DOMINO EFFECTS DUE TO POWER NON AVAILABILITY NOT CONSIDERED DURING DESIGN

 In a Seveso chemical plant, a fire broke out at 12:59 pm in a substation supplying a hydrazine hydrate unit. An electrical fault on a cooling water pump caused a generalised short circuit on an electrical tower. The fire alarm was triggered at 1.00 pm. The fire spread to the other towers of the panel through the subfloor. The 400 V circuit breaker located upstream was blocked and did not function. The fault current passed through the 13,000 / 400 V transformer, there was overpressure and an oil leak followed by a primary side homopolar fault causing the 13 kV circuit breaker to trip. The absence of voltage caused the diesel generator set to stop but the switchover to the emergency system failed as the automatism was damaged by the fire. The smoke spread to the UPS room whose door remained opened. The UPS stopped when a high temperature (> 40 °C) was reached causing the loss of control and command on the process. The component switched over to safety mode. Due to the lack of power supply, the cooling system, agitation and the internal and external emergency plan siren were no longer functional. Since the ongoing reaction was exothermic, the reactor temperature and pressure increased. Several measures are taken such as designing an emergency cooling circuit, improving circuit breaker maintenance, sectoring UPS system, electric boards, generator sets, etc.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

BYPASSING A SAFETY SYSTEM CAUSES A DETONATION

 A leak of over-pressurised and overheated glycol water occurred at a chemical plant after the rupture of a pipe joint. At 2 am, a control room operator recorded a drop in coolant temperature (150°C), preventing vacuum drying operations from continuing. On-call staff diagnosed a loss of communication link between the plant’s utilities automated system and the plant’s process automated system. A specialist in such systems confirmed the defect of a card on the utilities automated system, whose replacement had been postponed until the next morning. Once the specialist left the premises and confident of his diagnosis, the on-call maintenance operator decided to restart the unit. He short-circuited all of the safety mechanisms for hot fluid monitored by the process system, and replicated the corresponding settings in manual mode. Called by another workshop an hour later, the operator abandoned the post for 30 min. Upon his return, the hot fluid had exceeded 180°C, and a noise resembling a detonation shook the plant. After joint rupture, the glycol water vaporised on the premises, which were closed immediately thereafter.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

INADEQUATE DESIGN PHILOSOPHY CAUSES AN INCIDENT

 At a facility producing carbonate and sodium bicarbonate, fire broke out at 7 am in an electrical cabinet containing transmission cables for the liquid part of the process. The blaze caused a complete loss of control for 2 hours and a shutdown of the process responsible for releasing 2 to 8 kg of gaseous ammonia (NH3) into the atmosphere, subsequent to the sudden stoppage of the gas scrubber. In addition, ammonium hydroxide was released into the plant’s accidental pollution retention basin following discharge of a brine tank; this water made its way into the nearby river given that retention basin controls and monitoring installations had become unresponsive. This discharge wound up causing the death of some 400_kg of fish. According to the facility operator, the heating of electrical cables, traced to worn insulation, had triggered the incident. The control system, composed of control stations, a connecting bus and an automated system programmed to monitor the process, had been designed with a critical point in the form of a «node» at the time of creating the site’s 1st control system (26 years prior), through which all automated system cables were routed. Whereas all electrical component supply lines had been backed up, the automated system cables ran through a single cable tray in the electrical cabinet.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

A process control system can in no way be equated with a safety system

 Inside a chemical plant, a sulphur dichloride (SCl2) leak on a pipeline supplying the boiler tube of a distillation column hydrolysed, thereby generating a strong emission of hydrogen chloride (HCl). 50 ppm of HCl were recorded inside the building. Operating losses were valued at Euros 270,000 (the downstream unit stayed idle for 18 days). A pressure sensor was undergoing maintenance; it had been diagnosed as defective after indicating a reading of 108 mbar of pressure at the boiler tube output, thus triggering closure of the valves controlling SCl2 supply and regulating the vapour heating the boiler tube. Since the sensor was not «fail safe», its electrical disconnection caused the vapour regulation valve to open, thus heating the boiler tube, whose temperature rose from 24° to 120°C in 30 min, and causing the emission of SCl2. Several measures were adopted as part of the feedback provided: monitoring and intervention procedures in a degraded operating mode, modification of the sectional valve / pressure sensor assembly, introduction of a positive safety loop independent of the regulation, thereby prohibiting any automatic restart once the high pressure threshold had been reached. This accident demonstrates that a process control system can in no way be equated with a safety system. More specifically, industrial automation satisfy a rationale and criteria that are not all known by response teams and that do not necessarily incorporate degraded modes and lockouts situations.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION

INCORRECT DESIGN OF SAFETY SYSTEM CAUSES AN INCIDENT

 Dimethyl sulphate (DMS) began leaking around 11 am at a chemical plant as the product was being loaded. The connection between the DMS container and the loading station consisted of disassembling the solid flanges, replacing the joint by a new part and reconnecting the container flanges to the unit’s pipe flanges. After initiating DMS loading in the control room, the field operator climbed down to inspect the container and, at that point, identified a leak on the flange connecting the container to the loading pipeline. He sounded the siren and the emergency light before pressing the emergency stop button. The next day, the plant operator concluded that the leak had been caused by poor clamping of the loading flange while the container was connected to the loading station. Moreover, the safety automated system was not activated because the pushbutton had not been held down long enough for its cycle length (1/10th of a second). All emergency stop pushbuttons were replaced by locking buttons throughout the site.

Source: Aria ACCIDENT ANALYSIS OF INDUSTRIAL AUTOMATION