How seemingly normal system statuses can result in accidents

Process engineering systems are generally controlled by measuring process variables such as temperature, pressure, quantity, fill level or certain material properties. All production processes are based on processing the information obtained by sensors in the distributed control system, displaying the data on the measuring station or control station, and automatically or manually actuating valves or pumps using this data. Generally this works very well, but in some situations it can go wrong, as the case studies below illustrate.

There are two important points to note before we begin. Firstly, for space reasons, the case studies focus on the causes and make no mention of certain aspects that were nevertheless taken into account when the safety strategy was drawn up or that nevertheless contributed to the situation being incorrectly assessed. Secondly, it is easy to criticise with the benefit of hindsight, so we must remember that we may well have made those same mistakes ourselves when presented with the same situation. Hindsight bias offers a distorted view of the incident when looking back on it and makes the straightforward apportionment of blame more difficult.

Despite the heating power being set to maximum, the temperature inside a reaction tank according to the reading on the display was just 100 °C; however, on-site operating personnel noted that the solvent toluene that had been added was boiling violently, which meant that the reading should have been 110.6 °C. The reaction mixture was cooled and the cause of the erroneous reading was then sought.

It turned out that maintenance work had been carried out on the temperature sensing probe immediately beforehand. To prevent corrosion, the measuring sensor was protected by a thermowell, which needed to be filled with a heat transfer medium. For unknown reasons, instead of the specified thermal oil (which has a high boiling point), water had been used to fill the well. As the tank heated up, the water began to boil at 100 °C because the well was not hermetically sealed, which resulted in a constant (erroneous) reading.

A system was being inspected for leaks and it was established that there was a leak somewhere. It was suspected that the leak was located in a long conduit, which was heated by means of two separate heat tracing systems. To pinpoint the leak, one of the two heat tracing systems was switched off and the insulation was removed from that section of the conduit.

However, the heat tracing system had not been fully de-energised, and during the attempt to locate the leak, the insulation on a few of the thermocouples on the heat tracing system that was still in operation had accidentally been stripped. The removal of the thermal insulation caused a lower temperature to be measured, which in turn caused the control system to increase the heating power to the maximum setting. This resulted in the conduit and the insulation being heated to over 300 °C; some debris that was present spontaneously ignited, and this set fire to the insulation. The fire was extinguished immediately and there was no further damage.

The batch in a tank was found to be wrong and the tank needed to be cleaned out. When the maintenance personnel opened the tank, the residual pressure in the tank blasted off the heavy cover very suddenly. Three employees were killed.

Off-spec product had been used to fill the tank, which then blocked the exhaust line, causing the pressure in the tank to rise. The pressure gauge had not registered this rise in pressure because the supply line was also blocked.

Maintenance work had been carried out on the hybrid evaporator of an ammonia refrigeration system. This maintenance work included replacing a fill level measuring device, which provided protection against overfilling.

When the system was started back up, a lack of due care and attention on the part of the personnel meant that the shut-off valve in the pipe between the hybrid evaporator and the fill level measuring device remained closed, which deactivated the shut-off function. So when the system came to be filled, the hybrid heat exchanger was overfilled with liquid refrigerant; this resulted in forced rupturing of the compressor. Ammonia was able to escape, injuring 15 people.

In order to synthesise an intermediate product, a number of components needed to be added to a reaction tank at room temperature – to begin with, the agitator needed to be running while carbon dioxide gas was bubbled through the mixture for a limited time at a flow rate of approximately 100 litres/minute. The desired reaction, which was then initiated by adding hydrogen peroxide, required a sufficient concentration of dissolved carbon dioxide to act as a phase-transfer catalyst.

On the day of the incident, the carbon dioxide flowmeter had to be replaced. But the maintenance personnel made a mistake: The new flowmeter used different units of measurement to the old one. This meant that the actual flow rate was just 8 litres/minute and the desired reaction did not take place because the concentration of carbon dioxide was too low. This in turn lead to an increasing concentration of hydrogen peroxide in the reaction mixture.

Once all the hydrogen peroxide had been metered in, the operating personnel noticed that the temperature was not rising as expected so they heated the reactor by means of the heating coils. This initiated the decomposition of the hydrogen peroxide, causing a runaway reaction. The temperature and pressure rose dramatically and 3 tonnes of the reaction mixture exited via the vent line. The mixture was collected in a wastewater collection tank and was disposed of correctly. Nobody was exposed to this mixture and there was no pollution beyond the perimeter of the factory premises.

In a continuous stirred-tank reactor, an acidic suspension was neutralised correctly with sodium hydroxide solution in order to precipitate metal contaminants in the basic medium as hydroxides. The sodium hydroxide solution was delivered via a network of pipes installed on site, and delivery would stop automatically when the preset pH was reached. To protect the easily damaged pH probes and ensure that the pH was measured correctly, the probes were automatically moved into the service position whenever the tank fill level fell below 25%, where they were kept wet using flushing fluid.

On the day of the incident, however, the personnel forgot to activate the pH probes and so they remained in the service position. The distributed control system (DCS) could not tell whether the measured value from the pH probes was the actual process value or whether it pertained to the flushing fluid. The inactive status of the pH probes had not been defined as an error, so this position was not displayed in the DCS's alert area. The inactivity of the measuring probes therefore went unnoticed. The result of this was that far too much sodium hydroxide solution was added, causing a chemical reaction that produced hydrogen.

The resultant rise in pressure caused the tank to rupture at approximately 25 bar, and the contents issued from the tank as if through a nozzle. The force with which this happened ripped the entire tank from its anchoring, blasting a hole through a solid concrete wall and sending parts flying far across the factory premises. At the same time, the hydrogen that was escaping ignited and there was a massive explosion. The employees who were in the danger zone noticed the danger in time and made it to safety, so nobody was seriously injured.

Being able to correctly measure variables is crucial when it comes to the safety of process engineering systems. Possible causes of erroneous measurements should be examined as part of the safety strategy, and the control sequence – with the sensor, processing and actuator – should be executed in conjunction with a safety-related function if necessary. It is important to make sure that the sensors' ability to perform their intended function is not impaired in any way – this is particularly important to remember when carrying out maintenance work. System personnel should be told to report any implausible readings immediately.