M. W. da Silva, Petrobras, São José dos Campos, Brazil
The stockpiling of assets requires a significant amount of energy that can be stored in tanks and pipes. Because of this, the most adverse scenarios related to process safety can occur in the transfer and stockpiling areas.
Unfortunately, because these operations normally occur under low pressures and temperatures, the safety risks in stockpiling operations are often underestimated by operators, managers and engineers. This perspective must be adequately managed to minimize the risks of significant accidents like fire in hydrocarbon storage tanks or containment loss in pipelines.
Part 1 of this article presented the pillars of process safety management in stockpiling operations of crude oil refineries: asset management, operational discipline and the integration between the stockpiling team and the other areas of the refinery. Part 2 describes how operational discipline and integration affect process safety performance within the stockpiling area, and how failures in these areas can potentially cause some of the worst emergency scenarios, especially in crude oil storage tanks and liquefied petroleum gas (LPG) tank farms. FIG. 5 presents the concept of tank level control to avoid overfill occurrences.
Operational discipline. This is another key pillar of process safety in stockpiling operations. Like any operating area in or around a crude oil refinery, stockpiling operations have a series of procedures to ensure the safety of routine operations.
One of the main safety factors in stockpiling operations is the communication quality between the operators and teams involved. Before starting a transfer operation between tanks, panel operators should confirm the valves and equipment involved in the operation to eliminate potential mistakes.
Communication is only one of many procedures and standards that drive stockpiling operations—managers and the operations team must be adequately trained and disciplined to comply with all standards without deviations. FIG. 6 illustrates the effects of management drift between planning and execution.3
To avoid drift management over time, constant training is necessary to maintain operator awareness of the risks associated with their daily operations. Unfortunately, the greater the familiarity with the asset, the greater the risks associated with human error. Familiarity can lead to inattentive behavior, or in the extreme, negligence with the risks associated, standard procedures and operational discipline. FIG. 7 presents an overview of the human error classification based on the concept developed by Reason.4
Based on this classification, it is possible to understand the natural evolutive cycle that demands management action to prevent skill and familiarity from becoming negligence (FIG. 8) and operational “indiscipline.” 5
The management actions described in FIG. 8 can be attributed to adequate periodic audit planning that ensures that teams are well-trained and follow procedures without—or at the very least with minimum—deviations. Such audits can also support a training program by identifying any lack of knowledge.
The audits should encompass all aspects of routine stockpiling operations not just to find errors and mistakes, but also to identify procedural deviations that support the need for more in-depth training programs. Audits should not be punitive, but rather viewed as an opportunity to learn and encourage management actions to promote an organizational culture that fosters the relationship between the management and operations teams.
One example of how adequate communication between operators during the transfer of hydrocarbons is essential in stockpiling operations is the change of storage tank—receiving production from a processing unit. This scenario is particularly relevant when the production of liquified gases like LPG or propylene is involved.
In a crude oil refinery, during the change of the LPG production stream from a delayed coking unit from LPG Sphere A to the LPG Sphere B, the operator closed the admission valve in Sphere A before opening the admission valve in Sphere B. During the interval, the LPG stream alignment was blocked, and the process safety valve of the production vessel in the delayed coking unit was open to the flaring system, characterizing a significant process safety incident.
The correct operation in this scenario should be the adequate communication between the panel and field operators of the stockpiling area confirming the valve involved in the LPG sphere change. After the alignment confirmation and valve identification, the field operator should open the admission valve in Sphere B followed by the closing of the admission valve to Sphere A. After confirmation from the field operator about the adequate sequence of valve operations, the panel operator should confirm that the LPG production is feeding Sphere B.
In another operational incident, during the change of spheres that received propylene production (from Sphere B to Sphere A), the panel operator requested the field operator to align the valves of Sphere A. The field operator incorrectly informed the panel operator that the production valve of Sphere A was open; however, the valve only seemed to be open, and in the sequence of events, the production valve of Sphere B was closed. After ~40 min, the gauge system of Sphere A did not indicate flow or rising levels, and the supervisor of the propylene production unit asked the stockpiling supervisor to confirm the propylene alignment once the pressure in the propylene production vessel was close to the limit. Two minutes later, the pressure safety valve of the propylene production vessel was opened to the flare system.
The correct operation should involve closer and clearer collaboration: the field operator should confirm that the valve is really open in the field, and the panel operator should monitor the gauging system of the new receiving sphere to ensure that the alignment is correct.
These are brief examples of the criticality of operational discipline in stockpiling operations—the focus should be on identifying deviations as learning opportunities in lower impact events rather than during near accidents or in emergency situations.
TRANSFER OPERATIONS
These are among the most critical and potentially dangerous operations in a crude oil refinery, and should be conducted under constant monitoring and adequate safety procedures like those presented below
Before beginning a hydrocarbon transfer. Before the transfer, personnel should check the hydrocarbon level of the receiving tank to determine how much product it can take. It is important to determine a safe gauge height (SGH), i.e., how much fuel the tank can safely hold, allowing for expansion due to temperature variations. The field operator should walk the pipeline to check for visible leaks or any irregularities, as well as the position and condition of valves. This is vital to ensure they are in the proper position to direct the product to the targeted tank.
Next, determine how much product is above the receiving pipe inside the receiving tank. If there is < 1 ft of hydrocarbons above the receiving pipe, transfer should be conducted at a reduced rate until at least 1 ft of product is covering the pipe. This will reduce the potential for explosions caused by static electricity when fuel is pumped into the tank at a high rate.
This point is especially relevant for filling tanks back from maintenance that require ballasting, where the risk of explosions is even more severe. It is possible to determine the maximum ballasting flowrate by the diameter of the receiving pipe, as presented in TABLE 2.
If a transfer is made out of the refinery (for local terminal clients), the stockpiling operator should request an alignment inspection document from the terminal team to ensure the receiving alignment is correct and there is sufficient space in the receiving tank to hold the planned transfer volume. The operation teams should be in constant contact to monitor transfer conditions, but this is especially critical during the beginning and end of the transfer due to the process transients.
During the transfer. The transfer should begin under a reduced flowrate until the operations team can ensure that the receiving tank is receiving the transfer without leakage or deviations. Throughout the transfer, the operations team should periodically monitor the levels of both the expending and the receiving tanks levels.
The transfer flowrate should be reduced when the level nears the height of the safe gauge, avoiding overfill risks and allowing sufficient time for the operations team to close the valves and end any procedure.
End of the transfer. First, close the valves of the receiving tank to avoid hydraulic hammer in the transfer pipe and end the transfer operation by checking and communicating the valves position.
After an adequate time interval (normally 24 hr), personnel can manually gauge the receiving tank to check the water level accumulated at the bottom and then the water can be drained for adequate operations.
As described above, operational discipline is fundamental to ensuring consistency between how operations are planned and how they are actually conducted by operating personnel. It is necessary to adequately manage and overcome deviations to promote a safe environment, where employees trust the management team to promote the development of the team, and avoid blame and punishments that can lead to a psychologically unsafe work environment.
Integration. The third pillar proposed for process safety in stockpiling operations is integration. Unfortunately, it is not uncommon to hear from stockpiling teams that they were uninformed and inadequately involved in refinery operations planning, particularly in maintenance shutdowns.
This serious mistake can have severe consequences. During planned shutdowns, it is necessary to define the space required to store intermediates and final products from the process units that will remain in operation. Only the stockpiling team has sufficient knowledge of the risks and availability of the storage tanks able to allow the safe shutdown and startup of the processing units. This includes the risks associated with hydrocarbon stream transfers throughout these steps once the processing units are in the transient operation regime and the process safety risks are higher.
Another key aspect of the impact of a maintenance shutdown within the stockpiling area is the discharge to the flare system—the system has a limited capacity, which can bottleneck the processing units shutdown without an adequate planning and shutdown sequence. This is especially relevant for refineries located in regions with high population density, since the flaring noise, odor and emissions can be contrary to the company’s environmental, social and governmental (ESG) policies.
Stockpiling processing unit teams often view their culture as being “different,” leading them to maintain “distance” from other operating areas of the refinery. While each operations area of the refinery has its own specificities, the management team should create, develop and incentivize an integrated environment. This is particularly true for the stockpiling team, as its realm of responsibility affects and is affected by the other relevant operations within the refinery.
The stockpiling operations team should be able to describe which stream is filling and emptying each tank or each pipeline—this is only possible with integration and collaboration throughout the organization.
To promote closer integration, managers can apply proven integration models like FSPNA (forming, storming, norming, performing, adjourning) and the Lencioni models to troubleshoot any scenario and build alignment. The framework of the Lencioni model6 is presented in FIG. 9.
The model proposed by Lencioni6 establishes key factors that can lead to team failure:
Absence of trust—This is particularly concerning for refinery operations teams that face process safety risks daily. Because this demands a high-confidence environment, operating teams may withdraw and not share information, increasing the risk probability. Teams may also adopt a defensive positioning to protect their own operations and team, and their interest can be limited to their own results and performance rather than that of the entire organization.
Fear of conflict—Teams without confidence cannot create an adequate environment to honestly and directly communicate their limitations and restrictions. They avoid discussions that are necessary to attain a deep understanding of various operations. Conflict is not necessarily a bad thing; respectful discussions can improve safer operations. The fear of conflict can lead some operators to avoid discussing some procedures, leading to lost opportunities for improvement and learning.
Lack of commitment—Operations teams without a complete understanding of their roles develop poor engagement to the team and the whole business. This creates a culture of individuality that can negatively affect process safety requirements. Operators must clearly understand their impact over the business and how their performance can add or destroy value. This helps develop commitment to the team, minimizing the risks associated with non-integrated actions.
Avoidance of accountability—Without team unity and mutual accountability, gaps develop between various positions and create or worsen risks to process safety. The avoidance of accountability is a side effect of the absence of trust. An “every person for themselves” attitude increases process safety risks, as each operator becomes concerned only with their individual safety.
Inattention to results—A lack of understanding of how the team’s performance and results fit into the bigger operational picture creates siloes. The integration of various refinery teams allows adequate information flow and collaborative decision-making, enabling improved control of inherent operational risks.
The main benefit of the Lencioni model is for managers to understand and overcome their team’s weaknesses. Promoting closer integration and cooperation between operating teams minimizes the impact of non-integrated actions.
Stockpiling personnel are potentially affected by each mistake of other refinery teams (e.g., receiving gaseous streams in atmospheric tanks, streams with temperatures above the design temperature of the tank). Stockpiling operations should be continuously monitored through an alarm system, and any non-identified stream flow to a storage tank should be immediately and thoroughly investigated.
Tank alarms are helpful to maintain awareness of any changes in the gauge status of the storage tanks, which can indicate unprogrammable transfer between tanks or from processing units to storage tanks. The basic philosophy of typical storage tank automation is shown in FIG. 10, while TABLE 3 summarizes the storage tank operation status and the corresponding intrinsic risks and protection layers.
High- and low-level alarms. At the end of product movement (receipt or transfer), the product level is expected to remain unchanged until the next operation. The reference level is then changed to the first level value after termination. Level variation alarms are created (high and low), using the previous value as a reference.
When beginning a receiving or shipping operation, the operator defines the volume to be pumped. Based on the diameter of the tank, the change in level is calculated. The high-level (receiving) or low-level (transferring) alarm is then changed automatically.
Dynamic high- or low-level alarms. During receiving or transferring operations, as the level rises or falls, the low-level (receiving) or high-level (transferring) alarm is dynamically modified every few seconds. The new level is based on the previous level value, so any abnormality in the operation will immediately trigger the alarm.
It is vital to detect leaks and/or transfer abnormalities that could potentially lead to severe process safety incidents or accidents, as described by the following examples.
Example 1. An operational instability occurred in a refinery’s crude distillation unit (CDU). The debutanizer column—which is responsible for separating LPG from the straight-run naphtha (FIG. 11)—experienced a loss of performance and the high vapor-pressure naphtha (naphtha with high LPG concentration) was kept aligned to the naphtha hydrotreating unit storage tank.
Communication did not reach the stockpiling operations team personnel, and the mixture of naphtha and LPG was kept aligned to Tank A (naphtha hydrotreating feed tank). After ~30 min, the feed pump of the naphtha hydrotreating unit suffered cavitation, leading to the emergency shutdown of the processing unit.
Such an incident could be treated as a simple emergency shutdown of a processing unit, but it is necessary to remember that nothing is simple in a crude oil refinery. Fortunately, the pump stopped under cavitation, and the only consequence was the required unit shutdown. Potentially, the pump seal could have failed, leading to a containment loss of LPG and naphtha with a dangerous potential of fire or explosion.
A simultaneous operations (SIMOPs) analysis can help refiners avoid such a process safety risk scenario through adequate communication among operations teams, such as proposing actions capable of interlocking the process plant to avoid the alignment of the high vapor-pressure naphtha to the storage tank (e.g., sending it to a residue tank or flaring system during the operational instability). TABLE 4 shows an example of the result of the SIMOPs application in this case.
Another example of integration failure between processing units and stockpiling operations teams occurred in a crude oil refinery during the startup of a fluid catalytic cracking unit (FCCU).
The stockpiling field operator determined that the crude oil was projected to exceed the floating roof of the tank because it was receiving too much high vapor-pressure naphtha from the FCCU during startup. The crude oil storage tank had insufficient hydrocarbon levels to absorb the LPG, which led to the projection of the crude oil exceeding the roof through the roof seal.
During the root cause analysis (RCA), it was discovered that the FCC operations team was struggling to heat the bottom of the debutanizer column of the processing unit, which led to the production of high vapor-pressure cracked naphtha (cracked naphtha with high LPG concentration). Again, this was not communicated to the stockpiling operations team, and the stream was sent to a crude oil storage tank with low hydrocarbon levels. The containment loss of the crude oil could have caused a fire in the crude oil storage tank—one of the most severe emergency scenarios in a crude oil refinery. Another potential consequence is roof sink once the buoyancy density limit is reached.
These examples reinforce the need for close integration of process safety requirements among refinery and stockpiling operations teams. Any process changes must be communicated across all teams to allow operating procedures to mitigate the risks and minimize the impact of instability.
Such communication and integration depend on the implementation of a culture of confidence in management and among team members. This can only be achieved by a stockpiling manager with a thorough understanding that any change in a facility’s processing units will impact the stockpiling assets under their management. As previously mentioned, most stockpiling and hydrocarbon transfer operations involve simultaneous operation between at least two different operation areas, and a SIMOPS analysis should be conducted for each operation characterized as critical by the stockpiling operation team, particularly those associated with the startup and shutdown of processing units that will lead to transient flow to storage tanks. HP
LITERATURE CITED
Chang, J. I. and C-C Lin, “A study of storage tank accidents,” Journal of Loss Prevention in the Process Industries, Vol. 19, Iss. 1, January 2006.
American Petroleum Institute (API) Standard 2350, “Overfill prevention for storage tanks in petroleum facilities,” 5th Ed.
Dekker, S., The field guide to understanding ‘human error,’ 3rd Ed., CRC Press, 2014.
Reason, J., Human error, 1st Ed. Cambridge University Press, 1990.
Reason, J., Managing the risks of organizational accidents, 1st Ed., Routledge Press, 1997.
Lencioni, P., “The five dysfunctions of a team,” Jossey-Bass, 2002.
Marcio Wagner da Silva is Process Engineering Manager at a crude oil refinery based in São José dos Campos, Brazil. He has extensive experience in research, design and construction in the oil and gas industry, including developing and coordinating projects for operational improvements and the debottlenecking of bottom-barrel units. Dr. da Silva earned a BS degree in chemical engineering from the University of Maringa (UEM), Brazil and a PhD in chemical engineering from the University of Campinas (UNICAMP), Brazil. Dr. da Silva also earned MBA degrees in project management from the Federal University of Rio de Janeiro (UFRJ), in operations and production management at the University of Sao Paulo (USP), and in digital transformation at Pontifical Catholic University of Rio Grande do Sul (PUC/RS). He is also certified in business by the Getulio Vargas Foundation (FGV).