STEPHEN DE HAAN, VICE PRESIDENT, LUMMUS TECHNOLOGY
BARBARA STANCATO, MANAGER, LUMMUS TECHNOLOGY
BRIAN K. SULLIVAN, MANAGER, LUMMUS TECHNOLOGY
Abstract: Many similar safety incidents occur in ethylene plants throughout the world.
While these should be well known to plant operators, our paper reviews these safety incidents
along with their root causes. The paper then discusses the following three less common
safety incidents in detail:
The above incidents were related to or caused by problems in the control system. Some
occurred because the operators did not use or fully understand the control system. Others
resulted from faulty configuration or a lack of understanding of the process by the control
engineer.
We believe these particular incidents are important because they can potentially occur in
any ethylene facility. Also, they involve the control system, which is often treated as a black
box. As such, it represents a gap in the knowledge of some operators and engineers.
Incident analysis techniques are then addressed and a list of key factors based on our
experience is provided.
Introduction
The processing industry places a major emphasis on operating safely and avoiding
incidents. However, there are inherent risks in processing large amounts of hydrocarbons.
Process safety management programs are intended to mitigate but cannot completely
eliminate these risks.
Process safety management has many facets, including:
Designing plants for safe operation, including specific HAZOPs and safety reviews;
Sophisticated monitoring, control, interlock, and safety instrumented systems (SIS);
Proper maintenance, management of change, and periodic safety reviews;
Hiring and training of qualified supervisory, maintenance, and operating personnel;
Accurate, well-thought-out operating and maintenance procedures; and
Incident investigation and directed remedial actions.
treated as somewhat of a black box. As such, it represents a gap in the knowledge of some
operators and engineers.
Various examples are used in this paper to illustrate situations in which the design,
configuration, and/or operation of a control system contributed to, or increased the
severity of, a safety incident. Non-essential details of the specific incidents have been modified
or removed in constructing these examples, so that the plants where they occurred cannot be
identified. In some cases the same incident has occurred in multiple plants, and a composite
example was created to present the key principles and details.
To learn from safety incidents, they need to be thoroughly investigated and properly
understood. Assuring impartiality and accuracy is vital. In addition to describing several
safety incidents, this paper takes the reader through a fault tree analysis of one of the
incidents to show how its root causes were determined.
Incident Investigation
The discussions of the safety incidents in this paper are the result of incident
investigations. Before describing the incidents themselves, a few words will be said about the
investigation process.
After an incident is reported, a diverse group should be assembled to conduct the
investigation. The group should include a process engineer familiar with the design, an
operator/engineer familiar with the specific plant operations involved, a process control
engineer, an instrument engineer, and a coordinator who has a wide range of
operations/design experience.
There are four basic steps in an incident investigation:
1. Recognizing that an incident has occurred
2. Gathering data
3. Analyzing the cause of the incident
4. Preparing the report
It is important to avoid pre-judging the incident or jumping to conclusions. Certain
structured techniques can be vital in avoiding this pitfall.
There are over 25 specific techniques listed in the literature (3) that might be relevant to
incidents in petrochemical plants. They fall into the following categories:
Brainstorming
Timeline / sequence diagram
Causal factor identification
Checklists
Pre-defined trees
Logic trees
While many methods can be successful, the following stepwise approach appears to work
well for the type of incidents the industry deals with:
Brainstorming
Timeline / sequence diagram
Fault tree analysis
Final timeline / sequence diagram
Report and recommendations
A relatively simple incident (Incident 1) is analyzed below using this approach. The incident
resulted in a fire underneath a heater, which caused significant damage. Additionally, three
other incidents are described in less detail to demonstrate the role of the automation system in
plant safety incidents.
[Figure: simplified heater schematic for Incident 1 showing Feed, BFW, Dilution Steam, Steam, TCV, QO, TIC, TLV, Effluent and Decoke Valve, with an incident timeline marked at 15, 20 and 26 minutes.]
The incident began with the observation of smoke from a heater stack and smoke in
the area of the TLE platform. The operator tried adjusting the damper, but the smoke
continued. Assuming a coil rupture or some other significant problem, the operators withdrew
feedstock from the heater in preparation for isolation and shutdown.
The board operator closed the temperature control valves that fed quench oil (QO) to
the heater quench nozzles. He then asked the field operator to close the QO block valve.
However, the field operator could not reach the local push button because of the smoky
conditions.
The QO flow still showed a low positive reading so the operator checked that the
control valve outputs were zero. The outputs were -5%, so he assumed the flow rate shown
was the result of a calibration error. He and his supervisor then decided to proceed with the
shutdown and isolation of the heater.
The main transferline valve (TLV) was normally interlocked with the QO block valve, but
because this interlock had caused issues on this heater due to valve positioner problems on
the TLV, it was disabled. The operator was therefore able to close the TLV with the QO valve
open, resulting in the opening of the decoke valve. A short period later the field operators
reported a fire under the heater. Recognizing the possibility that QO might still be flowing to
the fitting and then to grade through the firebox, the operator opened the TLV again.
Eventually the plant was shut down and the QO pumps were tripped.
A fault tree diagram was constructed for this incident, and is shown below.
[Figure: fault tree for Incident 1. Top event: FIRE UNDER HEATER, with branches POSITIVE FBX PRESSURE and LIQUID AT GRADE. Node labels recovered from the figure: DAMPER CLOSED, FAN STOPPED, REDUCED FAN SPEED, LEAK FROM TANK, QUENCH OIL LEAK TO GRADE, LIQUID FEED LEAK, LIQUID FUEL TO BURNER, LIQUID LEAK INTO FUEL SYSTEM, QUENCH OIL AVAILABLE, HOLE IN PIPE, CORROSION, PATH TO FIRE, LEAK IN FLANGE, INVENTORY, QUENCH OIL ON, QUENCH OIL TCV OPEN, QUENCH OIL BLOCK VALVE OPEN, MECHANICAL DAMAGE, PUMP ON, CONTROL SYS OPENS VALVE, APPEARS CLOSED BUT IS MISCALIBRATED, VALVE IS DAMAGED, PATH TO FIREBOX, EXTERNAL TUBE LEAKS, branch A, RADIANT TUBE RUPTURE, DECOKE LINE, DECOKE VALVE OPEN, AGE, CGC TRIP, TLV + DECOKE CLOSED, OVERHEAT, OVERPRESSURE, TLE TUBE BLOCKED, TRIP, DV LEAK, THERMAL SHOCK, RADIANT TUBE BLOCKED, DS DRUM OVERFLOWS, WATER TO HEATER.]
The ultimate incident was a fire under the heater. This event therefore became the
starting point for the fault tree. The first step was to determine what type of fire occurred. The
seemingly obvious conclusion that the fire resulted from QO was initially discarded to ensure a
thorough investigation.
A fire observed under a heater could be a liquid fire, or gas flames emanating from the
firebox as the result of positive pressure. The firebox pressure was slightly positive near the
top of the box, causing smoke to be emitted in the TLE area. However, substantial flames
from the heater bottom would require a fully positive box. No induced draft (ID) fan or other
issues were detected. Based on this analysis and the operator descriptions, it was concluded
that the fire was caused by liquid under the heater.
Five causes for flammable liquid under the heater were considered. Three were quickly
discarded and only a quench oil leak and a liquid feed leak were pursued further. The feed
leak option was soon eliminated, leaving a QO leak as the most likely cause.
For a QO leak to have caused the observed fire, two things had to be true:
1. The quench would have to be on (pressurized); and
2. A path would need to exist for QO to reach grade under the heater.
For the QO to be on, all of the following had to be true:
Initially, the last item appeared to be false. QO would flow if any of the following were true:
The TCVs leaked because they had been eroded by coke fines in the QO; or
The control system had been switched back into automatic causing the TCVs to open;
or
The system was mis-calibrated so the valve was, in fact, open when the controller
output was zero or even less.
The last item was found to be true. The TCVs passed about 10% of the QO flow when
indicating closed as a result of a calibration error. The QO block valve had always been used
on previous shutdowns, so this had not been noticed earlier.
Having established that the QO was flowing, the next step was to determine a path to the
bottom of the heater. Following the fault tree branch marked "Path to Fire" leads to two
possible routes:
1. An external QO pipe rupture or leak; or
2. Through the firebox via a tube rupture or other route.
An external leak was considered using the same logic as the branch marked "A" under
"Liquid Feed Leak" and discarded as a cause.
The QO could reach the firebox through a radiant tube rupture or via the decoking line. All
reasons for a radiant tube rupture were discarded except overpressure and thermal shock.
Overpressure and/or thermal shock were apparently the result of a TLE tube leak.
However, the other path (through the decoke valve) was also available later in the
incident. Based on the timing of the fire, the decoke valve was the actual path for the QO to
the firebox and ultimately to grade.
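As an added example (our code, not the paper's), the AND/OR relationships stated in the walkthrough above can be written down as a gate table, the minimal cut sets computed mechanically, and the result compared with what the investigation established. The three inputs of "quench oil on" (pump on, block valve open, TCV passing flow) are taken from the figure's node labels because the list is missing from the text; all event names are ours.

```python
from itertools import product

# Fault tree for Incident 1 as an AND/OR gate table.  Gate inputs follow the
# statements in the walkthrough above; the three inputs of "qo_on" are taken from
# the figure's node labels (assumption).  Names not in TREE are basic events.
TREE = {
    "fire_under_heater": ("OR", ["positive_firebox_pressure", "liquid_at_grade"]),
    "positive_firebox_pressure": ("OR", ["damper_closed", "fan_stopped", "reduced_fan_speed"]),
    "liquid_at_grade": ("OR", ["leak_from_tank", "qo_leak_to_grade", "liquid_feed_leak",
                               "liquid_fuel_to_burner", "liquid_leak_into_fuel_system"]),
    "qo_leak_to_grade": ("AND", ["qo_on", "path_to_fire"]),
    "qo_on": ("AND", ["pump_on", "qo_block_valve_open", "tcv_passing_flow"]),
    "tcv_passing_flow": ("OR", ["tcv_eroded", "control_system_opens_tcv", "tcv_miscalibrated"]),
    "path_to_fire": ("OR", ["external_qo_pipe_leak", "path_to_firebox"]),
    "path_to_firebox": ("OR", ["radiant_tube_rupture", "decoke_valve_open"]),
    "radiant_tube_rupture": ("OR", ["tube_age", "tube_overheat", "tle_tube_leak"]),
}

# What the investigation established (True = shown present, False = discarded).
INCIDENT_EVIDENCE = {
    "pump_on": True, "qo_block_valve_open": True, "tcv_miscalibrated": True,
    "decoke_valve_open": True, "tle_tube_leak": True,
    "tcv_eroded": False, "control_system_opens_tcv": False, "external_qo_pipe_leak": False,
    "damper_closed": False, "fan_stopped": False, "reduced_fan_speed": False,
    "leak_from_tank": False, "liquid_feed_leak": False, "liquid_fuel_to_burner": False,
    "liquid_leak_into_fuel_system": False, "tube_age": False, "tube_overheat": False,
}


def minimal_cut_sets(node):
    """Return the minimal sets of basic events that are jointly sufficient for `node`."""
    if node not in TREE:                       # basic event
        return [frozenset([node])]
    gate, children = TREE[node]
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":                           # any one child suffices
        sets = {s for cs in child_sets for s in cs}
    else:                                      # AND: one cut set from every child
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only minimal sets: drop any set that strictly contains another
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)


def satisfied_cut_sets(cut_sets, evidence):
    """Cut sets whose every basic event the evidence marks True (unknown counts as False)."""
    return [sorted(s) for s in cut_sets if all(evidence.get(e, False) for e in s)]


def top_event_explained(evidence):
    """True if at least one minimal cut set is fully supported by the evidence."""
    return bool(satisfied_cut_sets(minimal_cut_sets("fire_under_heater"), evidence))


if __name__ == "__main__":
    cuts = minimal_cut_sets("fire_under_heater")
    print(f"{len(cuts)} minimal cut sets for 'fire_under_heater'")
    # Both surviving explanations share the calibration error; the tree alone cannot
    # choose between the decoke-valve path and the ruptured-tube path, which is why
    # the timeline (TLV closure versus time of the fire) is needed as well.
    for cs in satisfied_cut_sets(cuts, INCIDENT_EVIDENCE):
        print("consistent with evidence:", " AND ".join(cs))
```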
A leak occurred in a transferline exchanger (TLE) allowing boiler feed water (BFW) to
enter the inlet cone, placing back pressure on the furnace coils feeding that TLE. The higher
back pressure persisted for over a shift but went unnoticed by the operators. The leak
worsened, causing a furnace radiant tube to rupture as a result of back pressure and/or
thermal shock.
Hydrocarbon vapors back-flowed from the process into the firebox via the ruptured
tube, causing a smoky condition in the heater area. The vapor flow rate was, however,
insufficient to entrain QO, which continued to drain forward into the main transferline.
When the board operator closed the TLV, this automatically opened the decoking valve
leading to the firebox. The QO ignited in the firebox and flowed to grade.
The investigation showed that the QO valves were calibrated incorrectly, so while the
distributed control system (DCS) indicated that the valves were closed, they were not. If the
QO flow had been stopped, the damage would have been limited to the ruptured coil. The
pool fire that resulted from the backflow of QO caused much more significant damage.
The lessons learned or reinforced are:
QO and TLVs should have local and remote push buttons. The wiring should be suitably
fire resistant.
Assuming tight shut-off using only process valves is risky. Calibration errors, as in this
case, or erosion can allow substantial flow to continue.
Even when there is actually no flow, flow meters sometimes show readings. These false
readings should be investigated and fixed. False readings of any type can train
operators to ignore important information.
Actions normally prohibited by interlocks should not be undertaken even if the interlock
is temporarily out of service.
Experience with incident analysis at Lummus has shown that no method can replace
knowledge, experience, and thoroughness. However, structured methods can help even the
most expert teams stay organized and focused. Overall, incident investigation remains a
difficult task with no simple formula for success. At the risk of reducing a complex subject to a
list of simple key dos and don'ts, the following lessons learned are offered:
Do explain all variations from normal. Declaring data as bad is too often a substitute
for thinking.
Do investigate all possibilities, even those that may seem remote at first.
[Figure: heater fuel control scheme. Elements shown: Heater Firebox; fuel lines To Primary Burner Tips and To Secondary Burner Tips; set-point From Avg. COT Controller; Heat Duty Calculation (QY); Heat Duty Controller (QC, with SP and PV); Low Fuel Pressure Override Controller (PC); high signal selector (>); fuel FI and AI (Note 2); Emergency Shutoff Valve on the total fuel and a second Emergency Shutoff Valve on the secondary fuel line; fuel Control Valve (Note 1).]
Note 1: The fuel gas flow is compensated for temperature and pressure. If the AI is a molecular weight measurement, then the FI is also compensated for MW.
Note 2: The AI may be either a Wobbe meter or a molecular weight measurement.
The fired duty (which is a function of the fuel flow rate and the fuel heating value) is
adjusted to maintain the desired coil outlet temperature. The fuel control strategy includes a
low pressure override controller that is intended to prevent the fuel heat duty controller from
reducing the fuel pressure at the burner to a value that is less than the fuel pressure required
for flame stability.
The flow of fuel to the burners is split (after the low pressure override measurement)
between primary burner tips and secondary burner tips in order to stage the combustion of
the fuel to produce lower NOx emissions. Typically, the primary fuel represents approximately
1/3 of the total hearth fuel duty. (Note that some heaters also have wall burners that provide
additional duty.)
There is an emergency shutoff valve on the total hearth burner fuel, but there is also an
emergency shutoff valve on the secondary fuel line. This additional emergency shutoff valve
allows the heater to trip to a low-firing condition by closing secondary fuel. This partial trip
consists of:
A partial trip occurs under certain circumstances to maintain the heater in a hot state for
a rapid restart.
This incident was initiated when the secondary fuel emergency shutoff valve shut due to a
malfunction. This led to the following sequence of events:
The heater coil outlet temperatures (COTs) decreased due to the lower firing
rate, which caused the temperature controller to increase the set-point to the
heat duty controller.
As the output of the heat duty controller increased (in an attempt to increase the
fuel flow and maintain COT), the output of the low pressure override controller
tracked the increase. DCS signal selectors normally are configured with a
tracking feature (typically called external feedback) that forces the non-selected
controller output to track the output of the selected controller (see figure below).
This is done to prevent the non-selected controller output from "winding up or
down." Therefore, the non-selected controller is always able to respond quickly if
an override is required.
Upon seeing that the COTs were dropping while the heat duty controller output
was increasing, the operator mistakenly assumed that the firebox was starved
for oxygen and opened the ID fan damper.
The sudden increase in air from opening the damper caused a sudden increase
in air flow to the firebox, pushing hot gases from the firebox into the convection
section that increased the steam superheater outlet temperature. This caused
the high steam temperature interlock to initiate a partial trip sequence for the
heater.
Feed was stopped, the dilution steam flow went to high steam standby
conditions, and the set-point of the heat duty controller was reduced to partial
trip firing rate. When the heat duty set-point was changed dramatically from a
normal value to the low partial trip value, the heat duty controller output
decreased dramatically also. The output of the low fuel pressure override
controller, which had tracked up to a value of 100%, was selected by the
override selector.
The low fuel pressure override controller was incorrectly tuned very slowly with
very little integral action. As a result, its output remained near 100% and only
decreased slowly. Therefore, the heater continued firing at a rate that was far
too high for the partial trip conditions with no feed.
The heater coils overheated and one ruptured due to high temperature. Backflow of
process gases from the transferline into the firebox provided even more energy and then
overheated the convection section. This resulted in significant damage to the heater.
In this specific example, while the improper tuning of the low fuel pressure override
controller did not initiate the incident, the analysis showed that improper tuning of the
controller contributed to the severity of the event.
The lesson learned is that even something as seemingly innocuous as the tuning
constants of a controller can result in or contribute to a disaster if the full implications of the
control loop objectives and operation are not properly understood.
Lummus Technology's Plant Performance Improvement (PPI) Group has performed
numerous control system rectifications (i.e., controller retuning, configuration testing and
correction, etc.). Lummus has found override controllers to be improperly tuned, improperly
configured (i.e., no external feedback, leading to windup and slow override response), or
simply turned off. While most of these cases result in limited exposure to risk, as this example
illustrates, it is essential to operate the plant controls in the manner in which they were
intended, to ensure that risk is minimized.
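As an added example (our code, not the paper's), the following simulation reproduces the mechanism described above: a high signal selector between the heat duty controller output and the low fuel pressure override output, with external feedback so that the non-selected controller tracks the selected one, and a sluggishly tuned override that keeps firing high after the partial-trip set-point drop. The plant model (burner pressure linear in valve output, a 10 kPa minimum, the duty controller trajectory and both tuning sets) is constructed for illustration only.

```python
# Constructed plant model (assumptions, not data from the paper): burner pressure is a
# linear static function of fuel valve output; the override set-point is 10 kPa.
P_MIN = 10.0   # kPa, low fuel pressure override set-point (flame stability limit)
K_P = 0.5      # kPa of burner pressure per % of fuel valve output


class OverridePI:
    """PI controller with anti-windup and external feedback (tracking)."""
    def __init__(self, kc, ti):
        self.kc, self.ti, self.integ = kc, ti, 0.0

    def compute(self, err, dt):
        self.integ += self.kc * err * dt / self.ti
        out = max(0.0, min(100.0, self.kc * err + self.integ))
        self.integ = out - self.kc * err      # back-calculation keeps integral consistent
        return out

    def track(self, selected_out, err):
        # External feedback: while not selected, reset the integral so this controller's
        # output equals the selected signal and it can take over without a bump.
        self.integ = selected_out - self.kc * err


def duty_controller_output(t, t_trip):
    """Constructed heat duty controller output (% valve): ramps toward 100 % while the
    secondary fuel valve is shut and COT falls, then steps to the partial-trip value."""
    return min(100.0, 60.0 + 40.0 * t / t_trip) if t < t_trip else 20.0


def simulate(ovr_kc, ovr_ti, dt=1.0, t_trip=300.0, t_end=6000.0):
    """High select (">") of duty output and override output, one step per dt.
    Returns a log of (t, duty_out, override_out, selected_out)."""
    ovr = OverridePI(ovr_kc, ovr_ti)
    u = 60.0
    ovr.track(u, P_MIN - K_P * u)
    log, t = [], 0.0
    while t <= t_end:
        duty = duty_controller_output(t, t_trip)
        err = P_MIN - K_P * u                  # positive only when pressure is too low
        raw = ovr.compute(err, dt)
        if raw >= duty:                        # override selected
            u, ovr_out = raw, raw
        else:                                  # duty selected; override tracks it
            u = duty
            ovr.track(u, err)
            ovr_out = u
        log.append((t, duty, ovr_out, u))
        t += dt
    return log


def handback_time(log, t_trip=300.0, threshold=30.0):
    """Seconds after the partial trip until the selected fuel demand falls to threshold."""
    for t, _, _, u in log:
        if t >= t_trip and u <= threshold:
            return t - t_trip
    return None


def excess_firing(log, t_trip=300.0):
    """Fuel demand above what the duty controller asked for after the trip (%-seconds)."""
    return sum(u - duty for t, duty, _, u in log if t >= t_trip)


if __name__ == "__main__":
    for label, kc, ti in (("slow override (kc=0.2, ti=100 s)", 0.2, 100.0),
                          ("responsive override (kc=1.0, ti=5 s)", 1.0, 5.0)):
        log = simulate(kc, ti)
        print(f"{label}: override tracked to {log[299][2]:.1f} % before the trip, "
              f"hand-back after {handback_time(log):.0f} s, "
              f"excess firing {excess_firing(log):.0f} %-s")
```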
This incident was initiated when a furnace was in high steam standby mode and an
operator was trying to increase the COT prior to bringing in the hydrocarbon feed. The
operator adjusted the fuel control valve in manual mode to try to speed up the procedure.
During this operation, there was an unrelated upset in the plant. A low temperature safety
system at the coldbox outlet tripped and flared the plant-produced fuel, which caused a high
molecular weight back-up fuel to replace the normal fuel gas.
Higher molecular weight fuels have higher heating values. Since the fuel valve was in
manual mode, the valve opening remained constant thus letting in the same volume of fuel,
resulting in a higher mass flow for the back-up fuel gas. The combination of these effects
resulted in almost tripling the firing rate. At the same time, the operators were now distracted
by a plant-wide upset.
The heater operator reduced the fuel valve output. However, since he was not fully
aware of the coldbox upset, distracted by upsets in other furnaces, and did not know that the
plant was now on 100% back-up fuel, he did not reduce the firing rapidly enough. In
addition, when the back-up fuel entered the furnace, there was not sufficient air to burn all
the fuel and we suspect that the operators saw smoke. At that point, it appears (the data are
incomplete) that he opened the damper and the COT started increasing very rapidly. The
furnace over-fired for about 10 minutes. Both the radiant coil and convection section were
damaged. No injuries occurred.
Manual operation of the fuel gas valve is particularly dangerous during any steam-only
operation. During steam standby or decoking operation, the furnace is operating with high
excess air due to limitations in turndown of the control dampers. At this time, there is
generally enough excess air to burn substantially more fuel than required and there is no
hydrocarbon in the coil to absorb the additional heat input by cracking. However, manual
operation of the fuel gas valve is also dangerous during normal operation. In this case, there is
typically insufficient air to ignite all the fuel in the burners. Unburned fuel may ignite in the
convection section where there is air leakage, resulting in locally intense temperatures.
The graphs below provide an accounting of the sequence of events:
[Figure: trends for Incident 3. Upper panel: Firing (Nm3, 0 to 2500) and Draft (-12 to -2) versus time (0 to 25 minutes). Lower panel: fuel MW (20 to 36) and COT (500 to 1300) versus time (0 to 25 minutes).]
The furnace should be operated with the Wobbe Meter or molecular weight analyzer as
an active part of the control system.
When it is absolutely necessary for the operator to take direct control of the furnace
firing, this should be done by breaking the TIC to heat duty controller (QIC) cascade
and inputting a set-point into the QIC. Should the fuel composition change, the control
system will attempt to maintain the heat input specified by the operator.
The one exception to the recommendation above would occur when the firing rate is
below the acceptable turndown for the fuel flow measurement (i.e., the fuel flow
measurement is not reliable). In this case, the fuel should be controlled on pressure (to
protect against fluctuations in fuel gas pressure and non-linearity of the fuel gas valve)
and the operator should closely monitor the fuel heating value measurement.
An alarm should be provided to indicate when the back-up fuel has begun to flow and
the operators should be trained to understand all the potential issues.
Once the liquid level reaches the top tap, the level instrument will not register any
further rise in level. As the level rises above the top tap, the increase in pressure caused by
the weight of the liquid will cause the pressure at the top and bottom tap to rise by the same
amount. The differential pressure will not change and the instrument will interpret this as no
change in level. Therefore, the instrument will maintain a constant reading while the vessel is
actually over-filling. This is illustrated in the diagram below.
The reading that will be displayed will depend on the calibration of the level indicator.
For example, assume that the level was calibrated to read 100% when the top tap was
reached based on a liquid specific gravity of 0.5. If the actual liquid gravity were 0.45, the
level would read 90% when the level reached the top tap. If the level continued to rise, the
reading would remain essentially constant at 90%. This is depicted in the figure above. Note
that some drift is possible (see explanation below). If the actual liquid had a higher specific
gravity than the calibration basis of the level indicator, the reading would exceed 100%.
If the density of the liquid between the taps changes as the result of heating or cooling,
the level reading would rise or drop in response. These changes would normally be small but
could be interpreted by the operator as the level indicator functioning normally.
The following diagram illustrates a simulated trend display for a level measurement
that exceeds its top measurement tap. The telltale sign of this condition is the abrupt change
in slope of the line from nearly vertical to horizontal as the level passes the top tap. In reality,
the level is changing according to the red line, but the DCS is only capable of displaying the
blue line. This can be misleading for the operators. If you have observed a level trend that
looks similar to the blue line, it is likely that the level has exceeded its top tap. If the trend
remains horizontal and near its high end of range for a long period of time, the true level
might be significantly higher than you think. Operating levels well beyond their intended
limits can lead to safety issues.
[Figure: simulated level trend, Level (%) from 60 to 120 versus Time (minutes). The "Displayed" line flattens when the level reaches the top tap, while the "Actual" line continues to rise.]
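As an added example (our code, not from the paper), the following reproduces the calibration arithmetic above, generates the flattened trend from a constructed rising level, and implements a simple trend check of the kind a DCS could run to flag the telltale slope collapse. The 85 % band, the 0.1 % flatness tolerance and the ten-sample window are assumed thresholds.

```python
def dp_level_reading(level_pct, sg_actual, sg_cal):
    """Displayed level (%) from a differential-pressure transmitter whose taps span
    0..100 % of the calibrated range.  `level_pct` is the true level in the same units
    and may exceed 100 when the vessel over-fills: the wetted height between the taps
    cannot exceed the top tap, so the reading saturates there.  The reading scales with
    the ratio of actual to calibration specific gravity."""
    wetted_pct = min(max(level_pct, 0.0), 100.0)
    return wetted_pct * sg_actual / sg_cal


def simulate_trend(minutes, rise_pct_per_min, sg_actual, sg_cal,
                   start_pct=60.0, sg_drift_per_min=0.0):
    """Constructed trend: the true level rises linearly through the top tap; an optional
    slow density change reproduces the small drift mentioned in the text.
    Returns (actual, displayed) lists sampled once per minute."""
    actual, displayed = [], []
    for m in range(minutes + 1):
        level = start_pct + rise_pct_per_min * m
        actual.append(level)
        displayed.append(dp_level_reading(level, sg_actual + sg_drift_per_min * m, sg_cal))
    return actual, displayed


def flat_high_trend_alarm(displayed, high_band=85.0, flat_tol=0.1, min_flat_samples=10):
    """Flag the telltale pattern: the displayed level sits in the upper part of the range
    and its slope collapses to ~0 for at least `min_flat_samples` consecutive samples.
    Returns the sample index at which the alarm would fire, or None.  A genuinely
    steady high level produces the same pattern, so the alarm is a prompt to verify the
    level independently, not proof of over-filling."""
    flat = 0
    for i in range(1, len(displayed)):
        if displayed[i] >= high_band and abs(displayed[i] - displayed[i - 1]) <= flat_tol:
            flat += 1
            if flat >= min_flat_samples:
                return i
        else:
            flat = 0
    return None


if __name__ == "__main__":
    # Worked case from the text: calibrated for SG 0.5, actual liquid SG 0.45.
    print(dp_level_reading(100.0, 0.45, 0.5), "% displayed at the top tap")
    print(dp_level_reading(130.0, 0.45, 0.5), "% displayed at 130 % true level")
    actual, shown = simulate_trend(40, 2.0, 0.45, 0.5)
    i = flat_high_trend_alarm(shown)
    print(f"alarm at minute {i}: displayed {shown[i]:.1f} %, actual {actual[i]:.1f} %")
```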
The combination of added mass flow overhead and the two-phase flow resulted in
back-pressure on the tower that caused the PSVs to lift. No equipment damage or injuries
occurred.
High liquid levels have occurred in many ethylene plant towers as a result of similar
phenomena. While most were non-events, a few have resulted in tray damage.
CONCLUSION
Hundreds of incidents have been analyzed and much data amassed on causes and
prevention. Experts in the field have offered substantive advice on prevention of incidents. The
role of the process control system, however, has not been emphasized enough in the literature. The
purpose of this paper is to show the importance of a full understanding of the various control
systems by plant engineers and operators, as well as the need to use a structured
approach to incident analysis.
Notes:
1. C. MacKenzie and D. Hohnstrom, "Investigating Beyond the Human Machinery: A Closer Look at
True Accident Causation in High Hazard Industries," AIChE EPC, April 2008.
2. D. Gent, "Reflections on 20 Years of EPC Safety," AIChE EPC, April 2008.
3. Guidelines for Investigating Chemical Process Incidents, Second Edition, CCPS (Center for
Chemical Process Safety), 2003.