On July 24, 1994, around 8 a.m., an electrical storm affected the power system at the Milford Haven oil refinery in the United Kingdom. In the hours that followed, up to 1:23 p.m., operators tried to keep the cracker running, aided by signals from the plant instrumentation system and VDU displays.
At 1:23 p.m., some 20 metric tons of liquid hydrocarbon burst through a pipe leading to the flare stack, forming a vapour cloud and exploding. Twenty-six people suffered minor injuries, and a van just missed entering an area that became enveloped in the fireball. Had it not been Sunday, multiple deaths would have occurred in the plant, and injuries would have occurred in an area two miles away where shop windows were blown in.
Costs were staggering: Repairs were estimated in excess of $80 million and loss of production at several times that amount. An inquiry by the U.K. Health and Safety Executive revealed that the incident could have been prevented -- had the operators diagnosed that the debutaniser outlet valve was stuck closed. However, signal outputs in the control room wrongly indicated it had opened. Other flow signals implied it was closed, but the operators failed to identify the inconsistency. This was due, in part, to the fact that while a number of detailed graphics for individual sections of the plant were provided, there were no overviews of the complete process. Alarms were coming in every two or three seconds, making it hard to troubleshoot the rapidly changing situation.
As disasters go, this was a small one, but its lessons prompt us to look at practices and specific techniques applicable to the heat processing workplace.
"I could have told you something like that was going to happen." This could be you talking, whether from management, engineering, procurement, plant design and manufacture, process technology, maintenance, production or plant operations. Any one of you could be in the line of fire when the coroner asks, "Do you talk to each other? Did you report your concern?"
Transparency is vital at all levels of the operation -- including cooperation of all of the above-mentioned personnel during specification, design, documentation, construction and start-up. The Milford Haven plant now has an $800,000 process simulator to train operators and give them hands-on experience about how the plant feels and responds in normal -- and abnormal -- situations.
To prevent disaster at your plant, there are several steps you can take:
- Make sure that your instrumentation provides both an overview and detailed information about the plant's operating condition.
- Have access to layout and schematic drawings and descriptions of wiring, equipment and piping with identification of plant items. Use them to evaluate the control and safety implications.
- Place identification labels on indicators, controls, internal cabinet wiring, terminals, piping and components. Labeling should include such simple matters as which switch position is "off" and which way is "increase" on manual controls.
- Put in place procedures and priority rankings to be observed when responding to plant alarms and off-normal events.
- Post stickers on cabinets and plant items showing manufacturer's or outside supplier's service phone numbers.
Specific Examples

I'll try to be specific by referring to some well-used techniques and examples. This involves applying your knowledge of your process, its instrumentation and monitoring to the challenge of heading off predictable hazards. I'll start with sensors.
Temperature Sensor Location. Ensure that your thermocouples or RTDs are located where they can "see" the temperatures of interest to you and that the wiring is sound. A misplaced or pulled-out-of-place sensor, or one whose wiring is shorted, can lead to overheating of the process.
Broken Temperature Sensor. In most processes, you want a broken or burnt-out (open-circuit) sensor to make your controller default to a high reading or "broken sensor" message and turn the heat off. (This is sometimes called "upscale burnout.") If you don't specify otherwise, controllers normally come configured this way.
But, some processes may require a broken sensor to default to full power or some predefined percentage of full power. (This is called "downscale burnout." It commonly is used to heat trace an outdoor pipe or a vessel that must not be allowed to cool off.) If a downscale burnout controller is used, be sure that the controller is properly configured and that this type is not mixed with upscale burnout controllers.
Reversed Thermocouple. Thermocouple wires often are crossed when a process is being rewired or commissioned. This normally would send the controller indication downscale and call for full heat, perhaps damaging your equipment or making scrap product. Some controllers can recognize this as an unrealistic low temperature and default to power off or to the level of power that you specify.
Replacing Thermocouples. Some plants have a mixture of different sensors, and it is easy to take a Type R thermocouple off the spares shelf and install it where a Type K came out. This would make the controller drive the temperature up to some three or four times setpoint. Identify and label spare thermocouples and controllers by thermocouple type to prevent improper replacement.
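The broken-sensor and reversed-thermocouple defaults described above can be written down as explicit logic. The following is an added sketch, not code from this article or from any controller vendor, and it also audits for downscale-burnout controllers mixed in where upscale was intended. The loop names, the -20 °C plausibility floor and the 40% fallback power are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Loop:
    name: str
    burnout: str                    # "upscale" = heat off, "downscale" = fallback power
    fallback_pct: float = 0.0       # power held on downscale burnout (assumed value)
    min_plausible_c: float = -20.0  # below this, suspect crossed thermocouple wires
    reversed_pct: float = 0.0       # power applied when the reading is implausibly low

def heater_output(loop: Loop, reading_c: Optional[float], demand_pct: float):
    """Return (power_pct, status); reading_c=None models an open-circuit sensor."""
    if loop.burnout not in ("upscale", "downscale"):
        raise ValueError(f"{loop.name}: unknown burnout mode {loop.burnout!r}")
    if reading_c is None:
        if loop.burnout == "upscale":
            return 0.0, "BROKEN_SENSOR_HEAT_OFF"
        return loop.fallback_pct, "BROKEN_SENSOR_FALLBACK"
    if reading_c < loop.min_plausible_c:
        # Crossed wires read downscale and would otherwise call for full heat.
        return loop.reversed_pct, "IMPLAUSIBLE_LOW_READING"
    # Healthy sensor: pass the control demand through, clamped to 0-100 %.
    return max(0.0, min(100.0, demand_pct)), "OK"

def audit_burnout(loops, intended):
    """List loops whose configured burnout mode differs from the documented intent."""
    return [(lp.name, lp.burnout, intended.get(lp.name, "undocumented"))
            for lp in loops if lp.burnout != intended.get(lp.name)]

# Constructed sample plant: two oven zones and one outdoor heat-traced pipe.
OVEN = Loop("oven-zone-1", "upscale")
TRACE = Loop("trace-pipe-7", "downscale", fallback_pct=40.0)
SWAPPED = Loop("oven-zone-2", "downscale", fallback_pct=40.0)  # wrong spare fitted
INTENDED = {"oven-zone-1": "upscale", "trace-pipe-7": "downscale",
            "oven-zone-2": "upscale"}

if __name__ == "__main__":
    cases = [(OVEN, None), (TRACE, None), (OVEN, -180.0), (OVEN, 350.0)]
    for loop, reading in cases:
        print(loop.name, reading, heater_output(loop, reading, demand_pct=100.0))
    print("mixed-mode findings:", audit_burnout([OVEN, TRACE, SWAPPED], INTENDED))
```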
In the next issue, I'll look at process alarms.