the longford gas plant explosion
TRANSCRIPT
exida ®The Longford Gas Plant Explosion; Could Alarm Management Have Prevented this Accident?
By Edward M. Marszal, Principal Engineer, Exida
Introduction The purpose of a well designed alarm system is to inform a plant operator that a situation has occurred which needs his attention, with sufficient time to allow him to perform corrective action. The advent of computer-based control systems -which allow a virtually infinite number of alarms to be presented to operators at very little incremental cost per alarm - has (in some cases) actually made operator response more difficult than older systems with hard-wired annunciators. The problems generated by the unmanageably large amount of unnecessary and redundant alarms lead operators to develop their own rules to deal with these “alarm floods”, in some cases ignoring alarms that they perceive to be unnecessary. Unfortunately, ignoring some of these alarms might result in severe consequences.
In the case of the Longford gas plant, experts concluded that some alarms were routinely ignored by operators because their activation had not previously resulted in any adverse impact. In addition, some analysts suggest that operators were not aware of the proper response to these alarms, or the ultimate consequence that could occur if the situation that generated the alarm was severe.
In order to ensure that an operator’s job is manageable, it is important to manage a plant’s alarm system so that every alarm is important, prioritized, recognizable, and the proper response to the alarm is documented and included in operator training. These are some of the cornerstones of the Exida Alarm Management Solution™.
The Incident The information presented here is derived from a detailed description of the event contain in the text Lessons from Longford – The Esso Gas Plant Explosion, by Andrew Hopkins (2000: CCH Australia Limited). The reader is encouraged to review this material for numerous insights and lessons learned that are outside the scope of alarm management.
The Longford site processes oil and gas which comes ashore from the Bass Straits. The gas plant in question processed gas by removing water, condensate, and hydrogen sulfide. In addition, the plant removed some condensable liquid by using a refrigerated lean oil absorption process.
1
Figure 1 shows the process components that are relevant to this discussion.
Figure 1 – Longford Lean Oil Absorption Process (Partial)
GP 905 Reboiler
Gas (Post Absorption)
Cold Lean Oil In
Rich Oil Out
Other Processing Equipment
Other Processing Equipment
OtherProcessingEquipment
Hot Lean Oil
Cold Lean Oil
Condensate Out
On the night prior to the incident, there was a larger than usual flow of liquids, including condensate, into the plant. As a result, the level of condensate in the absorber (shown in figure 1) steadily built up. For reasons that are described by Hopkins, the level of condensate was not brought down, and liquids exceeded the level measurement at the bottom of the columns (measurement of greater than 100%). Eventually, the condensate level become so high that it started flowing into the rich oil draw tray, and out with the rich oil stream. This caused the rich oil stream to become much colder than usual.
2
Two of the heat exchangers processing the rich oil became extremely cold, as evidenced by a frost occurring on the outside of the exchanger and pipework. Eventually, operators were able to restart pumps feeding hot oil to these exchangers. Because the exchangers had been subject to temperatures below their Ductile-Brittle Transition Temperature (DBTT), this resulted in fracturing and catastrophic failure of one of the heat exchangers. The rapid and sudden rise and temperature produced stresses that exceeded the vessel’s degraded mechanical integrity limits.
While there are a large number of factors that contributed to this accident, Hopkins concludes that one key item is that the high level alarm on the condensate level in the absorber was essentially ignored by operations. In fact, evidence suggested that this was not the first time that this alarm was present for very long periods of time with no action being taken that brought the absorber level back down below the alarm limit. In the terminology of alarm management this is a standing alarm, which is an indicator that either an alarm is unnecessary or a design problem exists that prevents the equipment from being used effectively in the current operating environment.
Alarm System Problems As discussed previously, modern alarm systems have great capabilities. Unfortunately, poor design practices have resulted in a large number of unnecessary alarms that make a process plant very difficult to manage during a major process upset. Some of the problems that Exida has identified in alarm systems include.
• Alarm Floods
• Nuisance Alarms
• Chattering Alarms
• Standing Alarms
• Correlated Alarms
• Disabled Alarms
All of these issues can be identified and corrected by employing a sound alarm management system that begins by prioritizing each alarm in order to establish how it will be used, including the proper operator response, and then progresses to statistical analysis of actual performance on a regular basis to determine if there are any additional alarm issues. This analysis will yield opportunities to improve operability and safety of the plant by eliminating the issues shown above and improving operator performance.
3
In the case of Longford, a statistical analysis of alarm activation might have detected standing alarms. Each of these standing alarms could then have been explored by engineers who are very familiar with the process and its hazards. Exida’s Alarm Management Solution™ provides a framework to analyze alarm issues; including standing alarms where the ultimate consequence could be hazardous. In the case of Longford, the ultimate consequence of overfilling the absorber bottoms was dangerously cold temperatures in downstream equipment. Exida’s Alarm Management Solution™ allows engineers to develop action plans that improve the operability of the plant so that routine alarms do not occur, and when they occur they are dealt with appropriately.
Conclusion Alarm systems can be a very effective means of safeguarding a process against unwanted accidents and also a tool for improving plant efficiency. Unfortunately, the ease with which large numbers of alarms can be generated in modern control systems has lead to large and unmanageable floods of alarms of questionable importance. Analysis of alarm system operation, when done properly can identify problems in both alarm system design and process design. These design problems can then be addressed by a plants continual improvement process to lead to a safer and more efficient plant.
4
How Exida Can Help Exida can help prevent both catastrophic incidents, like the one described here, and the large amount of frequent and small upsets that routinely occur in process
plants by implementing our Alarm Management Solution™. This set of services follows our Alarm Management Lifecycle™, which is shown here.
Start
Procedure for Alarm Prioritization
Conduct Alarm Prioritization
DCS Configuration Changes
Update Operating Procedures
Update Training
Yes Major Modification?
Periodic Compilation of Alarm Data
Alarm Data Analysis
New Alarm issues
identified?
Alarm FloodsNuisance AlarmsChattering AlarmsStanding Alarms
Correlated AlarmsDisabled Alarms
NoStop
No
Yes
Start
Procedure for Alarm Prioritization
Conduct Alarm Prioritization
DCS Configuration Changes
Update Operating Procedures
Update Training
Yes Major Modification?
Periodic Compilation of Alarm Data
Alarm Data Analysis
New Alarm issues
identified?
Alarm FloodsNuisance AlarmsChattering AlarmsStanding Alarms
Correlated AlarmsDisabled Alarms
NoStop
No
Yes
This process includes development of site specific procedures for alarm prioritization. Decisions that need to be made are whether or not an alarm should be implemented, its priority, its set point, and what actions the operator should take to confirm the alarm condition and bring the process back to a safe state.
After initial prioritization, periodic review of the system to identify opportunities for improvement can be undertaken. Using statistical tools to review the alarm system’s actual performance and compare it to site metrics for good performance, Exida can identify areas where both the alarm system and the process equipment can be improved to make the plant safer and more operable.
5
6
References: Hopkins, Andrew (2000), Lessons from Longford – The Esso Gas Plant
Explosion, (CCH Australia Limited: Sydney, NSW, Australia)