October 2018

Special Focus: Plant Safety and Environment

Building blocks of process safety

Dutta, H., Nayara Energy Ltd.

Major incidents continue to strike the oil and gas industry at regular intervals. Closer examinations and analyses of these incidents show that the root causes of many are alike and follow a pattern. Learnings from each of the major incidents have been circulated, documented and shared, yet failures of a similar nature continue to happen.

Process safety failures are rare, but their consequences are severe. The Bhopal Gas tragedy, Piper Alpha disaster, Deepwater Horizon, Buncefield terminal fire, Jaipur terminal fire, etc., are some of the tragic reminders of catastrophic process safety failures. Customers, stakeholders and society are impacted by consequences that include loss of property, loss of life and damage to the environment and to the reputation of the organization. One of the biggest setbacks of any major process safety incident is the demoralization of the workforce. It is paramount to learn from such incidents and take steps to avoid recurrence.

Causes of industrial accidents

Analyses of major global incidents indicate that accidents occur due to:

  • A focus on a zero lost time incident rate (LTIR) regime, but not on process safety
  • Normalization of risk, or the belief that major incidents will not occur
  • Reliance on lagging indicators
  • A production-first syndrome
  • Disregard for systems and procedures
  • Inadequate risk control (e.g., dysfunctional barriers)
  • Ignoring warning signals
  • Faulty work practices and ethics
  • Lessons unlearned.

Much of the industry remains preoccupied with how many accident-free labor hours of operation are achieved, focusing on a zero-LTIR regime and lagging indicators rather than analyzing leading indicators. Research shows that most organizations devote 80% of their time to reactive management (maintaining and updating the hazard register, accident reporting, etc.) and only 20% to proactive issues, such as work methods, safe work practices, etc.

The false belief that an accident will not happen leads to complacency, which is one of the prime causes of major incidents.

Warning signals are often ignored, and operations continue beyond the safe operating envelope or with dysfunctional protection barriers. Signals must be heeded, and competencies must be in place to catch and process those warning signals. Only those with adequate knowledge and expertise can ascertain the “noises” emanating from the plant.

The irresistible urge to achieve targets is another area that causes accidents. A “penny-wise, pound-foolish” mentality can be demonstrated, and sometimes little attention is paid to maintaining system discipline and respecting standard operating procedures (SOPs). In India, almost 80% of incidents take place due to a disregard for SOPs, violations of work permits and poor supervision.

The Swiss cheese model dictates that an accident takes place when holes in protection barriers become aligned; in other words, accidents happen due to several violations. However, some predominant reasons for accidents remain. This article illustrates some live cases where accidents took place due to:

  1. A production-first focus
  2. Ignoring warning signals
  3. Poor work ethics
  4. Complacency.

Production-first focus

Overt concern for production and achieving higher-than-designed throughput can be called “penny-wise, pound-foolish.” To achieve higher crude oil processing rates in primary crude oil distillation units, process heaters are subjected to hard firing. This results in the skin temperature of the heater tubes overshooting the safe operating limits. Continuing operations under such extreme conditions can ultimately result in furnace tube failure and accidents.

FIG. 1. Fire in the gasoil draw-off line from the crude distillation unit at the Richmond refinery in California.

The fire in the gasoil draw-off line (FIG. 1) from the crude distillation unit at the Richmond refinery in California was caused primarily by the impatience to resume production post unit shutdown. During the maintenance shutdown, the inspection department observed considerable thinning of the gasoil draw-off line, necessitating line replacement. However, the replacement of the line would delay the startup and result in subsequent production loss. The decision was made to resume production.

The gasoil leak was noted in the insulated gasoil draw-off line; gasoil is drawn off from the column at approximately 300°C (572°F). The maintenance crew wanted a close look at the exact location of the leak. While they were removing the aluminium-cladded insulation with a metallic hook, the fire was sparked by friction. Smoke emanating from the incident surrounded the entire refinery and neighborhood. Luckily, there were no fatalities, but 1,500 residents in the local area did undergo hospital treatment (eye irritation caused by emanating smoke, etc.). The unit remained shut down for a considerable amount of time. After the incident, it was found that a 70% metal loss in the gasoil draw-off line was due to sulfonic acid corrosion.

The unit was designed to process low-sulfur crude but subsequently changed over to processing high-sulfur crude to improve gross refining margins (GRM). The original specification of the piping material for the gasoil draw-off line was carbon steel. High-sulfur crude processing required changing the pipe material from carbon steel to a higher metallurgy alloy steel, which was not done. The leak in the gasoil draw-off line is attributed to a phenomenon known as sulfonation corrosion (i.e., sulfur corrosion at high temperature in carbon steel piping). It is worth mentioning that the inspection reported considerable thinning of the carbon steel pipeline. However, the most compelling reason for the failure was the impatience to resume production. Safety must not be subservient to achieving targets, but do incentive schemes encourage production at the cost of safety?

FIG. 2. The fire at the Jaipur oil terminal.

Ignoring warning signals

The multiple-fatality incident at the Jaipur Marketing Terminal in India occurred while fuel was being transferred via a 12-in.-diameter pipe from the Jaipur terminal to the terminal of another company (FIG. 2). Fuel from the finished product tank was planned for transfer from the depot. The positive isolation valve on the 12-in.-diameter transfer line required the hammer blind to be reversed for this operation. However, the motor-operated valve (MOV) on the transfer line upstream of the hammer blind was in the “open” condition, while the hammer blind was reversed. The operator was unaware that the MOV was open, as standard practice dictates that the MOV remain closed until the hammer blind is reversed. This resulted in a significant fuel spill in the tank farm area. Inhalation of the fuel vapors left the operator immobile. A nearby operator noticed this and informed the control room. This operator tried to assist the operator inside the tank dyke, but also became incapacitated after inhaling the fuel vapors.

A provision existed to close the MOV from the control room, but the instrument cable to the MOV had been cut/impaired for some time; this fact was known but ignored. As a result, control room personnel could not close the MOV and the fuel spill continued in the tank dyke. Fuel vapor soon engulfed the terminal and picked up a source of ignition nearby. A huge vapor cloud explosion took place, resulting in destruction of the facility, multiple fatalities and huge financial loss.

The incident occurred due to multiple factors, including:

  • Faulty operation
  • Disregard for SOPs
  • Use of obsolete equipment: the hammer blind bonnet has a large surface area and has since been replaced with double-block-and-bleed valves
  • Impaired instrument cable.

Continuing fuel transfer operations with impaired safety instrumentation (i.e., ignoring the fact that the cable was cut) was the prime cause of this disaster. A healthy cable would have allowed the control room personnel to close the MOV, considerably reducing the damages and loss of life.

Poor work ethic

An incident in the high-pressure pipeline carrying natural gas at Tatipaka near Andhra Pradesh in India caused multiple fatalities and production loss. Natural gas from the wellhead station is delivered via a gas pipeline at a pressure of 50 bar to power plants, fertilizers and other industries. The natural gas from the well also contained traces of water and carbon dioxide (CO2). The wet natural gas flowing through the long-distance pipeline caused internal corrosion in the pipeline at the lowest elevation. The internal corrosion in the line was ascribed to weak carbonic acid corrosion. The natural gas containing traces of CO2 and moisture formed low-pH carbonic acid. Improper pigging of the gas pipeline caused the accumulation of carbonic acid in the lowest point of the gas pipeline.

FIG. 3. The explosion in a natural gas pipeline at Tatipaka, India was caused by leaks due to corrosion and subpar repair techniques.

The corrosion resulted in a leak in the natural gas pipeline. Each time a leak was detected, clamping (tightening with a metallic collar around the leaky area of the pipeline to arrest leakage) was used. When a more significant leak occurred, the natural gas vapor spread to the surrounding area and was ignited by a local tea shop. An explosion, followed by a massive fire, engulfed the entire area, resulting in multiple fatalities and loss of production (FIG. 3).

The primary cause of this major incident was attributed to the repeated clamping (an ad hoc measure to stop leakage) of the high-pressure natural gas line, as well as:

  • Failure to install a dryer before the natural gas was fed to the pipeline, as conceived in design
  • Improper pigging of the pipelines
  • Not analyzing the pig residue
  • Failure to close the remote-operated sectionalizing valves.

Analysis of pig residue would have clearly indicated the presence of iron, indicating corrosion in the line. While an intelligent pigging survey (IPS) study was conducted, the study was not properly reviewed. The IPS report indicated substantial thinning of the pipeline that necessitated the replacement of the corroded portion of the pipe section.

Why was a frequently leaking, high-pressure gas pipeline subjected to such poor repair and maintenance practices? The organization should have replaced the corroded portion of the pipeline and installed a gas dryer to ensure uninterrupted operation. A poor work ethic in any organization can prove disastrous.

Complacency

The primary enemy of smooth and reliable operation is complacency. An organization with good safety performance records must realize that yesterday’s good performance does not guarantee tomorrow’s safe operations. Organizational leaders must remain vigilant against signs of complacency that creep into the organization and take timely action to safeguard against them.

Seeking lagging indicators at the cost of disregarding leading indicators results in process safety failures. The drive to achieve a million labor hours of accident-free operation, a lagging indicator, is admirable. However, organizations should not be content with that achievement as a milestone.

FIG. 4. The uncontrolled release of methyl mercaptan at a pesticide plant in La Porte, Texas resulted in four fatalities.

The fatal incident at a pesticide plant in La Porte, Texas (FIG. 4) suggests complacency as one of the prime reasons for the safety breach. The uncontrolled release of methyl mercaptan in the plant resulted in four fatalities. While starting up the plant, it was observed that the feed line to the reactor was choked due to the formation of methyl hydrate (methyl mercaptan and water). As per SOP, the operator began spraying hot water on the line to de-choke the hydrate. However, since the de-choking process is time consuming, the operator continued to spray hot water and left the work station, leaving the drain valves on the mercaptan line open to the sewer. By the time the operator returned to the plant, the choked line was completely free of hydrate and a significant amount of mercaptan had escaped through the open drain valve in the building. The operator inhaled the toxic mercaptan and fell unconscious. Subsequently, two more workers and a supervisor who tried to rescue the unconscious worker also met with the same fate.

None of the workers, nor the supervisor, were wearing breathing apparatus. An investigation of the incident also revealed that the exhaust system in the building had not been in working condition for several weeks. Among others, the root causes of the incident were the failure of personnel to wear proper breathing apparatus while working in a toxic environment, and the non-functional exhaust system in the building. Even the gas detection alarm limit was set above the permissible limit for workers.

Past facility safety performance records were excellent, leading the organization to become complacent. The simple step of having onsite personnel wear personal protective equipment (PPE) may have prevented the fatalities, but this was not done. Failure to attend to or repair non-functional exhaust fans is yet another example of the complacency that ultimately led to the safety breach. When it comes to safety, leaders with a sense of constant vigilance are needed.

Moving forward

The highly flammable and complex operations of the oil and gas industry demand that even weak or intermittent signals are processed and analyzed to ensure smooth, safe and reliable operation. These principles are what separate a highly-reliable organization from an ordinary one. A strong response to weak signals is the key, and any abnormal situation must receive the highest-priority attention and action. Plant equipment and machinery do not break down without making noises. Is attention paid to such noises? Are appropriate steps taken to analyze and correct such breakdowns, or do those noises and equipment abnormalities become the new “normal?”

Leaders in any organization must remain vigilant against complacency that might creep into their organization. Human errors are inevitable; blaming an individual for an error does as much good as suppressing systemic deficiencies. Even minor errors are due to failures in the systems. Root cause analysis and prevention go hand in hand. Leaders must lack any sense of complacency.

Processes and practices are driven by people. Leadership must ask the following questions: Are employees motivated? Are their voices heard? Are they engaged in the decision-making process? Are they inspired to work together as a team, or are they allowed to work in silos? Are dissenting views valued when discussing potential improvements? Every facility’s safety culture can be improved, and leadership’s role in this is paramount.
