Major Hazard Accidents - importance of liquid level control
Posted By jom
In the last decade, the world's petrochem industry has suffered three major, high profile accidents involving loss of containment of hydrocarbons and fire:
Longford, Australia, 1998
Texas City, USA, 2005
Buncefield, UK, 2005
These are by no means the only major accidents in the process industries in that period, but they stand out because they have been intensely investigated in public fashion. The investigation outcomes have been influential in advancing Process Safety.
Much focus has been on the deficiencies of management in delivering Process Safety at these plants, and on organisational failings, rather than technical or engineering failings.
That is valid and important, but I've wondered if it takes our attention away from more simple things - the "nuts and bolts" issues of engineering, operation and maintenance.
For each of these three accidents, a critical and essential step in the accident process was loss of control of the level of a liquid hydrocarbon in a vessel.
In each case, physical components of the level control system had failed or were disabled, and this was known at the time.
What if the level control systems had been fully functional? The accidents would not have occurred.
The Process Industries pay great attention to pressures in vessels - the dangers are obvious. Perhaps liquid level control should be elevated to a level of importance alongside pressure control.
The ways in which loss of liquid level control leads to a catastrophic accident can be varied and subtle, but these three accidents tell us how terrible the consequences can be.
Perhaps we should have regulations that make it illegal to operate certain vessels without fully functional level control systems.
Interested in any thoughts....
John.
Posted By jom
Just come across a new phrase:
"significant patterns of meaning"
Brilliant!
John.
Posted By Jay Joshi
It is pointless to have all manner of prescriptive legislation based on an immediate cause of the accidents that had a multitude of root causes--where does one stop??
One should not concentrate on a single control parameter, but on the "system". It is all about HAZOP/FMEA etc and most importantly, recognising even with a high degree of automation, there will be humans involved. It is the human interface that matters.
Posted By Jay Joshi
If anyone has indeed been involved in process plant control systems, it will be obvious that there will be instances when some measurement/control parameter may not be "fully functional". In most cases, there will be identification of "critical systems" and procedures in place if the critical system is either taken offline or not fully functional. Many critical systems have in-built redundancy so that if one level sensor fails, another independent one is available and so on. That is why the HSE Human Factors Inspectors have taken action at Fawley Refining and Chemical Complex--refer to: http://www.dailyecho.co....s_at_fawley_refinery.php
Posted By Guderian
We do have legislation to cover level switches in hydrocarbon tanks etc. It's called the Health & Safety at Work Act:
Safe plant & equipment
Safe systems of work
Safe maintenance etc.
You then need to work to current recognised best practice for your industry following (in this case) probably API guides or IP guides, HSE guidance etc.
Obviously COMAH/DSEAR etc. as well.
As if you didn't know this of course.
Hazops are ok, but time consuming, and quality can vary a lot depending upon the skills/experience of the team members taking part etc. Oh, and also the cash for the recommended process improvements afterwards.
Posted By Pete48
With respect to previous replies. We need to remember that not all contributors work in the UK. I read John's question as being about raising the stakes on liquid level control and he gave pressure controls as the comparator. I think that is an interesting question to pose. We all know that we have engineering standards and laws that govern all such manner of things and we also know that they fail for all sorts of reasons. What may not be so apparent, to those who do not operate large capacity, high volume, multi-feed storage facilities such as Buncefield once was, is that almost total reliance has come to be placed on what are really quite mundane, or at least mechanically simple, level controls cross linked into computer software. Control room staff, sometimes hundreds of miles away, work without seeing or feeling the systems other than on their PC screens. They often have little or no activity other than safety critical interventions. Nothing wrong with that, per se, but have safety critical standards really kept pace on liquid level instrumentation and operational procedures? Perhaps a strengthening of the regulations in this regard would at least make it less likely that cost and other expediencies erode the application of the engineering integrity standards. After all, in the UK we have a history and many examples of specific regulation on matters relating to inspection and thorough examination of safety critical kit.
Posted By jom
Jay,
Thanks for replying. I understand much of what you say. But we are still stuck with the quandary of why these three accidents happened to totally competent and safety conscious companies.
It's worth exploring new ideas, don't you think?
> It is pointless to have all manner of prescriptive legislation based on an immediate cause of the accidents that had a multitude of root causes--where does one stop??
Actually, when you put it as simply as that, the answer is "YES". If we identify the immediate causes of accidents, why wouldn't we choose to introduce specific regulations addressing those causes?
> One should not concentrate on a single control parameter, but on the "system".
But failure of liquid level control was implicated in all three of these accidents. Doesn't it follow that we should focus on that control parameter?
John.
Posted By Tony abc jprhdnMurphy
Jom
I worked on Petro Chem project after the Texas incident and was asked to comment on the significant findings. I was also asked to undertake a review and comment on general perceptions and learning patterns. What I found amazing was that people situated inside the blast zone/critical area had no need to be there. Consequently there was a recommendation made where administrators and other non critical personnel should be housed in safe areas, and taken inside these critical areas only when necessary. In fact given the level of IT technology there is absolutely no need for people to be anywhere near the site, unless their remit calls for it. When I spoke to the client he could not comprehend this simple assessment and said that it would be easier to build blast resilient buildings. I no longer work in Petro Chem
Posted By Robert K Lewis
jom
There is already a requirement to adequately maintain in the UK and I suspect other jurisdictions have similar requirements. Failures are therefore always as a result of a breach.
In the UK the Buncefield case is interesting as the HSE did issue "a warning" concerning the manner in which the level alarms were maintained and put back into service. Apparently the mechanism was not being padlocked back into place as specified by the manufacturers, with the consequent false low reading/non-reading. The HSE have issued formal guidance concerning competence management in the design, manufacture, installation, maintenance, repair, management and ownership of ALL safety critical and computer operated safety control systems. Unfortunately only the draft was circulating pre-Buncefield.
I might suggest that if such a system had been in place then the level failure would not have occurred. One will never know. Certainly the probability of failure would have been significantly reduced.
Bob
Posted By anon1234
Tend to agree with Jay; properly conducted HAZOP and FMEA should ensure these issues are identified and appropriate controls/redundancy put in place. I guess that then leaves the question about disabling interlocks/controls due to faults with the system, i.e. should you operate the process when a known control mechanism is not working (be it level controls, alarms, interlocks, etc.). The number of systems you can allow to be non-functioning is then related to the number of redundant systems available and the severity of the consequences - i.e. it is nearly a case by case basis. However, as an absolute minimum, using level control as the example - if level control is a critical safety requirement then you must have a functioning level controller and an independent level alarm/interlock/shutdown.
Posted By Robert K Lewis
Strange thing about Buncefield is that a simple mass audit by the refinery feeding the tank would have said that something was wrong, as they had pumped more than the tank volume without the level changing.
Was it simply wishful thinking that there was a tank of infinite volume to which they were feeding? We have heard an awful lot about the post overflow - prevention of fire, detection of vapours - but very little about prevention of overflow.
The management of tank filling operations was sadly deficient; even with the failed level alarms the incident was totally detectable and thus avoidable. HSE however seemed too concerned about possible fallout to say this too loudly.
Bob
Posted By Pete48
Bob, I totally agree with your last comment. However, the number of operating companies and boundaries were very relevant with regard to your points. This was not a simple "in/out measure it" situation. Buncefield was a multi-feed, multi-operator site supplied by pipeline networks operated by others. No doubt much of the control would be vested in computer aided control systems with a varying degree of operator interventions at various points along the transfer route. The fact that a supercritical safety device such as the high-level emergency shut off system did not work when required does strongly suggest that a number of lower status controls must have:
- been poorly designed (which I doubt)
- failed on demand
- been out of service, over-ridden or ignored
- been compromised by pressure on costs or time.
Posted By Pete48
Sorry, pushed the wrong button and lost this bit of my last posting.
So even though the failure of the safety shutdown system was the final cause of the overspill I agree that much has yet to be explained as to why it was called to operate. I can better understand why the control room staff would not have necessarily had "alarm" bells ringing in their minds if not on their control panels. Some of the movements can be quite complex and take place over hundreds of miles into many receiving stations, therefore there is a natural reliance on the technology to "wake up" the control room staff when they need to do something.
Posted By jom
Is it likely that a report completely detailing the accident process will be made public?
Is there any legislated requirement to do so?
John.
Posted By garyh
I have a different track to go down.
Buncefield was a higher tier COMAH site; it would have had a safety report accepted by the competent authority (HSE / EA).
As posters above have stated, the DISASTER (not the initiating incident) had a number of causal factors.
Therefore, either:
- The COMAH report was inadequate (in which case why did the HSE / EA not spot this), or
- Buncefield was operated in a different way to that contained in the COMAH report (but this brings us back to redundancy in systems and predicted failure rates, part of the COMAH process), or
- The COMAH process has not in fact done the business.
At the end of the day, prime responsibility is with the operator. However, we never hear about any accountability from HSC/HSE/EA re the regs themselves or the way that they have enforced them.
As for specific regs re level controls, IMHO, NO NO NO NO NO NO!!!
We should never advocate knee jerk fixes like this. Having produced COMAH safety reports myself, it is precisely this type of issue that you have to address in the COMAH report process. Something went wrong in the COMAH process itself.
Who really thinks that another reg (concerning level devices) would have actually made a difference? Not all regs are complied with!
I believe that we need less regs, not more, that should be focused and enforced by experienced and (helpful) HSE and EA personnel. More regulation, IMHO, does not lead to better safety.
Posted By jom
"We should never advocate knee jerk fixes like this."
Gary,
With respect, these three accidents are now years in our past, so discussing level control failure now is hardly a knee-jerk response, is it?
Perhaps it doesn't matter if regs are applied or other rules are enforced.
Let's boil it down to a simple proposition:
A process vessel containing hydrocarbons has non-functioning level control components, and this is known.
Do you tell the operators it is okay to operate that vessel?
John.
Posted By Robert K Lewis
Pete48
Yes there were many feed lines and operators. However the transmitting control room knew precisely the tank they were filling, had a relay of the level alarms and indicators at their end of the pipeline and knew how much they were pumping and for what length of time. No movement on level indicators should have indicated a problem; pumping twice the total volume of the tank should also have provided a good indication that the situation needed to be formally reviewed before continuing to pump to that tank.
Over reliance on alarms can take away the vital need for human intervention. Trained monkeys cannot run petrochem facilities; there is always a need to check and evaluate the information provided by the instrumentation. If a situation occurs that is not built into the normal alarm programmes then automatic control will not function. The Flixborough Inquiry evidenced strange temperature and pressure fluctuations during the final start up sequence on the S25 plant. It was not in the manual, as indeed the adaptation was not there either, so there was no guide to the reason. Unfortunately at Flixborough operative attempts to control it were not enough. At Buncefield the situation was not even seen.
Bob
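Bob's point here and in his earlier post is that the pumping end knew the volume sent and could have reconciled it against the tank level. The following is an added example, not code from any poster or from the Buncefield investigation: a mass-balance check over constructed transfer records, with an independent high-level trip alongside it as anon1234 asked for. Tank geometry, trip point, tolerances and the pumping rate are all assumed values.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Tank:
    capacity_m3: float   # working capacity; anything above this overflows
    area_m2: float       # cross-sectional area: volume change = level change * area
    high_level_m: float  # independent high-level trip point, separate from the gauge

@dataclass(frozen=True)
class Sample:
    t_min: float         # minutes since the transfer began
    pumped_m3: float     # cumulative metered volume sent from the pumping end
    level_m: float       # level transmitter reading at the receiving tank

# Assumed tank geometry and trip point (constructed values, not any real tank's)
TANK = Tank(capacity_m3=6000.0, area_m2=500.0, high_level_m=11.5)

def reconcile(tank: Tank, samples: List[Sample],
              tolerance_frac: float = 0.05,
              min_volume_m3: float = 50.0) -> List[Tuple[float, str]]:
    """Reconcile metered inflow against the level-derived volume change.
    Returns (t_min, reason) alarms, each reason raised once:
      stuck_level        metered inflow and gauge disagree beyond tolerance
      overfill_by_meter  initial contents plus metered inflow exceed capacity
      high_level         independent trip point reached on the gauge reading
    """
    alarms: List[Tuple[float, str]] = []
    base = samples[0]
    initial_m3 = base.level_m * tank.area_m2

    def raise_once(t: float, reason: str) -> None:
        if all(r != reason for _, r in alarms):
            alarms.append((t, reason))

    for s in samples[1:]:
        pumped = s.pumped_m3 - base.pumped_m3
        gauged = (s.level_m - base.level_m) * tank.area_m2
        # Judge only once enough volume has gone in for the comparison to mean something
        if pumped >= min_volume_m3 and abs(pumped - gauged) > tolerance_frac * pumped:
            raise_once(s.t_min, "stuck_level")
        # The meter alone says the tank must be full, whatever the gauge claims
        if initial_m3 + pumped > tank.capacity_m3:
            raise_once(s.t_min, "overfill_by_meter")
        if s.level_m >= tank.high_level_m:
            raise_once(s.t_min, "high_level")
    return alarms

def constructed_stuck_gauge_transfer() -> List[Sample]:
    # Constructed: 500 m3/h for 9 hours into a tank at 4.0 m, gauge stuck at 4.0 m
    return [Sample(float(t), 500.0 * t / 60.0, 4.0) for t in range(0, 541, 30)]

def constructed_healthy_transfer() -> List[Sample]:
    # Constructed: same rate for 5 hours, gauge tracking the true level (1 m per hour)
    return [Sample(float(t), 500.0 * t / 60.0, 4.0 + t / 60.0) for t in range(0, 301, 30)]
```

With the stuck gauge the mismatch is flagged on the first 250 m3 pumped, hours before the meter alone shows the tank must be full; the healthy transfer raises nothing.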
Posted By Jay Joshi
There was a learning for all (including regulators) from Buncefield regarding the systematic assessment of Safety Integrity Level Assessments of critical systems using. This will ensure that the COMAH
Refer to: http://www.hse.gov.uk/co...ield/bstgfinalreport.pdf, Page 13:
"Minimum expected good practice
COMAH five-year periodic reviews of safety reports should incorporate a demonstration that:
- the overall systems for tank filling control are of high integrity, with sufficient independence to ensure timely and safe shutdown to prevent tank overflow; and
- the overall systems for tank filling control meet BS EN 61511:2004.
Where the SIL assessment results in a change to the safety management system that could have significant repercussions with respect to the prevention of major accidents or the limitation of their consequences, operators of top-tier sites should review their safety reports under the provisions of COMAH regulation 8(c)."
I do not subscribe to the proposition that it is that clear cut whether or not a vessel is safe to operate in the context of level control systems. For example, it is possible that due to a malfunction of an automatic level control system, one can control the level within safe parameters manually as long as there is a means of monitoring the level and there are monitoring checks by personnel, the frequency of which can depend upon specific circumstances. In simple systems, where the input is fairly constant (say there is a fixed diameter orifice), one can also depend to a limited extent on the input parameters such as flow rate etc. Last, but not least, for how long it is acceptable to continue without the automatic control also comes into play. If the malfunction occurs in a shift and can be safely manually controlled, but can be repaired in the next shift, does it require a shut down?? This is why, Jom, to what extent can you legislate for a "fully functioning" level control system??
Posted By jom
Jay,
I guess my proposition was simplistic. It can be helpful to approach a complex problem this way. You've nominated some criteria for when it may be tolerable to work with faulty level control components. I think you are saying faulty components are tolerable so long as the liquid level is still under control through other means and devices.
In each of these three accidents that didn't occur, did it? The level control components were non-functioning and the level was out of control with catastrophic consequences.
Has the new CSB DVD on Texas City been widely viewed in the UK? It's brilliant.
It poses a host of challenges for the industry. Proposed solutions focus on the high level management systems. That's fine, but I wonder if sometimes "quicker" future prevention might be found at lower levels.
For example, if the level control system is not fully functional, then the vessel is not to be operated. If it is to be operated, then somebody certifies it is acceptably safe to do so, the conditions to apply and the period of time the permit applies.
It's not acceptable to operate a boiler with non-functioning pressure relief valves, is it?
Look at the colossal damages from these three accidents. I'm just suggesting liquid level control may need to be treated as cautiously as pressure control. Perhaps we are being thwarted by the complex and subtle ways loss of liquid level control can deliver us a catastrophic accident.
John.
Posted By Robert K Lewis
Jay
My only problem with reliance on standards and Hazops etc. is that they always assume a functional and adequately maintained set of controls and a plant properly maintained for integrity. The LOR blowout in the pipe bend near the steam injection point shows how easily degradation of systems occurs because decisions are made or not made by not adequately competent persons.
A managed system of competence for maintenance, plant re-design, plant maintenance means that there is ongoing review and oversight of the competency of the persons undertaking the work. I have yet to see a fully defined system operational as yet. The nuclear sector probably comes closest but gaps still exist.
Bob