Posted By jom
In the last decade, the world's petrochem industry has suffered three major, high profile accidents involving loss of containment of hydrocarbons and fire.

Longford, Australia, 1998
Texas City, USA, 2005
Buncefield, UK, 2005

These are by no means the only major accident in the process industries in that period, but they stand out because they have been intensely investigated in public fashion. The investigation outcomes have been influential in advancing Process Safety.

Much focus has been on the deficiencies of management in delivering Process Safety at these plants, and on organisational failings, rather than technical or engineering failings.

That is valid and important, but I've wondered if it takes our attention away from more simple things - the "nuts and bolts" issues of engineering, operation and maintenance.

For each of these three accidents, a critical and essential step in the accident process was loss of control of the level of a liquid hydrocarbon in a vessel.

In each case, physical components of the level control system had failed or were disabled, and this was known at the time.

What if the level control systems had been fully functional? The accidents would not have occurred.

The Process Industries pay great attention to pressures in vessels - the dangers are obvious. Perhaps liquid level control should be elevated to a level of importance alongside pressure control.

The ways in which loss of liquid level control leads to a catastrophic accident can be varied and subtle, but these three accidents tell us how terrible the consequences can be.

Perhaps we should have regulations that make it illegal to operate certain vessels without fully functional level control systems.

Interested in any thoughts....

John.

Posted By Jay Joshi
It is pointless to have all manner of prescriptive legislation based on an immediate cause of the accidents that had a multitude of root causes--where does one stop??

One should not concentrate on a single control parameter, but on the "system". It is all about HAZOP/FMEA etc and most importantly, recognising even with a high degree of automation, there will be humans involved. It is the human interface that matters.

Posted By Jay Joshi
If anyone has indeed been involved in process plant control systems, it will be obvious that there will be instances when some measurement/control parameter may not be "fully functional".

In most cases, there will be identification of "crtical systems" and procedures in place if the critical system is either taken offline or not fully functional.

Many critical systems have in built redundancy so that if one level sensor fails, another independent one is available and so on.

That is why the HSE Human Factors Inspectors have take action at Fawley Refining and Chemical Complex--refer to:-

http://www.dailyecho.co....s_at_fawley_refinery.php

Posted By Pete48
With respect to previous replies.
We need to remember that not all contributors work in the UK.
I read John's question as being about raising the stakes on liquid level control and he gave pressure controls as the comparator. I think that is an interesting question to pose.
We all know that we have engineering standards and laws that govern all such manner of things and we also know that they fail for all sorts of reasons.
What may not be so apparent, to those who do not operate large capacity, high volume, multi-feed storage facilities such as Buncefield once was, is that almost total reliance has come to be placed on what are really quite mundane, or at least mechanically simple level controls cross linked into computer software. Control room staff, sometimes hundreds of miles away, work without seeing or feeling the systems other than on their PC screens. they often have little or no acrtivity other than safety critical interventions. Nothing wrong with that, per se, but have safety critical standards really kept pace on liquid level instrumentation and operational procedures? Perhaps a strengthening of the regulations in this regard would at least make it less likely that cost and other expediencies do not erode the application of the engineering integrity standards. After all, in the UK we have a history and many examples of specific regulation on matters relating to inspection and thorough examination of safety critical kit.

Posted By Tony abc jprhdnMurphy
Jom

I worked on Petro Chem project after the Texas incident and was asked to comment on the significant findings. I was also asked to undertake a review and comment on general perceptions and learning patterns.
What I found amazing was that people situated inside the blast zone/critical area had no need to be there. Consequently there was a recommendation made where administrators and other non critical personnel should be housed in safe areas, and taken inside these critical areas only when necessary. In fact given the level of IT technology there is absolutely no need for people to be anywhere near the site, unless their remit calls for it. When I spoke to the client he could not comprehend this simple assessment and said that it would be easier to build blast resilient buildings.
I no longer work in Petro Chem

Posted By anon1234
Tend to agree with Jay, properly conduced HAZOP and FMEA should ensure these issues are identified and appropriate controls/redundancy put in place. I guess that then leaves the question about disabling interlocks/controls due to faults with the system i.e. should you operate the process when a known control mechanism is not working (be it level controls, alarms, interlocks, etc). The number of suystems you can allow to be non functioning is then related to the number of redundant systems avaialble and the severity of the consequences - i.e. it is nearly a case by case basis. However, as an absolute minimum, using level control as the example - if level control is a critical safety requirement then you must ahve a functioning level controller and independant level alarm/interlock/shutdown

Posted By Pete48
Bob, I totally agree with your last comment. However, the number of operating companies and boundaries were very relevant with regard to your points. This was not a simple "in/out measure it" situation. Buncefield was a multi-feed, multi operator site supplied by pipeline networks operated by others. No doubt much of the control would be vested in computer aided control systems with a varying degree of operator interventions at various points along the transfer route.
The fact that a supercritical safety device such as the high-level emergency shut off system did not work when required does strongly suggest that a number of lower status controls must have:
been poorly designed (which I doubt)
failed on demand,
been out of service, over-ridden or ignored,
been compromised by pressure on costs or time.

Posted By jom
Is it likely that a report completely detailing the accident process will be made public?

Is there any legislated requirement to do so?

John.

Posted By jom
"We should never advocate knee jerk fixes like this."

Gary,

With respect, these three accidents are now years in our past, so discussing level control failure now is hardly a knee-jerk response, is it?

Perhaps it doesn't matter if regs are applied or other rules are enforced.

Let's boil it down to a simple proposition:

A process vessel containing hydrocarbons has non-functioning level control components, and this is known.

Do you tell the operators it is okay to operate that vessel?

John.

Posted By Jay Joshi
There was a learning for all, (including regulators) from Buncefield regarding the systematic assessment of Safety Integrity Level Assessments of critical systems using.
This will ensure that the COMAH

Refer to :-
http://www.hse.gov.uk/co...ield/bstgfinalreport.pdf

Page 13

Minimum expected good practice

COMAH five-year periodic reviews of safety reports should incorporate a demonstration that:

? the overall systems for tank filling control are of high integrity, with sufficient independence to ensure timely and safe shutdown to prevent tank overflow; and

? the overall systems for tank filling control meet BS EN 61511:2004.2


Where the SIL assessment results in a change to the safety management system that could have significant repercussions with respect to the prevention of major accidents or the limitation of their consequences, operators of top-tier sites should review their safety reports under the provisions of COMAH regulation 8(c).

I do not subscribe to the proposition that it is that clear cut whether or not a vessel is safe to operate in context of level control systems. For example, it is possible that due to a malfunction of an automatic level control system, one can control the level within safe parameters manually as long as there is a means of monitoring the level and there are monitoring checks by personnel, the frequency of which can depend upob specific circumstances. In simple systems, where the input is fairly constant (say there is a fixed diameter orifice), one can also depend to a limited extent on the input parameters such as flow rate etc. Last, but not least, for how long is it acceptable to continue without the automatic control aslo comes into play. If the malfunction occurs in a shift and can be safely manually controlled, but can be repaired in thge next shoft, does it require a shut down??

This is why Jom, to what extent can you legislate for a "fully functioning" level control system??

Posted By Robert K Lewis
Jay

My only problem with reliance on standards and Hazops etc is that they assume always a functional and adequately maintained set of controls and a plant properly maintained fr integrity. The LOR blowout in the pipe bend near the steam injection point shows how easily degradation of systems occur because decisions are made or not made by not adequately competent persons.

A managed sytem of competence for maintenance, plant re-design, plant maintenance mean that there is ongoing review and oversight of the competency of the persons undertaking the work. I have yet to see a fully defined system operational as yet. The nuclear sector probasbly comes closest but gaps still exist.

Bob