I’ll bet there have been times when you heard about some big explosion at a refinery or chemical plant or whatever, and you wondered what the cause was. Or you’ve heard some TV announcer say something like, “Investigators at the scene are trying to determine the cause…” But have you ever considered the possibility that it might have resulted from a chain of events, not just one, and that if even one of those events had not occurred, the explosion would not have happened?
Well, I have. I learned a long time ago that explosions sometimes happen exactly like that. The ones I’m going to tell you about occurred several years ago. A refinery slop oil tank blew up, releasing boiling hydrocarbon liquid and volatile gases. They formed a huge explosive cloud that exploded several minutes later
Refineries have slop oil from spills, off-test products and whatnot. It is captured in the wastewater treatment unit by a separator that operates on the simple principle that oil floats on water. The oil is decanted off from the separator and heated to 250-300 degrees Fahrenheit to lower its viscosity, making it easier to pump. They pump it to a slop oil tank, and from there they feed it back into the refining process.
You might be wondering why a slop oil tank would blow up. I mean, it’s an uncommon thing to happen. You might be wondering why boiling liquid was involved. You might even begin to suspect that something other than slop oil was in the tank. You would be right. It turns out that the refinery was using the slop oil tanks temporarily to store highly volatile hydrocarbon liquids produced by the cat cracker.
The catalytic cracking unit is a major processing plant in an oil refinery. It is commonly referred to as the cat cracker, or the cat unit. It breaks up long-chain petroleum molecules and converts them into propane, butane, and a variety of intermediate liquid products used to make gasoline, jet fuel, and heating oil.
Propylene and butylene are cat unit products. These compounds are called olefins (which is merely a generic label for organic compounds with one or more double carbon-carbon bonds). Typically, these particular olefins are used as feedstock for the alkylation unit. The “alky” plant, as it is typically called, chemically combines the olefins with butane to make iso-octane, which is a key component of gasoline.
The alky plant at this refinery used hydrofluoric acid as a catalyst. (Some alky plants use sulfuric acid.) For a couple of days prior to the explosions, the acid pump seals kept failing and shutting the plant down. The acid was disintegrating the pump seals and spewing out all over the place.
Now think about what’s going on here – the pump seals fail, and the plant shuts down. They replace the seals with the same type, and start up the plant again. The seals fail again, and the plant shuts down again. They replace the seals again with the same type, and start up the plant again. And they do this repeatedly, apparently expecting different results each time they do it. Duh?
Well, surprise -- it later turned out that the seals were no good for acid service. Someone purchased the wrong type. This could have been a purchasing error. Or it could have been that these seals were cheaper than the right kind. Anyway, this was the first event in the chain. The second was when the people installing the seals did not catch the error.
With the alky plant out of commission, there was no place to put the cat unit olefins. The refinery manager was not about to shut down the cat unit. Instead, he decided to put the olefins into railroad tank cars. This worked out kind of okay until he ran out of tank cars. Then he decided to pump out the slop oil tanks, and put the olefins there for the time being. He also had a written order entered into the wastewater treatment plant manager’s log, saying not to pump any slop oil to the slop oil tanks until further notice.
Now, slop oil tanks are vented to the atmosphere. At atmospheric pressure, propylene and butylene boil at temperatures well below zero degrees Fahrenheit. Consequently, the olefins in the slop oil tanks were boiling, and the vapors were being vented. Moisture in the air froze on the outer surface of the tanks below the liquid level. Ice coated the exterior surface of the tank from the ground to the liquid level.
Meanwhile, down at the wastewater treatment plant, things were getting dicey. Slop oil piling up in the separator would soon start overflowing into the river. The plant manager wasn’t about to get fired for letting that happen and getting hit with huge cleanup costs and EPA fines for killing the fish, not to mention for losing product. So, he ordered one of his men to drive over to the tank farm and look at the ice on the slop oil tanks to see if there was any space left in either of them (there were two slop oil tanks).
Take note here, that the wastewater treatment plant manager has no clue as to what might happen if he pumps 250-300 degree slop oil in with the olefins. He knows the ice forms on the tank because the olefins in it are boiling, but he doesn’t equate that knowledge with anything other than how full the tanks are. He’s thinking only in terms of how much room there might be left in the tanks.
Anyway, when the wastewater treatment man got to the slop oil tanks, he radioed back to his plant manager that there was about four feet of room still left in the top of one of them. So, the wastewater treatment plant manager – with complete disregard for the refinery manager’s written order – started pumping the hot slop oil to the slop oil tanks at about 200 gallons per minute.
Now, any given volume of propylene expands approximately 300 times when it boils into gas at atmospheric pressure, and butylene expands about 200 times. When the hot slop oil reached the tank, it quickly vaporized huge amounts of the olefins. The tank vents were woefully undersized to accommodate the enormous volume of gas suddenly being created inside the tank. The vents were designed to handle normal tank “breathing,” not something like this. The resulting sudden overpressure blew the roof off, releasing an enormous volume of boiling hydrocarbon liquid and volatile gases.
You probably know that the range of concentrations of hydrocarbon gases in air that form an explosive mixture is typically fairly narrow. For example, gasoline vapor will not ignite unless there is at least about 1.4% gasoline vapor in air. On the high end, gasoline vapor will not ignite if there is more than about 7.6% gasoline vapor in air. So, the “explosive envelope” for gasoline is about 1.4-7.6% in air. Corresponding values for propylene are 2.0% and 11.1%.
Thus, for the gas to be explosive, it must be diluted tenfold or more with air. To put this into perspective, suppose that one cubic foot of liquid propylene forms 300 cubic feet of propylene gas. This is diluted with air to form between 2,700 and 15,000 cubic feet of explosive gas-air mixture, depending on the dilution factor (300/0.111 = 2,727, and 300/0.02 = 15.000).
So, the olefin vapor cloud floated out over the refinery, with air diluting it as it went. By the time the cloud contained enough air to make it explosive, it was enormous, and it was searching for a competent source of ignition. It found it about 300 yards away, where three men were working with welding equipment, and a tremendous explosion occurred.
All four men died -- the wastewater treatment man at the slop oil tank and the three men in the welding crew. Several million dollars worth of refinery equipment was destroyed.
These explosions clearly illustrate what I said in the first place; namely, that explosions may result from a chain of events instead of just one. Neither one of these explosions would have occurred if any one of the following things had not:
• The purchase of alky plant pump seals that were not appropriate for acid service;
• The failure to catch the error when the seals were first installed;
• Repeatedly installing the same type seals while expecting different results;
• The decision to store olefins in the slop oil tanks; and,
• The decision to disregard a special written order and pump hot slop oil into the tanks while they contained olefins.
Monday, March 1, 2010
Subscribe to:
Post Comments (Atom)
7 comments:
Fascinating. One reader might say unfettered profit motive caused the error. Another might say fear of retribution caused the error. Another (like me) might say that this is the same old story of Environmental always taking precedence over Health and Safety in the EHS pyramid. They'd all be wrong and right at the same time, but each requires a "moral" point of view rather than a systems point of view.
But, it's nifty how nicely these failures match up with these four tools for accident avoidance.
1. Technology - The purchase of alky plant pump seals that were not appropriate for acid service;
2. Proficiency - The failure to catch the error when the seals were first installed; and Repeatedly installing the same type seals while expecting different results;
3. Standard Operating Procedures - The decision to store olefins in the slop oil tanks; and, the decision to disregard a special written order, and
4. Judgement - pump hot slop oil into the tanks while they contained olefins.
All four of these tools had to fail to go bang. This web page summarizes the four tools in a novel way: http://shivafactor.com/
So how do you respond to those who say "safety is just common sense"? IMO - how could any process this involved, with so many confounding variables happening in real time, come down to common sense?
When Greed, Ignorance, Fear, and Insubordination come together, disaster often follows.
The same thing happens in the IT field. For instance, we lost the entire company's knowledgebase this way one year. This is a database where all the company's stored knowledge was located; stuff we had learned, the locations of certain elements, circuit IDs, customer site idiosyncrasies, and so on. It was a database with a web server front end. The line of failure went this way:
1. The KB was originally on a machine we'll call SRV1. The KB became very popular as the company grew, but it was maintained by only one man.
2. When the KB got too big for the machine, the "owner" decided to put the database part on a faster machine. He didn't get a new machine, because the guy in charge of that was cheap. So he found an older machine just off lease and used that. That older machine he called KBDB1, but it was still labeled something else on the front, we'll say PROJ-FU2, because it used to be part of Project Fu. SRV1 still served the web pages, but it got its data from KBDB1.
3. The owner did not record this, because he was tired of the guy in charge of machines being stingy and not getting back to him for requests. He was afraid this guy would have a hissy fit that he "stole" PROJ-FU2, even though it was in a disused junk pile.
4. Years went by, and the KB ran just great. Eventually, the guy in charge of backups (me) asked, "are we backing this up?" The policy stated that SRV1 was being backed up. I felt that the backup size was rather low, but I was told that the database back end was taken care of by the new guy who took over the project from the first owner. What nobody told me was that KBDB1 was a different machine, not a part of a larger company database pool. It was a "rogue server."
5. Eventually, a new project was formed, and the software engineering group needed some "older servers" to use for a prototype. The guy in charge of servers, again, was being stingy and didn't want to buy newer hardware.
6. In the meeting, they were told to use any server labeled PROJ-FU[x] as that project was now years old and the servers on the floor of the lab were not needed for anything.
7. In the meeting, one person noted, PROJ-FU2 was in a lab rack and powered on. Was this being used for anything? The guy in charge of the KB was sick that day, so he wasn't there to say, "Oh, it's the database back end for the KB." When he came back, he was asked if "the database was being backed up." I was in charge of backups, so he asked me, and I said yes, because I thought he was speaking of the master database anyway.
8. A few months went by before the new "Project Bar" started. Software engineering had been told, "take any server named PROJ-FU[x] on the front," so they told this to the other admin in my group. So he took PROJ-FU2 down.
9. A few hours later, someone mentioned the KB was timing out. But we had been having network issues in the lab, so for hours it was assumed this was related. Meanwhile, the other admin reformatted the server and build a new(er) system with it. He ripped off the PROJ-FU2 label, and put PROJ-BAR1 on the front.
10. Eventually, when the network team said the lab network was fine, the guy who owned the KB found out that the database connection was down. Quickly, he found the database server was physically missing. This was odd, because this was a locked down lab. So they went through the security tapes, and saw the other admin take it out.
11. The other admin was caught with the server, but he had already reloaded a new operating system and was installing Project Bar software.
In the end, to restore the database, we had to send the server to a special company that retrieves data from hard drives. Luckily, they were able to get most of the database restored from a dump also on that drive. But it cost the company $6000 for the service.
Thinking of the chain reaction of events that lead to disasters like these is frightening, isn't it? Just making the wrong choice is already a grave error; making a couple more of them is definitely a reason for an accident. On the topic of oil tanks, they should be handled properly whether they're for commercial or residential use. You never know when one single misstep can lead to an unfortunate accident.
Core Environmental Services, LLC
Thanks fro sharing
Nice articles and your information valuable and good articles thank for the sharing information slop oil uses
Nice articles and your information valuable and good articles thank for the sharing information slop oil
Post a Comment