In 1999, an electrical failure (without the loss of steam pressure) caused an alumina slurry digestion and flash system to lose power and catastrophically overpressure. The event triggered a boiling liquid expanding vapor explosion (BLEVE) that ruptured a vessel. The BLEVE shockwave and hot caustic liquid released from the vessel injured 29 people. The incident caused tens of millions of dollars in damage.
The plant was designed with multiple layers of protection, but on the day of the accident, several were not working:
- The pressure control system was in manual mode, which allowed the operator to apply additional pressure to the slurry to push it through the system before it solidified.
- The high-pressure interlock was in bypass mode, furthering the operator’s ability to exceed the design pressure.
- The pressure relief valves had been disabled, in response to leakage from previous valve openings.
These layers of protection were not in place because the site had a habit of bypassing and disabling safeguards to maintain production. Personnel rationalized these actions because the process tended to solidify if it was not kept moving (by steam pressure). When the partial power trip occurred, the system pressure increased to a dangerous level because the pressure interlock was bypassed and too many relief valves were disabled.
It is important to operate equipment within its limits at all times — with all safeguards in place. This is so important that CCPS made it one of the 20 elements of its risk-based process safety (RBPS) program.
Did You Know?
- High-pressure shutdown systems and other safety-related protective measures should never be bypassed without following standard operating procedures or using temporary management of change (MOC) systems.
- Relief valves are susceptible to failure and may not reseat completely after they have performed their critical function.
- Closing the block valve under a relief device can significantly increase risk and should only be considered after careful evaluation of all mitigation options. Typical safety system impairment standards require following administrative measures such as tagging, logging, and communicating with facility management.
- Safeguard systems are typically intended to be challenged by a real process demand less than once per year. If a safety system is being activated more often, there may be an issue with the process design.
What Can You Do?
- Understand the major hazards at your plant.
- Know the critical safeguards for these hazards and test that they work properly.
- Report to management if you regularly have to operate with impaired or bypassed critical safeguards.
- Do not place automatic controls in manual mode, bypass interlocks, or disable relief valves.
- During maintenance and repair, use temporary MOC procedures to manage safety systems that must be disabled or impaired for a short time if other options are unavailable. Inform all personnel affected by the changes.
- Consider unreliable controls and safeguards during process hazard analysis (PHA) reviews.Temporary MOCs may be used to manage bypasses for a short time while a component is repaired, as long as other temporary measures are in place to reduce risk.
Safety is built in layers. Make sure they are in place.
©AIChE 2019. All rights reserved. Reproduction for non-commercial, educational purposes is encouraged. However, reproduction for any commercial purpose without express written consent of AIChE is strictly prohibited. Contact us at ccps_beacon@aiche.org or 646-495-1371.
Copyright Permissions
Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.