Loss-of-containment, a basic cause of process safety incidents
14 July 2016
In 1979, while covering a chemical plant operation during a strike, I was rudely awakened by a massive explosion. I quite literally fell out of bed, sleeping in a trailer located about 100 feet from the plant fence-line, shared with a petroleum product distribution tank farm. I grabbed my pants and went outside. The heat from the fire at a large storage tank next-door could be felt where I stood.
It turned out that a gasoline storage tank was being filled from a nearby ship and had overflowed into the surrounding dike. When operating personnel jumped into their truck to drive to the dock and stop the gasoline transfer, the truck became the ignition source, setting off a vapour-cloud explosion and pool fire. No one was hurt, but the fire burned for two days.
Many loss-of-containment incidents have occurred in the chemical process industries (CPI) over the period of my career (45 years, to date). The vapour cloud explosion at Flixborough, UK, in 1974 is still considered one of the most catastrophic CPI incidents in recent history. This event was initiated by a loss-of-containment of super-heated cyclohexane. The Bhopal toxic chemical disaster in 1984 is another example of what can happen when process safety is mismanaged, in the absence of a good safety culture, and highly hazardous materials are released.
More recently (22/10/09), gasoline was released at a Caribbean Petroleum (CAPECO) tank farm in Puerto Rico. The Chemical Safety Board (CSB) has released its report on this case, and the findings indicate that loss-of-containment is still causing disasters in the CPI. It has been said, “Those who cannot remember the past are condemned to repeat it” (George Santayana, 1863-1952). For this reason, process safety personnel need to study past incidents in order to understand how the elements of PSM failed to prevent or mitigate the CAPECO disaster.
In the CAPECO case, a ship was being off-loaded into several on-shore storage tanks (since no available single tank had the capacity to handle the 10,000,000-gallon transfer volume). This operation was manually monitored, and tank level indicators were observed in the field hourly (however, some level transmitters were not functioning). Radio communications were maintained by ship-side and tank-area operators in charge of the transfer. The tank that was being filled was not equipped with overflow protection or a high-level alarm. When the tank overflowed into the tank dike area, a large vapour cloud was created. Subsequent delayed ignition of the cloud caused a catastrophic vapour-cloud explosion, which ignited the pool of gasoline and caused several nearby tanks to collapse and their contents to catch fire. Fortunately, there were no fatalities, and only three injuries.
A similar vapour-cloud explosion had occurred at the Buncefield storage depot in Hemel Hempstead, UK, on December 11, 2005, fortunately without loss of life, and regulations were changed to require independent overflow protection at petroleum storage facilities in that country.
The CSB concluded from its investigation of the CAPECO incident that current regulations did not provide for more than one layer of protection to prevent a tank overfill.
Unfortunately, another loss-of-containment incident – flow of gasoline from a pipeline valve from which parts had been removed – was essentially a lock-out failure. This vapour-cloud explosion incident occurred in Jaipur, India, on October 29, 2009 – with the loss of 12 lives, and injury to 200 persons – and just a few days after the CAPECO incident.
A major consideration in the implementation of an appropriate process safety management system must be the prevention of fires, explosions, and toxic releases. When processing and handling hazardous materials, appropriate process safety policies, procedures, and techniques must be followed to prevent and/or mitigate the loss-of-containment of flammable or toxic materials.
A basic principle of process safety design is not to allow a single fault to lead to disaster. Defense-in-Depth is another way to consider this issue. In appropriate process safety management, this principle is applied in the risk analysis method LOPA (Layers of Protection Analysis). In the CAPECO tank farm overflow, only a single mechanism was in place to ensure that the highly flammable liquid transfer was successful, and that was operator-observed level indication. If either the operator or the level indicator failed, the spill-prevention system failed.
The tank was not equipped with a high-level alarm or an independent high-high level safeguard. These were not required by NFPA or API standards at the time of construction. In addition, the potential for disaster was not recognised or considered in the site operation. The remote level indicator transmitter was not functioning, and this was an indication of less-than-adequate maintenance of safety-critical devices and systems. Such a measurement was not recognised to be safety-critical and, as a result, its importance was unappreciated.
Where an overflow of a tank could result in a toxic, fire or explosion hazard, it is not uncommon in the CPI to include two additional layers of protection on storage tanks. These would be a high-level alarm (commonly based on the primary level-control indicator), with appropriate operator response to the alarm, and an independent high-high level cut-off interlock. The interlock should be designed and maintained as a Safety Instrumented Function (SIF), as described in IEC 61511/ANSI/ISA 84.00.01.
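The dependence between these layers can be shown with a small fill simulation, added here as an illustration and not taken from the article or the CSB report. The setpoints, fill rate and function names are assumptions, and the interlock is modelled as always working when fitted.

```python
from itertools import product

# Constructed setpoints (% of tank height); assumptions, not values from the article.
HIGH, HIGH_HIGH, OVERFLOW = 85.0, 92.0, 100.0

def simulate_fill(primary_ok, operator_responds, independent_hh,
                  start=60.0, rate=1.0):
    """Fill a tank step by step and report which layer, if any, stops it.

    primary_ok        -- primary level transmitter reports the true level
    operator_responds -- operator acts on the reading / high-level alarm
    independent_hh    -- a high-high cut-off with its own sensor is fitted
    """
    level = start
    frozen = start  # a failed transmitter keeps showing its last good value
    while level < OVERFLOW:
        level += rate
        reading = level if primary_ok else frozen
        # Operator observation and the high-level alarm share the primary
        # transmitter, so both are lost together when it fails.
        if reading >= HIGH and operator_responds:
            return "stopped by operator", level
        # The interlock reads the true level through its own sensor and
        # closes the inlet without operator action.
        if independent_hh and level >= HIGH_HIGH:
            return "tripped by interlock", level
    return "overflow", level

def fault_matrix(independent_hh):
    """Outcome for every combination of transmitter and operator state."""
    return {
        (primary_ok, operator): simulate_fill(primary_ok, operator, independent_hh)
        for primary_ok, operator in product([True, False], repeat=2)
    }

if __name__ == "__main__":
    for fitted in (False, True):
        print(f"independent high-high cut-off fitted: {fitted}")
        for (primary_ok, operator), (outcome, level) in fault_matrix(fitted).items():
            print(f"  transmitter ok={primary_ok!s:5} operator ok={operator!s:5}"
                  f" -> {outcome} at {level:.0f}%")
```

Without the independent cut-off, any single fault in the transmitter or the operator ends in overflow; with it, every fault combination in this model stops at the high-high setpoint.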
The ISA 84 standard has been recognised by OSHA as RAGAGEP (Recognised and Generally Accepted Good Engineering Practice). Using the ISA 84 standard for the high-high level interlock allows this protection feature to be considered an Independent Protection Layer, IPL, in LOPA risk analysis. The figure below shows the typical overflow safeguards that should be considered when storage tanks are filled with highly hazardous materials. The safety integrity level, SIL, of the overflow interlock should be consistent with the LOPA risk analysis needs of the process but not less than 1 (failure on demand of one in ten demands).
Whenever a manufacturing site handles and/or processes combustible, flammable, unstable or reactive, or toxic materials, an effective process safety management system must be in place, and well-formulated procedures must be practiced and maintained. Investigation and review of learnings from “near-miss” and injury/loss incidents are important in focusing on process safety so that similar failings do not occur. History can repeat itself unless appropriate corrective measures are taken!
DEKRA Insight has a team of highly skilled process safety specialists that provide independent consulting advice on PSM and fire and explosion prevention and protection measures, and safety engineering. We have worked with many clients with regard to these issues and other issues that were identified as a result of OSHA inspections, including informal OSHA conferencing with respect to citations that have been written as a result of inspections. We can assist you in resolving issues and in the citation-abatement process.
About the author
David E. Kaelin, Sr., B.S.Ch.E., has over 25 years' experience in the specialty chemical manufacturing industry and 15 years specialising as a Process Safety Engineer. He has participated in the design and construction of numerous chemical processing facilities and provided support and training in all areas of PSM. As a Process Safety Engineer he has led process hazard analysis, risk assessments and facility siting reviews. At the corporate level he has created and taught courses in PSM and hazard recognition methods.
Kaelin is an expert in the application of hazard recognition techniques including HAZOP, FMEA, What-If, Fault Tree Analysis, Risk Screening and Checklist. He is an active member of AIChE and NFPA.