DOI: 10.3303/CET2290112 Paper Received: 30 November 2021; Revised: 9 March 2022; Accepted: 27 April 2022 Please cite this article as: Vairo T., Magrì S., Reverberi A.P., Fabiano B., 2022, Hazardous Spray Release from a Pipeline under Maintenance: Causes and Lessons Learned by a Combined Accident Analysis Perspective, Chemical Engineering Transactions, 90, 667-672 DOI:10.3303/CET2290112 CHEMICAL ENGINEERING TRANSACTIONS VOL. 90, 2022 A publication of The Italian Association of Chemical Engineering Online at www.cetjournal.it Guest Editors: Aleš Bernatík, Bruno Fabiano Copyright © 2022, AIDIC Servizi S.r.l. ISBN 978-88-95608-88-4; ISSN 2283-9216 Hazardous Spray Release from a Pipeline under Maintenance: Causes and Lessons Learned by a Combined Accident Analysis Perspective Tomaso Vairoa*, Stefania Magrìa, Andrea P. Reverberib, Bruno Fabianoa a DICCA - Civil, Chemical and Environmental Engineering Department, Polytechnic School - Genoa University, via Opera Pia 15 - 16145 Genoa, Italy b DCCI - Department of Chemistry and Industrial Chemistry, Genoa University, via Dodecaneso 31, 16146 Genoa, Italy tomaso.vairo@edu.unige.it As widely acknowledged, learning from accidents represents one of the main source of knowledge for future loss prevention. An effective investigation may help enhancing the process of continuous improvement of the safety management system. Recently,, during a pipeline batching operation between two storage facilities of the same corporation, a LOC from the flange caused a spary release of atomised diesel, impacting on the adjacent national road. Two complementary approaches for accident investigation are here considered, i.e., customized root cause analysis workflow and Causal Analysis using System Theory approach. The best approach lies in the systemic nature of the selected methods applied to the whole socio-technical hierarchy of the concerned process trying to improve on one hand existing hazard analysis and on the other hand accident analysis. The paper outlines the fact-finding process from the technical viewpoint, as well as preconditions and latent failures. 1. Introduction Pipelines are a relatively safe transportation system for hazardous fluids, compared to other ones and in relative terms pipeline risk assessment does not come with hazard analysis, but with the calculation of the consequences and damage (Palazzi et al., 2014) still implying a number of uncertainties in the pipeline QRA (Vairo et al., 2021). Crude oil and oil products are the main fluids extensively conveyed in European networks and different fire scenarios may result from the failure of a flammable material pipeline, dominated in case of liquid by pool fire scenario (Palazzi et al., 2017). The study of failure causes associated with corrosion and erosion phenomena are an up-to-date topic for evaluating and strengthening pipeline safety management (Milazzo et al., 2021). The importance is reflected also by recent accidents, as many old pipelines can suffer deterioration due to ageing, aggressive environmental factors, improper protection/preventive maintenance and land-use modification (Vairo et al., 2019). Notably, interaction man-plant-equipment may be considered a determining cause in major accidents, both in fixed plant and transportation, with 8–10% events occurring during loading/unloading (Vílchez et al., 1995). In this context, an accident occurred recently during a pipeline batching operation between two hydrocarbon storage parks of the same company. A loss of containment from a flange caused a liquid spray release of atomized diesel which impacted on the nearby road. Even though immediate cause is identified as an unreported valve opening failure, accident analysis focuses on the operational flow, communication and signal transmission, i.e. the operational and organizational components liable to lead to unwanted events, when inadequately managed. In the reminder of this paper, two complementary approaches for accident investigation are developed, so that accident may be considered rather than a causal chain of events a complex dynamic processes and its re-occurrence prevention implies setting constraints on component behaviour and interactions. 667 2. The accident The bi-directional oil pipeline with nominal diameter 10” and globally equipped with 9 shut-off valves, runs between two storage facility crossing the boundaries of two Italian regions. It originates from the plant in the Northern region where the PIG throwing trap is installed, crosses the territory of various Municipalities, and it is also connected through a sorting node (Berck Node), with a line section (diameter of 10"), coming from a downstream oil plant. Subsequently, the pipeway crosses a mountain region and reaches the other plant. At approximately 11:00 am, the PIG emptying operations of the pipeline connecting two storage parks started according to planned maintenance interventions along the line. At 14:46 the 45-bar high-pressure shutdown intervened and close the MOV valve at the receiving plant. At 14:48 the pressure, recorded by the DCS system with sampling time 10 s, raised to 45.5 bar. The operation coordinator manually adjusted at DCS the opening of the flow regulator (PV) at the set point corresponding to 21%. Five minutes later, the batching operations were resumed by the sending facility in the northern region, opening the MOV valves and the operation has stopped. The operation manager of the receiving plant while verifying the process sequence realized that the MOV valve was actually closed and tried to open it on site. At the same time, the sending plant operation manager performed a line reset at 14:56 to open the valves again. The first valve opens while the receiver MOV remains closed, causing the flange rupture and the diesel jet dispersion. The above-described batching operation was carried out at constant flow rate. To get the pig out of the launch trap, a small amount of diesel was pumped, keeping the MOV valve partially closed, so as not to empty the pipeline. The area of interest, for the operation, is between the launching trap of plant B and the receiving trap of the plant A, for an overall length covering nearly 36 km with different altitude. The batching is carried out by introducing the PIG into the pipeline and subsequently the nitrogen that pushes the diesel fuel into the line, to the Plant 2 tanks; the operation ends with the arrival of the PIG in the trap (see operating conditions summarized in Table 1).. Table 1: Operating conditions. Item Values Nominal batching flow rate (Min - Max) 120 - 250 m3/h Displacement speed (Min - Max) 0.6 - 0.3 m/s Average unit capacity of the pipeline 53.2 m3/km Product to batch Diesel oil Total volume of diesel to batch 1960 m3 Batching fluid Nitrogen Nitrogen pressure at the end 15 barg Amount of nitrogen to be injected 31,100 Sm3 Batching time 10 h Injection time 4 h 42 min Total length of the oil pipeline 36.849 km Injection of nitrogen online must take place according to a two-batches procedure: the accident occurred after the introduction of the first batch when the nitrogen in the line was 16,054 Sm3. The operation involved the recording of data every 15 minutes and the passage of the PIG at the scheduled control points; the actual pressure measurements during the operation are displayed in Figure 1. Figure 1: Pressure measurement charts. 3. Investigation A multidisciplinary team was appointed to investigate the accident. All the components of the transfer section involved were thoroughly inspected for physical evidence to determine the contribution causes of the event. The 668 atomized diesel fuel, mixed with the water of the activated fire-fighting system, fell both inside the plant, and on the adjacent road for nearly 70 m and, to a marginal extent, on the bank right of the bed of the close river, without any serious water contamination. There was no harm to people. During the investigation, it was found that the flange had loosening of the tie rods between the flange and the valve and that the spiral gasket was severely damaged, but globally damages to internal structures was rather limited. There was a loosening of the PSV tie rods and the detachment of leaflets and damage to the barrel fittings. Four tie rods of the flange (pipeline side) of the safety valve have unscrewed and the spiral wound gasket is damaged, allowing the spray release of pressurized diesel oil, as shown in Figure 2. Figure 2: Damaged spiral. While the gasket is damaged, the tie rods are still in their position; the flange on the flow side out from the PSV has all the tie rods in place, except one, completely unscrewed. The other adjacent flanges have tie rods in place. The evidence seems to indicate that the vibrations due to the intervention of the PSV itself with the rapid movement of the plate have triggered the unscrewing of some tie rods, probably less tightened than those that at the end of the event were still screwed all the way down. Field investigation evidenced that the MOV valve actuator that did not open was found unscrewed. At the time of the accident, the batching PIG (and therefore the diesel/nitrogen interface) was about 25% of the way. The PSV and all the connecting piping to the arrival of the oil pipeline involved in the event were built for a working pressure at room temperature equal to 102 bar. The valve release was calibrated at 50 bar based on the operating conditions of the line, always below the 66 bar admissible pressure for the pipeline. From an environmental point of view, on-site monitoring extended to a suitable time span evidenced that the surface of the river was not affected at all by the event, as actually fallout only affected a dry strip in the river-bed. The volume of product involved in the event is estimated in 500 l and during the spray release all the mitigation actions were taken and water curtains and the foam system in the barrel area were effectively activated according to the emergency contingency plan. A qualitative consequence evaluation, based on the relevant scenario, the representative chemical involved and the actual protective measures, is summarized in Table 2. Post-accident and immediate remedial action consisted in asphalt scarification and resurfacing extended to the whole area between the barrel and the surrounding wall. Table 2: Consequences evaluation matrix. Consequence Actual Potential People 0 (none) 3 (medium) Plant 2 (low) 2 (low) Environment 2 (low) 3 (medium) Reputation 3 (medium) 3 (medium) 4. Combined theoretical framework The investigation framework here developed includes a customized root cause analysis workflow and Causal Analysis using System Theory approach. The root-cause analysis is carried out by the means of consolidated risk assessment techniques. Leveson (2019) prescribes a nine-step CAST analysis process, not necessarily performed in sequence: 1. Identify the systems and hazards involved in the loss. 2. Identify safety constraints and requirements associated with each hazard period. 3. Document the safety control structure in place, including each element and its attributes. 4. Determine the proximate events leading to the loss. 6. Determine how and why the successive higher levels of the control structure allowed or contributed to the inadequate control at the current level. 7. Examine overall coordination and communication contributions to the loss. 8. Determine [any degradation] of safety control structure overtime. 669 9. Generate recommendations. The best approach lies in the systemic nature of the selected methods applied to the whole socio-technical hierarchy of the concerned process, trying to improve both existing hazard and accident analysis and evidencing possible safety constraints that were violated at each structure level. The schematic fault tree depicted in Figure3, allows identifying immediate and underlying causes, as follows. Malfunction of the flanged coupling due to improper tightening combined with imperfect assembly ("dirty" tightening) or a defect in the gasket. • The positioning of the PSV and the atomization of the diesel fuel facilitated the extension of the leak outside the plant. • The malfunction of MOV, which, at the reset command, does not open, causing the expected pressures to be exceeded with the consequent intervention of the PSV. • Failure to remove the blocks caused the first interruption of the batching starting the incidental sequence. • Failure of the actuator on MOV. Figure 3: Fault Tree accident analysis. The identified Minimal Cut Sets are: 1. MCS level 1: 1-3-4. There was a signal error at the DCS. The MOV appears to be open, when it was closed. Due to defects in the spiral gasket of the PSV, the MOV still remains blocked close. 2. MCS level 2: 1=4-3. There was a signal error at the DCS. The MOV appears to be open, when it was actually closed. The wrong assumption forced the operator at the PIG sending station to try various restarts of the operation, with the MOV at the closed status. A simple Event Tree Analysis was performed, tracing the event chain starting from MOV valve failure due to unscrewed actuator, as depicted in Figure 4. Figure 4: Event Tree consequence analysis. 670 The CAST analysis integrates the results of the first investigation, and aims at improving the understanding of dynamic accident processes; it was carried out focusing on the batching operation, relevant system hazards and safety constraints, e.g. warning and other technical managerial measures addressing loss minimization. Following requirements for hazard mitigation and relevant control elements are outlined: 1. Protect against loss of containment 2. Provide feedback about the state of the safety-critical equipment and conditions 3. Provide indicators (alarms) of the existence of hazardous conditions 4. Effective containment of hazardous released substances 5. Process block (MOV closure) for high pressure (1st tier) 6. PSV intervention for very high pressure (2nd tier) 7. Alarms and feedback in control room The role of technological and operational components, identified by the accidental sequences analysis and depicted in Figure 5, is crucial to better address the organizational and procedural improvement. Figure 5: Safety control structure for the batching operation. Failures 1. The signal of MOV valve closure was not reported in the control room, for a failure of the actuator. 2. The PSV gasket fails. Unsafe interactions 1. The pressure exceeds tier 1. The control on pressure works, the process is blocked by MOV closure. 2. After the block for high pressure, the operator at the starting station resets the operation by opening the MOV again. At DCS the MOV appears open, and the operator restart the batching. 3. The MOV is actually closed, so the pressure exceeds tier 1 again and the process is blocked again. 4. The operator reset and restart the process for the second time. The MOV actually remains closed. The pressure exceeds tier 2, and the PSV intervenes. 5. The PSV gasket is damaged. Instead transferring the product to the proper tank, a loss of containment from the PSV gasket happened. Missing or inadequate controls that might have prevented the accident 1. There was an inadequate number of sensors at the MOV valve. The sensor was on the actuator, and not on the gate, which would have avoided the signal error following the unscrewing of the actuator. 2. The operator at sending station did not communicate with the operator at receiving station, who could have checked the status of the MOV. Recommendations 1. Improve the signal reports at DCS by inserting an additional sensor on the MOV gate. 2. Define procedures for the communications between operators at different stations. 671 5. Conclusion The root cause analysis resulted in interventions concerning plant components and process control; procedural and organizational interventions arose from the CAST analysis. As follow up of the investigation, a number of preventive and protective safety barriers are outlined, being conceived as combination of technical, human, and organizational measures: 1. Evaluate the preparation of a specific procedure for tightening valves that work at high pressures which includes quality control (visual check) of the gasket and a final check of correct installation. 2. Evaluate the existence of anti-loosening solutions of the nuts for closing the flanges of high pressure valves. 3. Consider the installation of flange covers or deflectors on high pressure valves in critical positions. 4. Evaluate the repositioning of the safety valves that are positioned above the boundary wall and without protection towards the outside of the plant. 5. Anti-loosening devices (for example spring washers) on product valve actuators. 6. Additional sensors on valve gates. 7. Improve the communication flow between the operators involved in the operations. As further improvement, the following preventive actions should be included into the displacement procedure: 1. A check list, including block asset verification and correctly validated by the appropriate functions, before the start of the operation. 2. Design and implement a dedicated structure for DCS, with operational approval requirement by an auditable procedure. As a general conclusion, the added value of CAST analysis includes the through assessment of organizational elements, focusing on the interactions between the system components, including operators, local management and corporation management. In this regard, the operative control is deeply rooted in a reliable operational experience analysis and the operational experience relies on an open communication between operators and the management (Markowski et al., 2021). Results from the combined approach highlight how the root causes of this incident lie in the areas of process safety leadership, management and culture throughout the firm organisation. Acknowledgments This research was funded by INAIL, within the framework of the call BRIC/2019/ID2 (Project DYN-RISK). References Bhattacharjee R.M., Dash A.K., Paul P.S., 2020, A root cause failure analysis of coal dust explosion disaster – Gaps and lessons learnt, Engineering Failure Analysis, 111, 104229. Stoop J., Benner L.J., 2015, What do STAMP-based analysts expect from safety investigations?, Procedia Engineering, 128, 93-102. Leveson N.G., 2011, Engineering A Safer World: Systems Thinking Applied to Safety, MIT Press, Cambridge, MA,USA. Leveson N.G., 2019. CAST Handbook – How to learn more from incidents and accidents. Nancy G. Leveson http://sunnyday.mit.edu/CAST-Handbook.pdf accessed 30.11.2021. Markowski A.S., Krasławski A., Vairo T., Fabiano, B., 2021, Process Safety Management Quality in Industrial Corporation for Sustainable Development. Sustainability, 13, 9001. Milazzo F., Uguccioni G, ,Malatesta G.,,Miglionico R., Tallone F. 2021, Assessment of the effect of technical and management characteristics on the frequency of release from piping: An application to a gas storage facility, J. Loss Prev. Process Ind. 71, 104446. Palazzi E., Currò F., Reverberi A., Fabiano B., 2014, Development of a theoretical framework for the evaluation of risk connected to accidental oxygen releases, Process Saf Environ 92, 357-367. Palazzi E., Currò F., Fabiano B., 2015, A critical approach to safety equipment and emergency time evaluation based on actual information from the Bhopal gas tragedy, Process Saf Environ 97, 37-48. Vílchez J.A., Sevilla S., Montiel H., Casal J., 1995, Historical analysis of accidents in chemical plants and in the transportation of hazardous materials, J. Loss Prev. Process Ind. 8, 87–96. Vairo T.; Pontiggia M.; Fabiano B., 2021, Critical aspects of natural gas pipelines risk assessments. A case- study application on buried layout. Process Saf. Environ. Prot., 149, 258–268. Vairo T., Magrì S., Qualgliati M., Reverberi A., Fabiano B., 2017, An oil pipeline catastrophic failure: accident scenario modelling and emergency response development, Chemical Engineering Transactions, 57, 373- 378. 672 lp-2022-abstract-132.pdf Hazardous Spray Release from a Pipeline under Maintenance: Causes and Lessons Learned by a Combined Accident Analysis Perspective