CREEPING CHANGES CAUSES AN INCIDENT

The Fluidised Catalytic Cracker Unit (FCCU) was shut down on the 29 th May 2000 following the power distribution failure and was being restarted after an 11-day shutdown. On 10 th June 2000 during start-up a significant leak of hydrocarbons was discovered, creating a vapour cloud which ignited resulting in a serious fire. Workers escaped before the blast, nobody got injured in the incident.
Key learning points
The leak was as a result of failure of a tee-piece connection at the base of the debutaniser column which found a source of ignition nearby. The tee-piece connection which had originally been installed in the 1950’s was correctly specified but incorrectly fitted, and then hidden by lagging. There was no subsequent amendment to the plant layout drawings to identify that change.
Since the 1950’s, sections of the FCCU had been significantly modified. Prior to the modifications in 1986, changes had been made to the pipework at the base of the column and a valve had been removed. This resulted in there being inadequate support for the remaining pipework and the tee-piece connection. Between 1996 and 1998 the FCCU had been experiencing considerable difficulties and did not operate consistently. This resulted in an increase in the number of start-up/shutdown cycles for the plant and pipework. 

An incident occurred in 1999 during a prolonged start-up on the FCCU. It resulted in an ignition
of a torch oil vapour cloud. Contrary to plant operating instructions in the master operating manual, the torch oil had been admitted to the regenerator when the unit was at too low a temperature. As a result, ignition of the torch oil did not occur in the regenerator. Although ignition had not been verified, a considerable further quantity of torch oil was injected, and it is believed that hot spots in the slumped catalyst bed vapourised the torch oil. The provision of a temperature interlock had previously been considered and discounted, as it was decided that operating procedures alone provided enough control.
In the 11 weeks preceding the incident in 2000, 19 start-up attempts had been made and only 7 were
successful. Failure of the tee-piece connection pipework was probably caused by a combination of the incorrectly fitted tee-piece connection, the inadequately supported pipework and the cyclic
stresses/vibration caused by the increased number of start-up/shutdown activities on the plant. Eventually these led to fatigue failure of the pipework in the vicinity of the welded connection. The company reviewed the FCCU to find out why it did not operate properly but the findings were never implemented or communicated properly. The safety report failed to reflect the reality of the condition of the FCCU. The 1997/98 revision concluded that “hardware and software controls in place on the FCCU are adequate to prevent the occurrence of a major accident”. 

Incidents with vibration of the transfer line had occurred over the two years prior to the
explosion. These events were not reported or investigated. There were two incidents preceded the blast on 10 th June, a power distribution failure on 29th May 2000 and the medium pressure steam main rupture on 7th June 2000. Construction of a new facility had started in early 2000. The company hired a sub-contractor for the underground works and the sub-contractor sub-contracted the actual excavation work to an excavation contractor. The company also engaged a main electrical sub-contractor for the electrical and instrumentation work to be carried out. The electrical subcontractor further contracted the laying of the cable in the excavated trench to a cable-laying contractor. The schedule for the excavation and cable laying was very complicated and supervision of the excavation work was limited. On the 25th May a cable-laying operative from the cable-laying contractor observed a damaged tile and cable in preparation for laying a cable but he did not report the damaged cable in the belief that it was dead and it had already been reported. Before that, on 20th April an excavation contractor had been found using a clayspade to the trench at a depth greater than the instructions from the toolbox talks. The earth fault was caused by physical damage to the cable from a clayspade. This case is not a standalone event related to creeping changes. For example, the 2006 Royal Air Force Nimrod crash, Texas City refinery explosion, Buncefield, Shell Moerdijk, the Columbia space shuttle disaster, Bhopal or the Herald of Free Enterprise are cases similar in nature.

Source:IChemE 

 

ACID ATTACK ON CONCRETE CAUSES AN INCIDENT

On 4 February, 2005, a storage tank containing 16,300 tons of 96 % sulphuric acid ruptured. The content of the reservoir spilled out into the bund and then the dock. The remaining 2,000 tons of acid in the bund came into contact with salt water that created an exothermic reaction, which produced an acid cloud consisting of hydrogen chloride. The vapour cloud drifted along the coastline and mostly over the sea. No one was affected by the event.
Key learning points
The incident was caused by a leak in the cooling water supply pipe passing under the tank farm. The leak undermined the ground under the foundations of a tank which then ruptured because of the uneven weight distribution resulting in the sudden release of the acid. The bund was filled with salt water when the rupture occurred and that caused the formation of hydrochloric acid. The pipe was made of concrete and came into use in the early 1960s. The only damage noted to the pipe was a leak at the pumping station in 1999. The inspection of the failed pipe following the incident detected little or no internal corrosion, but heavy external corrosion to the concrete. In certain parts of the pipe the concrete has corroded so severely that the reinforcing steel had also been exposed. It suggests that the corrosion was as a result of an acid attack on the concrete. According to the standards, a strong acid attack on concrete occurs if the pH level in surrounding water is < 5.5 and a very strong attack if the pH level is < 4.5. The company drew the conclusion that the pH level measured as 4 in the shallow groundwater in 1989 entailed risks for strong acid attack on the concrete. However, there was no risk assessment conducted.

Source:IChemE 

 

IMPORTANCE OF ASSET INTEGRITY AND SUBJECT MATTER EXPERTS

 On 6 August, 2012, a catastrophic loss of containment occurred on an 8-inch diameter piping associated with the gas-oil side-draw on an atmospheric crude distillation column in a refinery. The pipe ruptured, releasing flammable hydrocarbon process fluid to the environment. The flammable liquid partially vaporized into a large vapor cloud engulfing nineteen employees. After two minutes the flammable portion of the vapor cloud ignited. All of the employees escaped, narrowly avoiding serious injury.

Key learning points

The underlying cause of the pipe rupture appears to be poor maintenance procedure in regard to mechanical integrity. Subsequent testing determined that the rupture was due to pipe wall thinning caused by sulphidation corrosion. In fact, over a period of nearly 35 years, the 52-inch long piping component had lost on average, 90 percent of its original wall thickness in the area near the rupture. Although the company employed experts in sulphidation corrosion, they were not consulted on any key decisions associated with potential sulphidation risk of the crude distillation unit. The crude distillation unit is one of the processes most associated with sulphidation corrosion in petroleum refineries. However, the process hazard analysis of the crude unit did not consider the potential for sulphidation corrosion. The pipe in question was made of carbon steel which had a tendency to corrode from sulphidation faster than typical higher chromium-containing steels. In addition to that,  carbon steel also experiences significant variation in corrosion rates due to possible variances in silicon content, a component used in the steel manufacturing process. Carbon steel piping containing silicon content less than 0.10 weight percent can corrode at accelerated rates, up to 16 times faster than carbon steel piping containing higher percentages of silicon. This should be considered in the risk assessment

Source:IChemE

2 KILLED DUE TO IMPROPER CLEARANCE

In a crude oil distillation unit, tests showed that the flare system valve was not providing effective isolation and would require eventual removal for overhaul at a scheduled shutdown of the flare. A ‘cold work’ permit to work was issued two days prior to the incident. Alternate flange bolts were removed and the other bolts lubricated as a standard practice to save time. Sufficient bolts remained at all times to retain the flange seals. There was at that time no need to verify line conditions. Two contractors wearing breathing apparatus completed the work. When almost all the bolts were undone, liquid leaked from the gap between the flanges and gas escaped from the top of the joint.
The men stopped work, came down to ground level and sought advice. The supervisor checked the
platform and saw gas issuing from the top and liquid leaking from the bottom of the flange. He concluded that neither was under pressure and that the quantity of liquid was small. Without any further tests assured the contractors that it was safe for work to continue. The fitters remained concerned, thus asked and received 'spark proof' tools. Liquid continued to leak as more bolts were removed then, as the last bolt was undone and the crane took the strain and started to lift the valve, the spacer suddenly sprang upwards. A large quantity of liquid was released, a flammable vapour cloud formed and ignited by the nearby compressor. Two workers died in the incident.
Key learning points
A tower scaffold with a working platform and access ladder had been erected for work on the valve but due to access restrictions, it was necessary to climb over or under it. This seriously limited the route of escape. Work on the valve should not started prior to verification of the isolation and should not have continued after the first leak occurred until all doubt about the safety of the situation had been resolved. The absence of the spark arrester on the compressor was not known of until after the incident.

Source:IChemE