LOOK ALIKES CAUSE AN INCIDENT

On May 20, 2025, at approximately 8:15 a.m., approximately 8,000 pounds of toxic chlorine were released, seriously injuring one employee at a facility in  Texas . The community was ordered to shelter in place, and estimated that the incident resulted in approximately $23 million in property damage.

On the day of the incident, it was planned to replace a rupture disc (RD-217N) in the chlorine liquefication unit. This safety device protected the E-209A heat exchanger 

 

The company gave two contract maintenance workers the work package and a permit to replace the RD-217N rupture disc. At approximately 8:10 a.m., one of the maintenance workers began disassembling the RD-217N rupture disc holder using a battery-powered impact wrench. In addition to the standard protective equipment, the maintenance worker wore an air-supplying respirator with a 30-minute air bottle. At 8:15 a.m., liquid chlorine at a pressure of 100 pounds per square inch began releasing from the partially disassembled RD-217N rupture disc holder. The maintenance workers evacuated from the area. Alarm horns in the unit were activated after chlorine gas detectors identified the release. Local officials issued a shelter-in-place order for the cities. At 9:03 a.m., emergency responders closed Valve 1 to stop the release.
During the response to the incident, one emergency responder’s 30-minute air supply depleted. He switched to a cartridge-style escape respirator to exit the area, but the respirator likely became saturated with chlorine, causing him to inhale the toxic vapor. Other emergency responders then transported him to a hospital, where he was admitted for treatment.
The company's investigation found that although the work planning documents showed that RD-217N was to be replaced, its operations team had mistakenly isolated, cleared, and tagged a different but nearly identical piping system—heat exchanger E-209B—to replace a different rupture disc, RD-217S. As a result, the operations team did not isolate, clear, or tag the E-209A heat exchanger and the piping associated with RD-217N. This equipment was operating when it issued the contract workers a permit to replace the RD-217N rupture disc. The unit operator who issued the permit and the maintenance workers did not perform a field walk-through of the job. In addition, the contract workers did not review or sign the equipment isolation plan or the tag that identified the rupture disc holder to be opened. Seeking to do so should have revealed that RD-217N was in operation and had not been prepared for replacement.
Probable Cause
Based on the company's investigation, the CSB determined that the probable cause of the chlorine release was the mistaken disassembly of a rupture disc holder in an operating chlorine system. A breakdown in the equipment opening and control of work programs contributed to the incident, including the absence of a pre-job site walkthrough that should have allowed plant operators and the maintenance crew to verify the rupture disc had been prepared for replacement.

Source:CSB.gov 

IMPROPER LOTO CAUSES AN INCIDENT

On February 1, 2025, around 1:36 p.m., an explosion and fire occurred at a refinery in California. It was estimated that the incident caused approximately $924 million in property damage.
On February 1, 2025, the refinery tasked contract workers with installing an isolation blind at Flange A  to prepare a catalytic feed hydrotreater unit (“unit”) for turnaround maintenance. A yellow tag was placed between Valve 2 and Valve 3 to indicate the location of the blind installation. After completing a field walkthrough to verify that the piping segment between Valve 1 and Valve 2 was empty, an operator issued a permit to the supervisor of the contractor work crew at 11:30 a.m.

When the work started, two contract workers were on a scaffold that provided access to the elevated equipment. In addition to their standard protective equipment, the two workers wore supplied-air respirators. Two standby workers from a different contract company were at ground level to monitor the breathing air equipment and observe the flange opening work. At approximately 1:25 p.m., the two contract workers began unbolting Flange B. At this time, neither the workers’ supervisor nor the operator who issued the permit for the contractors to install the blind was present.
As Flange B was being unbolted, the contract workers’ supervisor returned to the work area. From his vantage point, the supervisor could not see which flange the crew was working on. Shortly thereafter, the supervisor observed and heard a pressurized release and recognized that something was wrong. One of the standby workers activated an air horn to stop the work. The two contract workers disconnected from their supplied-air hoses, jumped from the scaffold, and evacuated the area. At about 1:30 p.m., the flammable material ignited and exploded with flames erupting from the area. Hot (above 600 degrees Fahrenheit) hydrocarbon material continued to be released from Flange B, fueling the fire. The extent of the fire escalated over three days and involved other equipment until emergency responders extinguished the fire on February 4, 2025. The company reported that approximately 50,000 gallons of flammable hydrocarbon material were released over three days.
The company’s investigation found that the contract workers, hired specifically for the extra tasks during the turnaround, had not received training on the refinery’s equipment opening policies and procedures. Consequently, these workers were not aware of the company's tagging system for identifying which flange should be opened. The company’s investigation also revealed that installing this blind should have been treated as a “first break” (as written on the permit) under the refinery’s policies, because this was the initial equipment opening for this system. First breaks required a qualified operator to be present during the work to ensure that maintenance workers open the proper equipment. However, because of a miscommunication between the workers, the operator was not present when the contract workers disassembled Flange B.
The company required maintenance crews to attach their personal locks or tags to all valves used for equipment isolation. The contractor crew did not apply locks or tags to Valve 1 or Valve 2. If the crew had done so, they could have had the opportunity to better understand the existing hazards by participating in the lockout/tagout process for these valves. The permit issued to the contractor supervisor stated that the equipment was out of service. The supervisor believed that all the equipment was empty and was unaware of the active (operating) process adjacent to Valve 2.
Because the work was on a scaffold, laser pointers were used to highlight Flange A during the field walk-throughs involving the operator, contract workers, and the contractor’s supervisor. Although post-incident interviews with the operator and the contractor’s supervisor revealed that two of the four walkdown participants understood that the blind should be installed in Flange A, it is evident that the contract workers believed that Flange B was the correct location.
Following the incident, the company revised its permitting procedure. For permits that require an operator to be present, operators must now issue one permit per isolation blind only after the workers are at the job site and prepared to start the task. This change was made to help ensure an operator is present to confirm that work is performed on the correct equipment.
Probable Cause
Based on the company's investigation, the CSB determined that the probable cause of the incident was the opening of a flange that was connected to an active process containing pressurized flammable liquid hydrocarbon. When the flange was loosened, the flammable material was released and ignited (autoignition or static discharge), resulting in a large fire. The company could have prevented the incident by having a knowledgeable person present to ensure that workers unfamiliar with the equipment disassembled the correct flange and were aware of the existing hazards. Additionally, the company would benefit from improving its tagging practice to make it obvious which equipment workers should disassemble.

Source:CSB.gov 

RUPTURE OF AN AMMONIA CYLINDER DUE TO EXTERNAL HEATING

On October 8, 2024, at 8:15 p.m., a cylinder containing approximately 150 pounds of liquid anhydrous ammonia exploded, seriously injuring four employees at a facility in Louisiana.
On the day of the incident, it was planned to introduce anhydrous ammonia into equipment as part of a chemical treatment in preparation for turnaround maintenance work. To supply the ammonia, the company used a cylinder (DOT 4AA480) that contained approximately 150 pounds of liquid anhydrous ammonia (“cylinder”). The operations team wrapped the lower half of the cylinder with a rubber hose. This was done to allow steam to flow through the hose, enhancing heat transfer and preventing ice from forming on the cylinder’s external surface as the liquid ammonia inside vaporized. The steam supply was approximately 300 degrees Fahrenheit and had a pressure of about 70 pounds per square inch (psi). While the valve on the cylinder remained closed, one of the operators opened the steam supply valve to initiate steam flow through the hose while continuing preparations for the chemical treatment. As the workers continued the equipment setup, the cylinder exploded, seriously injuring three operators and an operations supervisor . Emergency responders transported the four injured employees to a hospital, where they were admitted for treatment.
The company's investigation determined that the procedure used for the chemical treatment did not cover critical safety details, such as not heating the cylinder when its outlet valve was closed. In addition, it was found that the cylinder was not protected by a pressure relief device. When the cylinder was heated, the pressure exerted by the liquid ammonia inside the cylinder significantly increased far above the cylinder’s service pressure of 480 psi, resulting in a boiling liquid expanding vapor explosion (BLEVE).
Probable Cause
Based on the company's investigation, the CSB determined that the probable cause of the incident was the uncontrolled external heating of a liquefied compressed gas cylinder without essential safeguards, including an emergency pressure-relief device. The uncontrolled heating generated tremendous internal pressure, causing the cylinder to explode. The company's process safety management systems contributed to the incident by not effectively evaluating and controlling the hazards presented by its anhydrous ammonia chemical treatment system.

Source:CSB.gov 

DO YOU HAVE CHECKS ON YOUR PREFERRED VENDOR WHEN IT OUTSOURCES COMPONENTS?

On February 22, 2024, at 4:20 a.m., a valve leaked hot liquid hydrocarbon, which ignited, resulting in a fire in refinery in Louisiana . It was estimated  that the fire caused $1.2 million in property damage.

On the morning of the incident, unit operators saw a decrease in the crude unit’s vacuum tower bottoms (VTB) flow. Field operators then found a fire near the flow control valve. Emergency responders extinguished the fire within minutes. It was reported that approximately 12,000 pounds of VTB material were released.
The comapny's investigation found that a recently installed 4-inch stainless steel globe valve in the VTB flow control station bypass piping had leaked at its pressure-retaining cover (bonnet). The valve had a Teflon (PTFE) bonnet gasket and Teflon packing, which were limited to 450 degrees Fahrenheit (℉), and were incompatible with the 650℉ VTB material. The valve was ordered in August 2023 and installed during a unit outage on February 16, 2024, six days before the incident.
The valve was equipped with two tags that provided conflicting information. When the company ordered the valve from its preferred vendor, the order included the refinery’s valve number, which specified a valve that met the process requirements by using graphite for the bonnet gasket and packing material. Teflon was not an acceptable material for this application.

The company's preferred vendor did not have this valve in its inventory, so it procured the valve from a third-party supplier. The manufacturer’s tag attached to the valve correctly indicated that it was equipped with Teflon components and stated that the valve’s maximum operating temperature was 450°F. However, the third-party supplier wired an additional tag stamped with the refinery’s valve number to the valve, incorrectly identifying the valve as having graphite components. Refinery personnel accepted and installed the valve based on the order and receipt documentation, along with the valve’s size, flange rating, and the refinery valve number.
Probable Cause
Based on the company's investigation, the CSB determined that the probable cause of the incident was the installation of a valve with Teflon components that could not withstand the process temperature. The company could have prevented the incident by confirming that the manufacturer’s tag indicated that the valve was assembled with the proper components and that the valve’s design temperature was compatible with the vacuum tower bottoms temperature. Contributing to the incident was the third-party supplier’s tag, which incorrectly identified the valve as having graphite components

Source:CSB.gov 

A CHANGE IN LEAK TESTING PROCEDURE CAUSES AN EXPLOSION

On December 10, 2023, at 3:38 p.m., two explosions and a fire occurred in a polymer reactor at a facility in Mt. Vernon, Indiana. Property damage was estimated at $3.5 million.
Three months prior to the incident, on September 18, the company had shut down its polybutylene terephthalate resin unit for scheduled maintenance. On the day of the incident, the maintenance work was nearing completion, and operators were preparing the unit’s reactor system for startup. At 3:38 p.m., a heat exchanger exploded, ejecting several equipment fragments, including one that landed approximately 505 feet away near the facility’s boundary along the Ohio River. A second explosion and flash fire soon followed, rupturing a reactor.
The company's investigation concluded that the initial explosion in the heat exchanger was caused by the rapid, energetic decomposition of unstable organic peroxide that had formed and accumulated inside the equipment. The second explosion and flash fire, which destroyed the reactor, was caused by heat from the first explosion igniting flammable tetrahydrofuran vapor inside the reactor.
The exchanger and reactor were interconnected, with no isolation between the two pressure vessels. The design of the reactor’s outlet piping retained liquid in the piping. Because the piping could not fully drain, it contained polybutylene terephthalate polymer, butanediol, and tetrahydrofuran when the unit was shut down on September 18, 2023.
On December 10, operators began pre-startup activities. At 3:16 a.m., hot oil was sent through the tracing used to heat the reactor’s outlet piping. As the piping heated, the residual hydrocarbon material also heated, evolving tetrahydrofuran vapor that flowed into the reactor and the heat exchanger. A 3-inch nozzle on the heat exchanger remained open to ambient air, allowing oxygen into the reactor system. The tetrahydrofuran vapor reacted with available oxygen to form an organic peroxide compound. The organic peroxide continued to form for another 12 hours, until it exploded in a rapid decomposition reaction at 3:38 p.m. The heat from the explosion ignited additional flammable tetrahydrofuran inside the reactor, triggering the second explosion and a flash fire.
The company's investigation found that the company’s historical practice of leaving residual hydrocarbon material in the reactor’s outlet piping during shutdown created hazards that were neither recognized nor controlled. The reaction of tetrahydrofuran with oxygen produced the explosive organic peroxide. Before the incident, personnel had assumed that the cooled, solidified material could remain in the reactor’s outlet piping because it was not hazardous, creating a false sense of safety.
The investigation also found that a change to the reactor’s leak-testing procedure contributed to the incident. Previously, the reactor was leak-tested online under vacuum. The company switched to using pressurized nitrogen and moved the test into the maintenance outage. A management of change review had been approved to allow a leak test of the reactor during pre-startup activities. However, the review did not assess how the leak test might adversely affect those activities.
When the hot oil heated the reactor’s outlet piping, the procedure required adding nitrogen to the reactor system. However, the nitrogen flow was omitted due to the modified leak test. The company’s investigation concluded that the risk of performing simultaneous tasks during startup had not been evaluated.
Probable Cause
Based on the company's investigation, the CSB determined that the probable cause of the incident was heating the reactor’s outlet piping containing solidified polybutylene terephthalate polymer, butanediol, and tetrahydrofuran while a nozzle on an interconnected heat exchanger was open, allowing oxygen (air) to enter the equipment. These conditions generated tetrahydrofuran vapor, which reacted with oxygen to form an explosive organic peroxide, and also created a flammable atmosphere in the equipment, which then ignited and exploded after the organic peroxide energetically decomposed. The management of change review conducted for the reactor’s leak testing did not assess how the leak testing might affect the simultaneous pre-startup tasks, contributing to the incident. As a result, there was no nitrogen flow through the reactor system, allowing unstable peroxide to form and developing flammable conditions within the equipment.

Source: CSB.gov