Microsoft Word - 025.docx CHEMICAL ENGINEERING TRANSACTIONS VOL. 48, 2016 A publication of The Italian Association of Chemical Engineering Online at www.aidic.it/cet Guest Editors: Eddy de Rademaeker, Peter Schmelzer Copyright © 2016, AIDIC Servizi S.r.l., ISBN 978-88-95608-39-6; ISSN 2283-9216 The Pitfalls of Risk Based Inspection: an Insurer’s View of the Chevron Richmond and Tesoro Anacortes Incidents Ian Clarke Zurich Insurance Company, London, UK Ian.clarke@uk.zurich.com Risk Based Inspection (RBI) is a tool that has been with us now for several decades. There is no question that when applied well, it allows for an improvement in the effectiveness of the inspection programmes across large and small organisations. However, incidents continue to occur and consistent themes remain, nearly always related to the failure to maintain the asset sufficiently to prevent hydrocarbon escape and ignition. This is the result of common pitfalls, which I see in my travels around the globe to review the risks posed by the businesses that we insure. In both of the incidents described in this presentation pitfalls in the implementation of RBI are present, although, as is always the case, several other contributing factors led to the catastrophic outcome. I am going to focus on the RBI shortcomings that contributed to these incidents, in order to try to encourage operators to build more rigour into their programmes. This is particularly critical in a time of aging assets and plummeting oil prices, a “double whammy” that has insurers in this market profoundly nervous. At Chevron inappropriate deferment and inadequate depth of inspection on a crude distillation tower outlet pipe led to a rupture of that pipe, a fire, and several personnel injuries. The cause of the rupture was primarily caused by a failure to identify extensive sulphidation corrosion in the pipework in question, despite several previous test results showing damage was occurring elsewhere in that pipe section. At Tesoro a narrow focus of the RBI programme and a lack of willingness to investigate seemingly low risk equipment led to the catastrophic failure of a heat exchanger, a fire, and seven deaths. The American Petroleum Institute (API) issued a warning in 2011 about the use of Nelson curves and although it is recognised that this warning came after this incident the US Chemical Safety and Hazard Investigation Board (CSB) report has cited at least eight separate incidents within the industry where high temperature hydrogen attack (HTHA) had been found in equipment supposedly operating within the “safe” zone of these curves. The Nelson curves themselves are based on empirical industry experience only, with no scientific or research data to support them. With this information, while we can always be considered smarter in hindsight, it would appear that not inspecting the equipment when it was operating quite close to the Nelson curve was a mistake. With more rigour in the RBI programme these incidents may have been avoided. RBI is not a way of saving money, although if done correctly it may do so. RBI is designed to ensure continuing safe operation and validate asset integrity programmes. It is about fitness for purpose. RBI is a way of prioritising inspection activities to those containing the highest risk. It is a way of ensuring that, in an atmosphere of finite resources, lower risk items do not wait another year, or indefinitely. I have seen many dubious applications of RBI, and these can be down to many factors, well represented in both examples reported here. 1. Chevron Richmond Refinery The details, descriptions and conclusions on this event are taken from the final report by the CSB on the incident, issued in January 2015, and are not re-presented here other than as necessary background information. On the front page of the report are listed the four key issues, which are Chevron process safety programmes, Chevron emergency response, mechanical integrity industry standard deficiencies and leak evaluation, and response industry standard deficiencies. We will be concentrating on the mechanical integrity issues. DOI: 10.3303/CET1648127 Please cite this article as: Clarke I., 2016, The pitfalls of risk based inspection, Chemical Engineering Transactions, 48, 757-762 DOI:10.3303/CET1648127 757 1.1 Incident Summary On 6 August 2012 a catastrophic pipe rupture in a 20.3cm (8 inch) diameter light gas oil line from the crude unit atmospheric column occurred at the refinery. The line was one of several “sidecut” streams from the column and contained a mixture of hydrocarbons with boiling range of approximately 205-3450C (401-6530F) flowing at approximately 41,200 m3/h (10,800 barrels per day). The line conditions were 3380C (6400F) and 481 kPa absolute (55 psig). The release partially vaporized into a large cloud which ignited some two minutes later. Of the nineteen employees in the vicinity of the event, eighteen safely escaped the cloud before ignition, while the other, a firefighter, was fortunately wearing full body firefighting protective equipment when the fire appliance he was inside was engulfed in the ensuing fireball. He was subsequently able to escape, and in the event six employees suffered minor injuries from the event and resultant emergency response efforts. The event triggered the community warning system and shelter-in-place advisories for three cities neighbouring the refinery, and prompted some 15,000 people to seek medical treatment for a variety of ailments associated with breathing in the resultant smoke. 1.2 Findings The CSB issued several reports including an Interim Report (April 2013), a Regulatory Report (October 2014) and the Final Report (January 2015). These concluded that the rupture of the piping occurred due to thinning and consequent failure under pressure. The thinning of the pipe was caused by sulphidation corrosion, a commonly occurring damage mechanism in crude oil refineries due to the reaction of sulphur compounds and iron at temperatures ranging from 232-5380C (450-10000F). This mechanism is present at various levels of severity in virtually all oil refineries depending on the total sulphur content of the oil, types of sulphur compounds, flow conditions and system temperature. The pipe in question was constructed of carbon steel, which is far less resistant to this mechanism of corrosion than higher chromium containing steels. In addition corrosion rates are more variable across the system due to variances in silicon content in the steel. From the mid-1980’s changes in manufacturing specification resulted in significantly higher concentrations of silicon in carbon steel, but many of the refineries worldwide were built prior to then. The pipe that failed was shown to have significantly different concentrations of silicon in a variety of locations, ranging from 0.01% at the point of failure to 0.16% at the elbow directly upstream of the failure point, to 0.2% in another tested location. The difficulties of carrying out 100% inspection by thickness measurement led to the CSB concluding that inherently safer design, such as replacement of the component by higher specification alloy steels, was the best way to prevent future failures. Chevron specialists within the organisation recommended a 100% inspection or full replacement on several occasions but these recommendations were not implemented. This was due to a variety of reasons including the process for determining turnaround project scope of works, lack of high level management awareness of asset integrity problems and some erroneous assumptions from the remaining life calculations. The process for determining turnaround project scope of work was flawed in the sense that there was no auditable log of the process of approval, deferral or rejection of the item, the justification for the decision or which individual or team made the decision. High level management were unaware of asset integrity issues because there was no formal means of communicating them in the form of key performance indicators (KPIs), or a method for proposers of turnaround works scope to appeal a decision on whether an item was included. Finally, minimum alert thicknesses were lowered without appropriate technical oversight or discussion, which led to erroneous conclusions from remaining life data. The response to the initial leak also came in for criticism, with the attempts to stop the leak while on line, as opposed to shutting down the unit, possibly putting personnel in harm’s way. It was also identified that despite several personnel being uncomfortable with the proposed actions to stop the leak, and some suggesting it be shut down, the work continued anyway. In addition, there were no formal protocols for managing a leak. 1.3 Recommendations The recommendations coming out across these three reports are outlined below. Chevron were to engage a diverse group of qualified personnel to carry out a hazard review to identify potential process safety damage mechanisms and to ensure appropriate safeguards were put in place to control these hazards. On an organisational level, it was recommended they develop a method of accountability to track effective implementation of best practices to ensure process safety, develop an auditable process for all recommended mechanical integrity turnaround work, and develop an approval process for changing minimum alert thicknesses to lower values in the inspection database. The API was to revise various codes of practice to reflect the risks of sulphidation corrosion to low silicon content carbon steel piping, and describe appropriate controls to put in place. They were also requested to provide guidance on appropriate leak response protocols, and this guidance was also to be documented within appropriate American Society of Mechanical Engineers (ASME) standards. 758 The regulatory authorities were to ensure that Process Hazard Analyses (PHA) carried out by facilities within its jurisdiction included a review of hazards and controls such that the risk was driven to a level considered As Low As Reasonably Practicable (ALARP). They were also to extend the first recommendation, for Chevron, to facilities throughout its legislative remit, require the industry to develop and report leading and lagging process safety indicators, and establish a joint regulatory programme to monitor the effective implementation of the hazard review process. The state legislature was to enhance and restructure process safety management (PSM) regulations to include more goal-setting attributes rather than prescriptive approaches, and regulators were to introduce a compensation system suitable to attract personnel capable of performing the appropriate regulatory oversight roles. 1.4 RBI Issues and Discussion The recommendations from the above reports have an impact on a significant number of mechanical integrity and RBI activities. In particular, the review of various API codes identified a number of improvements for RBI programmes, the most critical of which was to require refinery operators to identify all carbon steel piping with potentially low silicon content and carry out 100% inspections, or replace the items with more resistant steel alloys. However, it should also be pointed out that even higher silicon content carbon steels do suffer from this type of attack, and that a robust system of inspections is required to accurately predict an appropriate replacement time. With this in mind, the two recommendations relating to Chevron are also pertinent. At many facilities RBI approaches allow for considerable discussion regarding works to go into the turnaround scope and those that can be left for the next turnaround. The process for approving or deferring mechanical integrity or inspection tasks needs to be auditable and allow for escalation for further review if the situation requires it. In addition to this, there needs to be appropriate technical oversight of the minimum alert and retirement thickness for piping to ensure decision making processes are robust and being made with the appropriate level of technical oversight. 2. Tesoro Anacortes The details, descriptions and conclusions on this event are taken from the final report by the CSB on the incident, issued in May 2014, and are not re-presented here other than as necessary background information. On the front page of the report are listed the five key issues, which are inherently safer design, Tesoro process safety culture, control of non-routine work, mechanical integrity industry standard deficiencies, and regulatory oversight of petroleum refineries. As for the Chevron loss, we will again be concentrating on the mechanical integrity issues. 2.1 Incident Summary On 2 April 2010 there was a catastrophic failure of a heat exchanger in the naphtha hydrotreating unit (NHT) of the refinery. The heat exchanger contained hydrogen and naphtha at temperatures in excess of 2600C (5000F), which escaped and ignited, resulting in a fire which lasted for three hours. The explosion and fire fatally injured seven employees of the Tesoro refinery who were working nearby. The release was from the ‘E’ exchanger, the middle unit of one of two banks of three (A/B/C & D/E/F) used for preheating process fluid before it entered the reactor. The fatally injured employees were working on the restart of the second bank of heat exchangers at the time of the release. 2.2 Findings The CSB issued both an Interim Report (January 2014) and the Final Report (May 2014). These concluded that the rupture of the equipment occurred due to severe weakening of the carbon steel heat exchanger shell, caused by high temperature hydrogen attack (HTHA). HTHA is a well-known damage mechanism that results in cracking and fissures in carbon steel exposed to hydrogen at high temperature and pressure, resulting in severely degraded mechanical properties. The mechanism is concentrated at high stress areas such as non- post-weld heat-treated welds, and the welds on both the ‘B’ and ‘E’ exchangers were not post-weld heat- treated. This is where the exchanger in question failed. The API has published Nelson curves to predict the occurrence of HTHA for various materials but these are based on past equipment failure incidents and reported associated process conditions and are not considered to be accurate for predicting failures. This was confirmed by CSB computer modelling of the incident in question, which showed the exchangers operating within the assumed safe range, although it was possible that process excursions may have taken them above these curves from time to time. Inspection for HTHA is notoriously difficult and requires extensive expertise. It is not considered a reliable means of ensuring mechanical integrity. API has identified high chromium steels which are significantly more resistant to HTHA and these should be utilized in areas where this mechanism is or may be present. 759 Various organizational concerns were raised regarding the startup of the heat exchangers, which had a history of leaks, and the subsequent number of operators that were at the site at the time to facilitate this operation. Furthermore, there was evidence of the use of temporary fixes to facilitate operation of the unit in a way which “normalized deviance” and led to a culture of accepting unusual operating conditions. There were findings regarding the inadequacy of previous Process Hazard Analyses (PHA) by both the current and previous operator of the refinery regarding the safeguards for preventing HTHA on the equipment. In addition, the process conditions within the hottest parts of the ‘B’ and ‘E’ exchangers were inferred from other measurements and led to incorrect assumptions about the risk of HTHA in those vessels. The CSB reports went on to conclude that the current regulatory regime was too prescriptive, rather than being goal-based, and that it did not encourage risk reduction to ALARP levels, sharing and/or implementation of best practices, incorporation of learning from losses and/or incidents or encourage the use of inherently safer technology. It suggested the burden of proof was with the regulator to show the operation was unsafe, for which it was regularly under resourced in terms of both personnel and expertise, rather than the operator having the burden of proof to show the operation was safe. It concluded the current oversight regime for process safety matters was ineffective as a result. 2.3 Recommendations The recommendations from the reports are outlined below. The US Environment Protection Authority (EPA) was recommended to include the use of inherently safer design into regulation, help establish a rigorous enforcement framework and participate in improvements across regulatory bodies in the oversight of process safety management. The state authority was recommended to improve the regulatory regime along the lines of what has already been discussed above, to provide the required resources in terms of personnel and expertise to facilitate this level of oversight, and to assist industry in the development of leading and lagging process safety indicators. It was also recommended that an urgent review of all facilities was carried out to identify potential for further failures related to the HTHA mechanism, and that written hazard evaluations and programmes are put in place to limit the number of personnel present at non-routine or hazardous work. The API were requested to review the appropriate standards to provide better guidance around the HTHA mechanism, to require the use of inherently safer materials where practicable, and ban the use of carbon steels in services above 2040C (4000F) and greater than 345 kPa (50 psia) pressure. Tesoro were required to review the new API guidance and implement a plan and to revise and improve PHA, integrity operating window (IOW) and damage mechanism hazard review (DMHR) studies to ensure that all hazards are identified. They were also required to implement a process safety culture continuous improvement plan in conjunction with the appropriate regulators. 2.4 RBI Issues and Discussion The recommendations from the above reports have an impact on a significant number of mechanical integrity and RBI activities. In particular, the review of various API codes identified a number of improvements for RBI programmes, the most critical of which was to require refinery operators to identify all potential HTHA areas and to replace them with higher integrity steels. There is also concern regarding the ability of an RBI programme to effectively identify and select the systems at risk of potential HTHA, bearing in mind uncertainties regarding the Nelson curves. The process of investigation and hazard determination needs to have an appropriate level of safety and rigour in order to ensure no potential exposures are missed. The evaluations also need to be carried out by a team of appropriately qualified personnel, with external expert assistance if necessary. 3. Common Themes and Insurance Concerns 3.1 Common Themes The Tesoro report includes references to the Chevron CSB investigation, and some commonalities between the two. In both cases the losses were caused by well-known damage mechanisms. In both cases a combination of process safety and mechanical integrity management system failures led to a serious incident. Also in both cases the failure to change to inherently safer design alternatives was critical, with the reliance on the process safety and mechanical integrity programmes not providing a sufficient safety barrier. The report suggests that standards were partly to blame, in that they provided guidance on how to avoid HTHA and sulphidation corrosion failures, but did not specify minimum standards to effectively evaluate and mitigate the exposure. 760 Both of these issues are particularly relevant to RBI, as in both losses decisions were made that the risks were acceptable, when in fact they were not. The organisational factors around these decisions are the areas which are particularly important. Neither set of state regulations were successful in preventing the incidents. It is suggested in the CSB report that regulations requiring more goal-setting attributes, a greater focus on reducing risk to ALARP, and by inference a better process safety management regime, would result in better decision making. As far as this is relevant to RBI, it would lead to a more rigorous mechanical integrity approach, a more auditable trail for organisational design making around asset integrity issues, and a better awareness for the regulator in how risks are managed on a given facility. 3.2 Insurance Concerns Insurance industry concerns about RBI are largely due to the implementation of it. There are a variety of concerns but the most common one is when a client tells you they are implementing RBI in order to save money. While this objective may actually be achieved over a period of time in the initial phases it may in fact result in an increase in inspection work and hence costs if applied correctly. External factors such as mergers, acquisitions and divestments have resulted in the sale of non-strategic assets by large oil companies and the sale of older plants at discount prices to avoid high remediation costs and/or future liabilities. Buyers of these plants are often highly leveraged financial groups who wish to make money, so there is the combination of no investment for 5+ years prior to the sale and then none for another 5+ years. Against this background of under investment the RBI philosophy was implemented. Now we have the “perfect storm” of aging assets and another oil price crisis which will lead to increased focus on maintenance and asset integrity costs. It is vitally important that management resist the temptation to use RBI programmes as the enabler for reducing asset integrity activities further. Below is a chart extracted from the Marsh Loss Control Newsletter. Marsh regularly canvass insurance company risk engineers to determine what issues are most important, in order to ensure their reports provide the information these engineers need to adequately assess the risk for their underwriters. It is prudent to note that inspection comes top of the list. Figure 1: Items of importance to insurance companies. From Marsh Loss Control Newsletter 2011 Edition 2 4. Conclusions The experience of these two losses have led to a great many improvements across a number of areas, not least the management and reporting of process safety. However, there are also some major learnings for organisations to improve the robustness of their RBI programmes, and these messages should be taken on board. While some of these conclusions are not necessarily relevant to these two incidents, they are a good basis for a sound RBI programme. The main points to take away are as follows: In sp ec tio n P ro ce ss S af et y E S D , I so la tio n O pe ra tio ns M ai nt en an ce P ro ce ss A re a… G as D et ec tio n S ite L ay ou t P re ss ur e R el ie f… Fi re D et ec tio n & … Fi re p ro of in g Fi re W at er S ys te m E ng in ee rin g an d… E m er ge nc y P la ns Fi re W at er … P ro ce ss C on tro l Fi xe d Fi re … S to ra ge … M an ag em en t… S ite C on st ru ct io n O n- S ite F ire … M ac hi ne ry … B ui ld in gs … H ou se ke ep in g U til ity R el ia bi lit y S to ra ge L ay ou t S to ra ge … Je tty F ac ili tie s M ut ua l A id R ai l, R oa d, … P er so na l S af et y S ec ur ity Im p o rt a n c e 761 (1) RBI should be undertaken based on a sound understanding of existing plant condition. If this is not in place, such as using historical data from the site or a similar parent facility, then the programme needs to reflect these unknowns and also allow for inspections in areas that are deemed to be lower risk (2) In any RBI programme, periodic assessment of low risk areas on an increased frequency should be undertaken to ensure the assumptions underpinning the RBI programme are valid. As an example, effective corrosion under insulation (CUI) programmes will check for damage in areas outside of the traditional high risk operating criteria (3) RBI is not a tool to reduce the amount of inspections, although that may be a consequence of implementing it. RBI is used to identify all potential damage mechanisms and to put an appropriate inspection regime in place to manage these (4) RBI should not be used as a prioritisation tool to determine the most critical inspection work to be done in a limited scope turnaround budget. Processes that define the time available and then try and squeeze in the maximum number of critical inspections that can be done in that period are doomed to failure. The RBI programme should identify the job scope that has to be done in the upcoming turnaround, and all these tasks should be completed (5) The decisions made within the RBI programme should be auditable, accountable and made by appropriately skilled technical authorities. This includes setting of alert levels and retirement thicknesses for piping (6) Decisions about work scope inclusion in turnarounds for mechanical integrity repair work should be auditable and able to be escalated to higher levels of management if inspection personnel do not believe sufficient weight is being given to their role as the “maintainers of the pressure envelope” (7) RBI processes should be altered or modified in accordance with new information, be it losses on other facilities or new information coming to light. Changes to the inspection programmes should only be made by appropriately qualified individuals (e.g. ASNT Level 3 NDT or equivalent inspection qualifications) after a rigorous assessment of the potential impacts References Marsh, 2011, Loss Control Newsletter Edition 2 US Chemical Safety and Hazard Investigation Board Final Investigation Report, January 2015, Chevron Richmond Refinery Pipe Rupture and Fire, Report No. 2012-03-I-CA US Chemical Safety and Hazard Investigation Board Investigation Report, May 2014, Catastrophic Rupture of Heat Exchanger, Tesoro Anacortes Refinery, Report No. 2010-08-I-WA 762