At 1.23 pm on Sunday, 24 July 1994, twenty-six people were injured when an explosion erupted through an oil refinery in an otherwise quiet corner of South Wales in the United Kingdom. The site was occupied by two companies: Texaco’s Pembroke Refinery and the Pembroke Cracking Company (PCC), a joint venture between Texaco and Gulf Oil. The incident started just before 9 am, when an electrical storm in the area caused lightning to strike the crude distillation unit that provided feed to the PCC units. This resulted in a fire that caused disturbances which affected the vacuum distillation, alkylation and butamer units, as well as the fluidised catalytic cracking unit (FCCU).
What followed was a cascade of failures that highlighted severe shortcomings in the plant’s safety and control systems. The report produced by the UK’s Health and Safety Executive (HSE) following an investigation into the events concluded: “The direct cause of the explosion that occurred some five hours later was a combination of failures in management, equipment and control systems during the plant upset. These led to the release of about 20 tonnes of flammable hydrocarbons from the outlet pipe of the flare knock-out drum of the FCCU. The released hydrocarbons formed a drifting cloud of vapour and droplets that found a source of ignition about 110 metres from the flare drum. The force of the consequent explosion was calculated to be the equivalent of at least four tonnes of high explosive. This caused a major hydrocarbon fire at the flare drum outlet itself and a number of secondary fires.”
The HSE investigation found several causes of the incident: a control valve was shut when the control system indicated it was open; control panel graphics did not provide the necessary process overviews; a modification had been carried out without assessing all the consequences; staff attempted to keep the unit running when it should have been shut down; and the company failed to take the necessary overall perspective, concentrating instead on the local, immediate symptoms rather than looking for the underlying cause. The 14 subsequent recommendations that were given included everything from improved safety management systems, human factors, protection systems, plant layout, inspection systems and emergency planning.
Two things stood out in the HSE report. The first relates to human factors, where it mentions that “display systems should be configured to provide an overview of the condition of the process”. The second relates to protection systems, where it explains that “the use and configuration of alarms should be such that: safety critical alarms, including those for flare systems, are distinguishable from other operational alarms; alarms are limited to the number that an operator can effectively monitor; and ultimately plant safety should not rely on operator response to a control system alarm”.
Update your alarms
Part of the planning to meet these recommendations is that plant managers employ the relevant technical measures to control the process and prevent the loss of containment of dangerous substances. In part, this can be achieved through safety instrumented systems, and alarm systems that include fire and gas detection. The problem is that, while many plants have visualised alarms in their control systems, their physical alarm annunciators are severely out of date – many in use today were installed more than 30 years ago – so may not meet current IEC 61508 safety integrity levels (SIL).
Because operator response times are an important part of this rating, it is vital that alarms maximise, rather than impede, the operator’s ability to respond quickly. Managing a mix of critical and non-critical alarms in a control system interface can quickly become overwhelming, so physical alarm annunciators must be up to date. They must also only display the safety, health and environmental alarms that the plant operators need to respond to.
It is important to hardwire alarms into the process. Sensors that detect tank levels and are designed to protect against overfill can be hardwired to high priority alarms. In emergencies, these alarms give visual indication and provide a horn output before a fuel leak has the chance to vaporise and become an ignition source. Plant and safety managers updating their alarm annunciators should check for a few key things. They should ensure that the alarm annunciator is hardwired into the sensor, and that it has a panel of windows permanently dedicated to specific processes to enhance situational awareness for the operator.
Each alarm should be well justified and suitably prioritised, and each window should be colour coded to match the severity of the alarm. Additional benefits to look out for include the ability to network the alarms to scada systems and the cloud, and to benefit from SMS and GSM alerts, so everyone onsite can be immediately notified in the event of imminent danger. By taking suitable precautions, tank farm managers can learn from the past and give themselves the best chance of preventing such disasters from happening again.
| Tel: | +27 31 207 7466 |
| Email: | [email protected] |
| www: | www.omniflex.com |
| Articles: | More information and articles about Omniflex Remote Monitoring Specialists |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version