This Month’s Puzzler
Our refinery suffered an incident that nearly led to a fire. It occurred after the board operator started the isobutanes pump on an alkylation unit surge tank (see Figure 1). The pressure safety valve popped, the flow switch in the vent tripped and so did the unit interlock on the high-high level switch.
This happened while a field operator was busy walking down one of the alkylation towers looking for leaks. That operator remembers the light on the pump station being off and assumed the low-level switch stopped the pump.
I work in a different part of the refinery and have been assigned to investigate the incident. I found the hand-operated actuator set to “off” instead of “hand” as the field operator was instructed. The display in the control room is supposed to show the pump in gray when it’s in off or hand mode to indicate that the board operator isn’t in control of the pump; the board operator doesn’t recall it being gray.
This problem involves a larger issue, though. Both the board and field operator don’t trust the automatic controls: the dP level transmitter always reads high. The board operator has compiled rough records of level based on flow meters that indicate a disparity. During the last turnaround, two years ago, the operator complained that he and the instrument technician thought the dP’s dry leg (upper) element was in the wrong place. Nothing was done then — our refinery was bought by an investment bank four years ago and maintenance has gone downhill — and the tech doesn’t work at the site anymore.
So, the board operator relies on alarms from the high and low level switches — and gets the field operator to manually shut off the pump in the case of a low-limit-level warning.
Both operators had complained to their new supervisor about the problem and were told it would be addressed during a turnaround in six weeks.
Now, rumor has it the superintendent is blaming the field operator for not being more careful.
I don’t want to rub the superintendent the wrong way; he’s politically powerful. How should I approach this problem? What do you think was the root cause of this incident?
Consider Several Potential Culprits
For the pressure safety valve (PSV) to trip, the design pressure of the vessel was exceeded, which can come from upstream valve failure at high pressure, downstream blockage assuming the pump was working, over-filling or rate of inflow not equal to outflow. I think the setting is 5 psi or 5% — whichever is higher — between the high-high pressure switch (PSHH) value and the PSV set point.
The PSHH/safety instrumented system/interlock system should have tripped the inlet emergency shutdown/shutdown valve or the high level switch (LSH) to start the pump before flow gets to a dangerous level. For both to fail at the same time raises credibility issues about the control configuration wiring and the programmable logic controller (PLC) programming.
Also, given the pump was found to be “off,” it is possible that an LSH switch/relay conveyed a message to the pump but, because it was not available, the buildup went on to pop the PSV.
A comparison between the level gauge and level transmitter (LT) would show if there are real discrepancies and if a false signal can misinform the pump. However, it is not likely in this case as the pump was reported to be in the off position. Retrain the operators and develop a standard operating procedure to forestall such occurrence in the future.
Dennis Omenka, process engineer
Petrogas Systems Engineering Ltd.,
Lagos, Nigeria
Diffuse Responsibility
Although saving your career should be secondary, it may be possible to do a competent, fair investigation without impaling yourself. The superintendent sounds scary but it may be that his power doesn’t extend to corporate engineering. You have to know who your friends are and who his are. By friends, I mean ones that can keep your confidences.
Your first strategic move is to get an outside team. That’s what corporate staffs are about. If possible, try to demote yourself to technical expert rather than facilitator of the team. If you’re stuck in the facilitator role, it’s imperative the team be as far away as possible from the superintendent’s influence. You don’t want spies on the team. I once got burned by a vindictive superintendent who was good friends with my boss. I couldn’t divert his wrath because I was the only one investigating the problem. Sacrificing an engineer for politics is poor corporate management but unfortunately happens.
First things first: get the unit up again. The steps are: 1) inspect the pump; 2) replace the PSV — usually it’s mandatory; 3) pull the LT — wet leg, dry leg — inspect the impulse lines for plugging, freezing, leaks, etc.; 4) pull the level switch that works with the distributed control system (DCS) — if you can; 5) test the pump logic and check the wiring — especially the DCS/PLC and hand-off-automatic (HOA) controls; 6) inspect the heat tracing on the vent; 7) check the DCS faceplate for the pump; and lastly 8) inspect the piping, relief nozzle and header, and vessel.
Schedule a drum inspection during the turnaround. Keep good records and take lots and lots of photos. Ensure all team members appear as co-authors of the report on the findings; this will help diffuse responsibility. The superintendent can’t declare war on everyone!
Document as you go is the best policy with photos: keep the originals untouched but add notes to lower-resolution pictures you can easily share via email. Add orientation pictures showing the tank and pumps and surroundings. Document as though you’re communicating with outsiders.
Next, divide the investigation into instrumentation and human error. I am assuming the vessel and other equipment check out. I speculate that the dry leg of the LT is plugged: this explains the high reading and also could be affecting the level switch. Try installing a purge and calibrate the transmitter to account for any pressure drop in the mesh pad. You might move the dry leg during the turnaround. Then, check the motor wiring. Perhaps the relay that clicks the pump starter on has failed. It’s probably best to test the spare pump by running it while the pump involved in the incident, its seals, motor, starter and controls are inspected and tested.
Finally, make sure the lights work in the pump station. This could be a serious problem.
As for human error, I think it lies with the company managers. If the operators ran the unit as required by procedures, then they can’t reasonably be faulted. With this said, the issue of the HOA occurs more often than we’d like — as does the obvious lack of communication and failure of attention span between operators.
Finding the HOA switch set at off intrigues me.
“Off” means the motor is isolated. “Hand” means the pump is operated manually by the field operator, who can select on or off from the pump control box. “Auto” means the pump is controlled exclusively by the board operator in the control room. Operators are taught to leave things alone unless they’re going to watch them: I doubt the field operator switched the HOA. It’s also possible that someone after the incident could have monkeyed with the HOA. Another cause of the accident could have been the board operator forgetting to turn the pump on.
Another concern is the pressure switches. Unless the tank pressure is stable, and it’s generally not with hydrocarbons, the switches will be unrealiable.
Now, let’s move on the unspoken problem: the vent. Why would a PSV open with a vented tank? I did a calculation some years ago on an alkylation drum; it showed that all was well as long as the wet gas in the tank did not condense. A calculation of condensate formed indicated the tank would quickly over-pressure because the vent was half-filled with liquid. My recommendation at the time was for heat tracing monitoring. This also could affect the PSV performance if condensate could build up in the inlet.
Dirk Willard, consultant
Wooster, Ohio
March’s Puzzler
We’re trying to complete our functional acceptance test for a centrifuge for recovering solids after pharmaceutical fermentation. In our process, fermentation mash goes through a bead mill, then to disc centrifuges, a steam sterilizer, and a spray dryer. We’ve run into a few glitches: 1) initially, the motor on the variable-frequency-drive control trips out within a few seconds; 2) batches seem to run for a shorter period than desired before we have to switch to another centrifuge; 3) we seem to see carry-over into our spray dryer; and 4) we have trouble meeting our riboflavin testing. I went back to the scale-up design report that was used by an engineering contractor to design and build our fermentation process. It shows that a tubular bowl centrifuge was used to develop data — but we went with a disc, split-bowl centrifuge for the full-scale operation. How much of an issue is this? Is there a workaround to allow us to get the desired performance from our centrifuge?
Send us your comments, suggestions or solutions for this question by February 10, 2017. We’ll include as many of them as possible in the March 2017 issue and all on ChemicalProcessing.com. Send visuals — a sketch is fine. E-mail us at [email protected] or mail to Process Puzzler, Chemical Processing, 1501 E. Woodfield Rd., Suite 400N, Schaumburg, IL 60173. Fax: (630) 467-1120. Please include your name, title, location and company affiliation in the response.
And, of course, if you have a process problem you’d like to pose to our readers, send it along and we’ll be pleased to consider it for publication.
