Systematic Lessons Learned Analysis

Systematic Lessons Learned Analysis

for Oil and gas Plant

Version 3 Issue 1
January 2015
Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis

Systematic Lessons Learned Analysis for Oil and

Gas Plant

ITSA
Prunusvej 39,
3450 Allerød,
Denmark
Issue Date Author Approval Release
V3I1 Jan 2015 JRT
Systematic Lessons Learned Analysis
 Systematic Lessons Learned Analysis

Preface
This report was written because of concerns that many hazop and hazid workshops do not
capture all of the accident types which are known from experience. It covers the need for a
systematic way of utilising accident experience to supplement hazard identification methods
such as Hazop and Hazid.

J.R.Taylor
Abu Dhabi 2012
 Systematic Lessons Learned Analysis

Updating history

Issue Date Affected Change

Initial version Dec 2012 Initial release

V2 2013 Update with more cases for gas

plants

V3 2015 Update with more cases for oil

and gas plants
 Systematic Lessons Learned Analysis

Contents

1. Introduction ........................................................................................................................1
2. Index to Lessons Learned ...................................................................................................2
2.1 Case history index – case history titles .......................................................................2
2.2 Case history index – case history equipment types .....................................................5
2.3 Lessons learned ...........................................................................................................9
2.4 Design lessons learned ..............................................................................................16
2.5 Management of change lessons learned ....................................................................19
3. Case Histories and Lessons Learned ................................................................................21
Systematic Lessons Learned Analysis
 Systematic Lessons Learned Analysis

1. Introduction
One of the largest problems in hazard identification, such as with HAZOP, HAZID or What
If? processes, is to ensure that all significant accident types and threats are covered.
Typically even the best analyses only covers about 98% of the accidents which could occur
(see QRAQ report, ref 1). Some accidents are have such complex causality that it is difficult
to see how they could ever be predicted. Nevertheless, such accidents have occurred and
represent a significant part of process plant risk (see Ch xx).

In these circumstances, a lower objective than absolute completeness may be accepted.

However, a reasonable expectation when we analyse a plant is that the analysis should cover
the accidents which have occurred on the plant, or the accidents on similar plants elsewhere
which have been published.

There are many publications which describe accidents and give lessons learned. A short list
is:

One of the problems with such literature is that the lessons learned books need to be read, and
for practical purposes need to be memorised, in order that the lessons can be incorporated, for
example into a HAZOP report. In practical hazard identification work, it has been found that
even experienced professionals can only recall a fraction of the accidents which have
occurred around the world. Experienced plant operators can usually remember a large
fraction of the accidents which have occurred on their own plants.
 Systematic Lessons Learned Analysis

2. Index to Lessons Learned

2.1 Case history index – case history titles
Case Title
no.
1 UVCE after piping modification
2 Problem of galvanised stairs and platform walkways in fire
3 Layering in a liquefied gas accumulator lead to low temperatures and brittle fracture causing release
and VCE
4 Overfilling of propane storage vessel gave condensation hammer, vessel rupture and vapour cloud
explosion
5 Compressor gasket leak gave flash fire
6 Hammer in a multi product pipeline rupture the line, releasing fuel which flowed into a village and
burned
7 Fire on opening a pipe flange for valve maintenance
8 Blowby when liquid was drained from a separator allowing gas to discharge though te liquid line. The
LP separator ruptured
9 Damage to electrical power cables due to trench excavation
10 Condensate hammer caused a pipe rupture after a steam trap was disabled to allow confined space
entry
11 Inadequate pipe support and inadequate installation and thermal cycling caused pipe rupture and fire
12 Gasket displacement due to thermal cycling causes leak and explosion
13 Flange failure due to rapid heating of reactor, giving a dangerous flange fire.
17 Human factors error led to opening of a naphtha pump while pressurised, and a VCE
18 Procedural drift led to operation of a reactor outside the design envelope and a VCE
19 Premature start up and design errors led to column filling and overflow of naphtha to a vent
20 Freezing in a dead leg caused pipe cracking and a welding rod in a block valve allowed propane to
escape and a jet fire, with domino effects.
21 Crude oil release due to vibration fatigue pipe fracture
22 Chlorine release due to incorrect supply of material
23 Vessel overflow and hammer rupture of flare line
24 Problems in shift handover caused a compressor to be started although maintenance was not
complete and a blind flange was open, giving a large fire and domino effects
25 Methyl isocyanate storage was operated despite the vent scrubber being out of operation. Water
ingress cause a release and massive fatalities
26 An oversight in inspection procedures allowed heavy corrosion at a pipe elbow which led to VCE
27 Buiding operations over a gas pipeline caused cracking. Gas ignited when fire fighters attempted to
uncover the leak.
28 A massive explosion when a vapour plume from a gasoline tank overflow ignited
29 A sour gas blowout occurred during adverse conditions giving many fatalities
30 Confusion of design pressure and operating pressure led to pipe rupture and VCE
31 Sour water tank explosion
32 Pump not properly isolated and drained prior to removal for maintenance resulted in explosion
33 Crude oil tank overflow gave a large explosion and multiple tank fires
34 Fuel leak into boiler fire box witout pilot flame led to explosion
35 Pump weld fracture led to release of propylene and a large explosion with domino effects
36 Slops tank explosion
37 Cavitation damage and holing on a vacuum column inlet
37 Crude oil jet fire due to non replacement of fitting after maintenance
38 Water hose used to ransfer hydrogen between vessels ruptured due to overpressure
Systematic Lessons Learned Analysis

39 Pool fire due to lube oil sight glass damage

40 Sulphur burner blower wing shed leading to sulphur dioxide release
41 Steam condensate hammer pipe rupture due to a condensate collection loop overfilling
42 Knock out drum overflow and compressor shattering
43 Wrong materials used for a nitric acid plant pipe spool
44 Wrong materials used for a crude unit bottoms pump leading to rupture
45 Hot oil pumped to an "empty" tank causes rapid phase transition explosion
46 Third party interference rupture of a high hazard natural gas pipeline
47 Pipeline damage while installing new pipelines
48 Propane leaking from a pump seal ignited by a nearby transformer
75 Natural gas liquids released "to a safe place" travelled 15 km. and then exploded.
76 Floating roof tank was emptied excessively so roof settled on its legs then air was drawn in
under the roof
77 Steam release from pinholes due to entry of hydrogen sulphide into the steam system from a
heat recovery heat exchanger.
78 Vertical two phase flow almost destroys an amine regenerator
79 Verical two phase flow in an oil degassing tank riser caused heavy vibration
80 40 m. drain line with no supports
81 Slug catcher bouncing due to two phase flow slugging
82 Incipient lagging fire on a steam turbine
82 Potential lagging fire on ESD fire protection insulation
84 Very high vibration on reciprocating compressor
85 Jet fire from a fired heater.
86 Steam condensate tank collapse
87 Under insulation corrosion
88 Use of ordinary electrical equipment in classified areas
89 Conduit damage caused fire
90 Fork lift and crane collisions
91 Fork lift truck collisions with a drain valve causes major vapour cloud explosion
92 Pipeline jet fire alongside a major highway
95 Inadequate closure of terminal boxes and junction boxes
96 Hydrogen sulphide corrosion of terminals in cable room
97 Vessel damage due to pipe expansion and locked up pipe guides
98 Pipe shoes fallen off the support
99 Vessel support nearly falling from a foundation sole plate
100 Support not adjusted on pipeline relief line
101 Sand accumulation and dew condensation caused pitting corrosion and sour gas release
102 Dripping dew causes localised corrosion
103 Pipe fatigue due to pump vibration
104 Hand rail failure on a distillation column due to acid smoke
105 Projectiles from an LPG packing station fire.
106 Fire induced tank explosion
107 Boilover in a closed roof tank storing heavy fuel oil
108 Torque loading due to failure of expansion bellows bolts causes pipe rupture
109 Solvent fire spread due to fire fighting
110 Oil release from separators
111 Overvolatge on power supply damages all instruments
112 Earthquake causes subsidence and leak from upstream of ESD
112 Large capacitor in main power supply explodes
113 Erratic and dangerous loss of control for a loading arm due to PLC failure
114 Oxygen instead of nitrogen in purging
115 Nitrogen used as backup for instrument air, operators killed
116 Stress cracking due to hard spot initiation resulting in fire
Systematic Lessons Learned Analysis

117 Heat exchanger cracking due to liquefied gas evaporation while shut down
118 Pump seal leak ignited by a transformer
119 Single pipeline used for loading butane, propane and naphtha caused phase transition
explosion
120 Confined space entry lead to multiple fatalities
120 Welder asphyxiated by argon gas seeping from welding set
121 Steam pipe damages an SCBA set
122 Inadequate ventilation prior to confined space entry
123 Fire at a glycol reboiler due to crack in burner face plate to fire tube.
124 Overflow of ethylen liquid to flare due to unconnected instruments
125 Instrument internal failure
126 Lightning strike on tank causes closed roof tank explosion
127 Flame detector bypassed on boiler followed by an explosion
128 Bypass left over from commissioning resulted in a boiler low level without trip and an
explosion.
129 Tank vent taken to ground level was ignited by welding slag
130 Foreman collapses on tank entry due to hydrogen sulphide, multiple fatalities
132 Overpressuring rupture of a heat exchanger due to reverse blow by
135 Wrong NGL line cut leading to large jet fire
136 Evaporator burst due to brittle cracking this being due to cryogenic nitrogen overflow.
137 Failure of hydraulic tubing causes fatality
138 Valve breakage due to excessive force and resultant water jet causes a fatality
84a High vibration level in a high pressure header
 Systematic Lessons Learned Analysis

2.2 Case history index – case history equipment

types
Equipment Equipment type Title Case
group no.
Blower Sulphur burner blower wing shed leading to sulphur dioxide 40
release
Boiler Fire box Fuel leak into boiler fire box witout pilot flame led to explosion 34
Boiler Flame detector Flame detector bypassed on boiler followed by an explosion 127
Column Distillation Premature start up and design errors led to column filling and 19
column overflow of naphtha to a vent
Column Amine Vertical two phase flow almost destroys an amine regenerator 78
regenerator
column
Column Vacuum column Cavitation damage and holing on a vacuum column inlet 37
Compressor Head gasket Compressor gasket leak gave flash fire 5
Compressor Reciprocating Very high vibration on reciprocating compressor 84
compressor
Confined Confined space entry lead to multiple fatalities 120
space
Confined Welder asphyxiated by argon gas seeping from welding set 120
space
Confined Inadequate ventilation prior to confined space entry 122
space
Confined Foreman collapses on tank entry due to hydrogen sulphide, 130
space multiple fatalities
Cylinders Lpg cylinders Projectiles from an LPG packing station fire. 105
Drain Fire water drain Solvent fire spread due to fire fighting 109
Electrical Cables Use of ordinary electrical equipment in classified areas 88
equipment
Electrical Conduit Conduit damage caused fire 89
equipment
Electrical Junction box Inadequate closure of terminal boxes and junction boxes 95
equipment
Electrical Switches Hydrogen sulphide corrosion of terminals in cable room 96
equipment
Electrical Cable Damage to electical power cables due to tench excavation 9
power
Fired heater Fire box Jet fire form a fired heater. 85
Fired heater Reboiler Fire at a glycol reboiler due to crack in burner face plate to fire 123
tube.
Fork lift Fork lift and crane collisions 90
truck
Gas cylinder Oxygen instead of nitrogen in purging 114
Heat Evaporator Heat exchanger cracking due to liquefied gas evaporation while 117
exchanger shut down
Heat Evaporator Evaporator burst due to brittle cracking this being due to 136
exchanger cryogenic nitrogen overflow.
Heat Gasket Gasket displacement due to thermal cycling causes leak and 12
exchanger explosion
Heat Heat recovery Steam release from pinholes due to entry of hydrogen sulphide 77
exchanger exchanger into the steam system from a heat recovery heat exchanger.
 Systematic Lessons Learned Analysis

Heat Overpressuring rupture of a heat exchanger due to reverse 132

exchanger blow by
Hose Water hose used to ransfer hydrogen between vessels 38
ruptured due to overpressure
Instrumentat Level trip Bypass left over from commissioning resulted in a boiler low 128
ion level without trip and an explosion.
Instrumentat Plc Erratic and dangerous loss of control for a loading arm due to 113
ion PLC failure
Instrumentat Pressure Instrument internal failure 125
ion transmitter
Nitrogen Instrument air Nitrogen used as backup for instrument air, operators killed 115
cylinder backup
Pig receiver Natural gas liquids released "to a safe place" travelled 15 km. 75
and then exploded.
Pipe Bellows UVCE after piping modification 1
Pipeline Crude oil pipeline Pipeline damage while installing new pipelines 47
Pipeline Liquefied gas Wrong NGL line cut leading to large jet fire 135
pipeline
Pipeline Multi product Hammer in a multi product pipeline rupture the line, releasing 6
pipeline fuel which flowd into a village and burned
Pipeline Natural gas Buiding operations over a gas pipeline caused cracking. Gas 27
pipeline ignited when fire fighters attempted to uncover the leak.
Pipeline Natural gas Third party interference rupture of a high hazard natural gas 46
pipeline pipeline
Pipeline Natural gas Pipeline jet fire alongside a major highway 92
pipeline
Pipeline Natural gas Stress cracking due to hard spot initiation resulting in fire 116
pipeline
Piping Bellows Torque loading due to failure of expansion bellows bolts causes 108
pipe rupture
Piping Blind flange Problems in shift handover caused a compressor to be started 24
although maintenance was not complete and a blind flange
was open, giving a large fire and domino effects
Piping Condensate Steam condensate hammer pipe rupture due to a condensate 41
collection loop collection loop overfilling
Piping Drain line 40 m. drain line with no supports 80
Piping Drain line Pipe fatigue due to pump vibration 103
Piping Expansion loop Vessel damage due to pipe expansion and locked up pipe 97
guides
Piping Flange Flange failure due to rapid heating of reactor, giving a 13
dangerous flange fire.
Piping Flare line Fire on opening a pipe flange for valve maintenance 7
Piping Flare line Sand accumulation and dew condensation caused pitting 101
corrosion and sour gas release
Piping Flare line Overflow of ethylen liquid to flare due to unconnected 124
instruments
Piping Gas distribution High vibration level in a high pressure header 84a
manifold
Piping Hydrogen pipe Confusion of design pressure and operating pressure led to 30
pipe rupture and VCE
Piping Injection line An oversight in inspection procedures allowed heavy corrosion 26
at a pipe elbow which led to VCE
Piping Instrument tubing Failure of hydraulic tubing causes fatality 137
 Systematic Lessons Learned Analysis

Piping Loading hose Chlorine release due to incorrect supply of material 22

Piping Manifold Single pipeline used for loading butane, propane and naphtha 119
caused phase transition explosion
Piping Natural gas trunk Dripping dew causes localised corrosion 102
line
Piping Pipe shoes Pipe shoes fallen off the support 98
Piping Pipe support Support not adjusted on pipeline relief line 100
Piping Steam piping Condensate hammer caused a pipe rupture after a steam trap 10
was disabled to allow confined space entry
Piping Tank discharge Earthquake causes subsidence and leak from upstream of ESD 112
nozzle
Piping Tee junction Inadequate pipe support and inadequate installation and 11
thermal cycling caused pipe rupture and fire
Piping Valve loop Freezing in a dead leg caused pipe cracking and a welding rod 20
in a block valve allowed propane to escape and a jet fire, with
domono effects.
Piping Wrong materials used for a nitric acid plant pipe spool 43
Piping Wrong materials used for a crude unit bottoms pump leading 44
to rupture
Piping Drain line Fork lift truck collisions with a drain valve causes major vapour 91
cloud explosion
Piping Drain pipe Crude oil release due to vibration fatigue pipe fracture 21
Piping Lagging Under insulation corrosion 87
Power Capacitor Large capacitor in main power supply explodes 112
supply
Power Instrument power Overvoltge on power supply damages all instruments 111
supply supply
PPE SCBA Steam pipe damages an SCBA set 121
Pump Centrifugal pump Human factors error led to opening of a naphtha pump while 17
pressurised, and a VCE
Pump Centrifugal pump Pump not properly isolated and drained prior to removal for 32
maintenance resulted in explosion
Pump Centrifugal pump Pump weld fracture led to release of propylene and a large 35
explosion with domino effects
Pump Centrifugal pump Pump seal leak ignited by a transformer 118
Pump Centrifugal pump Crude oil jet fire due to non replacement of fitting after 37
maintenance
Pump Centrifugal pump Propane leaking from a pump seal ignited by a nearby 48
transformer
Reactor Continuous Procedural drift led to operation of a reactor outside the design 18
reactor envelope and a VCE
Sight glass Lube oil sight Pool fire due to lube oil sight glass damage 39
glass
Structure Hand rail Hand rail failure on a distillation column due to acid smoke 104
Structure Walkway Problem of galvanised stairs and platform walkways in fire 2
Tank Bfw tank Steam condensate tank collapse 86
Tank Closed roof Lightning strike on tank causes closed roof tank explosion 126
Tank Closed roof tank A massive explosion when a vapour plume from a gasoline tank 28
overflow ignited
Tank Closed roof tank Hot oil pumped to an "empty" tank causes rapid phase 45
transition explosion
Tank Closed roof tank Fire induced tank explosion 106
Tank Closed roof tank Boilover in a closed roof tank storing heavy fuel oil 107
 Systematic Lessons Learned Analysis

Tank Degassing tank Verical two phase flow in an oil degassing tank riser caused 79
heavy vibration
Tank Floating roof tank Crude oil tank overflow gave a large explosion and multiple 33
tank fires
Tank Floating roof tank Floating roof tank was emptied excessively so roof settled on 76
its legs then air was drawn in under the roof
Tank Slops tank Sour water tank explosion 31
Tank Slops tank Slops tank explosion 36
Tank Vent line Tank vent taken to ground level was ignited by welding slag 129
Turbine Steam turbine Incipient lagging fire on a steam turbine 82
Valve ESD valve Potential lagging fire on ESD fire protection insulation 82
Valve Shut off valve Valve breakage due to excessive force and resultant water jet 138
causes a fatality
Vessel Feed drum Layering in a liquefied gas accumulator lead to low 3
temperatures and brittle fracture causing release and VCE
Vessel Feed drum Vessel overflow and hammer rupture of flare line 23
Vessel Knock out drum Knock out drum overflow and compressor shattering 42
Vessel Separator Blowby whn liquid was drained from a separator allowing gas 8
to discharge though te liquid line. The LP separator ruptured
Vessel Separator Oil release from separators 110
Vessel Slug catcher Slug catcher bouncing due to two phase flow slugging 81
Vessel Storage vessel Overfilling of propane storage vessel gave condensation 4
hammer, vessel rupture and vapour cloud explosion
Vessel Storage vessel Methyl isocyanate storage was operated despite the vent 25
scrubber being out of operation. Water ingress cause a release
and massive fatalities
Vessel Vessel support Vessel support nearly falling from a foundation sole plate 99
Well Sour gas well A sour gas blowout occurred during adverse conditions giving 29
many fatalities
 Systematic Lessons Learned Analysis

2.3 Lessons learned

lesson Lesson title case
no. no.
1 Need for at least one competent person for all disciplines 1
2 Need for MOC 1
3 Need for a proper safety review in MOC 1
4 Need for safety review of temporary modifications 1
5 Zinc corrosion of piping in a fire 2
6 Layering effect on evaporative cooling 3
7 Low temperature embrittlement 3
8 Need for blast resistance 3
9 Need for engineering quality blast mapping 3
10 Liquefied gas hammer (condensation hammer) 4
11 Ignorance of the many hammer effects 4
12 Good level control, level alarms and trips are needed in storage vessels, especially if these 4
have long rundown lines
13 Need for domino effect calculation 4
14 Inadequate awareness of bolt tightening good practice 5
15 Less than adequate storage and handling 5
16 Avoidance of hammer in pipeline filling and product change 6
17 Need to recognise low pressure as a symptom of pipeline leakage 6
18 Need for awareness of possible plugging when draining for maintenance. 7
19 Use of double block and bleed 7
20 Valve position indication 7
21 Proper procedure for flange opening. 7
22 Avoiding spills when despading 7
23 Need for job safety analysis 7
24 Need for hazard awareness at the supervisor level 7
25 All hazop teams and especially facilitators need to be aware of blowby 8
26 Need for blowby pressure relief 8
27 Blowby in hazard and effects register 8
28 9
29 9
30 Steam trap closure causes hammer rupture 10
31 Need to reinstate after inspection or test 10
32 Need to shut steam traps when working in confined spaces 10
33 Steam condensate hammer rupture 10
34 Piping needs to be installed as specified in the design. 11
35 Pipe inspection required after pipe installation or modification 11
36 Management of change procedure needed for all pipe changes. 11
37 Need for pipe support inspection and audit 11
38 Need for detailed gasket closure procedures 12
39 Need for training in gasket installation 12
40 Avoid flange failure due to rapid heating 13
41 Need for QRA 14
42 Need for blast analysis and spacing or blast protection. 14
43 Need for blast proof or blast resilient control rooms and operator rooms 14
44 Need for gas ingress prevention 14
45 Personnel exposure minimisation 14
46 Need for a properly designed gas detection network 14
Systematic Lessons Learned Analysis

47 Need for PTW enforcement 14

48 Double block and bleed needed for liquefied gas plants which require frequent 14
maintenance.
49 Fire water supply must be independent of process water piping 14
50 power supply ad controls for fire water pumps must be protected from fire 14
51 Need for emergency planning 14
52 Requirement for performance testing after maintenance. 14
53 marking of interchangeable couplings 14
54 Very large size of areas affected by BLEVE 16
55 Vulnerability of fire systems in UVCE or BLEVE explosions 16
56 Need to take BLEVE overpressure into account 16
57 Projectile range in a BLEVE 16
58 Opening flanges 17
59 Quarter turn valve handles need to correctly indicate valve position 17
60 Management of change safety analysis is needed for all changes except replacement in kind. 17
61 Problem of blockage in draining and in venting 17
62 Gradual acceptance of operation outside the design envelope, procedural drift 18
63 Poor display of reactor temperature profile data 18
64 Lack of operator training 18
65 Inadequate maintenance od reactor temperature profile instrumentation 18
66 Procedures out of date and procedural drift 18
67 Inadequate process hazard analysis 18
68 Need for a start up procedure with check list 19
69 Testing of safety critical equipment 19
70 Need to learn from experience 19
71 Need for pre start up safety review. 19
72 Need for safe location for start up trailers 19
73 Need for performance standards 19
74 Need for functional performance standards 19
75 Vents should not be used for hydrocarbon relief disposal within process plants 19
76 Need for dead leg review 20
77 Need for domino effect analysis 20
78 Need for inspection for foreign objects in pipes and vessels 20
79 Need for structural steel fire proofing 20
80 Need for periodic inspection of pipe supports 21
81 Need for post commissioning and periodic inspection for vibration 21
82 Need for guideline for unacceptable vibration. 21
83 Need for PMI 22
84 Need for detailed operating procedures 22
85 Need for safety training 22
86 Need for explanation in operating procedures 22
87 Need to transfer HAZOP information to procedures 22
88 Need for piping integrity inspection 22
89 Need for overview display of the plant performance, including mass balance and critical 23
alarms
90 need for simulator training 23
91 Need for hazard awareness training for operators including input from HAZOP and QRA 23
92 Need for improved HAZOP 23
93 Need for awareness of hammer problems 23
94 23
95 Need for a full HSE management programme 24
96 Need for safety management audit 24
Systematic Lessons Learned Analysis

97 Need for safety management training 24

98 Need for accommodation and muster area segregation from process. 24
99 Need for fire water system operability from multiple locations 24
100 Need for a good shift hand over process. 24
101 Need for living risk analysis 24
102 Need for quality standards for QRA 24
103 Need for vulnerability and functional standards for all safety critical equipment 24
104 Need for evacuation exercises 24
105 need for hazard awareness based on high quality hazops and on QRA results 25
106 Need for plant upset section in the operating procedures 25
107 Need for quality and coverage standards for QRAs 25
108 Need for minimum conditions for operation 25
109 Need for sneak path analysis 25
110 Need for advanced pipework inspection approach 26
111 Need for MOC 26
112 Need for identification process for locations vulnerable to corrosion 26
113 Need for sharing of inspection data with operations and vice versa. 26
114 Need for RBI 26
115 Need for corrosion review as part of MOC 26
116 Need for realistic input to RBI 26
117 Need for exclusion zones in a pipeline right of way 27
118 Need for awareness of massive damage from pipeline release explosions and jet fires. 27
119 Need for accurate pipeline maps 27
120 Need for rapid response to reports of damage 27
121 Need for care in investigating reports of pipeline leaks 27
122 Need for awareness of the explosions caused by a pipeline rupture 27
123 Need for effective follow up of audit recommendations 28
124 Need for full flow and tank status information for tank farm operation 28
125 Need for adequate manning 28
126 Need for hazard awareness based on high quality hazops and on QRA results 28
127 Need for safety critical equipment monitoring 28
128 Need for effective safety auditing 28
129 Need for safety y(HSE) leadership 28
130 Need for better SIL review 28
131 Need for logging of tank level and available capacity 28
132 Need for audit of passive safety measures 28
133 Need for safety critical equipment performance standards and monitoring 28
134 "Flat line" on gauging systems which are filling needs to be alarmed 28
135 Need for human factors review 28
136 Need for reliability standards and reliability or SIL calculation fro safety critical equipment 28
137 Uncontrolled and uncoordinated setting of alarm limits 28
138 Use of alarms as controls 28
139 Lack of detail in procedures 28
140 Inadequate manning 28
141 Lack of hazard awareness for tank farms 28
142 Need for instrument integrity check list during design 28
143 Need for awareness of overflow hazards 28
144 Need for emergency preparedness when drilling 29
145 Once a plan has been made it needs to be followed 29
146 Need to take area topology into account in QRA's 29
147 Need to ignite sour gas blowouts 29
148 Need to be clear about the operations envelope 30
Systematic Lessons Learned Analysis

149 Need for audit of pressure vessel and piping calculations 30

150 30
151 Need for inert gas blanketing on sour water and slops tanks 31
152 Need for preventive maintenance programme. 32
153 Need for safety review of even "small" changes to components. 32
154 Need effective "lock out tag out" programs 32
155 32
156 Need for awareness of the possibility of UVCEs in tank farms 33
157 Need for burner management system 34
158 Rapid recovery after a very large explosion and multiple domino effects. 35
159 Danger of welding old pump casings 35
160 Need to take domino effects into account in emergency planning 35
161 Failures and problems in emergency response 35
162 35
163 Need for blanketing on slops tanks 36
164 There will always be an ignition source 36
165 Erosion due to vacuum 37
166 Release from a pump just after maintenance 37
167 Need for different connections and safety coding for different types of hoses 38
168 Need for training in hose use. 38
169 Sight glasses should be protected from physical damage 39
170 Need for vibration analysis and regular review to prevent fatigue failure. 40
171 Need for investigation when excessive vibration occurs on rotating equipment 40
172 Even respectable manufacturers can suffer from design error 40
173 Hazards of condensate hammer 41
174 42
175 Measures needed to prevent incorrect material installation 43
176 Measures needed to prevent incorrect material installation 44
177 Danger of transferring oil to unused tanks 45
178 Need for awareness of rapid phase transition explosions 45
179 Very clear and direct communication is needed in order to ensure risk reduction measures 46
are implemented
180 Pipelines need to be protected from traffic 46
181 need for careful marking of buried pipelines 46
182 Need for special care when installing new pipelines alongside existing ones 47
183 Housing should never be located close to refinery equipment or storage without an in depth 48
risk assessment.
184 Evacuation is necessary when there is a leak of any liquefied gas or volatile liquid
185 Natural as liquids should not be "drained to a safe place" 75
186 Need for care when emptying floating roof tanks 76
187 Avoid the danger of heat recovery from high pressure gas streams 77
188 Hazard of two phase vertical flow 78
189 Hazard of two phase vertical flow 79
190 Need for piping installation inspection of pipe supports 80
191 Two phase flow induced vibration 81
192 Oil soaked insulation fire threat on hot pipes 82
193 Oil soaked insulation fire threat due to solar heat 82
194 Avoid excessive resonant vibration 84
195 Need for periodic inspection for vibration 84a
196 Need for care in emergency response 85
197 Hot water can be a significant hazard 86
198 Unusual forms of corrosion
Systematic Lessons Learned Analysis

199 Take care when inspecting lagged piping 87

200 Prevention of under lagging corrosion 87
201 Use of ordinary electrical equipment in classified areas 88
202 Need for supervision of tools and equipment used in classified areas 88
203 Need for inspection and remediation of damaged conduit 89
204 Fork lift and crane collision prevention in process pipe tunnels 90
205 Pipe bridges over roadways should be protected by strong steel portals (Headache bars) 90
206 Pipe stubs and valves should not project into roadways 90
207 Vehicle collision protection 90
208 Fork lift and crane collision prevention in process areas 91
209 Need for designated roadways and access ways 91
210 Need for structural steel fire proofing 91
211 Need for pipeline right of way marking 92
212 Need for adequate closure of terminal boxes and junction boxes 95
213 Hydrogen sulphide corrosion of terminals in cable room 96
214 Need for awareness of piping design during construction 97
215 Need for pipe inspection during mechanical completion 97
216 Pipe shoes need to be sufficiently long and well located 98
217 Vessel supports need to be inspected during mechanical completion 99
218 Liquid relief lines need to be designed for hammer and surge effects 100
219 Pipe spring supports need to be adjusted after pipe filling. 100
220 Above ground piping without suitable coating should be kept clear from drifting sand 101
221 Need for understanding of actual ambient conditions when designing 102
222 Need to look for corrosion weak points during inspections. 102
223 Screw jack supports are a menace 103
224 Need for periodic inspection of screw jack supports 103
225 Avoid corrosion due to sulphur containing smoke 104
226 Need for cages to prevent projectile launch in the case of LPG cylinder fires 105
227 Need for fire water monitors at large LPG cylinder storage. 105
228 Fire induced tank explosion 106
229 Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere 107
230 Dipping anything into a tank storing flammable or combustible liquids may cause an 107
explosion
231 Fixed fire suppression equipment needs to be tested on a regular basis 107
232 Boilover can occur in any liquid which has components with high range of boiling points 107
233 Boilovers can have a very large hazard range 107
234 When a crude oil or fuel oil tank develops a full surface fire, evacuate 107
235 need for restraining bolts or rods on expansion bellows 108
236 Fire water for cooling must be applied carefully, and never directly onto oil or insoluble 109
solvent pool fires
237 Need for fire water drainage 109
238 109
239 Need for drainage to divert leaks 110
240 Instrument power supplies should be fitted with overvoltage protection, and should 111
preferably also be fail safe
241 Take subsidence and tank movement into account when building tankage for earthquake 112
prone areas.
242 Segregation and protection of redundant power supplies. 112
243 Need for guaranteed environment for electronics 113
244 Need for CHAZOP 113
245 Assessment of safety for modern control and instrumented safety systems 113
246 Training in correct use of cylinders and potential hazards 114
Systematic Lessons Learned Analysis

247 Use different couplings for different gases. 114

248 Avoid using nitrogen as a backup for instrument air 115
249 Use airline breathing apparatus if SCBA is inadequate 115
250 Connections for breathable air should be different from thos for proces or instrument air 115
251 fatigue ruptures can develop very rapidly 116
252 Cooling water should be kepy running even when plant is shut down if there is a chance of 117
freezing
253 Do not locate high voltage transformers close to critical process equipment 118
254 Foam glass is an effective form of passive fire protection 118
255 Different liquefied gases, and liquefied gas and naphtha should never be transported in the 119
same pipeline
256 Provide training for emergency rescue for persons collapsed in confined spaces 120
257 Need for gas testing on entry to confined spaces 120
258 Need for checking safety equipment before use 121
259 Need for proper positive isolation before confined space entry 122
260 Need for gas testing of the complete confined space, not just at the man way 122
261 Need to be able to enter and exit confined spaces while using SCBA 122
262 Need for personal multiple gas alarm including oxygen deficiency alarm 122
263 Need for detailed analysis of any new assemblies installed on process equipment 123
264 Need for thorough functional test of instrumentation prior to post turn round start up 124
265 Start up should not commence until control functionality has been demonstrated 124
266 Need for adequate manning during turn round 124
267 Pre start up review of lessons from previous start ups is needed 124
268 Make sure that the turn round approval authority has the best possible support 124
269 Review the turn round organisation for simplicity 124
270 Need for care when equipment internals are changed 125
271 Hazards of halogens with stainless steel 125
272 Need for weak roof seam on closed roof tanks 126
273 Boilers and fired heaters should never be started up with flame detectors bypassed 127
274 Bypasses installed for testing during instrumentation commissioning must be removed. 128
275 Need for appropriate safety distances when approving hot work permits 129
276 Need for guidance on hot work safety distances 129
277 Hazards of slops tanks 129
278 Hazards of flying tanks 129
279 Train operators and maintenance on the dangers of hydrogen sulphide in confined spaces. 130
280 Need for formal management of change for all design changes 132
281 Need for awareness of the hazards of rapid phase transition in liquefied gas 133
282 Need for awareness of cryogenic nitrogen hazards 136
283 Need for thorough HAZID check lists 136
284 Need for clear communication of hazards between designer teams and operations. 136
285 Need for a continuity in the management of change register, and a communication of 136
identified hazards to the operators
286 Need for safety review sign off in management of change forms. 136
287 Need for effective way to communicate hazards to operators and maintenance 136
288 Need for hazop of vendor packages 136
289 Need for alarm management analysis 136
290 The operations envelope needs to be defined and appropriate alarm response for 136
excursions stated
291 Need for safety design review procedure 136
Systematic Lessons Learned Analysis

292 Need for care in installing instrument , pneumatic and hydraulic tubing. 137
293 Tubing installations need to be pressure tested 137
294 Do not work with tools on pressurised equipment. 137
295 Do not stand in a line of potential fire, of liquid jets. 137
296 Do not use improvised high power or high force tools on active process equipment 138
297 Do not drive through pool or even approach pools of crude oil 139
 Systematic Lessons Learned Analysis

2.4 Design lessons learned

lesson Lesson title case
no. no.
1 Need for at least one competent person for all disciplines during design through to 1
operations
2 Zinc corrosion of piping in a fire 2
3 Low temperature embrittlement 3
4 Need for blast resistance 3
5 Liquefied gas hammer (condensation hammer) 4
6 Ignorance of the many hammer effects 4

7 Good level control, level alarms and trips are needed in storage vessels, especially if 4
these have long rundown lines
8 Avoidance of hammer in pipeline filling and product change 6
9 Use of double block and bleed 7

10 Valve position indication 7

11 All hazop teams and especially facilitators need to be aware of blowby 8
12 Need for blowby pressure relief 8
13 Steam trap closure causes hammer rupture 10
14 Need to shut steam traps when working in confined spaces 10

15 Steam condensate hammer rupture 10

16 Need for blast analysis and spacing or blast protection. 14

17 Need for blast proof or blast resilient control rooms and operator rooms 14

18 Need for gas ingress prevention 14

19 Need for a properly designed gas detection network 14
20 Double block and bleed needed for liquefied gas plants which require frequent 14
maintenance.
21 Fire water supply must be independent of process water piping 14
22 power supply ad controls for fire water pumps must be protected from fire 14

23 marking of interchangeable couplings 14

24 Very large size of areas affected by BLEVE 16

25 Vulnerability of fire systems in UVCE or BLEVE explosions 16

26 Need to take BLEVE overpressure into account 16

27 Projectile range in a BLEVE 16
28 Quarter turn valve handles need to correctly indicate valve position 17

29 Poor display of reactor temperature profile data 18

Systematic Lessons Learned Analysis

30 Inadequate maintenance od reactor temperature profile instrumentation 18

31 Need for performance standards 19

32 Need for functional performance standards 19

33 Vents should not be used for hydrocarbon relief disposal within process plants 19

34 Need for dead leg review 20

35 Need for structural steel fire proofing 20

36 Need for overview display of the plant performance, including mass balance and critical 23
alarms
37 Need for fire water system operability from multiple locations 24
38 Need for vulnerability and functional standards for all safety critical equipment 24
39 Need for minimum conditions for operation 25

40 Need for awareness of massive damage from pipeline release explosions and jet fires. 27
41 Need for accurate pipeline maps 27
42 Need for full flow and tank status information for tank farm operation 28

43 Need for safety critical equipment performance standards and monitoring 28

44 "Flat line" on gauging systems which are filling needs to be alarmed 28

45 Uncontrolled and uncoordinated setting of alarm limits 28

46 Need for instrument integrity check list during design 28

47 Need to be clear about the operations envelope 30
48 Need for audit of pressure vessel and piping calculations 30

49 30
50 Need for inert gas blanketing on sour water and slops tanks 31
51 Need for burner management system 34

52 Need for blanketing on slops tanks 36

53 There will always be an ignition source 36

54 Erosion due to vacuum 37

55 Sight glasses should be protected from physical damage 39

56 Even respectable manufacturers can suffer from design error 40

57 Hazards of condensate hammer 41

58 Measures needed to prevent incorrect material installation 43

59 Measures needed to prevent incorrect material installation 44
60 Need for awareness of rapid phase transition explosions 45

61 Avoid the danger of heat recovery from high pressure gas streams 77
Systematic Lessons Learned Analysis

62 Hazard of two phase vertical flow 78

63 Two phase flow induced vibration 81

64 Hot water can be a significant hazard 86

65 Unusual forms of corrosion

66 Fork lift and crane collision prevention in process pipe tunnels 90

67 Pipe stubs and valves should not project into roadways 90

68 Vehicle collision protection 90
69 Fork lift and crane collision prevention in process areas 91
70 Need for structural steel fire proofing 91
71 Need for pipeline right of way marking 92

72 Hydrogen sulphide corrosion of terminals in cable room 96

73 Need for awareness of piping design during construction 97

74 Screw jack supports are a menace 103

75 Need for cages to prevent projectile launch in the case of LPG cylinder fires 105
76 Need for fire water monitors at large LPG cylinder storage. 105

77 Fire induced tank explosion 106

78 Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere 107

79 Dipping anything into a tank storing flammable or combustible liquids may cause an 107
explosion
80 Need for fire water drainage 109
81 Need for drainage to divert leaks 110
82 Take subsidence and tank movement into account when building tankage for earthquake 112
prone areas.
83 Need for guaranteed environment for electronics 113
84 Use different couplings for different gases. 114
85 Avoid using nitrogen as a backup for instrument air 115
86 Connections for breathable air should be different from thos for proces or instrument air 115
87 Cooling water should be kepy running even when plant is shut down if there is a chance 117
of freezing
88 Foam glass is an effective form of passive fire protection 118
89 Need for detailed analysis of any new assemblies installed on process equipment 123
90 Need for weak roof seam on closed roof tanks 126
91 Hazards of slops tanks 129
92 Need for awareness of the hazards of rapid phase transition in liquefied gas 133
93 Need for awareness of cryogenic nitrogen hazards 136
94 Need for alarm management analysis 136
95 The operations envelope needs to be defined and appropriate alarm response for 136
excursions stated
 Systematic Lessons Learned Analysis

2.5 Management of change lessons learned

lesson no. Lesson title case
no.
1 Need for at least one competent person for all disciplines 1
2 Need for MOC 1
3 Need for a proper safety review in MOC 1
4 Need for safety review of temporary modifications 1
5 Zinc corrosion of piping in a fire 2
6 Use of double block and bleed 7
7 All hazop teams and especially facilitators need to be aware of blowby 8
8 Need for blowby pressure relief 8
9 Piping needs to be installed as specified in the design. 11
10 Pipe inspection required after pipe installation or modification 11
11 Management of change procedure needed for all pipe changes. 11
12 Need for pipe support inspection and audit 11
13 Quarter turn valve handles need to correctly indicate valve position 17
14 Management of change safety analysis is needed for all changes except replacement 17
in kind.
15 Poor display of reactor temperature profile data 18
16 Inadequate maintenance od reactor temperature profile instrumentation 18
17 Vents should not be used for hydrocarbon relief disposal within process plants 19
18 Need for MOC 26
19 Need for corrosion review as part of MOC 26
20 Need for accurate pipeline maps 27
21 Need for audit of pressure vessel and piping calculations 30
22 Need for safety review of even "small" changes to components. 32
23 Need for blanketing on slops tanks 36
24 There will always be an ignition source 36
25 Measures needed to prevent incorrect material installation 43
26 Measures needed to prevent incorrect material installation 44
27 Danger of transferring oil to unused tanks 45
28 Need for awareness of rapid phase transition explosions 45
29 Avoid the danger of heat recovery from high pressure gas streams 77
30 Avoid excessive resonant vibration 84
31 Pipe stubs and valves should not project into roadways 90
32 Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere 107
33 Take subsidence and tank movement into account when building tankage for 112
earthquake prone areas.
34 Connections for breathable air should be different from thos for proces or instrument 115
air
35 Do not locate high voltage transformers close to critical process equipment 118
36 Foam glass is an effective form of passive fire protection 118
37 Different liquefied gases, and liquefied gas and naphtha should never be transported 119
in the same pipeline
38 Need for detailed analysis of any new assemblies installed on process equipment 123
39 Need for care when equipment internals are changed 125
40 Hazards of halogens with stainless steel 125
41 Need for formal management of change for all design changes 132
42 Need for a continuity in the management of change register, and a communication of 136
identified hazards to the operators
Systematic Lessons Learned Analysis

43 Need for safety review sign off in management of change forms. 136
44 Need for hazop of vendor packages 136
 Systematic Lessons Learned Analysis

3. Case Histories and Lessons Learned

The following list of cases is selected from the Hazards, Threats and Consequences database
(ref. 2) representing cases with lessons relevant to oil and gas plant. For more detail see the
original reference.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
1 Flixborough Vapour cloud explosion after piping modification with design 1 Need for competency in key engineering discipline
error. Temporary pressure piping was put together without
consulting a mechanical engineer.
1 2 Need for management of change procedure. The MOC
procedure should cover all changes made after issue of
drawings for hazop, and should cover all changes except
"replacement in kind", that is replacements with identical
equipment .
1 3 There should be a safety review in management of change.
For simple change of a component to another .similar type,
or a change of gasket material, the safety review could be
made by a discipline specialist For all larger changes such
as bypassing a reactor, a mini-hazop is needed
1 4 Temporary modifications are often made with some
degree of improvisation, or use of equipment outside its
originally intended purpose. There is an even greater need
for safety review of temporary modification than for
permanent plant
2 Flixborough One problem identified in the enquiry was that of zinc coated 5 Galvanised steel platforms, stairs and piping can release
stairs and platform material, which caused corrosion and piping liquid zinc in a fire and can then cause rapid metal
failure in the piping corrosion and pipe failure. Shell DEP's have special rules
governing the use of galvanised components.
3 Beek A process upset led to gathering of ethane above propane plus in 6 This kind of accident, with layering of fluids, is very difficult
a feed drum (layering). On flashing this caused evaporative to predict in hazop. It needs lessons learned list for hazop
cooling, low temperature in the evaporated gas. This led to low follow up. Need lessons learned list for hazop follow up.
temperature embrittlement and cracking at a pipe elbow. Ethane
and propane were releases giving vapour cloud explosion.
3 7 Low temperature embrittlement is a serious potential
cause of pipe rupture, especially when there are
3 8 Control room was not blast resistant
3 9 Blast mapping is needed as a basis for design for process
plant, especially if liquefied flammable gas is handled or
there are liquids stored above their boiling point. Ordinary
QRA calculations are inadequate because they often use
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
low quality models, and because the correct location and
actual degree of congestion is not modelled. The
calculations need to be of high quality, such as true
geography CAM2, SCOPE or CFD
4 Texas City Overfilling of a propane vessel from a run down line led to 10 The phenomenon of liquefied gas bubble collapse hammer
hammer in the vessel (gas bubble collapse hammer with a long needs to be taken into account in hazops and in vessel
rundown line). The vessel ruptured releasing propane, which design.
exploded on ignition. There was al BLEVE's caused by the
following fires, and several vessels were damaged by projectiles.
4 11 At most hazops, contractor engineers did not know how to
make a full range of hammer calculations.
4 12 Level control was inadequate in the affected vessel. All
storage vessels for hazardous materials should have level
control, high level alarm and hi hi level trip. All should be
tested on a routine basis and should preferably have self
testing or signal comparison.
4 13 Domino effect calculations, including projectile
calculations, are an important part of QRA.
5 Bloomfield At the Bloomfield plant, near Bloomfield, a gasket on a 14 Bolt tightening procedures are critical for process safety.
New Mexico compressor began to leak. Two operators heard the noise and Training in the use of bolt tightening and flange closure
tried to shut off the gas supply and the compressor engine. procedures is necessary.
Before this could be done, ignition occurred, and both operators
were burned.
The problem arose from improper tightening of the compressor
head bolts, and lack of training in bolt tightening.
5 15 Good warehousing and kit preparation for gasket
replacement are important for prevention of leaks
6 Vila Soco, A multi product pipeline was being refilled with kerosene after a 16 Procedures for filling liquid pipelines need to take into
Cubatao, shutdown. The pipeline was filled rapidly, and a valve shattered account the possibility of hammer. Such procedures should
Brazil when the kerosene column hit it. The operators, with little be developed taking into account a full range of
information or feed back from the pipeline, noticed the low possibilities for equipment failure and errors.
pressure and increased the pumping rate.
The kerosene ran through the favela of Vila Soco, ignited and
caused a large fire. There were 800 reported deaths.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
6 17 A common pipeline operation problem is that operators
increase pumping rate to maintain pressure when rupture
occurs.
7 Grangemouth A fire broke out when a maintenance team opened a flange in a 18 The possibility of plugging of drain valves, leaking isolation
flare line. Hydrocarbons escaped and ignited, killing two persons valves, and the presence of liquids in interspaces must be
and injuring two others. The line was isolated, and drain valve taken into account in procedures.
had been opened, but the drain line was plugged.

Fifteen months before the incident occurred it had been noticed

that the flare line isolation valve V17 was passing. It was decided
however to wait for a scheduled shutdown of the catalytic
cracker unit and No 1 flare before commencing work on the
valve. Gases from the remaining operating units were re-routed
to No 2 and No 3 flares. This flare arrangement would allow the
pipelines at V17 to be isolated.

When senior refinery staff prepared a plan for the isolation of the
flare system, they concentrated on the operational and safety
requirements of the flare system, making sure that no
operational areas of the plant were inadvertently isolated. The
details of the removal of V17 were not considered and left to
those who would be responsible for the work.

Four workers were involved with the removal of the valve. When
the majority of the bolts were undone the joint opened slightly
and liquid dripped from a small gap between the flanges. The
workers sought advice. The valve was checked by the supervisor
and it was concluded that it was safe to carry on. Non ferrous
hammers were provided before continuing with the removal. All
the bolts were removed and the crane took the weight of a
spacer and started to remove it, at which point gallons of liquid
poured from the valve. A flammable vapour cloud formed from
the rapidly spreading pool. The cloud reached the nearby air
compressor, ignited and flashed back around the working area.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.

Two workers managed to escape the fire but a fitter and a rigger
were engulfed by the flames and killed. The fire was allowed to
burn in a controlled manner for almost two days while the rest of
the refinery was shut down and the flare system purged with
nitrogen.
7 19 Various techniques are used to limit the risk in isolation
and equipment opening. Double block and bleed to a safe
place should be used on all high hazard lines. There is still a
problem however, if the "safe place" is required to be a
disposal system such as a flare, because of the possibility
of back pressuring from the flare, and passing of the bleed
valve, so opening of flanges to install spades, or for vessel
entry needs to be made with case (gas testing and use of
SCBA etc.).
7 20 All valves must have position indicators. Position indicators
need to be permanently fixed, and to follow a consistent
and logical system of indication.
7 21 All flanges must be opened carefully. Once bolts are
loosened, the flange should be "sprung" open, so that
gaskets sticking in the flange do not block possible flows.
"Flange spreader" tools and wedges are available to ensure
this. If liquid drips from the flange, assume the pipe is
filled with liquid.
7 22 Many companies require systems to be "hydrocarbon free"
before flanges may be opened, spades removes, spectacle
plates turned etc. This is best practice, but requires careful
thought being given to draining, with a thorough drain
lines analysis.
7 23 A good job safety analysis would have identified the
hazard. However such a JSA needs to answer several hazop
type questions such as "what if the drain is blocked?
7 24 Supervisors, foremen and team leaders need frequent
hazard awareness training and reinforcement.. The best
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
approach is for supervisors to provide tool box talks with
good prepared material.
Supervisors need to be able to plan for the worst - the
supervisor could have opened a test port to check for
liquid.
8 Grangemouth A control valve on the liquid line between the HP and the LP 25 Lessons learned at the time of this accident are all
Separators was opened in error and the liquid allowed to drain. incorporated into hazop and SIL for review procedures for
High pressure hydrogen passed uncontrolled into the closed LP the plant today. In hazops it has been found that most
Separator which had limited pressure relief capacity. It operators in the oil and gas industries are aware of blowby,
overpressurised rupturing at an estimated pressure of 50 bar. but many designers are not. Few are able to assess blowby
The explosion disintegrated the separator and also damaged pressures. Blowby software is available.
other vessels and pipes. Released flammable substances were
ignited resulting in jet-fires. Check also for hammer effects when blowby occurs.
Check also that any pressure spec break is on the correct
In a safety audit and in a review of pressure relief capacity within side of the valve.
the hydrocracker complex which were carried out in 1975, the
operator of the refinery concluded that high pressure gas
breakthrough into the LP Separator would not arise because
there was a safety trip actuated by low liquid levels. As a
consequence the pressure relief valve on the LP Separator was
sized only for fire engulfment on the vessel and was of
comparatively small size. Increased production caused
turbulence in the HP separator and frequent spurious trips. Also
impulse lines plugged frequently. The trip was removed, with
responsibility for level monitoring passing to the operators.
8 26 Relief systems need to be designed for blowby wherever
there is a change in pressure specification on liquid/gas
process systems.
8 27 A hazard such as the one in this case should be included in
the hazard and effects register, and the risk level should be
evaluated. This ensures the blowby protection s registered
as safety critical
9 Grangemouth A loss of electrical power was caused by damage to a 33kV 28 Third party interference is well recognised as a problem for
2000(a) underground electricity feeder cable which eventually resulted in pipelines and cable power supplies. The problem of first
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
an earth leakage (electricity flowing to earth) from the cable. The party interference is not so well recognised. Procedures
damage had been caused to the electrical cable during are needed for protection of already installed equipment.
excavation of a trench for the installation of a new cable,
sometime before the distribution failure occurred.

The local bus circuit breaker on the distribution system failed to

operate due to the insertion of small plastic connectors which
isolated the relay. The power shut down
9 29 Bypassing and disabling of essential trips is a problem on
instrumentation and on electrical systems. Procedures are
needed to ensure removal of bypasses and defeats after
testing and after maintenance.
10 Grangemouth A steam trap was disabled to allow inspection in a culvert and 30 Even such a lowly item as a steam trap can be safety
2000(b) was not restored after the inspection. As a result, steam critical.
condensate collected, and eventually caused a condensate
hammer. The steam pipe was ruptured and hot steam and
condensate projected across a roadway.

The site wide power distribution failure on 29th May 2000

resulted in excess amounts of water (associated with the
shutdown of utility supplies) being sent to drain, as well as the
unavailability of electrical power to drainage pumps. This led to
the flooding of culverts (service tunnels) beneath the A904
Bo’ness road through the site which contained medium pressure
(MP) stream distribution lines. During the following
investigations to determine whether the flooding had caused any
damage to the pipework a steam trap located in a low point in
the section of pipework beneath the road in the West Gemec
culvert was closed to allow safe access for inspection. The steam
trap was subsequently not re-opened and this prevented the
removal of condensate (hot water produced by the condensation
of steam) from this section of the system. As the liquid
condensate level built up in the pipework a quantity of steam (or
“steam bubble”) was trapped between the hot condensate and
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
closed isolation valves on the southern side of the culvert
beneath the road. Eventually collapse of the steam bubble
resulted in a phenomenon called “condensation induced water
hammer” which led to a gross overpressure and the subsequent
catastrophic failure of the pipeline.
10 31 Care needs to be taken after any maintenance to restore
the plant to its proper state. This should be a check off
item on all PTW's returned.
10 32 The need to shut steam traps when working in confined
spaces needs to be recognised in PTW's. Steam traps
should preferably be avoided in confined spaces.
10 33 Condensate hammer is a relatively frequent cause of
accidents in plant and needs to be taken into account in
steam utility and some process hazops. Unfortunately, this
hazard is often forgotten, or is not known. In this case the
mechanism was not liquid pickup in the flow but steam
condensation in a closed pipe
11 Grangemouth There was a significant leak of hydrocarbons from the Fluidised 34 Great care needs to be taken during construction to ensure
Catalytic Cracker Unit (FCCU or Cat Cracker) creating a vapour that piping arrangements are according to specification.
cloud which ignited resulting in a serious fire. This generally requires auditing. This applies even for high
quality companies. Pipe fitters MUST have proper pipe
A welded up tee piece was installed on at the bottom of a arrangement drawings or isometrics. This applies for
debutaniser column. On removal of a valve in a design change a modifications as well as for initial construction
pipe support was also removed. Also, due to a change in an
upstream design there was a high rate of tripping and thermal
cycling. The tee junction failed due to fatigue. Light naphtha
escaped and a vapour cloud explosion ensued.

Investigations revealed that the leak was as a result of failure of a

tee-piece connection at the base of the Debutaniser column
which then found a source of ignition nearby (probably an
uninsulated hot flange). During the investigations the tee-piece
connection which had originally been installed in the 1950s was
found to be correctly specified but incorrectly fitted and then
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
covered in lagging. (A set-on tee-piece had been installed
whereas a seamless forged weld reducing tee-piece had been
specified.) There had been no subsequent amendment to the
plant layout drawings to identify the change.

Prior to the mid 1980’s modifications had been made to the

pipework at the base of the column and a valve removed which
resulted in there being inadequate support for the remaining
pipework and the tee-piece connection. Further modifications to
the FCCU in 1996/1998 had resulted in the FCCU being
increasingly difficult to operate reliably. This had resulted in an
increase in the number of start-up/shutdown cycles for the plant
and pipework. Failure of the tee-piece connection pipework was
probably caused by a combination of the incorrectly fitted tee-
piece connection, the inadequately supported pipework and the
cyclic stresses/vibration caused by the increased start-
up/shutdown activity on the plant. Eventually this led to
“fatigue” failure of the pipework in the vicinity of the welded
connection.
11 35 New or modified piping MUST be inspected and signed off
before lagging is installed. Inspection includes:
Checking for consistency of piping with specification and
drawings
Checking for alignment and visual weld inspection
Checking flange alignment
Radiography or other NDT as specified in company
standards
Checking of records for any heat treatment or passivation
required
Checking for foreign objects
Checking for dryness
Checking for coating damage
Checking supports are in place and adjusted
Checking pipe guides are in place and that there is freedom
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
for expansion
11 36 A management of change procedure for changes in piping
is required prior to construction. This applies even to
simple changes such as turning a spool.
An effective procedure is needed for this.
11 37 Pipe supports are a regular problem, due not only to poor
installation, but also due to deterioration during operation.
Mechanical integrity auditing, in the sense of OSHA
regulation 1910.119 is needed in order to be able to detect
12 Sodegura, A large release of hydrogen occurred from a feed/discharge heat 38 High pressure piping including flanges and gas should be
Japan exchanger of a heavy oil desulphurisation unit. After a few installed with careful attention to procedures. They should
minutes the leak ignited, and exploded. There were ten killed and be repaired using standard procedures only.
seven injured.
The source of the release was a gasket. The gasket retainer had
displaced due to repeated thermal cycling and resultant
deformation, and an erroneous repair. The gasket retainer no
longer rested in the gasket groove, and on start up, began to leak
12 39 There is a need for detailed training in gasket closure. This
needs to cover all gasket types, and the use of special
gasket tightening equipment.
13 ME An isomerisation reactor was started up much more rapidly than 40 Process start up heating rates are specified in operating
usual. Flanges heated and expanded before the flange bolts could procedures for a reason. Operators need to be aware of
be heated, so the bolts stretched. The then expanded as the the accident potential of rapid heating:
heating caught up. The gasket was then no longer in - Flange leakage due to differences temperatures and
compression. The naphtha, above its autoignition temperature, differential expansion
caught fire. The vessel was protected by insulation so fortunately - Possibility of thermal stress cracking in thick walled pipes
was not significantly damaged and vessels.
14 Pasadena, Polyethylene loop reactors allow ethylene, in a mixture with 41 A hazard analysis needed for made for all plants with this
Texas 1989 propane and A catalyst, to react to make polyethylene as small level of hazard. However none of the usual hazard analyses
pellet like lumps, soft, and gelatinous at first. The mixture is would have predicted this accident. A human error analysis
taken out of the loop and the propane separated, leaving the for the unclogging process would probably have identified
polyethylene to be melted and chopped into easily handled it, since reconnection the wrong way round is a standard
material. If the reactor stops for some reason, it is necessary to maintenance error type.
remove the material from the loop to prevent the reactor from
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
being clogged by solidifying polyethylene.. There is a need for a method of transferring knowledge
from JSA's to design and QRA
The day before the incident scheduled maintenance work had
begun to clear three of the six settling legs on a reactor. A
specialist maintenance contractor was employed to carry out the
work. A procedure was in place to isolate the leg to be worked
on. During the clearing of No.2 settling leg part of the plug
remained lodged in the pipework. A member of the team went to
the control room to seek assistance. Shortly afterwards the
release occurred. Approximately 2 minutes later the vapour
cloud ignited.

The accident investigation established that the single isolating

ball valve was actually open at the time of the release. The air
hoses to the valve had been cross-connected so that the air
supply that should have closed the valve actually opened it.
14 42 Layout separation distances were inadequate and did not
follow industry practice. Blast analysis calculations are
needed for all plants handling liquefied gases of liquids
above their boiling point. Standards such as API 752 and
API 753 describe approaches. Note that usual QRA
calculations are not generally accurate enough for blast
protection design. Advanced methods such as CAM2,
SCOPE or CFD are preferred and the actual location of
congested areas needs to be taken into account.
14 43 Control rooms and operator rooms need to be located at a
safe distance from potential explosions and/or need to be
blast proof.
14 44 Building ventilation intakes need to be equipped with
automatic closure on detection of flammable gas
14 45 Personnel exposure needs to be minimised for high hazard
plant
14 46 plants handling liquefied gases, liquids above their boiling
point or olefines need a properly designed gas detection
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
network. Gas detection mapping needs to be made with
realistic gas jet and plume simulation.
14 47 Permit to work system need to be enforced for plants like
this. The PTW system needs to be enforced, with penalties
for infraction, such as proceeding to work without a
permit, or violating permit conditions.
14 48 Double block and bleed, or unit depressurisation and
purging, need to be practiced on all plants where opening
is frequent prior to maintenance involving opening of plant
14 49 Fire water needs to be provided from an independent
supply, and not from process water source
14 50 Cables for fire water pumps need to be buried, and not
above ground.
14 51 There must be adequate planning for emergencies, and
planning must be based on realistic scenarios. These
lessons are all incorporated into Al Hosn procedures and
designs.
14 52 The misconnection of the shut off valve is a critical issue.
How did the valve come to be controlled the wrong way
round. All valves must be tested during commissioning to
ensure correct operation of opening and closing. To
facilitate this, it must be possible to identify in the field
that the valve position can be seen.
14 53 Where a valve may be dismounted, couplings for opening
and closing should be of different size of type, so that
incorrect reconnection is impossible. Where this is
impossible, the correct connection should be clearly
marked in a way which will not deteriorate.
16 San Juan The PEMEX plant was a distribution terminal for LPC, with six 54 LPG, Propane and Butane vessels are susceptible to BLEVE.
Ixhuatapec, very large storage spheres, and 48 bullets, fed via a 400 km The BLEVE explosions can be extremely large
Mexico pipeline. At 05:30, a fall in pressure was registered in the control
room at a pumping station 40 km up the pipeline. The 8" line had
ruptured. A release of LPG continued for about 5 - 10 minutes, at
which time the gas cloud was ignited at a ground flare. There was
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
a large flash fire and explosion. After this there remained a
ground fire, a jet fire at the rupture, and some house fires. At
05:45, the first BLEVE occurred, followed shortly by others. A rain
of burning LPG fell on the area. A long series of further Bleve´s of
the bullets and spheres occurred. There was a good deal of
rocketing of the bullets, some up to 900 m, and one at 1200 m.
16 55 Fire protection deluge systems are likely to be blown away
in any initial vapour cloud explosion or BLEVE
16 56 When a large LPG vessel ruptures, as in a BLEVE, a
significant explosion occurs as a result of the pressure
release itself. This can be sufficient to blow large vessels of
their saddles. BLEVE explosions do not usually generate
large explosion energies, so the range of the explosion may
be short, but the peak pressures can be very high.
16 57 Projectiles can cause significant damage at up to 1 km.
17 Jamestown A pump on an isobutane stripper failed. Maintenance artisans 58 Care should always be taken when opening flanges, with
NM closed the suction valve and discharge valve and "drained" the cracking and spreading before full loosening of bolts.
pump. However the drain line was clogged and the pump Opening on the side away from the person is preferable.
wrench (opening handle) was installed wrongly so the pump was
open to the process. Alkylate was ejected, hitting two persons.
The alkylate flashed to a gas cloud and ignited, causing an
explosion.
17 59 The valve wrench was removable, and had been put on in
an illogical way, so that the wrench crossed position
corresponded to the valve being opened, not the wrench
aligned. There was a valve position indicator, but this was
much less visible than the wrench valve handles must
follow human factors (and common sense) guidelines.
Valve handles should also not be removable.
17 60 The wrench had been installed as a replacement of a
quarter turn actuator. This was not regarded a safety
related change, and so was not subject to the MOC safety
procedure. This case shows that even the smallest changes
can be strongly related to safety.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
17 61 Local depressurisation of inter valve spaces is not a reliable
process, blockage in the vent line can often occur, and it is
difficult to know that depressurisation is complete. For this
reason, cracking open of a flange when the bolts are first
loosened is necessary.
18 Martinez CA A naphtha hydrocracker gradually ran away. The operators had 62 Conditions encouraging safe operations were lacking.
become used to an abnormal and unsafe mode of operation, in There was strong management pressure to maintain
which high reactor bed temperatures were accepted. They did production despite exceeding permitted limits to operation
not shut down when the maximum allowed temperature was
exceeded. Exacerbating the situation was a problem that only a
few of the reactor bed temperature sensors could be read from
the control room. A field operator had to go out to the area
beneath the reactor to read the temperature values. Operations
did not follow procedures, and operations above allowed
maximum temperature had become standard practice.
Eventually the reactor discharge pipe ruptured due to high
temperature (7600c. Light gases from methane to butane, light
gasoline, heavy gasoline and hydrogen were release and ignited
coursing an explosion. One operator was killed and 36 injured.
18 63 Human factors for the temperature monitoring wee poor.
Full monitoring could only be done from the field. The
alarm system on the data logger only allowed one alarm.
18 64 Supervisory management was inadequate. Emergency
procedures were not followed on this incident, or on
earlier ones. No comprehensive operator training was
available for this critical unit
18 65 Maintenance was inadequate. The data logger/alarm
system was periodically out of service. Radio
communications needed to relay readings from the outside
panels was unreliable and did not function during the
incident. Quench valves flanges were also leaking.
18 66 Procedures were out of date and incomplete, and in any
case had been replaced by operator developed procedures
18 67 The process hazard analysis was incomplete and did not
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
reflect the actual equipment and instrumentation used.
19 Texas City TX A refinery isomerisation unit was being brought back on line after 68 For safety critical operations such as start up, a properly
turnround. The raffinate splitter tower was lines up for restart, prepared procedure is needed, with a check list of actions
and raffinate was pumped into the tower for over 3 hours. which can be ticked off. (There actually was one for this
However, the pump out had not been started, so that the tower plant, but in the actual incident the completion check
overfilled. Raffinate passed through the tower safety valves to a record was falsified).
vent relief knock out drum, and eventually, sprayed from the top
of the relief vent stack. The resulting vapour cloud was ignited,
most probably by a truck. The resulting explosion and fire killed
15 people and injured 180.
There were many problems contributing, poor operations
practice, defective procedures, lack of maintenance, lack of
supervision, and dangerous location of temporary
accommodation.
19 69 Integrity of safety critical equipment needs to be
monitored. Start up should be commenced while there are
safety items which are known to be defective.
19 70 Eight serious releases had already occurred from the vent.
Near miss incidents must be followed up and the situation
remedied.
19 71 A pre start up safety review and safety mechanical
integrity audit are needed.
19 72 Occupied trailers must be located at a safe distance,
following for example the API 753 standard.
19 73 Instrumentation should have good functional integrity, and
should therefore meet a number of functional
performances.
19 74 A check list based procedure is needed for instrumentation
design review.
19 75 Experience demonstrates that vents should not be used for
relief disposal within process plants because of the
possibility of liquid in the relief, and also because heavy
hydrocarbon vapours can be released and flow to ground
level. Proper disposal to a flare system is required.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
20 Sunray TX A crack occurred on a shut down by pass line of a flow controller 76 Dead legs are a continuing threat, even on lines which are
to a propane de asphalting unit. The line cracked through nominally isolated. Although freezing is unlikely in a desert
freezing of water, and propane was released. (The line was environment, corrosion and thermal expansion rupture are
normally shut down, but there was a piece of welding rod inside possible.
the shut off valve). The propane ignited, causing a jet fire. The jet
fire impinged on the de asphalting vessel discharge nozzle.
Bolting on the nozzle failed allowing more propane to be
released and a larger jet fire to occur. This jet fire caused
extensive fire at a pipe rack, destroying it. Two persons were
severely burned in the initial flash fire. The jet fire was a near on
a butane sphere, and cause release of 2.5 ton of chlorine when
the over pressure protection plug melted.
20 77 Extensive evacuation was needed because of the number
of pipes failing on the pipe rack, and the failure of chlorine
vessels.

Domino effects and escalation are routinely ignored in

QRA´s and HAZIDS, and are therefore not transferred into
hazard and effects registers. domino effects must be taken
into account for asset risk and emergency response
purposes.
20 78 The presence of foreign objects in piping needs to be
minimised, but will always occur to some extent. Pre
commissioning inspection is essential.
20 79 Structural steel in areas handling hydrocarbons or other
flammable liquids should be fireproofed up to a level
which can be engulfed by pool for jet fires (usually up to
platform 2)
21 Alaska Large pipeline pumps were driven by gas turbines as a series of 80 Pipe supports can deteriorate over time. This is particularly
pipeline pumping stations. The pump discharge lines were true for screw jack supports. On inspection, up to 25% of
subject to heavy vibration, and were designed with detuning supports have been observed to have failed on some
weights on the line, to prevent resonance at the normal plants. Failures must be expected to fail unless maintained
operating speed of the pump. The discharge line was provided periodically.
with a 2½" drain line which ran to a transfer pump at about 25 m
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
distance. The drain piping was high pressure line with a block Mechanical integrity inspection is needed as part of
valve at the end. It was supported on screw jack supports. In the mechanical completion, and needs following up post
course of time, the screw jacks loosened with vibration, and commissioning. It then needs to be repeated on a regular
began to hang from the drain line i.e. ceased to support the line. basis, at least once per year.
In all, lines at three stations cracked due to fatigue in each case
releasing crude oil. In the last incident, the oil vapour caught fire
and an operator was killed in the flash fire.
21 81 Vibration fatigue is a serious cause of failure of piping,
particularly in the neighbourhood of rotating equipment or
reciprocating pumps. Vibration can also occur due to liquid
or gas flow. Vibration fatigue needs to be considered
during hazop, and needs to be checked a) during
commissioning, b) periodically in OSHA style mechanical
integrity audits
21 82 There is a need for a guideline concerning how much
vibration can be tolerated in piping. Inspectors need to be
able to distinguish between minor vibration and
threatening vibration.
22 Missouri, Railroad tank cars were used to supply liquid chlorine 83 Positive Materials Identification (PMI) is essential for
2002 repackaging to cylinders and containers to cylinders. Connections companies relying on supplies of alloy piping and
for tank car unloading were made using 1 inch flexible hoses. The equipment. PMI involves chemical analysis of the incoming
hoses had Teflon liners, with Hastelloy C braid armouring for steel materials. The analysis is made using convenient
pressure containment, and spiral HDPE for abrasion protection. rapid measuring electronic instruments. ZAD made a
In the actual case, hose with 316L stainless steel, rather than special study of alloy materials received, and found a very
Hastelloy C had been supplied. Atmospheric moisture, together high percentage of errors, including components stamped
with chlorine molecules diffusing through the Teflon, formed with the wrong identification.
hydrochloric acid which ate away the reinforcement. The hose
ruptured, releasing 48.000 pounds of chlorine over a period of
about 3 hours.
The cause of the incorrect hose supply was narrowed down on
investigation to inadequate paper tag labelling at the supplier,
and possibility mix ups at the shipping area. The shipping
documents indicated a Hastelloy hose despite a 316L SS hose
being supplied.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
22 84 It was found that there was inadequate auditing of
operating procedures and insufficient detail in periodic test
procedures to ensure adequate testing. In particular, it was
found that there was no checking of valve positions when
the ESD functioning was tested.
22 85 It was found that there was insufficient training of
supervisors in safety issues, and of operators on
inspection, testing and warning indications. In particular
training was focussed primarily on what to do, when to do
it, but not on why to do it, can on the consequences of not
doing it properly.
22 86 Standard operating procedures and test procedures had
not been reviewed or checked for fitness for purpose.

The inclusion of motivational text of the kind "Why do we

do this, and what happens if we do not do it well?" needs
to be included into procedures. A standard format for
procedures which includes sections on "purpose of the
procedure" "performance standards for the procedure"
and "cautions and warnings".
22 87 Operators were not aware of the need to keep the system
free of moisture. This is the kind of information which
needs to be included in HAZOPS and needs to be
transferred to procedures
22 88 Integrity programs were inadequate to identify corrosion
arising from moisture entry into the chlorine system.
23 Milford A powerful thunderstorm caused the Milford Haven refinery 89 The main lesson to be learned here was that the operators
Haven, units to trip several times during the night. Gas compressors had had no overview of the status of the plant. The failure of a
Wales, to be restarted frequently. Butane began to accumulate in a feed single level indicator left them in confusion. UKHSE´s
drum. However, the level indicator for the feed drum was stuck, lessons learned stated that there should be an overview
so that the operators did not notice. Eventually liquid butane was display of mass flow and conditions for the entire plant.
released through relief valves and passed via the relief header to
a flare knock out drum. The knock out drum had a modified liquid
pump out, which returned liquids to the drum after water
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
separation. The level in the knock out drum built up until it
overflowed. Liquid hammer occurred at the elbow where the line
turned to the flare stack, and ruptured the elbow. Corrosion in
the flare line contributed. Butane escaped, passed into the main
process area of the refinery. A large vapour cloud explosion
occurred.
23 90 UKHSE also concluded that there should be simulator
training for operators, which included extreme events such
as the one which occurred here. This was a major advance
on practice at the time, since simulator training was up to
then regarded as a luxury in most refineries.
23 91 An important lesson to be learned is that operators need
to be trained concerning the results from Hazop studies
and from QRA studies. At present, it seems that most such
information is kept secret from operators, unless they are
participants in the actual Hazop workshop. It must be
admitted, that most hazop and QRA reports do not have a
form which would support training.
23 92 Current hazop analyses would not have (and did not)
predict this kind of accident. The reason is that it involves
failures in two widely separated units, the butane
depropaniser and the flare KO drum. Hazop information
analysis should be taken for enough at least to take into
account flooding of the flare line, since this is a relatively
frequent accident type, (Has occurred at over 50% of the
refineries where information was available).
23 93 All designs need to be checked to ensure that they take
liquid hammer resulting from overflow into account. This is
frequently forgotten both in hazops and in piping design.
23 94
24 Piper Alpha. Work was being done on one of two condensate injection pumps, 95 There was no effective company safety management
North Sea under the PTW system. The second pump tripped resulting in system for the company as a whole.
increase in flare intensity. A PSV had been removed, and a blind
flange installed instead. The first pump was started up. The blind All persons, from the plant manager to individual labourers
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
flange leaked causing a gas cloud to build up in the process need to be aware of the full range of risks, each from his
module. The vapour ignited and exploded, demolishing the own point of view. Training material is needed
control room, large fires followed. The fire suppression system
did not start because it was operating on manual activation,
because there were divers in the water, 2 men went to start the
pumps, and perished. Persons gathered in the accommodation
but no systematic evacuation was carried out. Some self
evacuated on their own initiative. Other platforms continued to
pump oil and gas. The heat from jet fires cause the riser coming
from the Tartan platform to rupture, with a huge fireball. The
Tartan platform continued to pump gas, since the offshore
management lacked authority to shut down. The helideck was by
this time engulfed in smoke. The lifeboats were inaccessible. The
gangway form the safety vessel Tharos was too short 61 persons
jumped into the sea, 165 died, 109 of those from smoke
inhalation, 80 of these in the accommodation.
24 96 A regular audit of the functioning of the safety
management system is essential
24 97 Training is needed in the use of the safety management
system and in understanding risks.
24 98 Control rooms, muster areas and accommodation must be
segregated and isolated from process areas.
24 99 Fire water systems should be operable from several
locations, including the control room, even when on
manual.
24 100 There were problems is shift handover. The actual status of
pump, which had not been restored to operation, was
unknown to the second shift. There was no shift overlap
and no proper handover procedure. A note from one
supervisor to the next shift supervisor was overlooked.
24 101 There was no recognition of the additional risk when the
platform was extended from only processing oil to
processing oil and gas. Ideally a living risk analysis is
maintained which takes into account all modifications to
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
plant or operating conditions before changes are made,..
24 102 The safety assessment which had been made was
inadequate.
24 103 ESD valves were inappropriately located
24 104 Evacuation plans which are not exercised are likely to fail.
25 Bhopal, India, An intermediate storage of methyl isocyanate was operated at 105 Operators need to be completely aware of the accident
the Bhopal plant of Union Carbide. At the time of the accident a types which can occur, and their potential consequences.
relief scrubber used to prevent spreading of methyl isocyanate
when relief valves opened, was out of operation. Water leaked In present practice results from hazop analyses are
from a cooler heat exchanger into the methyl isocyanate, and currently not transferred to QRA or to hazard and effects
reacted. The reaction produces heat, so that the storage register, let alone to operations. This may affect integrity
overpressured and released MIC vapour. There was apparently activities for the safety measures.
no awareness of the seriousness of the release,. No general
alarm was raised, and no evacuation. The plants, though
originally quite remote, had become surrounded by low cost
housing. As a result there were many persons in the hazard zone.
The actual number of persons affected is not known with any
accuracy, but estimated as more than 100,000 persons injured
and over 8,000 fatalities. At the time of the accident, it was
assumed that the accident was a result of poor operating
standards in what was then a developing country. However,
virtually the same accident occurred at a plant in West Virginia in
1986, though with no fatalities due to more favourable weather
and better ability to close windows.
25 106 Operating procedures need to have a section covering
plant disturbances, which should also give a full range of
cases.
25 107 QRA´s need to provide a complete coverage of accident
types. At present QRA practice only covers a fraction of the
accident types occurring. For example, current QRA´s do
not include event corresponding to the Bhopal event, i.e.
cold venting.
25 108 One of the main safety systems, a scrubber, was out of
operation. For any plant, minimum conditions for
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
operation need to be established. For the Bhopal plant, for
example.
25 109 Hazops need to take into account possible reactions and
sneak paths along which reactants can come together
26 Humberside, An elbow on a de-ethaniser unit corroded due to the presence of 110 Need for an effective pipework inspection systems that
England a water injection line just upstream of the elbow. As a result, meet or exceed current industry practice and are based
vapour escaped, causing a vapour cloud explosion and major fire. upon full knowledge of past history and current operating
The injection line had been added as a supplement to the original conditions.
design, in order to deal with build up of salts and hydrates. The
corrosion implications of the change were either not recognised,
or not recorded. No injection quill or other dispersal device was
fitted and the water entered as a free jet.

There had been several discussions about water injection point

corrosion among the company corrosion professionals, but this
particular one slipped through the net. There was no written
scheme of examination for the injection point or the elbow, even
though these were required by law, under the Pressure Systems
and Transportable Gas Container Regulations, 1989, and later
under Pressure Systems Safety Regulations 2000.
A risk based inspection system was under development at the
time of the incident. The injection point had not been included in
the RBI calculations because it was thought to be permanently
isolated. There was no risk assessment for the elbow.
26 111 Need for a management of Change systems that
accommodate both plant and process modifications.
26 112 Need for systematic arrangements for the management of
corrosion including identification of possible corrosion
mechanisms and the use of trained and competent staff.
26 113 Need for arrangements to ensure the effective sharing of
information about process conditions and the accurate
recording of all inspection data. A n integrity review
workshop seems to be a good way of communicating.
26 114 A corrosion analysis is needed for every pipe spool which
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
takes into account material, fluid, flow velocity, amount of
solids, period of static conditions possible inleak of oxygen,
disturbances, possible build up of contamination etc. This
may be done using risk based inspection mathematics, but
can equally be done on a qualitative basis.
26 115 Corrosion implications need to be considered in
management of change, and the result needs to be
incorporated into inspection. This implies that corrosion
specialists or metallurgists need to be on the MOC sign off
list.
26 116 RBI systems need to be implemented properly, and with
care. Assessment of risk needs to be realistic, and based on
evidence. When data are entered and there is no earlier
history of inspection, worst case assumptions should be
made.
27 Ghislenghien, A 40 inch natural gas pipeline operated at 60 bar, design pressure 117 Exclusion zones along pipeline rights of way must be
Belgium, 80 bar (wall 62,5 mm). When the gas receiving terminal at respected, and SIMOPS analyses must take into account
2004 Zeebrugge shut down, the pressure rose to 70 bar. A gas leak was the possibilities of accidental interference. The best
reported, and fire fighters called. The firefighters were setting up approach is to provide physical protection if heavy
barricades when the pipeline ruptured. Five firefighters died in machinery is being used (12 inch girders, or large pipe
the initial blast and 11 others later. Over the following weeks sections are effective, they can be laid gently at the edge
further 8 persons died. There were 150 persons injured. Most of of the right of way).
the injuries were from the intense heat radiation from the jet
fire. Investigation later showed that there were gouges of up to Best practice is for all buried pipelines to have a bund
10 mm deep in the steel of the pipe, both in sections blown away cover, and well marked right of way, which at least helps to
(at 200m) and in the sections of pipeline not affected. Damage prevent encroachment damage to pipelines. Damage has
was judged to have occurred when a mechanical soil stabiliser nevertheless occurred, due to heavy equipment drivers
was used in the construction of a car park. A representation of moving too close to existing pipelines, and there has been
the gas pipeline company had been present all the time of the one case of propane pipe rupture by a backhoe. This is
construction, but apparently had not been able to prevent the second party interference, not third party.
damage, because a 350 mm long deep scoring was found. In the
emergency response, problems were found because the name of The biggest threat to well protected pipelines is from
the road had been changed, the pipeline marker was wrongly installation or maintenance of other pipelines on the ROW,
numbered, and the pipeline was not marked on maps. (Maps with many cases known.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
existed but not at the emergency centre). As a result, initially the
gas company did not know that it was its own pipeline which was
damaged, but it did send a technician to investigate.
27 118 Large pipelines can give massive damage arising from an
initial flash fire and subsequent jet fires. Such releases are
commonly calculated inaccurately in QRA´s, by not taking
into account experience from accident lessons learned.
27 119 High quality control is needed for prevention of third party
interference, including accurate maps.
27 120 Damage to the pipeline was reported prior to the accident,
but not acted on. All such damage must result in a
professional integrity assessment. From experience in Abu
Dhabi, a no blame reporting system is needed.
27 121 When investigating leaks, the potential for jet fires needs
to be remembered, and proper safety distances need to be
maintained. Gas detectors should be used, and if
excavation is needed it should be done with spark proof
tools.
27 122 There was a significant explosion of Ghisenligen. It seems
doubtful that this explosion from burning gas, considering
the lack of confinement. However, the rupture of any 40".
70 bar vessel will cause a rupture explosion.
28 Buncefield, At the HOSL fuel distribution terminal two gasoline storage tanks 123 Managements systems at HOSL relating to tank filling were
England, were being filled in parallel from the same pipeline. When one deficient, and were not followed, despite the fact that the
tank filled, the full flow was diverted to the second tank. The tank systems were independently audited.
has two forms of level control - a gauge which enabled operators
to monitor filling, and a high level switch, intended to close down
pumping when the level rose towards an unsafe height. The high
level switch had stuck intermittently, prior to the accident. The
switch required a padlock to retain its check level (used for
testing) in a working position. The supplier had not
communicated this fact to the installer or to the maintenance
contractor. Because of this lack of understanding, the padlock
was not fitted. The tank overfilled, and gasoline cascaded down
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
the side of the tank. Liquid gasoline was retained in the bunded
area, but a large amount of liquid evaporated, forming a vapour
cloud. The cloud passed into a light industrial complex, ignited,
and caused an intense vapour cloud explosion. Luckily, the
explosion occurred early in the morning, and no one was killed.
After the explosion, major fires occurred. Burning fuel flowed
into bunds. The bunds were found to leak, however. Also water
supplies for fire fighting were inadequate.
28 124 Pressure on staff had been increasing prior to the incident.
The terminal was fed by three pipelines, two of which the
operators had little control over in terms of flow rate or
timing of receipt of fuel. This meant that staff did not have
efficient information easily available to them to manage
precisely the storage of incoming fuel. Need for full
information about incoming and outgoing flows, and
future expectations is needed to be able to manage a tank
farm or a terminal.
28 125 Throughput had increased at the terminal. This put more
pressure on site management and staff, and further
degraded the ability to monitor the receipt of fuel. The
pressure on staff was made worse by a lack of engineering
support . These pressures created a culture where keeping
the process operating was the primary focus and process
safety did not get the attention, resources, or priority that
it required.

There needs to be adequate manning such that safety

management can be performed.
28 126 There should be a clear understanding of the major
accident risks and the safety critical equipment designed to
control them.
28 127 There should be systems and culture in place to detect
signals of failure in the safety critical equipment and the
respond to them quickly and effectively.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
28 128 There should be an effective auditing system in place,
which tests the quality of management systems and
ensures that these systems are actually being used on the
ground and are effective.
28 129 At the core of managing major hazards business should be
a clear and positive process safety leadership with board
level involvement and competence to ensure that major
hazards risks are properly managed.
28 130 Hazops and SIL studies should have identified the fact that
a single high level switch is an inadequate protection for a
gasoline tank
28 131 Operators should have a clear idea of the level of filling of
their tanks at all times, with a proper inventory log.
28 132 Bund walls were found to have holes through which fire
water and burning products passed. Even passive safety
measures such as bunds require a periodic mechanical
integrity audit
28 133 Safety critical equipment is required to have functional
performance standards. The equipment needs to be
checked to ensure that it fulfils these standards. This
includes design standards. Unfortunately, nearly all checks
currently made are based on the assumption that
equipment designs are correct.
28 134 The automatic gauging system had stuck, giving a "flat
line". Such flat indications on critical instruments should be
regarded as serious problems, and should be controlled
according to "maximum requirements for operation" rules.
28 135 There was only a single visual display, and tank gaging
could only be displayed one tank at a time. Human factors
had not been taken into account in the design
28 136 There was no backup for the critical tank gaging system.
28 137 Supervisors were able to set ATG alarm levels with no
security limits. The supervisors used the alarm limits each
in his own way
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
28 138 Supervisors relied on alarms to control (shut off) the filling
process. This is a classic cause of overflow accidents.
28 139 Written procedures were available, but had insufficient
detail.
28 140 Supervisors were working 12 hour shifts, with other duties
as well as supervising tank filling, with schedules giving up
to 84 hours work in a 7 day period. There were no fixed
breaks. The investigation committee remarks that:
Management has a duty to monitor working pressure, on
staff, and to take action to keep work loads to acceptable
levels.
28 141 The present author has noted in auditing many fuel
terminals, that managers and supervisors did not really
regard their plants as "major hazards". Even major hazards
specialists have tended to regard gasoline tanks as
"relatively safe", in that, at worst, they would burn down.
In fact, on a world scale, incidents like e at Buncefield have
occurred relatively frequently.
28 142 The instrument problems at Buncefield were design
weaknesses, but of a kind which could only be identified
when instrument engineers select instruments from
catalogues, or instruments checked during commissioning.
A process is needed which ensures that correct functional
and design integrity is in place. This requires a check list
based process.
28 143 The phenomenon of overflow vapour generation and liquid
spray releases leading to vapour cloud explosions was
unknown to risk analysts at the time of the accident, even
though several cases had occurred earlier. The
phenomenon had not been incorporated into safety
analyses, hazids, H&E register or QRA´s. The situation has
not changed much since the Buncefield accident, QRA's
still do not include vapour formation and vapour cloud
explosions for tank farms. Current QRA software is not able
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
to account for this effect.
29 Kaixian During drilling of a sour gas well a kick occurred. The kick was 144 The developers of the well were stated to be unprepared
blowout, detected by the mud logging system, and a driller was sent to for the high well pressure on reacting the pay zone.
Chongquing. shut in the well. Three minutes later, mud erupted from the well, Insufficient mud had been prepared of insufficient density.
and the slips were washed away. By 5 minutes after the kick, the
well was shut in except for a release from the top valve, at storey There is a need for a drilling risk analysis and an emergency
2, which could not be closed. The top drive caught fire. plan for every well drilled
16 minutes after the kick, the BOP was activated. The operators
tried to remove the drill stem, but failed. Inverse circulation was
released from an open flashing valve. At 30 minutes, kick control
failed completely. A large flow (4x106 to 1x107 m2/day) of sour
gas 9% was released.
Weather was cold, with low wind speed and inversion.
The topology was one of a narrow valley, so the gas plume
travelled far. At Kaixian, the elevation is from 500 to 1000m with
narrow valleys. The accident occurred at a site at 470 to 540 m.
wind speed was 0.13 m/s average, 0.7m/s maximum. Stability
conditions varied from D to E.

245 persons were killed, 1242 hospitalised, and 65 000 were

evacuated. Most fatalities were in a zone of 500 m from the well.
H2S concentrations were 11 to 32 mg/m3 at 5700 m
29 145 A back pressure valve had been removed prematurely
29 146 The importance of topology for gas dispersion is
recognised qualitative terms, but has not been taken into
account quantitatively, either in QRA´s or emergency
plans.
29 147 The drilling team ignited the gas 18 hours after the
blowout started. This contributed to the many casualties.
Instructions for ignition were given after 13 hours, but
workers could not ignite immediately.

Modern recommendation is to ignite sour gas blow outs

after 30 minutes.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.

Emergency preparedness must include facilities for igniting

sour gas blowouts.
30 Woods Cross, A 10" pipe coming from the base of a reactor, failed 148 Checking calculations of this type is normally made during
Utah, catastrophically, during catalyst regeneration. High pressure individual design reviews by the responsible engineer.
hydrogen was being circulated. Gas was released, giving a 35 m Mistakes can be made, and if they are, hopefully they can
high cloud and an explosion. Four workers nearby were blown to be caught during installation on pre commissioning
the ground but were not injured. 100 homes near the refinery inspection. Design review should in principle trap this kind
were damaged, one being knocked off its foundations. of error. However, design review processes are of variable
Mechanical integrity programmes had been undertaken by a quality.
contractor. Metal thickness readings taken by the contractor
were of doubtful validity. The thickness values were
miscalculated. The contractor had been using ultimate tensile
strength values as a basis for allowable operating pressures. Also
thickness readings were inaccurate.
The pipe which failed was accorded in 2007 to have a thickness
of ½ inch but on failing in 2009 had a thickness of only 1/8 inch.
30 149 Calculations of values such as pipe thickness are today
largely made using software, or spreadsheets. These are
often well checked before use. Input of erroneous data will
nevertheless still be a possibility, as here.
30 150 One of the difficulties which can arise with software
calculations is also use of programs beyond their range of
applicability. This kind of problem has arisen in modern
high integrity companies. The only known method to resist
this kind of problem is spot check audits, including QC
system audits. The lesson learned from the case is that
such audits are needed, and that it requires experienced
engineers to make them.
31 Marathon A slops tank containing diesel fuel exploded during maintenance 151 Sour water and slops tanks are among the most
Detroit work at Marathon Detroit Refinery, forcing a mandatory dangerous, if not protected. Blanketing can be by nitrogen,
evacuation order for a nearby area. One employee was injured in or by fuel gas.
the blast, authorities said. Sour water release during l tank
maintenance. Sour water is wastewater from the refining Diesel does not normally need blanketing, but as a blanket
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
process. Pollutants have to be stripped out of it before the water liquid in a slops or sour water tank it is easily
can be reused or sent to an outside wastewater system. contaminated.

Marathon reported the sour water tank involved in the fire

contained ammonia, hydrogen sulphide and sulphur dioxide.
Inside the tank were benzene and hydrogen sulphide covered by
about 4 feet of diesel fuel used to contain those chemicals.

It was the diesel fuel that burned. Benzene and hydrogen

sulphide can penetrate skin, which is why they pulled the trigger
on a 3,000-person evacuation.
32 Gallup NM A spare pump was scheduled for maintenance . To isolate the 152 CSB findings included : "Giant's mechanical integrity
pump for work, plant personnel, using a valve wrench, turned a program did not effectively prevent repeated pump seal
shut-off valve connecting the pump to a distillation column to failures. Problems were addressed when equipment broke
what they believed was the "closed" position. CSB investigators down, not in a preventive manner.
determined that the valve was actually open.
There should be proper mechanical integrity programs to
An operator disconnected the pump's vent hose to verify that no prevent breakdown maintenance. The study said Giant
pressure was in the pump, and witnessed some alkylate flow should have determined the cause of the frequent alkylate
through the hose. After the flow subsided, he believed the pump recirculation pump malfunctions and implemented a
had been de-pressurized and was ready for removal. The study program to prevent them.
concluded that the vent line was plugged, not de-pressurized. As
the mechanics were removing the pump alkylate was suddenly
released at high pressure and temperature, producing a loud roar
that was audible throughout the refinery. One of the mechanics
was blown over an adjacent pump and broke his ribs. About 30 to
45 seconds after the initial release, the first of several explosions
occurred. The plant operator was covered in alkylate that quickly
ignited and seriously burned him. Other personnel suffered burns
and eye injuries.

The design of the valve wrench used to "close" the suction line
made it easy to remove and reposition onto the valve stem in
different directions, and this led to a potential hazard because
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
operators sometimes determined whether the valve was open by
its wrench position, rather than the valve position indicator. In
this incident, the valve wrench collar had been installed in the
wrong position. Operators depended on the wrench position and
mistakenly determined the valve was closed."

The study also found that the valve had been modified in the past
to replace a hand wheel method of opening and closing it with a
bar-type hand wrench. If the company had performed a
management of change analysis before modifying the valve, they
could have recognized the hazard of identifying the valve position
that this modification caused. In addition, Giant operators did not
effectively verify that the pump involved in this incident had
been isolated and depressurized before beginning to remove it.

32 153 Under Lessons Learned, the CSB urges management of

change analyses for any valve modification
32 154 Need effective "lock out tag out" programs to ensure
equipment has been isolated, depressurized, and drained
32 155
33 Caribbean A tank overflow occurred at a crude oil tank farm. At 12:23 a.m. 156 A vapour cloud was formed, presumably as a result of
Petroleum, on October 23, a large vapour cloud ignited at the Caribbean overflow. The cloud ignited and causes a major explosions,
Bayamon, Petroleum facility near San Juan, Puerto Rico. The blast damaged which then involved the full tank farm.
San Juan, homes and businesses over a mile from the facility. Investigators
Puerto Rico from the U.S. Chemical Safety Board arrived in Puerto Rico that
evening. The incident was very similar to that at Buncefield.
34 Wynnewood, A boiler that was being brought back online after maintenance 157 This kind of accident is all too familiar. Over 40 such
Tulsa, OK exploded at an oil refinery in Wynnewood, killing one worker and accidents are registered in the database. Such accidents
injuring another. should be virtually eliminated by the use of a well designed
burner management system.
The explosion occurred after the plant had been shut down
earlier in the week for planned maintenance, a 40-day a
turnaround.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.

Fuel had entered the boiler fire box for a considerable period
without pilot or burner flame.
35 Alon Big A propylene splitter on a refinery developed a crack and break on 158 One of the lessons to be learned is the surprising speed of
Spring, Texas the bottom of a pump case. The crack was caused by a faulty recovery from what was one of the largest vapour cloud
weld. explosions. Loading racks at 200 m from the explosion
The propylene flashed, and the gas plume flashed, and the gas centre were damaged, but were operating 30 days after
plume reached an ignition source. The gas cloud was in a highly the explosion. The refinery was in operation after 2
congested area. The gas cloud exploded. months, at reduced capacity. The propylene splitter unit
This case is quite ordinary in its cause though it does illustrate was destroyed completely, and not rebuilt.
that manufactured items can contain defects (all other similar
pumps in the refinery were checked). The case is unique
however, in the extent of documentation of the overpressure
and domino effect damage. Damage was recorded to housing at
6 miles, with heavy damage at 2 miles. Storage tank walls were
collapsed and fires started at 370m from the explosion source.
Four persons were injured. All but one were released from
hospital within 2 days.
35 159 The accident was caused by the failure of a weld repair of a
cracked pump casing. This kind of weld is difficult,
especially for pumps handling propylene, where low
temperatures can occur from even the smallest leak.
35 160 The accident gives a very clear picture of the domino
effects from the explosion, because many aerial
photographs were published. The extent of the domino
effects, with secondary fires started at 10 different
locations.

35 161 The explosion occurred at 8:12. Fire service response was

within 3 minutes. Access to the refinery fire house was
damaged. A hydraulic lift fire truck was able to contribute
to fire fighting only after the doors were torn off the
firehouse. The blast also damaged fire pumps, leaving only
one fire pump operable.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
35 162 Pumps are pressure vessels, and should be repaired
according to standards for pressure vessels, including
checking of consumables, good storage of consumables,
weld preparation, inspection and radiography.
36 Waste Expanded polystyrene entered a slops tank. Electrostatic ignition 163 Slops tank may always receive volatile liquids, and can then
treatment occurred when the polystyrene touched a level control explode on ignition. Slops tanks need to be blanketed
plant instrument. The vessel exploded
36 164 It is virtually impossible to eliminate all ignition sources.
Good housekeeping and good classified area design
reduces the probability but can never eliminate the chance
of ignition
37 Refinery Erosion occurred on the inlet line to a vacuum distillation column 165 Cavitation erosion can occur on pipes subject to vacuum as
due to low pressure downstream of a piping expander section. well as pressure or high fluid velocity
Air was sucked in, and burned immediately in the residual fuel oil
being distilled. The piping glowed red hot. The unit was shut
down successfully, with a small spill of heavy gas oil.
37 Refinery A fire occurred on a crude column bottoms pump. A small (8 mm) 166 Restoring a pump after maintenance can be error prone.
nipple had not been replaced after maintenance, and oil sprayed The pump needs to be checked for leaks before putting it
from the hole. The fire was about 12 m. in diameter, and was back into full production.
extinguished in about 15 minutes.
38 Ethylene A hose was connected from a hydrogen gas vessel to another 167 If water hoses have a standard coupling and this coupling
cracker process vessel. The hose was a water hose and ruptured almost can be fitted to nitrogen, air or process nozzles/couplings
immediately. The hydrogen ignited causing a small fire. there is always a chance that operators will use them.
Water hoses are not rated for the pressures which can
arise in nitrogen or air supplies, and should never be used
as process connections. Properly designed couplings
should be used.

The problem is made worse by the fact that many process

units have couplings for water to allow for washing or
sludge removal, which may be used if the plant is
depressurised and made safe.
38 168 All operators and maintenance personnel need to be
trained in the use for hoses.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
39 Ethylene A lube oil sight glass was damaged by impact (cause unknown). 169 Sight glasses for lube oil are often mounted at a very
cracker On start up oil escaped and ignited (also cause unknown). The vulnerable height, close to the platform. They are also
fire was about 10 m. in diameter. mounted in the lube oil return line, so the lube oil will be
hot, and many fires have occurred from the release of hot
lube oil. If a sight glass must be located in a vulnerable
position, as is often the case, the glass should be protected
against physical impact, and should be protected against
bezel overtightening damage.
40 Sulphuric A blower on a sulphur burner, producing sulphur dioxide and 170 Fatigue cracks can grow from microscopic size to
acid plant trioxide developed a vibration. It was shut down until catastrophic in minutes or hours. The only way to prevent
engineering evaluation could be made. After assessment it was them from becoming catastrophic is to monitor for
decided to start the blower carefully with close observation, vibration, and to calculate what small defect could grow to
rather than to dismantle the blower, which would have required a major accident. The vibration review needs to be
one or two days loss of production. When the blower reached repeated, for example yearly, because vibration can
3000 rpm, one of the blower blades broke off, and flew up the become worse over time.
discharge duct until it reached the first bent, where it passed
through the duct pipe wall. The 3 m. diameter blower impeller
was now very much out of balance, and caused violent vibration.
The impeller and shroud were torn from the foundations,
tearing2 inch bolts out of the foundation. The 20 1.5 inch bolts of
the main bearing were either stripped of threads or stretched
and broke, With rupture of the bearing box, lube oil escaped and
ignited due to the friction of the shaft on the damaged bearing.
The fire was about 15 m. diameter and 15 m. high. It was put out
in about 10 minutes. The instrumentation on the steam turbine
drive was damaged and had to be replaced.

On investigation it was found that a small sulphur spot was

present at the source of a crack, and a fatigue fracture spread
from this. The development of the crack had taken less that 3
minutes of actual running time at high speed.

A similar crack occurred on the replaced blower impeller 6

months later. The blower manufacturer was one of the most
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
respected in the industry, but nevertheless the design showed
weakness.
40 171 If serious vibration does occur on rotating machinery,
assume that there is a possibility of a serious accident. Do
not restart without in depth inspection.

Inspection using endoscopes can sometimes be used to

detect cracks, but more usefully, can be used to guide
tapping with a small hammer or impactor, or to guide the
application
40 172 Even rotating equipment from reputable manufacturers
with tens of years experience can suffer from design error
41 Ethylene A pipe loop was used to collect steam condensate from a heat 173 Condensate build up in low points, collecting pots or knock
cracker recovery exchanger. The operator knew that the loop was out drums can overflow if not drained of in a timely
becoming full, but calculated that there was enough time to fashion. If the liquid overflows or is caught up as a slug by
allow the loop to be drained. The steam flow through the loop the gas flow, the result is likely to be sever hammer, and
picked up water in the loop, and a slug of water passed into the pipe rupture can occur. This can happen in steam lines or
discharge pip. When it hit the first tee junction, the junction in any wet gas lines.
ruptured, The entire steam system in the unit had to be replaced.
Fortunately, no hydrocarbon lines were damaged seriously
enough to escalate the accident.
42 Polyethylene A knock out drum for an ethylene stream to a compressor 174 Knock out drums need to be regarded as safety critical
plant required manual emptying because the amount of liquid in the equipment. There should be a strict procedure and
gas stream was very small, Eventually the knock out drum filled. schedule for
Liquid passed to the reciprocating compressor, and the
compressor ruptured.
43 Nitric acid A pipe section carrying unabsorbed nitric fumes to a vent stack 175 Incorrect materials are a frequent cause of accidents in oil
plant corroded and released nitrogen dioxide at ground level. It was and gas plants. To prevent such accidents the correct
found that the pipe spool was made from ordinary carbon steel, specification of materials needs to be made on drawings
not the stainless steel used in the rest of the piping. (P&IDs and piping layouts or isometrics) The corresponding
coding is needed in warehouses, and good warehousing
practice is required. Ordinary carbon steel needs to be
kept separate from alloy steel and all components need to
be well labelled.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
44 Refinery The discharge from a crude unit bottoms pump corroded and 176 Incorrect materials are a frequent cause of accidents in oil
released hot gas oil. Fortunately it did not ignite. The material for and gas plants. To prevent such accidents the correct
the elbow at the discharge was found to be the wrong material. specification of materials needs to be made on drawings
The replacement elbow also failed a month later. The (P&IDs and piping layouts or isometrics) The corresponding
specification provided by the pipe manufacturer was found to be coding is needed in warehouses, and good warehousing
in error. practice is required. Ordinary carbon steel needs to be
kept separate from alloy steel and all components need to
be well labelled.
45 Refinery The operations supervisor at a cracker unit found that all 177 Operators need to be aware that "unused " or "empty"
available tanks for the residual oil were full. He would have to tanks need to be fully investigated before any new use.
close down the unit. However he found a gasoline tank in the Using a tank for a new material such as hoy oil is a major
refinery which had not been in use for a long time and was design change, since the tank will probably not have been
empty. He routed the piping so that the oil could be transferred. designed for the new material. A change safety analysis or
a mini hazop is needed with qualified specialists
When the hot resid reached the gasoline tank the small amount participating
of gasoline remaining flashed immediately due to the heat from
the oil, The roof of the tank blew off, and a spray of oil was blown
across the managers car park.
45 178 The phenomenon of rapid phase transition occurs
whenever a low boiling liquid is mixed with a hotter high
boiling liquid. The effect can be hot oil into water or
gasoline, or vice versa, water into a hot deep fry pan, liquid
steel onto water or butane into a pentane tank for
example.
46 Venezuela, An excavator used by a telephone company to uncover cables cut 179 Very clear and direct communication is needed in order to
into a 10 inch natural gas pipeline, and displaced the ends of the ensure risk reduction measures are implemented
pipeline by over a metre, A jet of gas blew across the highway Implementation may involve several companies, and may
and ignited. This caused a car pile up and many fatalities. involve costs and operating difficulties for each.
Implementation may take time, and large expenditures
The potential problem was recognised many years earlier, but need to be budgeted and approved which means that
communication lines for solving the problem were very long (four momentum may be lost. The implementation may take
companies, with at least three layers of management in each, lay several years because of this. The message must therefore
between the analysts and those needed to implement be very clear. I have found that the easiest way of securing
safeguards. understanding is to provide photographs or videos of
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
accidents similar to the one identified.
46 180 Pipelines should preferably be routed at a considerable
distance from highways. From observation of traffic
accident photographs 40 m. is usually sufficient for an
above ground pipeline. Distances could perhaps be smaller
for buried pipelines but the effect of traffic running over a
pipeline may be a dent or coating damage which need to
be taken into account. QRA guidelines give a good
indication of the risks of mixing traffic and pipelines, but
these still need to be checked. The NTSB reports of
pipeline accidents give a good indication of what can
happen.
46 181 Buried pipelines should be run in well marked right of way,
preferably fenced. Pipes should have a good ground cover,
and warning plastic strips and or concrete slabs to provide
warnings for excavation.
47 Several instances of pipeline damage have been recorded for 182 When a new pipeline is being installed in a right of way
cases in which new pipelines are being installed in existing rights containing existing ones, ideally there should be a good
of way. safety distance. This should be sufficient to allow excavator
In one case investigated, the backhoe operator excavating a and side loader access without running over existing lines.
valve pit turned the wrong way to deposit a bucket full of Protection 1s needed to prevent excavators from swinging
excavated soil. The bucket hit an above ground oil pipeline and hitting existing lines. Heavy concrete barriers or old
putting a dint into it. The hit was not reported, but was found on sections of pipe generally provide good protection. Heavy
inspection. sheet steel should not be used as it can be dropped and
damage pipe. Corrugated steel sheeting does not provide
much physical protection, but it does provide good visual
protection. Excavator drivers do not feel comfortable in
knocking down safety barriers.
48 Venezuela, Propane was released from the seal of a transfer pump. The area 183 Housing should never be located close to refinery
was cordoned off, because the release could not be stopped. equipment or storage without an in depth risk assessment.
Eventually the gas ignited, with a large explosion as a result.
Housing which had been built for security staff only 50 m. from
the fence line was destroyed and there were many fatalities.
Five oil storage tanks were also set on fire.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
184 Leaks of liquefied flammable gases (including ammonia)
will eventually ignite if the leak is allowed to continue for a
long period, even if the area is cordoned off. It is
sometimes necessary to allow the leak to continue
because there is no way it can be isolated fro a large
inventory. In this case the area should be evacuated, up to
a safe distance. Consequence calculations should be made
to determine what is a safe distance. The calculations
should take into account the fact that leaks can get worse
over time, and that ignition causing a small fire can result
very quickly into a large fire due to escalation. So base
evacuation on a worst case prediction.
75 Venezuela, Natural gas liquids were releases “to a safe place” from a pigging 185 Natural as liquids should not be "drained to a safe place",
station. The vapour travelled 4 km. Along a narrow valley until it what is a reasonably safe place under normal wind
reached a cantina, and was ignited, causing many fatalities, conditions can be a lethal place when winds are low and
Contributing to the accident were the facts that the valley was the atmosphere is stable. Hydrocarbon gas can collect in
narrow and deep, and that the atmospheric conditions were hollows and can remain in high concentration for many
stable. days.
76 Taiwan A floating roof tank was being cleaned, with the roof standing on 186 Tanks must sometimes be emptied completely for example
its supporting legs. Vapour evaporating from the remaining oil on to allow maintenance to take place. When a floating roof
the tank floor and walls ignited, causing an explosion which settles on its legs, air will be drawn in unless blanketing gas
destroyed the roof, but fortunately causing no injuries. is provided. At some stage though, there will be both air
and flammable vapour present. Ignition can occur due to
mechanical sparking as the legs and leg springs adjust, and
form pyrophoric sulphide. The period between stopping of
pumping or stopping of blanketing flow, and the point at
which the tank is ventilated below the LEL must be
minimised. It is a good idea to give a tank roof "time to
settle" after emptying, before ventilation begins.,
77 Taiwan Steam was found to be issuing from pin holes in the steam 187 When designing heat recovery systems, take into account
system at many parts of the steam piping. Later high levels (over the effect of any leakage from the gas stream into the
200 ppm) of hydrogen sulphide were found coming from an steam system
open drain. The source was identified as a steam trap.
On investigation it was found that gas was leaking into the steam
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
system from a heat recovery boiler. The hydrogen sulphide was
causing accelerated corrosion, The entire steam piping had to be
replaced.
78 Taiwan A riser on a rich solvent regenerator (Containing absorbed H2S) 188 Vertical two phase flow can destroy piping in a short time,
was found to be swaying back and forth by about 1 m. Three if bubble collapse occurs at the top of the flow. The
supports had been tor away, and a fourth was half way cracked. problems arise when the liquid is close to the bubble point,
The cause was vertical two phase flow in the line, with bubbles as it can well be in a reflux or a column feed pipe. A
forming and collapsing as they passed up the riser. The collapse particular problem arises when there is a flow control valve
caused the column of liquid to fall, and place a heavy impulse at the base of the column and this is throttled down.
load on the pipe supports. The accident would potentially have
released a large amount of H2S, but the problem was found in Operators need to be aware of this effect, and to react
time and the unit shut down. urgently to prevent pipe damage. Designers need to carry
out calculations where column feed lines will contain
liquids close to their boiling point, or liquid/gas mixtures.
79 An oil degassing tank had a 24 inch riser, the crude oil passing to 189 Vertical two phase flow can destroy piping in a short time,
the top and then being released into the tank. The collapse of if bubble collapse occurs at the top of the flow. The
bubbles of gas in the riser caused a rhythmic vibration lifting the problems arise when the liquid is close to the bubble point,
riser and its support foundations about 3 inches out of the as it can well be in a reflux or a column feed pipe. A
ground. particular problem arises when there is a flow control valve
It was calculated that the vibration, at a frequency of about one at the base of the column and this is throttled down.
cycle every three second, would cause fatigue cracking within 1
to 3 years. The foundations were replaced by much more Operators need to be aware of this effect, and to react
massive construction. urgently to prevent pipe damage. Designers need to carry
out calculations where column feed lines will contain
liquids close to their boiling point, or liquid/gas mixtures.
80 During a plant mechanical integrity audit, a 2½ inch drain line was 190 Even the best companies can make errors in construction
found, over 40 m. long without any supports at all. The need for and pipe installation. EVERY pipe run needs to be
supports had simply been forgotten. The line was an important registered and inspected, and signed off according to a
one, it came from a deethaniser accumulator, and was about half check list when being installed and when being modified
filled with propane. The lack of support placed a very large
torque onto the vessel nozzle. Vibration fatigue would have
eventually ruptured the nozzle.

The surprising thing was that the general standard of piping on

 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
the plant was excellent, with (nearly) all pipes resting on their
shoe supports, and all pipe shoes centred in their guides. Also
surprising was that the lack of supports had not been noticed in
integrity inspections
81 A slug catcher consisting of a 50 m. section of 36 inch pipe was 191 Two phase flow in pipelines can cause severe vibration,
found vibrating (jumping) about four times per minute. The especially if the liquid to gas mass ratio is high, or if there
vibration lifted one end of the slug catcher about three times are low points in the pipeline.
every minute. The cause was two phase oil and gas flow into the
slug catcher.
Later, the foundations were strengthened and the catcher
stresses recalculated to ensure they were below those likely to
cause fatigue cracking in the reinforced structure
82 In an integrity audit insulation on a compressor steam turbine 192 Oil in insulation on hot pipes is a relatively frequent cause
was found soaked in hydraulic oil and was smoking badly. The of small fires,. There can in turn develop into large fires if
turbine was hot enough to ignite the oil especially as an the fire affects flanges or seals.
insulation fire. The oil came from an ESD valve control line. The
line was repaired and Insulation was removed. A fire watch was
organised until the compressor could be shut down
82 Oil was found in the insulation on an ESD valve fire protection 193 Solar heating on cladding can heat any oil or solvent
box. The oil was quite hot due to solar heating, but not at a level soaked into insulation sufficiently to cause ignition. Special
where ignition would be an immediate threat. However ignition care is needed when removing cladding, because at this
is possible in insulation over time, as the oil gradually oxidises. stage, air may reach oil residue above its flash point, or
The oil came from a leak on the hydraulic control lines for the may reach pyrophoric residues. Fire may start though even
ESD valves. when the cladding is intact. Cladding should never be
painted in dark colours and should preferably be left
reflective.
84 Gas injection A gas injection compressor was found to be vibrating very 194 Vibration can be excessive on any rotating machinery and
plant heavily. The vibration was sufficient to cause bolting in the plant especially on reciprocating compressors if there is
structural steel at up to 50 m. away to fail due to fatigue. resonance with some other item, such as piping or the
structural steel. The vibration can cause fatigue cracking
Vibration is to be expected on any reciprocating compressor, but and rupture.
this was beyond anyone's experience. It proved difficult to
determine the cause of the vibration, with many specialists It is in principle possible to predict resonant frequencies,
investigating over a period of years. The compressor had a large but in practice the stiffness of support points is rarely
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
concrete foundation. Possible causes identified were reflection of known, and frequencies change depending on degree of
pressure waves from bedrock with period at the main filling of pipes and vessels. It is essential to identify
compressor frequency and organ pipe resonance in the resonant vibrations during commissioning and in the post
downstream piping and knock out drum. commissioning period, and to add supports or weights
when vibration is excessive (detuning). Also the actual
performance of supports needs to be checked.
84a Taiwan A gas distribution manifold, 16 inch in diameter and rated for 300 195 Vibration needs to be checked not only during and after
bar was found to have heavy high frequency vibration. On commissioning, but throughout the lifetime of a plant.
calculation, the fatigue life of the piping was estimated to be 2 to Resonant frequencies can change due to corrosion
3 years. The problem was eliminated when shims which had reducing pipe thickness and therefore stiffness, and due to
shaken loose were replaced. failure of supports, and excitation frequencies can change
due to changes in operation. Fatigue failures have occurred
many years after initial start up due to these causes.
85 Denmark Tubing on a cylindrical fired heater caused an enlarged fire within 196 The consequences of this accident were due to a tragic
the fire box. The plant fire brigade was called. Seconds after their coincidence of timing. The accident occurred many years
arrival, the heater tube broke causing a large jet fire. Two before the ideas of pre-incident planning had arisen.
firemen were killed and the fire tender burned out. Today, pre-incident planning would give responders an
idea of the degree of hazard, and the appropriate safety
distance. This would not necessarily be sufficient to keep
them safe because inspection of the release and source
control (shutting valves) are part of most emergency
response plans. However it might be possible to make the
responders thing first, and ask for remote shutdown,
rather than risking life.

Responders should be equipped with binoculars to enable

them to see the source of releases from a distance (this
often works, although just as often the source is concealed
with smoke, vapour or fire)
86 An operator was walking alongside a hot steam condensate tank. 197 Hot water tanks and de-aerators should be regarded as
It ruptured along welds which had been attacked by carbonate severe hazards, in the same way as caustic and acid tanks.
corrosion. He was killed by the hot water. Walkways should not be routed alongside such tanks and
there should be a safety distance around them
198 A problem in the actual accident was that the corrosion
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
form was unknown. There are several forms of corrosion
which depend on particular chemical conditions in the
fluid. Plant integrity specialists should be aware of all the
special types of corrosion associated with their plants.
87 ME During a mechanical integrity audit, an insulated vertical pipe run 199 In retrospect, the inspectors were lucky. A more vigorous
was found which deflected on application of pressure from a checking of the piping for weakness would have ruptured
gently applied finger tip. The 1 inch ID pipe was carrying hot the pipe releasing hot high pressure benzene.
benzene to a column for distillation. The plant was quickly shut
down, and the piping inspected. A large part of the piping was
subject to under insulation corrosion, The wall thickness of the
pipe first identified was found to have been reduced from 3.5
mm to 0.8 mm. During dismantling the pipe broke in many
places.

Hot piping will usually not corrode externally, but corrosion did
occur during period of unit shutdown. Water leaking into the
insulation contained salt fro sea pray, being only a few kilometres
from the sea. Salt concentrated in the lagging, and warm
concentrated salt solution then caused accelerated corrosion.
87 200 Under lagging corrosion can rapidly reduce pipe thickness
to a fraction of its initial thickness, especially if the water
leaking into lagging is contaminated.

Liss (ref. National Board of Boiler and Pressure Vessel

Inspectors January 1988 National Board BULLETIN) reports:

"Corrosion may attack the jacketing, the insulation

hardware, or the underlying piping or equipment.
Depending on other factors, chloride, and galvanic, acidic
or alkaline corrosion may occur.

Galvanic corrosion generally results from wet insulation

with an electrolyte or salt present that allows a current
flow between dissimilar metals (i.e., the insulated metal
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
surface and the outer jacket or accessories).

Polyurethane foams with fire retardant, and phenolic

foams were found to form very acidic solutions with
accelerated corrosion.

The major factor in preventing CUI is to keep liquid from

intruding into the insulation. Water decreases the
effectiveness of the insulation and leads to corrosion of
pipe or equipment. Poor conditions caused by wet
insulation can be aggravated by weathering, vibration or
abuse from people.

Unfortunately, the insulation picked is normally based on

installed costs versus energy saved, and maintenance or
corrosion costs are not considered. The following should
be considered:

- The cost of repairing the insulation if corrosion is

detected. Insulation should be removed in limited sections
for inspection. - If insulation is subject to damage by abuse,
the cost of periodic replacement must be considered.
- The cost of the protective paint.
- For non-absorbent insulation, a "credit" should be given
for the energy saved by eliminating periodic water invasion
to absorbent insulation during wash-downs and storms.

Insulations such as calcium silicate, glass fibre and, to some

extent, cellular plastic foams absorb and retain liquids and
vapours. Additional flashing is required where spills, leaks
or drippings may occur, or where washing and hosing are
carried out. The only fully non-absorbent insulation is
cellular glass. Cellular glass should be used where corrosive
or flammable liquids are present.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.

The proper design of insulation for pressure vessels, tanks

and piping includes consideration of the support and
connection of the material. Details can be found in a
handbook from Midwest Insulation Contractor's
Association.3 According to plant operators, weather
barriers for insulation are frequently broken either
because inappropriate details were originally given for
equipment or not enough space was allotted around the
insulation. Improvement in design can be accomplished by
handling the insulation specifications early during the
vessel design and by "simplifying" the surface to be
insulated."
88 In several mechanical integrity audits, contractors and in one 201 All operators, maintenance workers and contractors need
case company maintenance technicians were found to be using training in the meaning and purpose of classified areas and
ordinary electric hand tools rather than non sparking or Ex safe the rules needed to ensure safety against ignition
types, and were found to be using household cabling, connectors
and plugs, without the areas being approved for hot work. In
some cases the persons involved had made adaptors so that Ex
safe sockets could be used to supply non Ex safe equipment. In
one case an ordinary electric drill was being used in an area with
many operating mixer settlers using volatile solvent. In another
case a team was installing a new corrosive resistant flooring in an
area which was approved for hot work, but had stretched lengths
of ordinary household cable, linked together with household two
pin plugs and sockets, through a working solvent stripping plant.
88 202 Foremen, supervisors and safety officers need to be aware
of the hazards of using unsafe equipment in classified
areas unless there is an approval for hot work. They need
to know, and have the authority, to stop work when
conditions are unsafe and where fire could be started.
89 In many plants conduit was found corroded or damaged. In some 203 During mechanical integrity audits, conduit needs to be
cases conduit was found honing from cables. In such cases, cable inspected and corrosion. Conduit should be watertight,
may be damaged by fretting and resultant short circuiting can and where cables exit from conduit, grommets or flaring
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
take place. This has caused electrocution accidents and fires. should prevent wear on cables and possible short circuits.
90 Fork lift trucks and small cranes (cherry pickers) are often used 204 Pipe tunnels should be kept clear of projections such as
within plants for moving drums of chemicals, lifting replacement light fixtures and pipe stubs, which can be broken if hit.
pumps or vales and similar heavy lifting. Many accidents have
occurred due to collisions with drums, collisions with pipe stubs
and valves and damage to piping. Dropping of hazardous loads is
also a frequent problem.
90 205 Pipe bridges over roadways should be protected by strong
steel portals (Headache bars)
90 206 Pipe stubs and valves should not project into roadways
90 207 Where piping or equipment is close to a parking or vehicle
turning area, or runs alongside a roadway, there should be
an anti collision barrier.
91 At about 3:05 PM on October 6, 2005, a trailer being towed by a 208 Roadways and access ways should be kept clear of
forklift snagged and pulled a small drain valve ( 1 inch valve on a projections such as light fixtures and pipe stubs, which can
2 inch pipe) out of a strainer in a liquid propylene system. be broken if hit.
Escaping propylene rapidly vaporized, forming a large flammable
vapour cloud.

Operators immediately began to shut the plant down and

attempt to isolate the leak They tried to reach and close manual
valves that could stop the release; however, the advancing
vapour cloud forced them to retreat. At the same time, control
room operators shut off pumps, closed control valves, and
vented equipment to the flare stack to direct flammable gases
away from the fire. At about 3:07 PM, the vapour ignited,
creating an explosion The explosion knocked down several and
burned two (one seriously) operators exiting the unit. Flames
from the fire reached more than 500 feet in the air Because of
the size of the fire, Formosa initiated a site-wide evacuation.
Fourteen workers sustained minor injuries including scrapes and
smoke inhalation. The extensive damage shut down Olefins II unit
for 5 months.
91 209 The fork list ruck was moving in a non approved area.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
There were designated access ways, but these were only
marked on drawings, not on the plant.

Access roads should be clearly marked, and there should

be signage or barriers to areas which are not approved, If
access is needed under exceptional circumstances, for
example for maintenance or replacement of heavy
equipment, this must be done under a permit to work
(PTW) with a job safety analysis and a risk analysis. The
need for protection of vulnerable piping and vessels need
to be taken especially into account.
91 210 Structural steel in areas handling hydrocarbons or other
flammable liquids should be fireproofed up to a level
which can be engulfed by pool for jet fires (usually up to
platform 2)
92 A 10 inch 80 bar pipeline ran alongside a major highway, with a 211 Pipelines should always be laid in a well marked right of
separation distance of as little as 5 m. and with little protection. way. The pipelines should be buried whenever there is a
In the accident, the pipeline was ruptured by a backhoe possibility of collision. Where the pipeline must be
excavating to install new telephone cables, rather than being hit exposed, it must be protected from possible vehicle
by a vehicle, but the risk analysis showed a fairly high frequency collision threats by collision barriers.
for both types of accidents. When the rupture occurred a jet fire
shot across the highway. A multi car collision followed, and a fire
with 64 fatalities.
95 On several refineries terminal and junction boxes intended for 212 Enclosures, terminal panel boxes and junction boxes in
use in classified areas were found with closure bolts missing, classified areas must be kept closed, otherwise classified
bolts loose and in some cases with boxes open. In some cases the area requirements are not met, and fire and unwanted
boxes were partially filled with water. This causes a systematic shutdowns are likely. The mots frequent reason for not
increase in ignition probability as well as cresting a possibility for closing properly is that frequent entry is needed due to
short circuit fires and unwanted plant trips due to control signal poor contacts or for instrument testing. Boxes with a
short circuits minimum of bolts or with handle closure are preferred.
Bolts are often lost, so spares must be made available.
96 A switching and cable room in an oil plant suffered form 213 The atmosphere in cable and switching rooms and control
blackening and sulphide corrosion on copper and silver contacts, rooms needs to be well controlled in order to prevent
which affected plant control system performance with frequent corrosion and poor control reliability
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
false alarms. The hydrogen sulphide entered the room via
ventilation or via seepage into the cellar. The source was from
sour oil which had leaked into the ground from tanks. The
concentration was low, too low to be measured on ordinary
safety gas detectors, but could be detected on more sensitive
detectors. The gas could sometimes be detected by smell. The
problem was cured by better ventilation, and by cutting a
drainage ditch around the building.
97 Pipe guides on a waste heat recovery steam line were placed on 214 Pipe fitting crews need to be aware of the way in which
the expansion loop rather than on the straight line runs. As a piping works, and the working of pipe guides and supports
result the pipe expansion on heating locked the expansion loops
against the guides. The expansion cased force on the heat
exchanger head, forcing it inward. A new heat exchanger head
had to be installed, with a resulting seven month delay in
commissioning.
97 215 There is a need for pipe inspection during mechanical
completion, as is obvious. The inspection though needs to
verify pipe supports and guides, including proper
expansion clearances, proper shimming and proper
adjustment of spring supports.
98 On a steam pipe a relatively long pipe shoe nevertheless fell from 216 Pipe shoes need to be long enough to accommodate pipe
a pipe support due to movement caused by thermal expansion. expansion, and need to be placed well centred on
On contraction, the pipe shoe damaged the structural steel. supports, so that they cannot fall off

The same effect was seen on many oil flow lines resting on
sleepers. In a few cases this led to damage of the coating and
accelerated external corrosion, as the pipe rubbed against the
now tilted support sleeper. This as sufficient to cause holing in
two cases
99 The support shoe for a nitrogen blow down vessel was located so 217 Vessel supports need to be examined as well as piping,
that only ½ inch rested on the foundation sole plate. It was found pipe supports and the vessels themselves during
that the vessel could fall off under abnormal ambient mechanical completion, and need to be inspected again as
temperatures, in which case nozzle breakage could occur. The vessels are filled and temperatures increased during
plant had been operating for several years, so apparently this commissioning.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
coincidence of high ambient temperature and low cooling in the
vessel was a rare one.
100 A support for a 24 inch pipeline surge relief valve was found out 218 Liquid relief lines need to be designed for hammer and
to be properly installed but springs were not adjusted after line surge effects.
filling. The pipeline rested on the lower snubbers.

Earlier during a surge relief episode, the relief line has kicked as
the oil ran into the surge tank. the line ripped open the side of
the tank and the contents filled the bund. There was fortunately
no ignition.
100 219 Pipe spring supports need to be adjusted after pipe filling.
This means that there is a need for adjustment during the
commissioning stage.
101 A flare line ran on sleepers above ground. In some relief cases 220 Above ground piping without suitable coating should be
the flare gas would be cold, and dew condensed on the flare line. kept clear from drifting sand. Or preferably coating should
Tis kind of effect frequently causes pitting at the 6 o clock be applied suitable for buried piping (this can be difficult
position on lines and in vessels, but in this case the corrosion was for flare lines with a wide rang of operating temperatures.
enhanced by build up of blown sand with a high salt content In such cases, do not locate them close to the ground)
beneath the line. The flare line corrode due to concentrated salt
solution.

When the pit finally crated a through hole of about 1.5 inches,
sour flare gas was released, Gas alarms were activated at about
100 m. distance, but all employees survived without significant
harm due to a well functioning shelter in place procedure.
102 Dew dripping from a concrete slab bridge over a pipe trench 221 Designers who make decisions about coating needs need
caused intense local corrosion on a high pressure gas pipe. The to know the actual ambient and operating conditions for
pipe had no coating because under desert conditions corrosion materials. A common assumption is that deserts are hot
rates were low. The wet conditions could be recognised because and dry, and designers have given that as a reason for not
the locations had a few green plants thriving on the needing coatings. The actual conditions become well
condensation, which often occurred in the cold desert nights. known if you have the opportunity to work on a night or
early morning shift.
102 222 It is necessary to consider unusual forms of corrosion
103 Very large gas turbine driven pumps were subject to a high level 223 In many installations, screw jack supports have been found
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
of high frequency vibration. The pumps and main piping were to be inactive. This usually occurs where there is
designed to resist the vibration, including the use of weight vibrations, because ground vibration caused bas plate
collars on the discharge pipe to detune resonance and prevent rotation and unscrewing. If screw jacks without springs are
vibration fatigue. used they should be supported on a solid foundation, and
the nuts should be tack welded in place.
A 2½ inch drain line on the pump discharge led to a smaller
pump. The drain line was permanently pressurised. Initially the
drain line was not subject to excessive vibration, being well
supported, but the screw jacks worked loose. Fatigue rupture
occurred on three separate similar installations. In one case the
escaping oil ignited, causing one fatality.
103 224 It is necessary to inspect screw jacks for possible air gaps
under the bas plate during integrity inspections. If the
support is causing vibration, consider an alternative form
of support, or adjust the support and tack weld the nut.
104 During an inspection on a distillation column, one of the 225 Smoke form boilers and fired heaters may contain sulphur
inspectors took hold of a hand rail. The rail came away in his dioxide. This can react with rain or mist to form sulphurous
hand, showering rust on those below. The column was close to a or sulphuric acid, which can corrode piping and structures.
fired heater, and firing with oil with a high sulphur content had During layout, avoid locating high columns and stacks in
caused acid corrosion of the railing. Much of it was largely rust. such a way that they are frequently engulfed by smoke
Inspection of the column itself showed only a normal level of plumes.
corrosion, presumably because the column would always be hot
at the time the heater was in operation, so that no condensation
could take place on the vessel itself.
105 A fire occurred in an LPG packing (cylinder filling and distribution) 226 Storage of filled LPG cylinders should be minimised, but a
plant. Many of the cylinders explodes due to the BLEVE effect or certain storage is necessary in order to take into account
due to overpressuring. Several landed on the roof of floating roof the daily demand pattern (many cylinders need to be
tanks at the refinery alongside the packing station. Fortunately loaded onto trucks in the morning, and there is need to
they did not cause fire on the tanks. take seasonal variations into account). Cylinders should be
stored in robust cages, so that if fire and cylinder
explosions occur, projectiles are not generated.
105 227 If fire affects an LPG cylinder storage, the only effective fire
protection is fire water monitors, preferably from different
sides of the store. These need to be placed so that roof
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
and half walls do not obstruct the water stream. The
monitors need to be fixed because only in this way can the
necessary short response time be achieved
106 Lamesa TX Many tanks with liquids stored above below their flash point such 228 Combustible liquids stored in tanks below their flash point
as diesel and fuel oil tanks are stored without blanketing. Under can generate vapour due to the heat input from an
most conditions blanketing is unnecessary. However in a fire the external fire, even one which does not engulf the tank but
oil can be heated generating flammable vapour, and since there only supplies it with radiated heat. The vapour can ignite if
is air in the tank, the tank may explode. If the tank constructed it leaves the tank and the tank may explode.
properly, for example according to API 650, the tank roof will lift,
giving a jet of fire, and may blow off. However if the tank base The explosion should blow the roof partly off in a well
weld is corroded the tank may fly, spreading burning fuel behind maintained and well designed tank with a weak roof seam.
it. Usually the distance flown is 50 to 90 m. and the tank can If the weld between the tank wall and the tank base is
cause significant damage when it lands. weak due to corrosion the tank may be lifted as a whole
from its base and then may fly up to 90 m. in some cases
This occurred at port Edouard Heriot, Lyons in 1992, and the trailing burning liquid behind it. For this reason tanks
result was the total destruction of a fuel terminal. Several fire involved in fire should be cooled with deluge or with fire
induced tank explosions occurred at Thessaloniki in Greece in water monitor sprays, even if they contain liquids stored at
1984, contributing to destruction of a large fuel import terminal. temperatures below their flash point.
A very good video of the phenomenon was taken at the Lamesa,
Texas solvents distribution terminal in 2012.

Examination of the history of tank fires shows that the

phenomenon of fire induced tank explosion and flying tanks
occurs in as many as 30% of closed roof tank fires when the liquid
in the tank is one with high boiling point, stored without
blanketing.
107 Venezuela A 60 m diameter heavy fuel oil tank was heated by steam coils in 229 Leaks from steam coils in a heavy oil tank can cause an
the base. The coils began to leak, resulting in a high temperature explosive atmosphere due to stripping of light fractions. Oil
in the oil. Operators went to the tank and lowered a vapour can collect in the air space above the heavy oil,
thermometer in order to confirm the fixed temperature sensor even if the light fraction stripped has a boiling point above
readings. When they did so, an electrostatic spark ignited the the steam temperature due to the stripping effect.
flammable vapour in the tank, and the explosion blew off the
tank roof. The operators were killed. it is good practice to install a temperature transmitter
inside the tank just above the heating coils in order to
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
Normally there is no vapour of significance in a heavy fuel oil detect overheating
tank, and it is in fact difficult to get it to burn unless it is broken
into a fine spray in a high pressure spray nozzle. It is so resistant
to ignition that in some places it is stored in open lagoons. In the
actual case though the steam stripped whatever light fraction
remained in the vessel, perhaps a small fraction of kerosene used
as a flux oil.

The explosion caused a full surface fire at the tank. Fire fighting
as attempted, but access was difficult due to the step slope and
the way in which the tanks were on a site excavated into the
hillside. Injection of foam through foam risers failed because the
tank had been overfilled earlier, and the heavy fuel oil froze
inside the risers (weathered heavy fuel oil is a bit like soft asphalt
at ambient temperatures).

The fire continued to burn for about 8 hours until a boilover

occurred. many people were killed and many more injured
because the fire had become a spectator event, with fire fighters,
national guard, boy scouts also attending (This was not unusual,
the area was and still is subject to brush fires in the summer, and
volunteers often help in fire fighting). also several news teams
and a large number of onlookers were gathered. Burning oil fell
from the fireball and affected an area up to 400 m. downwind,
and burning oil flowed about 600 m downhill to the sea.
107 230 Dipping is used for sample taking in dip cups , for gaging
tanks to determine the actual level of liquid in order to
check or calibrate level gauges, and to measure
temperature, as in this case. Objects lowered into a tank
may build up a high voltage if they are insulated. Any rods
used for dipping or gaging should be conductive and
earthed to the tank. Any thermometer or dip cup lowered
should be on cotton rope, which is conductive except
when it is clean and in very dry weather. Even with these
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
precautions it is not possible to guarantee that ignition will
not take place due to unusual circumstances, so designs
which avoid the need for dipping are preferred.
107 231 Fire suppression equipment such as foam injection lunes,
fire water monitors, foam generators and hydrants need to
be tested on a regular basis, at least once per year, more
frequently if failures are found. Fire water pumps need to
be tested more frequently.
107 232 Until this accident, boilover was considered to be a
phenomenon restricted to crude oil tanks. I experiments
undertaken after the accident it was found that boilover
could occur in heavy fuel oil with just a small addition of
kerosene and a very small amount (a few litres) of water.
See QRAQ report 10 for detailed description of the
boilover mechanism and modelling. Tank farm operators
need to be aware of this potential
107 233 Boilovers can be the largest accidents developed in oil
plant and refineries. The largest have had burning oil rain
out at distances up to 12 tank diameters. The size of
boilovers needs to be taken into account in emergency
planning.
107 234 Boilover usually takes some time to develop, because heat
must be conducted to the bottom of the tank sufficient to
cause water to boil and to stir up the hot and just warm oil
layers. When the heat begins to move down the tank, the
area should be evacuated upwind, to at least 5 tank
diameters. The entire downwind area should be evacuated
to at least 15 tank diameters.
108 A large circulation pump on a fume scrubber was reinstalled after 235 If a bellows is allowed to expand unrestrained the spring
maintenance. There was a bellows on the 16 inch discharge pipe, sections will extend beyond their design limit and may
fitted to reduce vibration. The bellows restraining bolts (fitted to crack. The expansion may also overstress piping. Bellows
prevent a bellows from expanding beyond its design limit) were should always be fitted with some restraint, and the most
ether forgotten, or failed. When the pump was started , the common form of restraint on pump discharge piping is a
bellows expanded. The discharge pipe had a short riser then a set of loose bolts which limit the length to which the
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
bend with a 4 m horizontal section then a second bend and a bellows can expand. Proper fitting of these must be
second horizontal section at right angle to the first. The bellows checked prior to commissioning and after any removal of a
expansion caused a torque on the second horizontal pipe section pump for maintenance. The restraining bolts nuts usually
and ruptured it. The jet force for the water from the rupture have a lock nut design, when one nut is tightened against
broke the downstream piping. The jet reaction then broke the another, The tightening of these nuts against each other
first horizontal pipe section. should be checked because the nuts can loosen due to
vibration. New lock washers should be fitted. whenever
the restraining bolts or rods are replaced. The length of the
restraining rods or bolts between the nuts must be
checked against manufacturer specifications
109 Extraction solvent leaked from a mixer settler and caught fire. 236 Fire water for cooling must be applied carefully, and never
The fire brigade attacked the fire with cooling water, spreading directly onto oil or insoluble solvent pool fires
the burning solvent throughout the plant unit. It was completely
destroyed.

The plant was quite congested with two units side by side. The
second unit was saved from damage by an 8 m. high fire wall.
109 237 Fire water applied to a fire, or for cooling, needs to be
drained, it should not be allowed to collect within a plant
as it will merely spread the fire. After the accident the
drainage system for the entire plant was rebuilt, with large
drainage trenches routed away from process equipment,
and with wide mesh grids to prevent water flowing more
than a limited distance before being diverted to a safe
drainage..

Plants which are designed with a slope towards a drainage

channel at the edge of each unit generally perform much
better in a pool fire that those which are sloped towards a
central drain.
109 238 Fire water drainage needs to be kept free and unblocked
110 Separators were built on sloping ground. When oil was released 239 Alter the incident, curbs were fitted around the separators
from a drain valve it flowed downhill, partly under the other so that any leak would be directed away from the
separators and partly along the roadway. Fortunately it was not separators to a drainage channel. The channel flowed to a
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
ignited large sump, which could quickly be covered with foam.

Whenever there is a possibility of pool fires beneath

critical vessels, drainage should be fitted to take away
burning liquid as quickly as possible.
111 An output transistor on a 24 volt power pack failed due to a 240 Instrument power supplies should be fitted with
faulty transistor. It then generated 40 volts. Two other power overvoltage protection, and should preferably also be fail
packs on the same distribution regulated down their supply, but safe
the faulty power supply was able to feed the full demand without
blowing the fuse. As a result all instruments on the same supply
bus were damaged.
The power pack was from 1971 and had no overvoltage
protection.
112 Kobe, Japan A cryogenic LPG tank had been back fitted with an ESD valve. The 241 Take subsidence and tank movement into account when
valve was supported on spring supports, but on a separate building tankage for earthquake prone areas. Where ESD
foundation from that for the tank itself. The connection to the valves are fitted, they should be on the same tank
tank was fitted with an expansion joint. foundation raft as the tank itself.

In the earthquake the ground alongside the tank subsided. The

piping for the ESD bent downward, and the upstream flange
began to leak. The leak continued for some days until the LPG
could be transferred to another tank, and remaining LPG
displaced by nitrogen.

During the period of leak all hot work was forbidden and use of
electrical equipment (which could have been damaged in the
earthquake) was forbidden.
112 AD A large capacitor in a power supply exploded. The explosion 242 Even well protected control power supplies with UPS can
overloaded UPS supplies, so that all critical power was lost to a fail if power supply component failure is sufficiently
large oil and gas plant. powerful, such as a capacitor or transformer explosion.
Different redundant supplies should be separated by
physical barriers sufficient to prevent damage to the
unaffected item. This is done routinely for large
transformers, but other electric equipment should also be
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
considered. Where there are redundant power supply
busses these should be protected from voltage spikes
being passed from one to the other.
113 A fourth loading rack for flammable products had PLC control on 243 Enclosures for control systems must provide a guaranteed
the platform, loading arm and valve opening. The earlier three environment for the electronic equipment
loading racks had relay interlocks. In the incident number four
loading arm and platform were seen rising and lowering out of
control. The unit was shut down immediately. One of the tanker
manhole covers was found to have been damaged.

In the investigation, the PLC enclosure was found to have

condensation. The PLC logic implemented the relay logic exactly.
There had been several failures on the relay systems earlier, but
these had always been fail safe, corresponding to the design
intent. It was not realised that the failure modes of the PLC could
differ from those of the relays. In the follow up vents were
provide on the PLC enclosure to prevent condensation. Also an in
depth analysis of the PLC control was made to see if additional
safety could be achieved. As a result a hard wired shut off was
provided from the dead man's loading handle, to prevent the
shut off valve and the flow control valve from opening unless the
dead man's handle was activated.
113 244 CHAZOP should always be made for critical control and
interlock systems
113 245 Assessment of PLC safety is difficult requiring highly expert
fault tree analysis. Old fashioned hard wired safety
systems can provide assurance when complex analyses
cannot.
114 A cylinder of oxygen was used instead of nitrogen as a purge gas 246 All personnel involved with use of cylinders should be
prior to ventilation of equipment for maintenance trained and certificated for their use, including
understanding of colour coding and understanding gas
hazards.
114 247 Where possible, different couplings should be provided for
oxygen and nitrogen cylinders
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
115 Nitrogen was provided as a back up to the plant instrument air 248 Designers should avoid using nitrogen as backup the plant
system. At one point maintenance workers used the instrument air systems. If a back up is needed, designers should at
air system as a supply for their air line breathing apparatus. The least use compressed air.
system switched to backup gas supply, and the two workers were
killed
115 249 If SCBA is not sufficient, safety qualified breathable air
supply and airline breathing apparatus should be used.
This can be portable trolley or vehicle mounted apparatus
if fixed breathable air system is not installed.
115 250 Connections for breathable air should be different to those
for plant air. Safety audits should check to ensure that
there are no “adaptors” allowing connection to plant air.
116 Natural gas pipeline rupture occurred due to stress cracking 251 Ruptures from hard spot stress cracking can develop very
initiated at a hard spot created during manufacture. Fire from the rapidly. Any abnormalities such as inclusions or weld
20 inch, 40 bar line rose to between 90 and 150 m. The fire defects identified by NDT should take this into account
persisted for 2hr 45 min because of confusion about the line
identity, a second parallel line being identified from helicopter
overflight
117 During the shutdown of a plant containing liquid propylene, the 252 Cooling water should be kept running even during
flow of cooling water to a cooler was isolated. As the pressure in shutdown if there is a possibility of freezing
the plant was reduced, the propylene became colder and the
water in the tubes froze, breaking seven bolts in the floating
head. The operators saw ice forming on the outside of the cooler
but did not realize that this was dangerous and did not do
anything about it. When the plant was started up again,
propylene entered the cooling water system and the pressure
blew out a section of the 400mm line. The escaping gas was
ignited at a furnace nearly 40m away and the fire caused serious
damage.
118 Venezuela, Cryogenic propane leaked from pump seals. It evaporated on the 253 High voltage transformers should never be located close to
ground and ignited from an 11 kV transformer that was only 12 critical pumps or other process equipment. The ignition
m. from the pump. The liquid burned until the propane was probability for a gas or vapour cloud which reaches a high
pumped and ejected by pressure from the piping (due to the voltage transformer is historically close to 1.0. The
heat input from the fire). ESD functioned, stopping the flow from question arises of how far away this should be. The answer
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
the storage tank. The pumps were not damaged because they is given by QRA using a calculation method based on
were in the vapour rich part of the plume, above the LEL. Piping discrete ignition locations.
was not damaged because it was protected by foam glass
insulation, but the aluminium cladding burned away
118 254 The fire in this case lasted about 30 minutes until it burned
out, following closure of the ESD valves. The pumps
themselves were relatively undamaged, the motors had no
structural damage but the electrical parts were destroyed.
Piping was undamaged but flanges were damaged to the
extent that they were still leaking small amounts of
propane due to ESD valves passing at the time of the post
incident inspection.
119 At a gas processing plant, a single line from the storage area to a 255 A pipeline or manifold which is used for both liquefied gas
distant jetty was used for propane, butane and naphtha (largely and a higher boiling liquid, mixing will almost certainly
pentane). An error was made in valve line up when a butane occur at some time. This can be due to misalignment of
transfer to a ship was to be made. The discharge valve from the valving, valves passing or failing open. When valves are
pentane tank was not closed. As a result butane was forced back widely open, the mixing of warm liquid with cold liquefied
into the pentane tank. The butane flashed to gas and pentane gas will cause a rapid phase transition or flashing
was ejected from a rupture panel at the top of the tank. 20000 explosion. When the leak is slow, as through a passing
bbl of pentane was ejected into the bund. About 50% of this was valve, the mixing can proceed without an explosion, but it
recovered over a period of 3 days, the rest evaporating. will usually lead to contamination of product, layering in
storage, and may cause a roll over. Separate piping is
needed for each liquefied gas product. (by contrast, multi
product lines are often used for transporting naphtha,
gasoline, kerosene and diesel. Care is needed in transition
because there are differences in viscosity and hammer
effects can arise.
120 Michigan, Two employees in a fertilizer plant had to install a float valve in 256 It is difficult to prevent people from placing themselves in
USA some an old 10m-deepwatercistern. When the first man dropped onto danger by acting instinctively in an emergency, but it can
years ago a wooden platform 1.8m below the tank opening, he was be done by training them to act in a given way in a given
immediately overcome by hydrogen sulphide gas, which had set of circumstances. It is essential that this training be
displaced the oxygen in the tank atmosphere, and he fell into the provided for all people who may have to work in confined
water below. His partner went for help and the two men who spaces and to those members of management who will
entered the tank were also overcome and fell into the water. A have contact with them. In addition, the basic training
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
passer-by, trying to save the drowning men, jumped into the must be backed up with refresher periods from time to
water and he too was drowned. By this time, the fire brigade had time.
arrived and a fire officer wearing breathing apparatus descended
to the wooden platform. He removed his face piece for a
moment to shout instructions to men outside the tank and he
was instantly overcome and died. Thus, the original victim and
four would-be rescuers lost their lives in this one incident. It also
serves to demonstrate that even a seemingly innocent water
tank must be treated with respect and tested thoroughly before
men are permitted to enter and work in it.
120 A welder had been working inside the barrel of a road tanker. 257 Argon is an inert gas and, like nitrogen, can cause death by
When he stopped work for lunch, he switched off the ventilation lack of oxygen in enclosed spaces. The arc welder should
fan but left his argon arc-welding gun inside the barrel. Shortly have been isolated and removed from the work area
after he resumed work, he collapsed but fortunately an observer before the man took his break. When work is interrupted,
was present and he was rescued in time. Argon had leaked from consideration should be given to testing the oxygen
the valve on the argon arc-welding gun and had accumulated in content again before resumption of work.
the barrel to a dangerous level.
121 While a man, wearing breathing apparatus, was working inside a 258 Safety equipment should always be carefully checked
tank, the air supply failed. He pressed the air demand valve but before use. Including the full length of breathable air lines.
no air came out. As he was near to the manhole, he was able to Training in this kind of caution is needed
dive out and remove his mask.
A hole was found in the air pipe about 15cm along the hose from
the mask. It was believed that before use, the mask and air line
had been hung over a pipe nearby and the air line had touched
an unlagged steam tracing line. This had melted the plastic but it
did not fail completely until it had been in use for some time.
122 A nitrogen receiver was to be inspected internally. The vessel was 259 Vessels to be entered should be properly isolated,
isolated and a flange opened to ventilate. To speed the isolation, preferably with spool pieces removed. A minimum is
air was blown in with a hose through the manhole at the bottom. positive isolation with spades or spectacle plates.
The air was tested for oxygen.
When the inspector entered the receiver he worked for a short
time then passed out. The “buddy” waiting outside the tank
could no enter because the SCBA he was using could not pass
through the manhole.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
122 260 Gas testing requires testing in the entire vessel, not just at
the manway entry. If necessary, the gas detector should be
mounted on a pole.
122 261 If an SCBA is to be used for rescue it should fit the opening
along with the largest “buddy”. This is often an impossible
requirement. In such cases airline breathing apparatus
should be used.
122 262 Under modern conditions persons inspecting inside vessels
should be equipped with personal multiple gas and oxygen
depletion alarms.
123 A glycol reboiler had been in service for about two years when an 263 .The PSV/vacuum breaker had functioned effectively as
operator noted an increase of temperature in the unit, and on two separate units, but had an inherent weakness, which
looking through the burner observation port saw flames within was not apparent under normal operating conditions.
the fire box although the reboiler control unit had shut off the Whilst the 6mm bolts were adequate to withstand the
gas supply to the burner. The flames increased in intensity and stress of internal pressure or vacuum, they were unable to
the unit temperature rose significantly. It was obvious that there withstand the sideways loading produced by expansion of
was a leak allowing glycol to enter the fire tube and burn. As the the vent system piping.
glycol heated up it started to decompose and vaporise. The
vapours were contained within the reboiler shell and passed When purchasing equipment a standard requirement
along a vent pipe, through a combined pressure relief valve (PSV) should be that the equipment is proven in practice
/vacuum breaker and into the platform atmospheric vent. INCLUDING ANY MODIFICATIONS.
Platform personnel were attempting to cool the unit and control
the fire with water hoses when the combined PSV/vacuum If modified equipment is to be accepted it should be
breaker unit failed, releasing vaporised glycol which ignited, thoroughly tested under the actual conditions of
producing a fire external to the reboiler, whereas the fire had operation. If this is impractical, a very thorough electrical
previously only been internal. Significant damage occurred local and stress analysis. In particular take into account the
to the facility before the glycol supply within the unit was stresses imposed by piping and supports external to the
depleted and the fire burnt itself out. equipment, which may be unknown to the equipment
designer.
It was found that the weld between the fire tube and the plate at
the burner end was cracked along the top half of its length.
Examination of the corresponding weld at the other end of the
fire tube showed that it too was fatigued and cracks were
starting to form. The reboiler design was new, with straight
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
through fire tubes. The tubes were fitted with expansion joints to
accommodate thermal expansion between the two fixed tube
plates On investigation it was found that the expansion joints
were much stiffer than calculated, and expansion was actually
accommodated by bowing of the fire tubes. This led to high
stresses at the tube plate resulting in the cracking.

The combined PSV and vacuum breaker was constructed by

bolting two units together. The inlet was on side of the vacuum
breaker, the outlet on the side of the PSV so that a shear force
was generated on the valves. The bolts sheared releasing the
glycol vapour which ignited
124 During the course of starting up the ethylene plant after a major 264 Start up should not be made until it is confirmed that all
overhaul cold liquid hydrocarbon flooded the liquid drain header, controls and all safety loops are working. This should be
filled the knock-out drum and flowed into the flare stack itself. done using a check lists. There should be an operator that
The flare stack failed due to low temperature embrittlement. checks temperatures and levels on the control panel
displays as the plant is being filled.
The area had been inspected for readiness for start up one day
earlier but it was not noticed that level controls on a column
were isolated, nor that the level alarm instruments on the knock
out drum were disconnected, because in both cases the
instruments were obscured by the turn round scaffolding. The
column filled for 4 hours with nobody noticing that the level was
not rising, because attention was diverted to dealing with a
leaking heat exchanger flange. It had been noted in earlier start
ups that the flange should be insulated in order to allow more
rapid equalisation of cold liquid and steel temperatures but this
lesson had not been effectively communicated.

Contributing to the problem was the organisation of the turn

round teams. The turn round managers were working on 12 hour
shifts, but the turn round staff worked on 8 hour shifts for work
agreement reasons related to overtime payment.
124 265 Start up should not be attempted when there are major
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
problems on the plant, and if start up is found to require
bypassing and plant modification it should be suspended.
124 266 It is easy to say that there should be adequate manning for
turn round maintenance but this may not be easy. Turn
round managers for example cannot simply be hired, they
need to know the plant in depth and breadth. They are
often very heavily loaded, and nominal 12 hour shifts often
develop into 14 hour efforts, if for no other reason than
the need for effective hand over. Such work loads may
persist for several weeks. Everything should therefore be
done to assist them, including provision of assistants to
write up daily reports, and assistants with radio
communication to provide feed back from the field.
124 267 A part of start up preparation should be a review of earlier
lessons learned, and a check that these lessons have been
included in the turn round work procedures and also in the
pre startup check procedure
124 268 The area authority who is responsible for approving and
giving permission for the next step to proceed is an
important but very heavily loaded person. The work area
to be approved should be tidy and there should be as little
“hidden” aspects of status as possible. The work should be
organised so that there is a minimum number of pre shift
area inspections
124 269 For any major start up, the organisation should be
reviewed and should be kept as simple as possible. Each
team should include a good proportion of people who
have contributed to turn round on the plant earlier.
125 Bourdon tubes in pressure gauges which were originally 270 It is often difficult to know when vendors change the
phosphor bronze were replaced by stainless steel ones on a internal design of nominally identical replacement
gasoline/tetramethyl lead blending system. Stress corrosion instruments. When the change in design or in materials IS
cracking occurred two months later due in part cavitation known, replacement should be subject to management of
vibration in the gasoline TML inductor and in part to the bromine change.
compounds in the TML.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
TML contaminated the area and workers in the area were found
to have heightened levels of lead in their urine.
125 271 The problems of halogen stress corrosion cracking is well
known to metallurgists, but generally not to instrument
engineers. The presence of bromine compound in
tetramethyl lead may be known to operators, but this may
fail to be communicated to metallurgists. management of
change requires a multi disciplinary approach.
126 Wynnewood, Lightning struck a closed roof tank holding "25,000 barrels of 272 Closed roof tanks with flammable or combustible contents,
Tulsa, OK light oil" with internal floating roof. Vapour inside the tank or with aqueous fluids which can be contaminated, or can
exploded causing the roof to partially lift, ejecting flame, but the generate hydrogen, should have a weak roof seam. Details
roof settled back into place. Fire continued from beneath the for this are given in API 650
roof.
127 A flame detector on one of three burners on a steam boiler 273 The use of jumpers to bypass instruments should be
showed repeated faults and was therefore bypassed, The normal prohibited because they lead to too many accidents.
bypassing would be available when the neighbouring burners Properly designed bypass systems should be used. In the
were lit, but in this case normal bypassing was not used because present case it appears that the problem could have been
the burner was the first of four to be used. Instead a jumper was avoided by changing the sequence of burner light off.
used ion the terminal block.
Shortly after starting the burner, there was a flame out. It was
considered after the event that this occurred because of a
change in gas density in the multi fuel supply, bringing the gas
above the UEL. When a second burner was brought on line an
explosion occurred. The boiler was completely destroyed and an
adjacent boiler suffered minor damage. An operator on the
burner platform was injured when he jumped over the railing to
escape the fire.
128 A package boiler was used to supply steam for two units. In an 274 Jumpers are often used by contractor instrument
unusual situation the two units started nearly simultaneously and engineers during system testing. All bypasses must be
the water level fell rapidly under the unusually high initial load. registered (even during completion testing). A thorough
The main fire tube was uncovered so that there was no water to inspection should be made prior to commissioning to
cool its upper surface, and it ruptured. The boiler exploded. ensure that all bypasses have been removed.

On investigation it was found that there was a bypass on the trip

 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
relay for the low level trip. This had been left in place since the
original commissioning tests 20 years earlier. There had obviously
been on serious low level incidents in that time
129 A slops tank had a vent pipe which passed to close to ground 275 Flame cutting slag can travel far and carborundum disc
level in a bund. Flame cutting was to be carried out on a platform cutting sparks can travel up to 30 m. This makes the
alongside and above the bund about 2.5 m. away. Slag from the required protected area for working activities very large. If
cutting fell into the bund and ignited the vapour from the tank. work is difficult, steel sheeting can be used as a barrier to
The tank exploded and and separated at the tank base, The tank prevent sparks, as can a welding tent.
flew about 90 m. and spread burning liquid across the area
causing several fatalities.

The bunded area had been tested for flammable vapour as part
of the PTW conditions. However the tests were made 12 hours
prior to the flame cutting work.
129 276 Generally workers and safety inspectors are expected to
“just know” what are the appropriate safety distances
around any work site and threatened operating plant. This
is not satisfactory, because this means that they have to
learn by experience, and even in the best case each
experience is a near miss. There should be clear guidance
about safety distances around working sites, hot work
locations and locations which could conceivably release
flammable or toxic vapour or gas.
129 277 Slops tanks are dangerous, they can have flammable
vapour even when the liquid inside is nominally water.
Slops tanks should have nitrogen blanketing.
129 278 Closed roof tanks can fail at the base in an explosion due to
corrosion at the shell to base plate weld. In this case the
tank fails at the base rather than the tank roof weld as per
API 650. The tank will then fly a considerable distance. To
prevent this, ensure that all tanks have a designed weak
roof seam, and especially inspect the base weld and
reinforce it if it is corroded at every tank inspection.
130 A foreman, in his anxiety to progress a job, entered a large open 279 It is necessary to re-emphasize time and again that there is
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
topped vessel situated in a large well-ventilated building, by a proper procedure for entry into a confined space and it
climbing down a ladder. He attempted to clear a blocked outlet must always be adhered to.
valve by rodding it from the inside. When he disturbed the sludge
in the bottom of the tank it released hydrogen sulphide and he Foremen and supervisors are particularly susceptible to
was immediately overcome. On seeing what had happened, his taking short cuts in order to “get the job done and keep
mate clambered into the tank to rescue him and suffered the production going”. However confined space entry
same fate. Both men were dead by the time a proper rescue was procedures are not optional, in just the same way that
organized. The company had a detailed procedure for entry into prohibition against smoking is not optional.
a confined ,which had been ignored.
132 During the start-up of an ethylene plant on a petrochemical 280 This accident occurred before real attention was given to
complex, a heat exchanger within a cold box was subject to management of change, but illustrates why MOC is
pressure above its design pressure. This resulted in the needed. In this case MOC should have involved a mini-
exchanger rupturing, blowing away a corner of the cold box. The hazop and the results should have been transferred to the
escaping gases ignited at source and the ensuing fire burnt for 36 operating procedures.
hours. Fortunately, no one was injured as a result of this incident.

The possibility of overpressuring had been noted by the plant

manager, plant chemical engineer and plant superintendent, and
they introduced a valve to prevent the overpressuring, but the
changes were not marked on drawings and no information was
transferred to the operating procedures or operators.
133 Jonava An operating error apparently led to liquid ammonia at 10 deg C 281 Insufficient detail is available to determine the actual
being pumped into a cryogenic ammonia storage tank at -33 deg cause of the mistake, but it is possible to conclude that the
C. The warm ammonia cussed a rapid overpressuring, and hazard of hot ammonia into cold ammonia must be
ruptured a section of the plant base. 7500 tonnes of ammonia recognised, included into procedures and communicated
were released. The force of the ejected ammonia pushed the to operators.
tank off of its pedestal. and drove it through a bund wall.
The ammonia caught fire and ignited NPK fertiliser on a conveyor
which then carried the fire to fertiliser storage. This causes a
release of nitrogen dioxide.
134 Deepwater February 2010, the Deepwater Horizon rig commenced drilling at 282 This is a story of multiple failures on what is highly
Horizon the Macondo prospect, 66 km from the Louisiana coast, in a developed equipment, with sophisticated safety design,
water depth of 1500 m. on 20th April 2010, a blow out occurred procedures and training. It is hard to avoid the conclusion
at the rig. It caught fire, exploded and continued to burn. 11 that the teams believed that there were so many safety
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
persons were killed. After burning for about 36 hours, the rig systems that none were particularly important. Lessons to
sank. The following oil spill continued until September 19 2010- be learned are:

At the time of the accident the rig was drilling on exploratory

well. The well had been drilled to 5600 m. production casing was
being run and cemented at the time of the accident. The
cementing contractor stated that it had finished cementing 20
hours before the accident, but that it had not set the final
cement plug to allow temporary well abandonment.

The well head was fitted with a blow out preventer, actuated by
cable from the surface. (The lack of acoustic or other remote
control was later criticised).
At the time of the accident the rig was drilling on exploratory 283 1. The various safety barriers are there for a purpose,
well. The well had been drilled to 5600 m. production casing was and need to be tested and maintained strictly according to
being run and cemented at the time of the accident. The procedures
cementing contractor stated that it had finished cementing 20
hours before the accident, but that it had not set the final
cement plug to allow temporary well abandonment.

The well head was fitted with a blow out preventer, actuated by
cable from the surface. (The lack of acoustic or other remote
control was later criticised).

Analysis showed that a total of five safety barriers failed.

The well head was fitted with a blow out preventer, actuated by 284 2. Maintenance and testing procedures need to be
cable from the surface. (The lack of acoustic or other remote validated, to ensure that they actually work
control was later criticised).
Analysis showed that a total of five safety barriers failed. 285 3. The impact of schedule pressure is evident in the
· Annulus cementing reports, particularly the need for speed in the cementing
· Mechanical barriers at the bottom of the well process, and in reluctance to question the results of tests,
· Well control (mud circulation and mud weight) and the lack of tests. Schedule pressure should never be
· Blowout preventer failed allowed to compromise critical safety procedures.
· Ignition prevention was inadequate
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
Concerning the annulus cementing, subsequent tests indicate 286 4. The blowout preventer reliability was analysed
that there would have been problems in achieving a stable carefully in a detailed risk analysis report in 2001. The
nitrified cement. Also the planned number of casing centralisers analysis makes assumptions about the reliability and the
were not installed because the team believed (erroneously) that testing frequency. In practice, the system was subject to
21 slip on centralisers were the wrong type, and could lodge common cause failure (solenoid coils) connectors,
across the BOP. There are claims of errors in the cement batteries were beyond their intended design life, and had
formulation, and acknowledged lack of testing of the cement. insufficient charge, and had inadequate diagnostics. There
were many other deficiencies.
A negative pressure test was carried out but was over interpreted 287 The original reliability analysis was carried out properly,
to conclude that the cementing was sound. but if underlying requirements ae not met, the analyses
are at best misleading.
The “shoe track” at the base of the well should have prevented 288 A short check list of items which need to be in place to
ingress of oil and gas to the 7 inch casing. The shoe track cement ensure reliability of equipment of this type is:
could have been contaminated by nitrogen or well fluid, or it
could have been badly designed. Float collars with flapper valves
were also determined to have failed.
It was not determined what the actual cause of the two failures 289 - All active systems need to be provided with
were. diagnostics which can test functionality
The negative pressure test should have confirmed the down hole 290 - Certification and replacement intervals must be
seals. The team observed 15 bbl of sea water bled from the well, observed
when 3.5 bbl was expected. The tool pusher interpreted this as
due to “annular compression”. the investigation team could not
find any evidence that the effect exists.
Once the negative pressure test was completed, the annular 291 - Non OEM components should not be used
preventer was opened, and the pressure in the well
correspondingly increased. The crew began to displace mud from
the riser with seawater. As a result well pressure decreased.
Hydrocarbons entered the well. Little or no logging activity took
place, in part because of preparations for the next phase of
completion of the well. The presence of hydrocarbons was not
recognised.
About 5 minutes after the mud pumps were shut down, mud 292 - The condition of consumables such as battery charge
began to flow onto the drilling floor. The crew attempted to needs to be tracked
control the well by closing the BOP. The annular preventer did
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
not fully seal around the drill pipe so that hydrocarbons
continued to be released.
The rig crew diverted the flow to the mud gas separator, but this 293 - Test intervals need to be observed
was quickly over loaded. The alternative, of diverting the flow
overboard was apparently not chosen.
Shortly afterwards an explosion occurred. 294 When failures are found, root cause analysis must be
investigated and causes eliminated
Note: the HVAC systems for the engine room were on manual 295 Evidence of common cause failure needs to be reviewed
control, and did not prevent ignition. with some urgency and the root causes found. If the cause
cannot be found, the safety systems must be regarded as
suspect, and rules for minimum conditions for operation
apply
The blowout preventer had two actuation systems, one electrical, 296 All critical parts need to be on the testing list.
one hydraulic. Evidence was found that there were faults on
solenoids, non original equipment fitted, and batteries not
charged. There is evidence that one of the annular blow out
preventers was subject to a pressure differential larger than its
design value. The blind shear ran failed to close because a non
shearable section of pipe was in the shearing sections.
After the explosion, control of the BOP was probably lost due to 297 5. Maintenance records were not made properly. In
damage to control cables. Automatic (fail safe) shutdown some cases maintenance was recorded for periods in
probably failed due to a defective solenoid on one system, and a which BOP was on the seabed.
discharged battery on the other.
298 6. The emergency response plan was inadequate
135 Mont Belvieu Two maintenance contract workers went to change the position 299 This is yet another example of the importance of isolation
TX of a spectacle plate on an incoming NGL line to an NGL and of safe isolation procedures and proper equipment
processing plant. For an unknown reason NGL was released and identification.
ignited. The workers were killed.

Two workers had gone out to cut a 10" pipe, they had dug a 6
foot hole to the underground pipe. Pneumatic pipe cutters were
found in the hole and pipe had been cut. There were several 10"
pipes in the area, and the wrong one was cut.
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
The resulting jet fires were intense and destroyed a distribution
manifold racks.

The fire continued for several hours because three ESD valves
(out of 27) had failed and became too hot to close down
manually.
135 300 Properly located ESD valves are important, and valves need
to be protected from all reasonable possible fires.
135 301 Permit to work systems need to have a "positive
identification of equipment and piping" section on forms.
135 302 Permit to work systems need to have a "positive
identification of equipment and piping" section on forms.
136 ME Liquid nitrogen overflowed into a nitrogen receiver vessel when 303 The hazards of liquid nitrogen should have been identified
steam supply to a water bath evaporator was shut down. The in hazops, and presumably were identified, since a trip
receiver vessel failed due to low temperature brittle fracture. The system was specified for low temperature. However, the
vessel burst, with damage to neighbouring equipment. knowledge was obviously not communicated to operators.
A much more systematic way is needed for communication
There was a low temperature trip on the nitrogen header but the of hazard knowledge to operators.
trip valve failed to close completely because of a hardware
change. The change had been made much earlier and was
unknown to most of the plant staff.

Low temperature alarms were received and acknowledged in the

control room, but no further actions were taken.

136 304 Liquid nitrogen is listed as a hazard in the ISO hazid check
list under "cold surfaces". Its danger to piping, and vessels
is not mentioned, and its danger as an asphyxiant is
mentioned under "Excessive N2" hazid check lists need to
be complete, otherwise they become a source of danger
themselves.
136 305 Generally, a much more systematic approach is needed to
hazard identification and hazard communication between
designers and operators, designers and maintenance, and
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
between companies when transfer of ownership or
operating licence takes place..
136 306 The management of change procedure broke down
completely, probably in two ways, a) by not being applied
and b) by results not being communicated. The
management of change register needs to be a living
document which follows the plant throughout its life.
136 307 A safety review section is needed in the management of
change procedure
136 308 A more effective way of communications hazards to
operators and maintenance personnel.
136 309 The evaporator was part of a vendor package. All vendor
packages need to be hazopped
136 310 An alarm management review procedure is needed, so
that the correct response to alarms is ensured.
136 311 All parameter excursions outside the normal operating
envelope need to be investigated
136 312 many accident types cannot be identified by HAZOP. A
procedure is needed for safety design review of process
drawings, including as built P&ID´s, cause and effect
matrices, alarm lists and display layouts,
137 Canada A contract operator was part of a team commissioning a well. 313 Instrument tubing must be installed according to
Gas had been seen “bubbling” from the base of a threaded manufacturers procedures, and with the correct tools.
tubing fitting which connected a well head to a pressure
transmitter. Artisans need to be aware of the hazards of high pressure
tubing
The operator attempted to tighten the ferrule using a wrench. He
leaned over the connection and touched it with a wrench, at
which time, the ferrule broke loose. The tubing whipped back
and gouged a hole in the wall. The operator took the full force of
escaping gas in his face. The gas turned his face black, and tore a
15 cm hole in his throat and collapsed a lung.

The ferrule fittings had not been checked, and were found only
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
to be finger tight. The ferrules were not seated on the tubes.

No hydrostatic or pneumatic testing had taken place

A similar accident occurred in Alaska, due to tubing being

designed to operate at maximum allowable pressure. When a
ferrule slipped, the tubing whipped and carved a 1 inch slice from
the top of the fitter´s helmet, missing his cranium by millimetres.
He suffered a strained neck.
137 314 Tubing installations need to be pressure tested
137 315 Do not work with tools on pressurised equipment. The
equipment should be depressurised before tightening
starts.
137 316 Consider the possibilities of failure of equipment when
using tools, and do not stand in the line if fire when there
is a possibility of equipment or breaking or a tool slipping.
138 ME Two operators were trying to close a valve tight on a water 317 Do not use improvised high power or high force tools on
injection system. They used an “extended valve key” – that is a active process equipment (especially high pressure
spanner (wrench) with a length of scaffold pipe as extension. The equipment) There is a temptation to use high force tools to
valve broke, and the jet of water blew the operator across the tighten bolts when valves or flanges are leaking. This is a
platform. The operator died from a broken skull when his head mistake. Firstly the force can break the bolts. Secondly,
hit a railing. overtightening will crush the gasket, so that it will leak as
soon as there is any temperature or pressure change.
139 ME A central degassing station had an emergency shut down. As a 318 Do not drive through pool or even approach pools of crude
result of hammer effects there were oil leaks from two flow lines. oil (or any other chemical or flammable fluid for that
The central degassing station was brought back up and matter). Crude oil generally has a high vapour pressure and
operations teams started to open wells. Another team drove to a will give off plumes of flammable vapour. Such vapour is
remote degassing station to isolate wells from the station. Close easily ignited (for example by a car engine) and will give a
to the remote station, there was a leak from another flow line, large flash fire or possibly a vapour cloud explosion
across the main access track. While crossing the oil pool, the
vehicle caught fire. There were four fatalities and one person
with minor injuries.
139 319 Hammer effects need to be taken into account when
liquid pipelines are closed rapidly. This needs to be taken
 Systematic Lessons Learned Analysis
case Location Accident description Lesson Lessons
no. no.
into account during detail design, but also when periodic
inspection is carried out.
139 320 The wells did not trip on high pressure. (This is not
surprising if the cause of over pressuring was a hammer
effect, since the high pressure does not affect the
upstream pressure sensors.
139 321 Current designs for well flow lines and trunk lines do not
generally have high pressure protection
139 322 Well head maintenance was behind schedule
139 323 Operations at night in response to an emergency had not
been identified as a “critical activity”. There was no risk
analysis or job safety analysis
139 324 Hazop/SIL revalidation had not been undertaken
139 325 Labourers had not been issued with fire resistant overalls.
Systematic Lessons Learned Analysis