration level (10.9 bar) for 30 seconds. The on-duty pump operator stopped the transfer and connected the 2 spheres in order to lower the pressure, steadying it at 9.8 bar. The plant manager and ship captain jointly decided to halt the unloading operation and monitor pressure of both tanks every 30 minutes. According to the site operator, the sphere’s pressure rise from 9.2 to 10.9 bar in 35 min was due to the simultaneous use of both propane ship compressors to accelerate unloading. The installation inspection revealed that pressure alarm thresholds on the sphere had been set at a higher value than the valve calibration pressure. Subsequent to the incident, the pre-alarm levels (visual and sound) and sphere alarm were calibrated at 10.4 and 10.7 bar, respectively, i.e. below the valve tripping values. The effective closure of the sphere filling valve and opening of the spraying valve were both prominently displayed on the control room displays

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

LOOK ALIKES IN CONTROL ROOM CAUSES AN INCIDENT

Inside a petrochemical unit, a steam supply problem encountered at the site’s steam production plant caused activation of the cracked gas compressor. The steam cracker was immediately shut down and the gases routed to the flare, resulting in the flaring of 800 tonnes of a hydrocarbon mix between Saturday evening and Sunday end of the afternoon. The unit’s supply was being provided by 2 boilers, one serving as a backup to the other. During the incident, one of the boilers was taken off-line for maintenance, leaving just a single boiler running. The idle boiler had undergone numerous safety tests, one of which called for closing the intake valve. The test operator mistakenly closed the fuel intake valve on the operating boiler from the control panel, causing a significant and sudden drop in steam supply to the units. With the steam cracker shutting down immediately, the installations were degassed and the flare network used as a backup for hydrocarbon ignition. To mitigate this type of error, the site operator improved boiler differentiation appearing on the control room’s graphic interfaces.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

FAULTY LEVEL INDICATIONS CAUSES FIRE

 A fire broke out on the vacuum distillation unit in a refinery during its shutdown. The unit had been restarted the day before following the acceptance of the work, while other job sites were still underway at the site. The reheating operation had begun during the night, and the unit was still in the power build-up phase. At around 9.15 am, thick black smoke was observed coming from the stack (fire in the furnace), with flames shooting from the open explosion vents. This situation was preceded by hammering in the pipes and rising pressure in the tower increase and the opening of valves: hydrocarbons began spilling outside. Following the inquiry, it appears that erroneous level indicators caused the tower to be overfilled then the backflow of liquid into the furnace via the vacuum system (backflow of incondensable materials). A brief summary of the findings: the local levels were not visible, the chain associated with the control levels in the bottom of the tower had not been completely checked (card), and the configuration of the system and notably the extraction levels were not correct.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

TRIP BYPASS WITHOUT APPROVAL CAUSES INCIDENT

 Subsequent to a tube break inside a refinery, fire ignited on a furnace. The emergency shutoff system was tripped and the unit became depressurised via the tube that broke inside the furnace. During this incident, the unit was on a return path to its nominal flow rate. Roughly 24 hours prior to the break, following another incident, the reforming unit was operating at an extremely low flow rate over a 3-hour period. The low flow rate safety system had been bypassed without implementing any compensatory measures. The next day, this information was not even relayed to the daytime shift, with the abnormal situation leading to the quick coking of the tubes and accelerating their creep. The fire had originated from overheated tubes tied to an internal coking operation, caused by operating at an insufficient flow rate (in a breach of safety rules). In underestimating the incident occurring the previous day, the subsequent shift had not been properly informed. The environmental agency requested strengthening the refinery’s safety management rules and verifying their strict implementation, in addition to installing an alarm management system. The agency also requested: formalising both the resources to be notified in the event of a process-related incident outside of plant operating hours and the rules for overseeing unplanned shutdowns and corresponding start-ups; revising the periodic safety test acceptance protocol; and expanding training and recycling programmes thanks to the Company’s new tools, in emphasising furnaces and incident management.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

HUMAN ERROR IN ENTERING DCS INPUT CAUSES AN INCIDENT

 At 9:03 pm, the control room operator responsible for the catalyst section of a refinery’s fluid catalytic cracking (FCC) unit entered an erroneous opening value for the atmospheric relief valve at the discharge of a compressor blowing the air needed to suspend a catalyst inside the regenerator. This valve deviated some air flow to the compressor discharge in order to protect the compressor from pumping phenomena. The operator on duty had input, then validated, an erroneous valve opening control value (less than 10%), when he actually wanted to lower the value from 20% to 19.5%. This instruction wound up increasing air flow to the regenerator and subsequently tripping the safety mechanism for the compressor and then for the entire unit. The 15-minute unit decompression caused flare emissions, followed by a gradual shutdown. The facility management brought the unit back online incrementally between 11 pm and 5 am, resulting in new flare emissions. The updated guideline requested the panel operator to no longer enter a value, but instead solely use the «up» or «down» arrow commands to increment the initial value by 0.5% or max 1%.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION