M. W. da Silva, Petrobras, São José dos Campos, Brazil
The stockpiling of assets requires a significant amount of energy that can be stored in tanks and pipes. Because of this, the most adverse scenarios related to process safety can occur in the transfer and stockpiling areas.
Unfortunately, because these operations normally occur under low pressures and temperatures, the safety risks in stockpiling operations are often underestimated by operators, managers and engineers. This perspective must be adequately managed to minimize the risks of significant accidents like fire in hydrocarbon storage tanks or containment loss in pipelines.
While process safety management in the crude oil refining industry has seen great advances in the last decades, the cost of these developments has been the loss of human life in process safety accidents, such as the explosions and subsequent fires at the Texas City refinery in 2005 and the Formosa Plastics petrochemical plant in 2004. A series of process safety accidents—even without causing the loss of human life—can cause serious damage to an installation and, in some cases, plant closure that impacts hundreds of lives and local economies, as in the case of the Philadelphia Energy Solutions (PES) refinery in 2019.
An adequate process safety management system controls the inherent risks associated with the petroleum refining process. The success of any process safety management system depends on all elements of the production chain (e.g., material suppliers, engineers, operators, managers). Each link in this chain is responsible for its own activities and is related to at least one barrier to process safety.
Over the years, the process industries have moved from a reactive approach based on rules and standards to a risk-based strategy.
The standard-based approach considers the lessons learned from process safety accidents to develop safer procedures, standards and rules. The goal is to minimize the risk of recurring process safety incidents. The evolution of risk-based strategies also allows organizations to adhere to regulatory requirements and continue learning from past accidents; however, this approach encourages organizations to anticipate management actions to avoid process safety accidents considering information that describes and details which segment of the process is under higher risk. With this information, an organization can take actions to eliminate or control the process safety risk before an incident or accident occurs. According to the Center for Chemical Process Safety (CCPS), risk-based process safety is based on four pillars, as shown in FIG. 1.
The CCPS also contends that the process safety commitment of an organization should comprise five elements:
Process safety culture
Compliance with regulatory requirements
Process safety competency
Work force engagement
Stakeholders outreach.
A process safety culture can synergize behaviors and values, determining how process safety is managed within an organization. An adequate process safety culture motivates the work force and managers to be intolerant of safety deviations and risks.
Compliance with regulatory requirements is a fundamental part of any process safety commitment—this is even more important to the downstream industry, which is highly regulated due to the inherent risks associated with crude oil refining and petrochemical production. Refiners must remain up-to-date with regulations through continuous capital investments in operational improvements to be compliant with the latest revisions of standards and requirements set, for example, by the American Petroleum Institute (API) and the National Fire Protection Association (NFPA).
The development of process safety competency ensures that relevant information is available to stakeholders that can apply lessons learned to their respective tasks. This is strictly related to training and knowledge, particularly for operating and maintenance personnel directly involved with process safety risks.
Work force engagement is another essential component of the culture of process safety. The entire work force must be actively engaged in the development of the process safety culture—this includes compliance with rules imposed by the management team, as well as a collective responsibility to safely accomplish their tasks because they trust the process, not because they are obligated.
Stakeholders outreach relates to an organization’s transparency about its inherent operational risks and emergency scenarios.
The second pillar of risk-based process safety is understanding the operational risks and hazards. This pillar is based on two critical elements:
Hazard identification and risk analysis—Awareness based on adequate analysis allows the organization to prioritize projects, investments, inspections and maintenance to minimize the most severe risks and hazards.
Process knowledge management—Employees must be aware of the inherent risks of the process as well as potential emergency scenarios and mitigation efforts.
The risk management pillar is sustained by nine elements dedicated to ensuring stable and safe operations, controlling inherent risks (e.g., respecting operational limits and restrictions), adequately managing changes to keep risks under control, and offering adequate responses if accidents or incidents do occur. The nine elements of risk-based process safety are:
Operating procedures
Safe work practices
Asset integrity and reliability
Contractor management
Training and performance assurance
Management of change
Operational readiness
Conduct of operations
Emergency management.
The last pillar of risk-based process safety is learning from the experience—this involves actions that ensure an organization is constantly learning and developing its process safety due to its own events or from other companies’ incidents. The elements that sustain this kind of learning include:
Incident investigation—Each occurrence must be thoroughly analyzed to determine the root causes and produce effective knowledge and actions to avoid similar events in the future.
Measurement and metrics—Develop and monitor adequate key performance indicators (KPIs) to allow an effective follow-up of process safety deviations.
Auditing—Periodically verify the effectiveness of the organization’s process safety management.
Management review and continuous improvement—Close the PDCA (plan, do, check and act) cycle by verifying the process’s effectiveness and proposing revisions for improvements.
A key factor of process safety in crude oil refineries is how well the operations team knows process safety management, the main process safety risks and key safety elements. After identifying these safety elements, it is necessary to define the mitigation and prevention barriers capable of preventing the risk scenario or process safety accident in the first place. This can be accomplished using one of the traditional hazard identification techniques described below:
Semi-quantitative techniques—The most common technique is the layer of protection analysis (LOPA), which helps to identify the frequency of events that can cause a determined hazard, the probability of failure of the protection layers and the consequences. This leads to an estimate of the risk associated with the scenario in question.
Quantitative techniques—The most applied technique in refineries is the quantitative risk analysis (QRA), which involves data collection and analysis to estimate the risks of hazardous events. This helps operators to understand the outcomes of different scenarios and facilitates the decision-making process.
Qualitative techniques—The techniques detailed below can help refinery management to better understand process safety barriers:
Hazard and operability (HAZOP) study—The most common risk assessment technique is a structured analysis of existing or future processes designed to identify and evaluate the associated risks that can affect personnel, the process and the installation. It also includes proposed actions to mitigate those risks.
Hazard identification (HAZID) study—This technique is applied systematically to identify potential hazards and their consequences over the process asset, and can involve hazards not related to the process.
Control hazardous (CHAZOP) study—This systematic risk assessment approach is focused on identifying hazards and operability issues associated with a control system.
Simultaneous operation (SIMOPS) study—Dedicated to identifying hazards and operability issues in simultaneous operations, this technique is especially important to identify process safety risks in stockpiling and transfer operations, which normally involve at least two different operating areas.
Further discussion of SIMOPS studies. The hazards identified by SIMOPS studies are normally not considered by the other risk assessment techniques, which are dedicated to analyzing individual process operation scenarios. Considering the characteristics of stockpiling operations, the SIMOPS study is fundamental to identifying hazards related to interdependent actions.
An applicable example of a SIMOPS study is the filling of a storage tank, one of the most common operations in a stockpiling area. Several risks are associated with this operation (e.g., overfill, overpressure, a contaminated stream flowing into the tank) that can lead to process safety risks, such as the mixture of naphtha and liquefied petroleum gas (LPG) in an atmospheric tank due to the operational instability in a unit like a distillation unit or a fluid catalytic cracking unit (FCCU). The SIMOPS study serves as a fundamental tool to identify hazards in transfer and stockpiling operations mainly related to the lack of integration between these disparate operating teams.
The main steps of a typical SIMOPS study are summarized below:
Identify activities—All activities or tasks needed to reach a specific objective (e.g., fill a storage tank) are identified, even with adjacent facilities.
Collect information—Collecting all available information can identify potential conflicts between operating steps and associated hazards.
Clarify possible interactions—This step identifies adverse interactions between activities like process connections, disabled safeguards and communication failures.
Recognize potential consequences—This self-explanatory step identifies any potential impacts of adverse interactions.
Determine existing safeguards—A deep analysis can clarify existing safeguards to the impacts of the adverse interactions identified in the previous steps, as well as the new safeguards to be implemented to avoid the identified hazards.
Make recommendations for any necessary risk controls—Recommendations to control the identified risks should consider the hierarchy of hazards.
Based on the concepts of risk-based process safety, an approach can be proposed to the process safety management in stockpiling operations based on three main pillars: asset management, discipline and integration of the stockpiling area with other operational areas, as shown in FIG. 2.
Asset management. It is impossible to ensure process safety in transfer and stockpiling operations without an adequate asset management strategy. Again, the asset management policies adopted by a refinery reveal the maturity of the refinery’s safety culture.
While containment loss in simple equipment like a tank mixer can lead to a severe process safety accident, an inadequate asset management policy may not have an immediate impact on production. This can lead reliability and maintenance teams to develop a lack of urgency when dealing with stockpiling assets.
Stockpiling managers should use their knowledge of the refinery process chain to avoid asset degradation.
According to the literature,¹ most storage tank accidents between 1960 and 2003 were caused by maintenance errors or equipment failure. The main cause of storage tank accidents was lightning strikes, which is interesting considering that these incidents can be related to ground system failure.
Failures in asset management policy can cause process safety accidents which may initially be attributed to human error. According to literature, most process safety accidents between 1960 and 2003 were attributed to operational error (e.g., overfilling tanks).
Without adequate training and asset management, safe operations cannot be conducted (e.g., a transfer operation should not be started if the tank gauging system is unavailable, and should be stopped if that system fails).
Stockpiling managers should employ maintenance resources to achieve the best availability and reliability of their assets—maximum operational flexibility leads to maximum profitability. Stockpiling managers must creatively convince maintenance teams of the real impact stockpiling assets have on refinery operations, thus ensuring a culture of intolerance for unreliable or broken equipment and instruments.
It is vital that operations teams help to develop the facility’s asset management policy to avoid sudden failures which raise safety risks. An evolutionary path of asset management is shown in FIG. 3.
In FIG. 3, accidental maintenance can also be considered reactive maintenance: the approach to fix failures as they happen. This approach poses higher process safety risks and relies on the operator’s skills to avoid process impacts.
Scheduled maintenance is an evolution of accidental maintenance: failures are anticipated or predicted, reducing the dependence on operator skills and knowledge to avoid process safety risks and any impact on production. The goal of improvement maintenance is to eliminate failures—especially chronic failures—through improvements in the process itself.
The final evolution of maintenance is the facility’s asset management policy. In this step, management actions and resources improve the performance and extend the lifecycle of operating assets, lowering the risks of sudden failures.
To improve asset management performance, stockpiling managers must sponsor and organize reliability meetings to discuss chronic equipment or system failures, particularly those considered critical to process safety (e.g., tank gauging systems).
The protection layers of the tank farm should be completely available and reliable. As described above, most process safety accidents involving storage tanks are related to overfill, reinforcing the relevance of continuous monitoring with accuracy and reliability.
According to the American Petroleum Institute (API) Standard 2350,² a refinery’s storage tanks can be classified according to their installed level monitoring system. This classification is summarized here:
Category 0—In this case, the overfill prevention system (OPS) is manual, and there are no instrumentation systems capable of transmitting alarms or liquid level information. The overfill control is dependent on the operator. API 2350 allows these facilities to operate under continuous monitoring during the first hour of product receipt, every hour during the receipt, and again continuously during the last hour of the receipt.
Category 1—This category is related to storage tanks that only have local liquid level information and no information transmission to the panel operator.
Category 2—This category involves storage tanks with automatic gauging (ATG) systems with a high-high (HH) level alarm based on the ATG information. Level and alarm information is continuously transmitted to the panel operator. This system is commonly found in crude oil refineries, but there is room for error because the HH level alarm depends on the ATG information. In other words, there is no redundancy in the level control.
Category 3—In this category, the storage tank relies on an ATG system with an HH level alarm (LAHH) that transmits information to the panel operator. This category is safer because it eliminates the dependence of the LAHH on the ATG, establishing redundancy in the level control.
Each facility presents an overfill risk level that demands different response times. Response time is defined as the time necessary to end a receipt in the safest way; this time is calculated based on the tank levels of concern (LOC) as defined according to API 2350 criteria. TABLE 1 presents the typical response times according to storage tank categories.
Normally, the overfill systems applied in crude oil refinery storage tanks should present a safety integrity level (SIL) of at least 2—in other words, a frequency of dangerous failures per hour between 10⁻⁷ and 10⁻⁶. This can be applied using a redundant system combining a level switch and a radar gauge integrated by a programmable logic controller (PLC). FIG. 4 presents an example of a safety interlock structure applied in crude refinery tank farms (Category 3 facilities).
The ESD PLC is dedicated to emergency scenarios, applying at least SIL 2 gauging devices, and the radar gauges should present a minimum accuracy of ± 1 mm. The strategy proposed in FIG. 4 presents redundant level control to avoid overfill accidents like the Buncefield terminal accident in 2005 (UK) that led to the destruction of the asset.
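As an added illustration (not part of the original article, and not taken from API 2350 or any vendor logic), the sketch below models the redundant level protection described above for a Category 3 tank: an independent level switch and a radar gauge evaluated by one logic solver, with a device failure treated as a reason to stop the receipt. The 1oo2 voting, the signal names and every limit value are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Limits:
    """Constructed tank limits for illustration (not values from API 2350)."""
    hh_mm: float = 14000.0             # high-high alarm level
    critical_high_mm: float = 14600.0  # level at which overflow or damage occurs
    response_time_min: float = 15.0    # time needed to end a receipt safely


@dataclass(frozen=True)
class Snapshot:
    """One scan of the two independent level devices (hypothetical signals)."""
    radar_mm: Optional[float]  # radar gauge (ATG) level; None if no reading
    radar_ok: bool             # radar diagnostics healthy
    switch_high: bool          # independent level switch (LAHH) activated
    switch_ok: bool            # switch loop diagnostics healthy
    fill_mm_per_min: float     # current level rise rate


def radar_usable(s: Snapshot) -> bool:
    return s.radar_ok and s.radar_mm is not None


def minutes_to_critical(s: Snapshot, lim: Limits) -> float:
    """Time left before the critical-high level at the current fill rate."""
    if not radar_usable(s):
        return 0.0  # no trustworthy level: assume no margin
    if s.fill_mm_per_min <= 0:
        return float("inf")
    return max(lim.critical_high_mm - s.radar_mm, 0.0) / s.fill_mm_per_min


def evaluate(s: Snapshot, lim: Limits = Limits()) -> str:
    """Return the action for a receipt in progress.

    ESD_TRIP      either device sees high-high (assumed 1oo2 voting)
    STOP_RECEIPT  redundancy lost, or too little time left to stop safely
    CONTINUE      both devices healthy and the margin is adequate
    """
    radar_high = radar_usable(s) and s.radar_mm >= lim.hh_mm
    if s.switch_high or radar_high:
        return "ESD_TRIP"
    # A failed device must never be read as "level is fine".
    if not radar_usable(s) or not s.switch_ok:
        return "STOP_RECEIPT"
    if minutes_to_critical(s, lim) < lim.response_time_min:
        return "STOP_RECEIPT"
    return "CONTINUE"


def may_start_receipt(s: Snapshot, lim: Limits = Limits()) -> bool:
    """Permissive: no transfer starts without both devices and enough margin."""
    return evaluate(s, lim) == "CONTINUE"
```

The case worth noting is a radar gauge that still reports a plausible but stale level while the independent switch activates: the trip comes from the switch alone, which is the redundancy a Category 2 arrangement lacks.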
The operations team should operate stockpiling assets diligently, never operating pumps that leak or vibrate excessively, tanks without gauging systems or adequate grounding, or systems under hydrocarbon leakage, among others. The development of adequate KPIs should be encouraged and supported by the refinery management team to achieve the sustainable, safe and reliable operation of stockpiling assets.
Takeaways. It is important to remember that some of the worst emergency scenarios within a refinery can occur in stockpiling assets, especially in crude oil storage tanks and LPG tank farms.
As described above, process safety in stockpiling operations is a three-pronged approach of asset management, operational discipline and integration among the stockpiling team and other areas.
Part 2 of this article will describe how operational discipline and the integration of the operations team are essential for adequate process safety performance in a crude oil refinery.
LITERATURE CITED
1 Chang, J. I. and C-C Lin, “A study of storage tank accidents,” Journal of Loss Prevention in the Process Industries, Vol. 19, Iss. 1, January 2006.
2 American Petroleum Institute (API) Standard 2350, “Overfill prevention for storage tanks in petroleum facilities,” 5th Ed.
Marcio Wagner da Silva is Process Engineering Manager at a crude oil refinery based in São José dos Campos, Brazil. He has extensive experience in research, design and construction in the oil and gas industry, including developing and coordinating projects for operational improvements and the debottlenecking of bottom-barrel units. Dr. da Silva earned a BS degree in chemical engineering from the University of Maringa (UEM), Brazil and a PhD in chemical engineering from the University of Campinas (UNICAMP), Brazil. Dr. da Silva also earned MBA degrees in project management from the Federal University of Rio de Janeiro (UFRJ), in operations and production management at the University of Sao Paulo (USP), and in digital transformation at Pontifical Catholic University of Rio Grande do Sul (PUC/RS). He is also certified in business by the Getulio Vargas Foundation (FGV).