Alarming Your Tank Farm
Why safety-critical alarms can prevent another tank farm explosion.
- By Gary Bradshaw
- Nov 18, 2019
Twenty-five years on from a major explosion at an oil refinery, what can we learn about alarm annunciation? Here, Gary Bradshaw explains why many sites that fall within the scope of the Control of Major Accident Hazards (COMAH) regulations are in urgent need of physical alarm panels that emit light and sound in the event of imminent danger.
At 1:23pm on Sunday July 24, 1994, twenty-six people were injured when an explosion erupted through an oil refinery in an otherwise quiet corner of South Wales. The site was occupied by two companies: Texaco’s Pembroke Refinery and the Pembroke Cracking Company (PCC), a joint venture between Texaco Ltd and Gulf Oil (Great Britain) Ltd.
The site produced hydrocarbon fuels such as gasoline, diesel, kerosene and liquid petroleum gases (LPG) from crude oil. The incident started before 9am when an electrical storm in the area caused lightning to strike the crude distillation unit that provided feed to the PCC units. This resulted in a fire that caused disturbances that affected the vacuum distillation, alkylation and butamer units, as well as the fluidised catalytic cracking unit (FCCU).
What followed was a cascade of failures that highlighted severe shortcomings in the plant’s safety and control systems. The report produced by the Health and Safety Executive (HSE) following an investigation into the events concluded that “the direct cause of the explosion that occurred some five hours later was a combination of failures in management, equipment and control systems during the plant upset. These led to the release of about 20 tonnes of flammable hydrocarbons from the outlet pipe of the flare knock-out drum of the FCCU.
“The released hydrocarbons formed a drifting cloud of vapour and droplets that found a source of ignition about 110 metres from the flare drum. The force of the consequent explosion was calculated to be the equivalent of at least four tonnes of high explosive. This caused a major hydrocarbon fire at the flare drum outlet itself and a number of secondary fires.”
The HSE investigation found several causes of the incident. A control valve was shut when the control system indicated it was open; control panel graphics did not provide necessary process overviews; a modification had been carried out without assessing all the consequences; staff attempted to keep the unit running when it should have been shut down; and the company failed to take the necessary overall perspective, concentrating instead on the local, immediate symptoms rather than looking for the underlying cause.
The 14 recommendations that followed covered everything from improved safety management systems, human factors and protection systems to plant layout, inspection systems and emergency planning.
Two things stood out to me when I read the HSE report. The first relates to human factors, where the report mentions that, “display systems should be configured to provide an overview of the condition of the process.” The second relates to protection systems, where it explains that, “the use and configuration of alarms should be such that: safety critical alarms, including those for flare systems, are distinguishable from other operational alarms; alarms are limited to the number that an operator can effectively monitor; and ultimately plant safety should not rely on operator response to a control system alarm.”
You see, it’s striking because many of the sites I visit today rely largely on their control systems to warn them of imminent danger. The endless stream of visualisations presented to an operator can be overwhelming, and it’s worrying to think how an operator may respond if similar events were to take place today.
While it’s lucky that no one was severely injured, the incident reinforces the need for alarm annunciators. These are physical panel-based alarms that are hardwired directly into each process and capable of sounding and lighting the relevant window in the event of a critical breach in containment. The HSE’s findings show that, had more effective alarm systems been in place, staff at the site might have had a better chance of preventing such catastrophic circumstances and perhaps of avoiding the subsequent rebuild cost of £48m at the time, or over £96m today.
Today, tank farms are used in all areas of industry, not just in oil refineries. Any facility that stores toxic or dangerous substances and materials that could cause damage or harm to people or the environment is regulated by the Control of Major Accident Hazards (COMAH) Regulations 2015. Dangerous materials might include those that are toxic, explosive, flammable, self-reactive or pyrophoric, and dangerous substances may include things like ammonium nitrates, potassium, arsenic, bromine, chlorine, nickel powder and fluorine. The list goes on.
Sites are classified into upper and lower tiers. Upper tiers have the potential to cause danger of death or major environmental issues, while lower tiers still handle dangerous substances but pose a lower risk. Businesses in both tiers must consider the potential for a major accident arising from their work and plan accordingly, writing up prevention policies and revising their systems to manage and control the risks where necessary.
Update your alarms
Part of the planning required to meet these regulations requires that plant managers employ the relevant technical measures to control the process and prevent the loss of containment of dangerous substances. In part, this can be achieved through safety instrumented systems and alarm systems that include fire and gas detection.
The problem is that, while many plants have visualised alarms in their control systems, their physical alarm annunciators are severely out of date. Many in use today were installed over 30 years ago, so they may not meet current IEC 61508 safety integrity levels (SIL).
Because operator response times are an important part of this rating, it’s vital that alarms maximise, rather than impede, the operator’s ability to respond quickly. Managing a mix of critical and non-critical alarms in your control system interface can quickly become overwhelming, so physical alarm annunciators must be up to date. They must also display only the safety, health and environmental alarms that the plant operators need to respond to.
Instrumentation, remote monitoring, and safety-critical alarm systems are incredibly important. Sensors that detect tank levels and are designed to protect against overfill can be hardwired to high-priority alarms. In emergencies, these alarms give visual indication and provide a horn output before a fuel leak has a chance to vaporise and become an ignition source.
Plant and safety managers updating their alarm annunciators should check for a few key things. You should ensure that the alarm annunciator is hardwired into the sensor, and that it has a panel of windows permanently dedicated to specific processes to enhance situational awareness for the operator.
Each alarm should be well-justified and suitably prioritised, and each window should be colour-coded to match the severity of the alarm. Additional benefits to look out for include the ability to remotely network the alarms to SCADA systems and the cloud, and to send SMS and GSM alerts so everyone on site can be immediately alerted in the event of imminent danger.
By taking suitable precautions and updating their last defence against potential breaches, tank farm managers can learn from the lessons of the past and give themselves the best chance of preventing such disasters from happening again.