he process safety management pro-grams of many companies includeformal process hazards analyses,using methods such as hazard andoperability (HAZOP) studies and“what-if” reviews, as key elements

of these programs. Kletz (1) summarizes the pur-pose of a HAZOP as follows: “ ... to provide afinal check on a basically sound process design,to make sure that no unforeseen effects havebeen overlooked.” To find the latent design defi-ciencies that could lead to hazards or operabilityproblems in the field, a team of highly motivated,knowledgeable, and experienced individuals en-gages in a collective critical thinking process thatis guided by a methodical standard procedure.

By definition, the HAZOP team that thinksmore critically (or creatively) will be the more

likely to discover the unforeseen effects thatmight result in a preventable major accident. Asnoted, the team is working with a basically sounddesign, so the sought after effects are often quitesubtle. To find as many of these as possible, theteam must energetically probe and challenge theprocess design and be able to sustain its effortsover many hours of questioning and answering.

Reviewing incident reports at aHAZOP meeting is more than just a “lessons learned” activity. It canspur sharper thinking and lead to a more telling analysis of your processes.

CEP March 2001 www.aiche.org/cep/ 73

Glenn E. Mahnken,FM Global

Safety

Photos:

©2000 Factory

Mutual Insurance

Company. Reprinted

with permission.

Use Case Histories to

Energize Your HAZOP

T

Table 2. Selected case histories from the AIChE Loss Prevention Symposia (1971– 2000).

Author(s)

R. C. Dartnell, Jr.and T. A. Ventrone

A. H. Searson

T. J. R. Stephenson and C. B. Livingston

T. A. Kletz

T. A. Kletz

S. A. Saia

A. L. M.vanEinjnatten

V. G. Geishler

T. A. Kletz

S. J. Skinner

D. R. Pesuit

R. E. Sanders

T. O. Gibson

D. J. Lewis

Title

Explosion of a Para-Nitro-Meta-Cresol Unit

Fire in a Catalytic Reforming Unit

Explosion of a Chlorine Distillate Receiver

Case Histories onLoss Prevention

Emergency Isolation Valves for Chemical Plants

Vapor Clouds and Fires in a Light Hydrocarbon Plant

Explosion in a NaphthaCracking Unit

Major Effects from MinorFeatures in Ethylene Plants

Organisations Have No Memory

Explosive Evolution of Gasin Manufacture of EthylPolysilicate

Dust Explosions in StorageSilos: Polyvinyl Alcohol

Plant Modifications — Troubles and Treatment

Learning Value from aRecent Loss

A Review of Some Transportation Accidents, Identification of Causes and Minimization of Consequences

Year

1971

1971

1972

1973

1975

1976

1977

1978

1979

1980

1981

1982

1983

1986

Incident type

Unexpected thermal degradation of PNMCcaused the rupture of a 3,000 gal stainless steel storage tank into five pieces inside a building.

Corrosion as a result of a process change led to rupture of piping and release of hydrocarbons.

Hydrogen formed in a corrosive environment where Cl2 concentration was low, then carried over into the process where Cl2 concentration was high. The vapors ignited due to unknown ignition source.

Maintenance was underway to add a branch line to a steam main, which had not been adequately isolated from a process vent prior to welding.

Gasket on a level connection for areactor burst suddenly, allowing the release of polypropylene vapor, which ignited after about 20 min, probably due to buildup of static electricity in the cloud.

During shutdown due to power failure,a 24 in. bellows expansion joint failed,allowing 15,000 gal of polypropylene to toescape. Vapor cloud traveled 250–300 ftto furnaces and ignited within about 2 min.

Upsets during startup caused high level/low temperature in a feed drum, resulting in cold brittle fracture of a weld. Loss of containment of polypropylene. Vapor cloud ignited.

Power failure caused control valves to shut. Thrust forces on pipe caused control loop supports to puncture the pipe, resulting in loss of containment of flammable liquid.

Operator opened the door to a pressurefilter that was still under pressure.

Reactants had different densities and didnot mix initially. Gas bubbles evolved byreaction at interface caused mixing andrunaway acceleration of the reaction.

Electrostatic discharge during unloading of polymer from a tanker truck into a silo. Operation had operated without incident for many years.

No flow of oil when a process heater wasfired up and the safeguards had been field-adjusted out of range.

Electrical fault in an indoor transformer containing 235 gal of mineral oil.

High pressure caused a cryogenic ethylene tanker truck to explode. It was parked near an alcohol unloading rack. The cause was considered to be freezing of the safety relief valve.

Consequences

Fire, explosion damage to building, injuries, one fatality.

Vapor cloud explosionand major fire, injuries.

Chlorine receiver blew apart into five pieces, alsocausing extensive damageto nearby equipment.

When the welder cut intothe steam main, an explosion occurred.

Despite 4,000–5,000 gpm water deluge, the firespread to neighboring unitscausing considerablematerial damage.

Sprinkler systems contained the fire toTrain 2.

14 fatalities, 106 injuries.

Fire, property damage,business interruption.

Operator was killed.

Cover was blown off thereactor and the plant wasenveloped in hydrogenchloride fumes.

Explosion: silo swung over in flames onto the top of the truck and the transfer line.

6 in. dia. tube ruptured andallowed 1,800 gal of oil to escape. Fire ensued andcaused substantial propertydamage.

Oil fire spread to electrical cables and into the control room. Caused emergency evacuation of the control room. A $17.6 million loss.

The tanker rocketed.Alcohol fire. Vapor cloud explosion.

Safety

74 www.aiche.org/cep/ March 2001 CEP

Author(s)

P. G. Snyder

R. F. Schwab

T. O. Gibson

B. W. Bailey

S. E. Andersonand R. W. Skioss

D. J. Leggett

M. L. Griffin andF. H. Garry

W. E. Clayton andM. L. Griffin

R. E. Sherman,K. C. Crawford, T. M. Cusick, andC. S. Czengery

S. Mannan

D. S. Hall andL. A. Losee

F. P. Nichols

H. L. Febo

Y. Riezel

Title

Brittle Fracture of a HighPressure Heat Exchanger

Explosion and Fire at aPhenol Plant

Learning Value from aBlown Fuse

Iron Fire in Heat Recovery Unit

More Bang for the Buck: Getting the Most fromAccident Investigations

Management of a ReactiveChemicals Incident: Case Study

Case Histories of Some Power and Control-based Process Safety Incidents

Catastrophic Failure of a Liquid Carbon Dioxide Storage Vessel

Carbon-initiated Effluent TankOverpressure Incident

Boiler Incident DirectlyAttributable to PSM Issues

Carbon Disulfide Incidents DuringViscose Rayon Processing

Air Compressor DeliveryPipeline Failure

Plastics in Construction —The Hidden Hazard

Fixed Roof Gas-Oil TankExplosion

Year

1987

1988

1989

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

Incident type

Combination of deviations lead to brittle fracture at 3,400 psig during hydrostatic pressure testing of a steam generator following an outage.

High temperature as a result of a leaking steam valve, in conjunction with abnormal conditions that arose during process restart, caused explosion of a 25,000 gal tank containing cumene hydroperoxide.

Blown fuse in instrumentation power supply caused series of abnormal conditions, including high condensate level in a steam drum, which overflowed into the steam header. Condensate was introduced into a hot 20 in. dia. line when a steam valve was opened.

High temperatures occurred as a result of an electrical short in control wiring while gas turbine was on turning gear. The short caused fuel valves to open and ignition transformer to energize.

High temperature and runaway reactionoccurred in a rail tank car containing a load of methacrylic acid that wasinsufficiently inhibited.

Wrong material was loaded into a chemical barge.

High gas flow to a reactor resulted when an air-to-open valve suddenly went to the full open position (as a result of a plugged orifice in the valve positioner).

High temperature occurred in a tank containing 30 m.t. CO2, when an internal heater failed "on." The high temperature resulted in high pressure. The relief valve on the tank failed to open.

High temperature (hot spot) developed in a carbon bed absorber connected to thevent line of a 1,000 bbl intermediateeffluent storage tank.

Low water level occurred in ahigh-temperature boiler in a process plant due to failure to follow proper proceduresand failure of the low-level interlock.

High level of carbon disulfide liquid during a cleaning operation resulted in overflow into the heating zone and sudden volatilization of the liquid.

Low flow of air from one of the cylinders of a double-acting reciprocating air compressor resulted in high temperature and concentration of lubricating oil mist in the air stream.

High temperature occurred in the plastic duct and scrubber due to loss of quenching for the hot flue gases when apulp mill recovery boiler tripped offline and interlocks failed.

More hydrogen was present than was expected in the gas-oil stream sent froma hydrogen desulfurizing unit to a15,000 m3 storage tank.

Consequences

No injuries. Refineryproduction was curtailedto 60–70% for 4 mo.

Phenol Unit 1 was almost completely destroyed by fire.Severe damage to adjacent Unit 3. Fuel tank fire.

The line ruptured. Three people were sprayed with steam and condensate. Two fatalities.

Fuel gas burned inside thecombustor exhaust duct.The 600 psig heat recovery unit caught fire and was destroyed.

Car exploded. Parts werefound 300 yards away.Overhead electrical lineswere severed, shuttingdown production.

Incompatible reactivechemicals mixed. 48–72 hstate of alert. Near miss.

Gas vented into the areaof the reactor.

The tank exploded.Three fatalities, $20 million property damage, 3 mo.lost production.

The vent stream was in theflammable range, ignitedand propagated back to thestorage tank. The tank roofwas blown off (~200 ft).

The boiler was dry fired. Serious internal damageto boiler and steam drum.No injuries (near miss).

Explosion blew out awall. Extensive fire in theductwork. Minor injuries.

The air stream ignited and an explosion propagated a "galloping detonation" in thecompressed air pipeline.

All plastic duct work destroyed,scrubber collapsed onto cable tray. Mill was shut down for extended period. Propertydamage over $5 million.

The tank exploded as a result of electrostatic discharge during a sampling operation. One fatality. Massive fire instorage dike.

CEP March 2001 www.aiche.org/cep/ 75

How case histories can helpClearly, a variety of psychological factors come into

play that can encourage or hold back the HAZOP teamduring deliberations (2). The intent is to help encouragecritical thinking by making short presentations of previouschemical process industries (CPI) plant accidents to theteam (3). Of course, as a general prerequisite for the suc-cess of any HAZOP, the participants must already own theprocess (4), i.e., the team members must have a strongsense of urgency and be highly motivated by virtue of theirroles and responsibilities as process designers, plant engi-neers, supervisors, operators, and technicians. In this con-text, case history presentations can be made at the start of ameeting, or during a break to help engage and galvanizethe team by telling a short “war story” and, at the sametime, demonstrating the connection between HAZOPguidewords and real world accidents.

The immediate benefit of the case history presentationis not quantifiable in terms of the HAZOP output; one sim-ply surmises that a properly designed 10-minute presenta-tion can be worthwhile, because a group with an accidentexample fresh in their minds will be more critical and morecreative in their deliberations through the course of thestudy. A long-term benefit, assuming case history presenta-tions become an integral part of the plant’s HAZOP ses-sions, is that participants will gradually accumulate a bodyof loss experience and invaluable loss-prevention wisdom

based upon reported CPI plant losses. This benefit is notquantifiable either; it relates to the value of learning anykind of history that we desire to avoid repeating. In this re-spect, the HAZOP session affords a unique opportunity topresent these history lessons to busy engineers and plantpersonnel who generally are not easy to assemble for suchpurposes.

Use a synopsis presentation formatHAZOP meeting time is almost inevitably in short sup-

ply. And, since the main intent of presenting the case histo-ry is not to study the details of the accident, but rather tohelp energize the critical thinking process, a synopsis pre-sentation format is most appropriate. In the context of thestudy, providing the basic sequence of events of the acci-dent, along with a flow schematic, selected loss lessons andkey conclusions will suffice — as long as these are offeredin a manner that engages the interest of the team. The pre-sentation can also include a hypothetical HAZOP work-sheet page that illustrates how the accident might havebeen foreseen in a HAZOP study. This worksheet serves asa minitraining example for new participants and a refresherfor those with previous such experience. Of course, thereasons for making the case history presentation also needto be explained to the group at the start of the presentation.

The person presenting the case history need not be thegroup leader or the same individual. Team members can take

76 www.aiche.org/cep/ March 2001 CEP

Table 1. Case history synopsis — hypothetical HAZOP worksheet (in hindsight).

Company: ABCFacility: XYZ PlantProcess: Waste Gas IncineratorDesign Intent: Burn AOG and SVG off-gases

Study-Section: 2.1 SVG piping: fan to incineratorHAZOP Date:Leader/Scribe:Team Members:

HAZOPItem No.

2.1.1

Deviation

No flow

Cause

Valves L and Kclosed improperly

Consequences

(1) Increaseconcentration ofcombustible gasesin SVG piping.

(2) Potentialexplosion if gas goes into explosive range and gas reaches incinerator.

Questions/Recommendations

2.1.1.1Check procedures for Valves L and KAre procedures clearly documented?Do procedures cover abnormal situations?

2.1.1.2Check gas alarm response time —is it fast enough?

2.1.1.3Check bypass response time vs.travel time to incinerator.

2.1.1.4Review flame arrestor design vs. expected blast pressures.

2.1.1.5Review flame arrestor design vs.expected reaction forces.

Engineering/AdministrativeControls

Operatorsfollowprocedures forshutdowns.

Highconcentrationalarm.

Bypass SVGto flare onhigh: high gasconcentration alarm.

Flame arrestor.

Damage-limitingconstruction.

F* C* R*

2 1 D

2 4 B

* F = frequency; C = consequence severity; R = risk ranking.

Safety

CEP March 2001 www.aiche.org/cep/ 77

Figure 5. Cause slide.Initial Cause

• Field operators misunderstood radio instructions from thecontrol room to close the AOG valve to the incinerator

• Valve L was closed by mistake and Valve K was beingopened

• SVG was blocked in: VOCs increased

• Valve L was then reopened, sending the SVG to theincinerator, which flashed back

Figure 7. Conclusions slide.

Some Conclusions• “… Unusual circumstances of human factors,

unsteady-state events, and a rapid challenge com-bined to overcome the well-designed safety systems.”

• “… Much of the serious damage was the result ofpoor construction.”

➨ Consult the original paper for additional findings and many recommendations that have general application for this type of equipment.

Figure 6. Consequences slide.Consequences (Partial list)

• SVG flame arrestor was broken from its mountingbolts and sheared into 2 pieces

• Stainless steel piping connecting the SVG flame arrestor to SVG fan was broken free from its supportsand came to rest on top of the fan

• Explosion was not stopped by the flame arrestor

• Incinerator had numerous radial cracks in the refractory brick

• SVG piping going up to reactor rack fell from thethird level to the ground

• Plastic (FRP) piping connected to the SVG fan suctionwas sheared and broken

• Missile damage to incinerator bustle

• The manual wheel for Valve K was broken off at thegear box casing

• No injuries — But, at the time of the explosion, an operator was holding onto the wheel for Valve K

Figure 4. Process slide.Process Description

• Waste gas incinerator burns off-gases from two separate sources: AOG and SVG

• SVG stream is normally routed to the waste gas inciner-ator at less than 10% of the lower explosive limit (LEL)

• At 25% LEL, an alarm sounds

• At 50% LEL, the SVG stream bypasses to the flare

Figure 2. Summary slide.Accident Summary

• Miscommunication between outside operators andcontrol room resulted in closing the wrong valve

• A waste gas incinerator experienced a flashback witha pressure wave in the supply piping

• Damage to flame arrestor, piping, fan, and the incinerator

Figure. 1. Source slide.

Case History SynopsisBased on the paper:

“Flashback from Waste Gas Incineratorinto Air Supply Piping”

S. E. Anderson, A. M. Dowell, III, P.E., and J. B. Mynaugh

Rohm and Haas Texas, Inc.P.O. Box 672

Deer Park, TX 77536

Paper 73c — prepared for presentation at the25th Annual AIChE Loss Prevention Symposium,

August 18-22, 1991

SVG Fan

Waste GasIncinerator

To SVG Flare

AOGWaste Gasesfrom Process

Vent Gases (SVG)from Process

Valve K

Valve L

Figure 3. Schematic slide.

turns being assigned a case history as prework tostudy before the meeting, and, using already pre-pared overhead slides or handouts, make the pre-sentation to the rest of the team at a convenientbreak in the meeting. The original case history ar-ticle should preferably be familiar to the presenterbeforehand, but discussion of the accident detailsshould be minimal. The original article can bemade available to interested participants for fol-lowup reading outside of the meeting.

Example presentationA well-known case history paper describing a

waste-gas-incinerator explosion at a chemicalplant was presented at the 25th annual AIChELoss Prevention Symposium (5). As described inthe original paper, the accident evolved as fol-lows: The “AOG” process, which supplied one ofthe two waste gas streams feeding into an incinerator, shutdown safely and tripped offline. The incinerator remainedin operation, burning waste gas from a second process,called “SVG.” In preparing the AOG line for a restart, op-erators accidentally closed the wrong valves, resulting inthe SVG gas flow being blocked in. The control room oper-ator received a low SVG flow alarm and radioed to thefield operators to reopen the SVG valve to the incinerator.The SVG flow to the incinerator was quickly restored andan explosion occurred, resulting in overpressure damage tothe incinerator refractory, as well as the dislocation of pip-ing, valves, a flame arrestor, and the main SVG blower.Fortunately, there were no injuries to the operators whowere working in the vicinity of the explosion.

A synopsis of this accident, prepared in a slide formatintended for presentation to HAZOP groups, is given inFigures 1 through 7. Table 1 represents a hypotheticalHAZOP worksheet that “predicts” the accident (in perfecthindsight, of course). The worksheet attempts to demon-strate to the team how, by using critical thinking and fol-lowing HAZOP methodology, they might have been able toidentify some of the possible causes and consequences, aswell as develop the corresponding action items to help pre-vent or mitigate an actual accident.

Sources of accident case history reportsThe annual AIChE Loss Symposium Papers (6) include

many accident case history studies that are detailed and,often, written first hand by the accident investigators or par-ticipants. Table 2 is a selected list of these reports from1971–2000 that can be used in the manner described above.Other sources are available as well, such as case history-based loss prevention books (7, 8), loss prevention journals,e.g., the Loss Prevention Bulletin, and published investiga-tive reports. A good source of these reports is the U.S.Chemical Safety and Hazard Investigation Board, Washing-ton, DC. The CSB allows downloading of its investigationreports at www.csb.gov. CEP

78 www.aiche.org/cep/ March 2001 CEP

Safety

To join an online discussion about this article

with the author and other readers, go to the

ProcessCity Discussion Room for CEP articles

at www.processcity.com/cep.

<Discuss This Article!>

G. E. MAHNKEN is a loss prevention specialist with FM Global (formerly known as Factory

Mutual), Norwood, MA ((781) 440-8000 ext. 8644; Fax: (781) 440-8718; E-mail:

glenn.mahnken@fmglobal.com). He has been with the company for 15 years, and

holds a BA in biology from Antioch College and a BS in chemical engineering from the

National Technical University of Athens, Greece. He is a member of AIChE.

Literature Cited1. Kletz, T., “Hazop and Hazan: Identifying and Assessing Process In-

dustry Hazards,” 4th ed., Taylor & Francis, London, p. 34 (1999).2. Leathley, B., and D. Nicholls, “Improving the Effectiveness of

HAZOP: A Psychological Approach,”Loss Prevention Bulletin, IssueNo. 139, p. 8 (1998).

3. Mahnken, G., et al., “Using Case Histories in PHA Meetings,”Paper 6c, presented at AIChE 34th Annual Loss Prevention Sympo-sium, Atlanta (Mar. 6–9, 2000).

4. Kletz, T., “Hazop and Hazan: Identifying and Assessing Process In-dustry Hazards,” 4th ed., Taylor & Francis, London, p. 33 (1999).

5. Anderson, S. E., et al., “Flashback from Waste Gas Incinerator intoAir Supply Piping,” Paper 73c, AIChE 25th Annual Loss PreventionSymposium, Pittsburgh (Aug. 18–21, 1991).

6. “Loss Prevention on CD ROM,” AIChE, New York (1998). The setcontains presentations from all 31 Loss Prevention Symposia spon-sored by AIChE’s Safety and Health Division from 1967 to 1997,plus early CCPS conference and workshop proceedings from 1987through 1994. (See www.aiche.org/pubcat.)

7. Kletz, T., “What Went Wrong: Case Histories of Process Plant Dis-asters,” 4th ed., Gulf Publishing, Houston (1998).

8. Sanders, R. E., “Chemical Process Safety: Learning from Case His-tories,” Butterworth Heineman, Boston (1999).

A fire couldcost you ...

more thanyou know.