Embed Size (px)
Citation preview
BP TEXAS CITY REFINERY DISASTER
ACCIDENT & PREVENTION REPORT
Chinedu Charles Isiadinso
April 23, 2015
Contents
1 INTRODUCTION 2
2 KLETZ-TYPE PREVENTION TABLE 3
3 ANALYSIS 6
4 CONCLUSION 9
1
1 INTRODUCTION
On Wednesday, March 23 2005, numerous explosions, and a fire, occurred at BP Texas Cityrefinery, Texas, USA. The explosions and fire occurred during start-up of an isomerization unitat the refinery. The disaster resulted in 15 fatalities, over 150 injuries, and financial lossesexceeding $1.5 billion (USD)[1].
Details of the Accident
BP had begun a lengthy maintenance project at their Texas city refinery, which required over1000 contractors on site along with employees. A number of trailers had been set up, close tothe blow-down stack (see figure 1), to serve as offices and meeting rooms for the contractors.In the early hours of Wednesday, March 23 2005, workers began the start-up process of anisomerization unit by pumping highly flammable liquid into to a raffinate splitter tower (seefigure 1), which would, normally, have ≈ 2m (6.5ft) of liquid at its base. Liquid height sensorand two alarm systems, for heights of 2m, (6.5ft) and 3m, (10ft), were installed to measureand report the height of liquid in the tower to operators, and raise alarms if the liquid reached2m and 3m respectively. However, the sensor was designed to measure heights up to 3m, andthus there was no way to tell the amount of liquid in the tower beyond that point. As workerspumped liquid into the splitter tower, the liquid reached, and exceeded, the 3m mark, settingoff the 2m alarm but not the 3m. As the liquid feed exceeded 3m, when the feed was stopped,and the height sensor reported 3m, while in actual fact, the tower is believed to have reached4m, (13ft)[2].
Figure 1: Raffinate section of Isomerization unit[1]
Following a shift change, and very poor communication, operators recommenced the start-upprocess, adding more liquid to the overfull splitter tower. While liquid was being pumped in,no liquid was being pumped out, as specified in the start up procedure[5], due to a level controlvalve being left closed. About 10 minutes later, as part of the normal process, operator litburners in the furnace to heat up the liquid being fed to the splitter tower. With the levelcontrol valve still closed, the tower liquid level rose, and the heigh meter reported a height ofunder 3m; however, calculations show that the liquid reached 42m[1].
At 1 pm, the level control valve was opened, following a high pressure alarm that caused amanual relief valve to be opened; this stabilized liquid level. However, liquid leaving the tower
2
was at a very high temperature, and on exiting the heat exchanger (which was not designed tocool down very hot liquid), induced a temperature rise (over 150o[1]) in liquid being fed to thetower. This caused liquid in the tower to boil and expand causing the liquid level in the tower torise. Minutes later, the 52m, (170ft)[5], 586, 100l[7] capacity splitter tower was completely full,and liquid flowed through a overhead pipe, down 45m, (148ft), and forced open all 3 safety reliefvalves near the base of the tower; these valves redirected over 200, 000l of flammable liquid tothe blow-down drum of significantly lower capacity. Similar to the tower, the blow-down drumwas fitted with a liquid height sensor and an alarm, but when the drum overfilled, the alarmfailed to alert operators, who continued redirecting flow to the drum. Minutes later, there wasan eruption of very hot highly flammable liquid, from the top of the blow-down stack[3], whichfell to the ground creating a highly flammable vapour cloud that covered the entire refinery,especially the trailers housing the contractors. Ignition of the cloud, by backfire from an idlingdiesel truck at about 1:20 pm, caused a number explosions and fires, and sent shock-waves formiles in all directions.
Figure 2: BP Texas City Refinery Layout[1]
2 KLETZ-TYPE PREVENTION TABLE
Table 1: Kletz-Type prevention table
Events Immediate Steps Avoiding Hazard Management System
Explosions and Fire Truck driver shouldhave turned engine offafter eruption
Idling diesel truckbackfires, ignitesvapour cloud
Do not idle truck afew meters from haz-ardous equipment
Create dedicatedparking space
Always know wherevehicles on plot are
Vapour Cloud formsand expands across re-finery
Sound alarm Install disaster alertsystem
Train staff for dis-asters, the CSBreport[1] showedthat staff where notproperly trained forabnormal situations
3
Table 2: Kletz-Type prevention table
Events Immediate Steps Avoiding Hazard Management System
Blow-down stack overfills and liquid erupts
Carry out disasterprotocol
Install blow-downdrum of equal capac-ity as tower. Installmodern blow-downstack, to eliminatepossibility of overflow
Train staff fordisasters[9]
Liquid in blow-downdrum reaches max.capacity; high levelalarm does not sound
Tower is overfull, ex-pect the drum alarmto sound, and act ifthere’s no sound
Emergency purge sys-tem when drum overfills
Regular equipmentinspection, due tocost cutting tech-niques, less moneywas available toinspect and repairfaulty equipment[1]
High pressure liquidforce open all 3 safetyrelief valves; liquidis redirected to theblow-down drum
Turn off feed, andpurge systems
Install another set ofhigh pressure alarmsfor the over head pipes
Tower overfills; liquidflows through over-head pipe towards re-lief valves 45m below
Install overflow detec-tor to shut down pro-cess if tower overfills
Liquid fed to towercauses boiling; liquidlevel rises to 43m, sen-sor shows decline
Design location basedtemperature detector
Regular equipment in-spection and repairs
Hot liquid, from towerbase, heats up towerfeed
Design system to mea-sure temperature ofliquid in key areas(e.g. tower outlet)and alert operator ofproblems
Operators worryabout lack of outflow,level control valve isopen
The process had beenrunning for over 3hours, check whathappened to liquidfed
Design system toshow valve status
A supervisor must al-ways be present
Tower high pressurealarm sound; oper-ators open manualrelief valve (auto-matic emergencyvalves failed)
Check informationabout flow into andout of tower and seeif there discrepancies.
Regular equipment in-spection
Improperly calibratedlevel indicator showsliquid as 2.6m andfalling; liquid is at30m
Show flow into andout of tower on samescreen and work outin tower volume basedon these
Equipment inspectionand repairs
4
Table 3: Kletz-Type prevention table
Events Immediate Steps Avoiding Hazard Management System
Supervisor leaves dueto family emergency,there is no replace-ment
Request replacementsupervisor
Enforce requirementof at least one tech-nical staff at alltimes
Conflicting infor-mation about levelcontrol valve is re-ceived by operator,valve is left closed
Request clarification Design system toshow valve status
Start-up recom-mences, more liquidis added to alreadyoverfull tower, liquidlevel increases
Carry out pre-startupprocedure
Improve system toallow operators seeflows in and out oftower
Ensure pre-startup iscompleted ans suc-cessful
Night shift operatorleaves, day shift oper-ator takes over; stateof start-up process isbadly communicated
Make better use oflogbooks
Enforce BP sign overprotocol, especiallyduring hazardousprocesses
Sensor reads 3m (ac-tual height is 4m),feed is stopped
Improve sensor design
First tower high levelalarm sounds, secondfails
Stop after first alarm Regular equipment in-spection
Operators ignore 2mrecommended heightand fill to 3m max.height
Follow safety recom-mendation
Enforce safety re-quirements
Contract workers intrailers are not in-formed about start-upprocess
Inform all personnelabout hazardous pro-cesses
Ensure everyone is outof harms way beforestarting hazardousprocesses
Isomerization start-upbegins, liquid is fedinto splitter tower
Evacuate all non-essential staff
Ensure pre-startup iscompleted
Safety culture
Lengthy maintenanceprocess; trailers areset-up close to isomer-ization unit
Setup trailers at safedistance
Should have followedCSB trailer citing rec-ommendations
5
3 ANALYSIS
The accident could be blamed on a wide range of failures, from mechanical to human to process,however, the entire accident could be put down to human error. Starting at the very beginningwith the location of the trailers. From figure 3, it can be seen that the trailers where set upin, potentially, the most dangerous part of the site. Trailers where setup between the catalystwarehouse and the isomerization unit (close to the blow-down drum and staff), separated fromthe unit by a rack of pipes carrying highly flammable liquid. Not only was this citing warnedagainst by safety experts[1], but from figure 2, it can be seen that permanent office structureswhere erected reasonably far away from hazardous material and equipment, at the other end ofthe refinery; no deaths occurred at these permanent structures. A reasonable location, for thetrailers, would have been next to the control room in the blue section of figure 2.
Figure 3: Trailer area and adjacent Isomerization unit[1]
Second, employees, and maintenance workers knew how hazardous the isomerization start-upprocess was, but no alerted the contracts (who where in the trailers) about the start-up, as suchcontracts where unaware of of what was happening until the eruption and explosion. Deathscould have easily been prevented if trailer staff where informed, or better still, removed fromharmsway until the start-up process was complete; there was a safety meeting that day, over300 people (employees and contractors) where in attendance and nothing was said about thestartup about to begin[3].
While immediately it would not have been possible for the night shift operator to have knowthe second alarm had failed, a better logbook entry could have been left for the day shift operatorto work on. The logbook entry gave no indication of previous pumping level and alarm sound,instead it read ”ISOM brought in so raff to unit, to pack raff with”[1].
Operators usually neglected key safety requirements, like the pre-startup checks, which wouldhave confirmed the position of the level control valve, removed non-essential personnel from the
6
site, and potentially noticed, and dealt with, the idling truck. It could have also alerted staffto the faulty alarms and indicator, as it required manual liquid level confirmation, via a sightglass at the base of the tower; it is worth noting, that the sight glass had not been cleaned forlonger than recommended and as such dark liquid had covered the glass making it unuseable.
Poor communication saw the situation on the ground being badly transmitted from groundoperators to board staff, which lead to a one of the most obvious causes of the disaster, the levelvalve was left closed for over 3 hours while liquid as fed. The valve was later opened, but staffshould have instigated the location of hours of pumped liquid; if there was no liquid outflow,then there must have been a build up of liquid in the tower, this would have brought the faultyindicator (which read 2.6m and falling instead of 30m), to their attention and they could havestopped the feed and drained the tower. Following the departure of the only technically trainedstaff on site that day, due to a family emergency, and contrary to BP standard procedure,there was no replacement supervisor assigned to over see the startup process; this left one lowexperience operator (not qualified to run an entire refinery without supervision) alone to manageall 3 units at the refinery, including the iszomerizaion unit.
On one end of Kletz’s spectrum, we have ways of preventing the hazard. In this case, thehazard could have been prevented had the level indicator had been designed to accommodatethe full 52m height of the tower. Looking at it from the point of view of what is necessary,the level was never meant to exceed 3m, however, if operators did not stop the feed exactlywhen the 3m alarm was heard, they would overshoot and not know how much by. The systemcould have been fool-proofed by designing an automatic system that shut off liquid feed whenthe level reached 3m instead of just an alarm. A similar system in the blow-down drum couldautomatically open the sewer block valve (see figure 4) to drain the drum if it overfills; thesewould help prevent any instances where there’s human failure.
Figure 4: Blow-down drum and gooseneck[1]
7
A similar system was already operational in the emergency relief valve, which failed to open onoperator’s command, but opened when pressure exceeded maximum allowed, and this preventeda different accident of a burst pipe.
In figure 3, cars can be seen parked around very dangerous equipment, there where moresuitable locations for a car park than between a catalyst warehouse and a rack of pipes.
Also, the CSB’s report noted poor operator display designs. The control unit did have displayfor amount of liquid flowing into and out of the tower, but these when on different screens, andthus meant that unless the operator suspected discrepancies in the flow, they would not checkto see if the number matched. A better design would have been to have both flows on thesame screen, but also to workout the different the alert the operator, or trigger an automaticsprotection system, if the difference exceeds an acceptable tolerance range.
On the other end of Kletz’s spectrum, failures of the management, such as lack of regularequipment inspection and repairs, lead to key safety devices and instruments, level indicators,alarms and even the emergency pressure relief systems, failing to alert operators of danger; thesepiece of equipment where know by management to be faulty but nothing was done to repair orreplace them[3]. Staff where not adequately trained and protections where not put in place toprevent catastrophic failures, the likes of which, had bee predicted as early as 1992[9]. Therewhere no real automatic systems that would act immediately in and emergency, all systemsrequired the intervention of an operator, and while BP required operators to work in pairs andalways have one person in the control room at all times, cases of desertion where very common;on the day of the accident, an operator deserted his post hours before his replacement arrived.
Management had also consistently failed to address re-occurring unsafe practices, e.g. startupwithout fully completed pre-startup checks, that had previously (on February 12, 1994) leadto a similar situation where the tower was overfilled. Also, reports show management failedto invest in hazard prevention and safeguard. Furthermore, huge cost cutting tactics saw theisomerization unit grossly under staffed during startup.
Management had a responsibility to ensure a safe working environment for everyone on site,but years of limited funding and a growing unsafe culture saw mandated processes being ig-nored, and near misses being left uninvestigated. The main cause of the disaster was a lack ofproperly implemented pre-emptive measures, which would have completely prevented not onlythis incidence, but future ones as well.
Lessons Learned
The following lessons could be drawn and generalized from is disaster;
1. Follow recommend procedure: Operators should not deviate from their training, but also,managers, and supervisors should ensure protocol is strictly adhered to.
2. Alert people of potential danger: Contractors and uninvolved staff, e.g. the two in theidling truck, where not aware of the hazardous process that was going on very close tothem. This could also be extended to members of the public, for example, constructionsite must tell, not only their employees about dangers, but passers-by that could be hurtas well.
3. Check design by Hazop: Safety equipment, in the refinery, where not designed to eliminatehazard, rather they where designed to alert of potentially dangerous situations, and thus
8
where highly susceptible to human error. Safety devices should be designed to make italmost impossible to hurt yourself and others, e.g. automatic speed limiters on high speedtrains (Santiago de Compostela rail disaster)[11].
4 CONCLUSION
In conclusion, the disaster at Texas City was completely preventable. Key immediate steps byoperators on the day could have prevented the accident, however, the key cause of the disasterwas a continuous failure to learn from near misses, an absence of safety culture, and persistentabsence of hazard prevention by management staff, even after numerous near misses on numer-ous machines. Also misplaced priorities could be blamed for the disaster, as investments insafety and hazard prevention where not made following BP’s acquisition of Amoco’s outdated(even at the time of acquisition) refinery, instead job cuts and poor maintenance culture, whichsaved BP hundreds of thousands of dollars, where priority.
References
[1] U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD. INVESTIGA-TION REPORT REFINERY EXPLOSION AND FIRE. Rep. no. 2005-04-I-TX. Texas City:U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD, 2007. Print.
[2] U.S. CHEMICAL SAFETY BOARD. ”Anatomy of a Disaster.” csb.gov. U.S. ChemicalSafety Board, 11 Jan. 2008. Web. 11 Mar. 2015.
[3] Schorn, Daniel. ”The Explosion At Texas City.” CBSNews. CBS Interactive, 26 Oct. 2006.Web. 11 Mar. 2015.
[4] Broadribb, Mike. ”Lessons from Texas City.” Lessons from Texas City (2008): 1-26.hse.gov.uk. Bp, 8 May 2008. Web. 12 Mar. 2015.
[5] Michael, Jo-Anne. ”Texas City Incident Human Factor Aspects.” Hse.gov.uk. Health andSafety Executive, n.d. Web. 12 Mar. 2015.
[6] Wikipedia contributors. ”Texas City Refinery explosion.” Wikipedia, The Free Encyclope-dia. Wikipedia, The Free Encyclopedia, 1 Mar. 2015. Web. 12 Mar. 2015.
[7] Kalantarnia, Maryam, Faisal Khan, and Kelly Hawboldt. ”Modelling of BP Texas CityRefinery Accident Using Dynamic Risk Assessment Approach.” Process Safety and Environ-mental Protection 88.3 (2010): 191-99. ScienceDirect. ELSEVIER, 1 Feb. 2010. Web. 12 Mar.2015.
[8] Dean, L. E., H. R. Harris, D. H. Belden, and Vladimir Haensel. ”The Penex Process forPentane Isimerisation.” Platinum Metals Review 3.1 (1959): 9-11. Print.
[9] Cappiello, Dina, and Anne Belli. ”OSHA Warned Refinery about Danger in 1992.” HoustonChronicle. Houston Chronicle, 8 Apr. 2005. Web. 12 Mar. 2015.
[10] Hopkins, Andrew. Failure to Learn: The BP Texas City Refinery Disaster. Sydney, N.S.W.:CCH Australia, 2008. Print.
[11] Wikipedia contributors. ”Santiago de Compostela rail disaster.” Wikipedia, The Free En-cyclopedia. Wikipedia, The Free Encyclopedia, 5 Mar. 2015. Web. 13 Mar. 2015.
9
