105a

SAFETY INCIDENTS IN ETHYLENE PLANTS

Stephen De Haan
Vice President
Lummus Technology
Barbara Stancato
Manager
Lummus Technology
Brian K. Sullivan
Manager
Lummus Technology
Prepared for Presentation at the 2010 Spring National Meeting
San Antonio, TX. March 21, 2010
AIChE and the EPC shall not be responsible for statements or opinions contained in papers or
printed in its publications

Safety Incidents in Ethylene Plants

STEPHEN DE HAAN
VICE PRESIDENT
LUMMUS TECHNOLOGY
BARBARA STANCATO
MANAGER
LUMMUS TECHNOLOGY
BRIAN K. SULLIVAN
MANAGER
LUMMUS TECHNOLOGY

Abstract: Many similar safety incidents occur in ethylene plants throughout the world.
While these should be well known to plant operators, our paper reviews these safety incidents
along with their root causes. The paper then discusses the following three less common
safety incidents in detail:

Heater over-firing during partial trip

Heater over-firing on emergency fuel
Column over-filling

The above incidents were related to or caused by problems in the control system. Some
occurred because the operators did not use or fully understand the control system. Others
resulted from faulty configuration or a lack of understanding of the process by the control
engineer.
We believe these particular incidents are important because they can potentially occur in
any ethylene facility. Also, they involve the control system, which is often treated as a black
box. As such, it represents a gap in the knowledge of some operators and engineers.
Incident analysis techniques are then addressed and a list of key factors based on our
experience is provided.

Introduction
The processing industry places a major emphasis on operating safely and avoiding
incidents. However, there are inherent risks in processing large amounts of hydrocarbons.
Process safety management programs are intended to mitigate but cannot completely
eliminate these risks.
Process safety management has many facets, including:

Designing plants for safe operation, including specific HAZOPs and safety reviews;
Sophisticated monitoring, control, interlock, and safety instrumented systems (SIS);
Proper maintenance, management of change, and periodic safety reviews;
Hiring and training of qualified supervisory, maintenance, and operating personnel;
Accurate, well-thought-out operating and maintenance procedures; and
Incident investigation and directed remedial actions.

However, in spite of the industrys best efforts, safety incidents occur.

Lummus Technology maintains a database of safety incidents in ethylene plants. The
incidents are taken from the literature, news reports, reports from specific plants, and
Lummus direct experience. The AIChE maintains a similar database(1). While many safety
incidents are unique, resulting from a one-time alignment of specific circumstances, many are
not. In reviewing the databases, there are incidents, near misses, and areas of concern that
stand out because they recur in similar form.
The most confounding are incidents that result from relatively routine operations that are
repeatedly performed, such as:
Heater light-off;
Heater switching into decoke or shutdown; and
Filter cleaning or other repetitive maintenance operations.
Many times these incidents are attributed to human error. As noted by others(2), this
may be an overly simplified explanation. Often the reaction to these incidents is increased
automation, control, alarming, and interlocking. When correctly applied and used, automated
systems can be a great aid in incident prevention or mitigation. However, the automated
system, when not properly configured or used, can be a cause or contributor to safety
incidents as well. The purpose of this paper is to discuss some specific incidents where the
automation system played a significant role.
Incidents can occur if the operators do not properly use or fully understand the control
system. Incidents can also result from faulty control system configuration or a lack of
understanding of the process by the control engineer. Too often, the automation system is

treated as somewhat of a black box. As such, it represents a gap in the knowledge of some
operators and engineers.
Various examples are used in this paper to illustrate situations in which the design,
configuration, and/or operation of a control system has contributed to or increased the
severity of a safety incident. The non-essential details of specific incidents have been modified
or removed to generate these examples to avoid identifying the specific plants where they
occurred. In some cases, these incidents have occurred in multiple plants and a composite
example was created to present the key principles and details.
To learn from safety incidents, they need to be thoroughly investigated and properly
understood. Assuring impartiality and accuracy are vital. In addition to describing several
safety incidents, this paper will take the reader through a fault tree analysis of one of the
incidents to depict how the root causes were determined.
Incident Investigation
The discussions of the safety incidents in this paper are the result of incident
investigations. Before describing the incidents themselves, a few words will be said about the
investigation process.
After an incident is reported, a diverse group should be assembled to conduct the
investigation. The group should include a process engineer familiar with the design, an
operator/engineer familiar with the specific plant operations involved, a process control
engineer, an instrument engineer, and a coordinator who has a wide range of
operations/design experience.
There are four basic steps in an incident investigation:
1. Recognizing that an incident has occurred
2. Gathering data
3. Analyzing the cause of the incident
4. Preparing the report
It is important to avoid pre-judging the incident or jumping to conclusions. Certain
structured techniques can be vital in avoiding this pitfall.
There are over 25 specific techniques listed in the literature(3) that might be relevant to
incidents in petrochemical plants. Basically, they are broken down into the following
categories:

Brainstorming
Timeline / sequence diagram
Causal factor identification
Checklists
Pre-defined trees
Logic trees

While many methods can be successful, the following stepwise approach appears to work
well for the type of incidents the industry deals with:

Brainstorming
Timeline / sequence diagram
Fault tree analysis
Final timeline / sequence diagram
Report and recommendations

A relatively simple incident (Incident 1) is analyzed below using this approach. The incident
resulted in a fire underneath a heater, which caused significant damage. Additionally, three
other incidents are described in less detail to demonstrate the role of the automation system in
plant safety incidents.

Incident 1- Improper Calibration of a Valve Leads to Quench Oil Fire

A simplified diagram of the heater is shown below:

Feed
BFW
Dilution
Steam
Steam

TCV
QO

TIC

TLV
Effluent

Decoke
Valve

Heater Process Diagram

The investigation starts with a combination of brainstorming and the preparation of a

timeline/ sequence diagram. The initial phase of brainstorming determines which of the
gathered data may be significant, what additional data may be required, and organizes the
timeline.
The timeline/sequence diagram for the incident is shown below:

15

20

26

Minutes

Incident 1 - Initial Timeline

The incident began with the observation of smoke from a heater stack and smoke in
the area of the TLE platform. The operator tried adjusting the damper but the smoke
continued. Assuming that there was a coil rupture or some other significant problem, the
feedstock was withdrawn from the heater in preparation for isolation and shutdown.
The board operator closed the temperature control valves that fed quench oil (QO) to
the heater quench nozzles. He then asked the field operator to close the QO block valve.
However, the field operator could not reach the local push button because of the smoky
conditions.
The QO flow still showed a low positive reading so the operator checked that the
control valve outputs were zero. The outputs were -5%, so he assumed the flow rate shown
was the result of a calibration error. He and his supervisor then decided to proceed with the
shutdown and isolation of the heater.

The main transferline valve (TLV) was normally interlocked with the QO block valve, but
because this interlock had caused issues on this heater due to valve positioner problems on
the TLV, it was disabled. The operator was therefore able to close the TLV with the QO valve
open, resulting in the opening of the decoke valve. A short period later the field operators
reported a fire under the heater. Recognizing the possibility that QO might still be flowing to
the fitting and then to grade through the firebox, the operator opened the TLV again.
Eventually the plant was shut down and the QO pumps were tripped.
A fault tree diagram was constructed for this incident, and is shown below.
FIRE UNDER
HEATER

POSITIVE FBX
PRESSURE

DAMPER
CLOSED

FAN STOPPED

LIQUID AT
GRADE

REDUCED FAN
SPEED

LEAK FROM
TANK

QUENCH OIL
LEAK TO GRADE

LIQUID FEED
LEAK

LIQUID FUEL TO
BURNER

LIQUID LEAK
INTO FUEL
SYSTEM

QUENCH OIL
AVAILABLE

HOLE IN PIPE

CORROSION

PATH TO FIRE

LEAK IN FLANGE

INVENTORY

QUENCH OIL ON

QUENCH OIL
TCV OPEN

QUENCH OIL
BLOCK VALVE
OPEN

MECHANICAL
DAMAGE

Fault Tree Diagram Incident 1

(page 1)

PUMP ON

CONTROL SYS
OPENS VALVE

APPEARS
CLOSED BUT IS
MISCALIBRATED

VALVE IS
DAMAGED

PATH TO
FIREBOX

EXTERNAL TUBE
LEAKS

A
RADIANT TUBE
RUPTURE

DECOKE LINE

DECOKE VALVE
OPEN

AGE

CGC TRIP

TLV + DECOKE
CLOSED

OVERHEAT

TLE TUBE LEAK

OVERPRESSURE

TLE TUBE
BLOCKED

TRIP

DV LEAK

THERMAL
SHOCK

RADIANT TUBE
BLOCKED

DS DRUM
OVERFLOWS
WATER TO
HEATER

Fault Tree Diagram Incident 1

(page 2)

TLE TUBE LEAK

The ultimate incident was a fire under the heater. This event therefore became the
starting point for the fault tree. The first step was to determine what type of fire occurred. The
seemingly obvious conclusion that the fire resulted from QO was initially discarded to ensure a
thorough investigation.
A fire observed under a heater could be a liquid fire or gas flames emanating from the
firebox as the result of positive pressure. The fire box pressure was slightly positive near the
top of the box, causing smoke to be emitted in the TLE area. However, substantial flames
from the heater bottom would require a full positive box. No induced draft (ID) fan or other
issues were detected. Based on this analysis and the operator descriptions, it was concluded
that the fire was caused by liquid under the heater.
Five causes for flammable liquid under the heater were considered. Three were quickly
discarded and only a quench oil leak and a liquid feed leak were pursued further. The feed
leak option was soon eliminated, leaving a QO leak as the most likely cause.
For a QO leak to have caused the observed fire, two things had to be true:
1. The quench would have to be on (pressurized); and
2. A path would need to exist for QO to reach grade under the heater.
For the QO to be on, all of the following had to be true:

At least one quench pump had to be running; and

The QO block valve had to be open; and

One or more QO temperature control valves (TCVs) had to pass QO.

Initially, the last item appeared to be false. QO would flow if any of the following were true:

The TCVs leaked because they had been eroded by coke fines in the QO; or

The control system had been switched back into automatic causing the TCVs to open;
or

The system was mis-calibrated so the valve was, in fact, open when the controller
output was zero or even less.

The last item was found to be true. The TCVs passed about 10% of the QO flow when
indicating closed as a result of a calibration error. The QO block valve had always been used
on previous shutdowns, so this had not been noticed earlier.

Having established that the QO was flowing, the next step was to determine a path to the
bottom of the heater. Following the fault tree branch marked path to fire leads to two
possible routes:
1. An external QO pipe rupture or leak; or
2. Through the firebox via a tube rupture or other route.
An external leak was considered using the same logic as the branch marked A under
liquid feed leak and discarded as a cause.
The QO could reach the firebox through a radiant tube rupture or via the decoking line. All
reasons for a radiant tube rupture were discarded except overpressure and thermal shock.
Overpressure and/or thermal shock were apparently the result of a TLE tube leak.
However, the other path (through the decoke valve) was also available later in the
incident. Based on the timing of the fire, the decoke valve was the actual path for the QO to
the firebox and ultimately to grade.

The final time line of the incident is shown below.

15

20

26

Minutes

Incident 1 Final Timeline

A leak occurred in a transferline exchanger (TLE) allowing boiler feed water (BFW) to
enter the inlet cone, placing back pressure on the furnace coils feeding that TLE. The higher

back pressure persisted for over a shift but went unnoticed by the operators. The leak
worsened, causing a furnace radiant tube to rupture as a result of back pressure and/or
thermal shock.
Hydrocarbon vapors back-flowed from the process into the firebox via the ruptured
tube, causing a smoky condition in the heater area. The vapor flow rate was, however,
insufficient to entrain QO, which continued to drain forward into the main transferline.
When the board operator closed the TLV, this automatically opened the decoking valve
leading to the firebox. The QO ignited in the firebox and flowed to grade.
The investigation showed that the QO valves were calibrated incorrectly, so while the
distributed control system (DCS) indicated that the valves were closed, they were not. If the
QO flow had been stopped, the damage would have been limited to the ruptured coil. The
pool fire that resulted from the backflow of QO caused much more significant damage.
The lessons learned or reinforced are:

QO and TLVs should have local and remote push buttons. The wiring should be suitably
fire resistant.
Assuming tight shut-off using only process valves is risky. Calibration errors, as in this
case, or erosion can allow substantial flow to continue.
Even when there is actually no flow, flow meters sometimes show readings. These false
readings should be investigated and fixed. False readings of any type can train
operators to ignore important information.
Actions normally prohibited by interlocks should not be undertaken even if the interlock
is temporarily out of service.

Experience with incident analysis at Lummus has shown that no method can replace
knowledge, experience, and thoroughness. However, structured methods can help even the
most expert teams stay organized and focused. Overall, incident investigation remains a
difficult task with no simple formula for success. At the risk of reducing a complex subject to a
list of simple key dos and donts, the following lessons learned are offered:

Do assemble an experienced multi-disciplined team. Analysis methods help but do not

replace expertise.

Do gather all sources of data.

Do explain all variations from normal. Declaring data as bad is too often a substitute
for thinking.

Do consider eyewitness observations but remember were all human. Everyones

observation during an incident and recollections afterward are colored by stress and self
interest.

Dont assume that all computer systems are time synchronized.

Do investigate all possibilities, even those that may seem remote at first.

Incident 2- Improper Tuning of a Controller Affects Safety Response

Modern, efficient cracking furnaces combust fuel in low-NOx hearth burners to provide
most or all of the energy required to crack the feedstock to high value products. One possible
configuration for controlling the fuel in a furnace with low-NOx hearth burners is shown below.

Heater
Firebox
ToPrimary
BurnerTips

FromAvg.COT
Controller
HeatDuty
Calculation
QY

SP

PV

QC

>
QY

FI
Fuel

AI

Note 2

Emergency
ShutoffValve

PC

Emergency
ShutoffValve

LowFuel
Pressure
Override
Controller

HeatDuty
Controller
Note 1

ToSecondary
BurnerTips

Control
Valve

Note 1: the fuel gas flow is compensated for temperature and pressure. If the AI is a molecular weight measurement, then the FI
Is also compensated for MW.
Note 2: The AI may be either a Wobbe meter or a molecular weight measurement.

Heater Fuel Gas Control System

The fired duty (which is a function of the fuel flow rate and the fuel heating value) is
adjusted to maintain the desired coil outlet temperature. The fuel control strategy includes a
low pressure override controller that is intended to prevent the fuel heat duty controller from
reducing the fuel pressure at the burner to a value that is less than the fuel pressure required
for flame stability.
The flow of fuel to the burners is split (after the low pressure override measurement)
between primary burner tips and secondary burner tips in order to stage the combustion of
the fuel to produce lower NOx emissions. Typically, the primary fuel represents approximately
1/3 of the total hearth fuel duty. (Note that some heaters also have wall burners that provide
additional duty.)

There is an emergency shutoff valve on the total hearth burner fuel, but there is also an
emergency shutoff valve on the secondary fuel line. This additional emergency shutoff valve
allows the heater to trip to a low-firing condition by closing secondary fuel. This partial trip
consists of:

Stopping feed; and

Lowering the heat duty set-point to the steam standby condition.

A partial trip occurs under certain circumstances to maintain the heater in a hot state for
a rapid restart.
This incident was initiated when the secondary fuel emergency shutoff valve shut due to a
malfunction. This lead to the following sequence of events:

The flow of fuel to the hearth burners decreased sharply.

The heater coil outlet temperatures (COTs) decreased due to the lower firing
rate, which caused the temperature controller to increase the set-point to the
heat duty controller.

The heat duty controller opened the fuel control valve.

As the output of the heat duty controller increased (in an attempt to increase the
fuel flow and maintain COT), the output of the low pressure override controller
tracked the increase. DCS signal selectors normally are configured with a
tracking feature (typically called external feedback) that forces the non-selected
controller output to track the output of the selected controller (see figure below).
This is done to prevent the non-selected controller output from "winding up or
down." Therefore, the non-selected controller is always able to respond quickly if
an override is required.

Heater Fuel Gas Control System Showing External Feedback

Upon seeing that the COTs were dropping while the heat duty controller output
was increasing, the operator mistakenly assumed that the firebox was starved
for oxygen and opened the ID fan damper.

The sudden increase in air from opening the damper caused a sudden increase
in air flow to the firebox, pushing hot gases from the firebox into the convection
section that increased the steam superheater outlet temperature. This caused
the high steam temperature interlock to initiate a partial trip sequence for the
heater.

Feed was stopped, the dilution steam flow went to high steam standby
conditions, and the set-point of the heat duty controller was reduced to partial
trip firing rate. When the heat duty set-point was changed dramatically from a
normal value to the low partial trip value, the heat duty controller output
decreased dramatically also. The output of the low fuel pressure override
controller, which had tracked up to a value of 100%, was selected by the
override selector.

The low fuel pressure override controller was incorrectly tuned very slowly with
very little integral action. As a result, its output remained near 100% and only
decreased slowly. Therefore, the heater continued firing at a rate that was far
too high for the partial trip conditions with no feed.

The heater coils overheated and one ruptured due to high temperature. Backflow of process gases from the transferline into the fire box provided even more
energy and then overheated the convection section. This resulted in significant
damage to the heater.

In this specific example, while the improper tuning of the low fuel pressure override
controller did not initiate the incident, the analysis showed that improper tuning of the
controller contributed to the severity of the event.
The lesson learned is that even something as seemingly innocuous as the tuning
constants of a controller can result in or contribute to a disaster if the full implications of the
control loop objectives and operation are not properly understood.
Lummus Technologys Plant Performance Improvement (PPI) Group has performed
numerous control system rectifications (i.e., controller retuning, configuration testing and
correction, etc.). Lummus has found override controllers to be improperly tuned, or improperly
configured (i.e., no external feedback leading to windup and slow override response), or
simply turned off. While most of these cases result in limited exposure to risk, as this example
illustrates, it is essential to operate the plant controls in the manner in which they were
intended to ensure that risk is minimized.

Incident 3- Operating Controller in Manual Mode Affects Safety Response

This example illustrates another case where the lack of full understanding of a different
aspect of the same heater-fuel-duty control strategy caused severe damage to heater
equipment.
The typical modern fuel control system uses a Wobbe Meter or molecular weight
analyzer to calculate the heat being released from the burners. The system then controls the
heat release based on a set-point from the temperature controller (TIC) on the coil outlets. If
the fuel composition changes, the analyzer senses this change, and a rapid adjustment is
made to fuel pressure to maintain the correct heat duty input. The control system is the same
as shown in the previous example.
The fuel gas firing control system is either based on a Wobbe Meter or molecular
weight measurement. The COTs of all coils are averaged and compared to a set-point by the
TIC controller. This controller then provides a set-point to the heat duty controller (QIC). This
set-point is compared to the current process variable (PV) value of the heat duty. The QIC
then manipulates the fuel valve to increase or decrease fuel flow as required to match the PV
to the set-point. If the QIC requests a pressure that is lower than the minimum allowable
value for stable burner operation, then the override PIC takes over control of the fuel valve
and maintains operation at the minimum allowable pressure.
A Wobbe Index or the molecular weight measurement, together with the fuel flow, is
used to calculate the current PV of the heat duty.

This incident was initiated when a furnace was in high steam standby mode and an
operator was trying to increase the COT prior to bringing in the hydrocarbon feed. The
operator adjusted the fuel control valve in manual mode to try to speed up the procedure.
During this operation, there was an unrelated upset in the plant. A low temperature safety
system at the coldbox outlet tripped and flared the plant-produced fuel, which caused a high
molecular weight back-up fuel to replace the normal fuel gas.
Higher molecular weight fuels have higher heating values. Since the fuel valve was in
manual mode, the valve opening remained constant thus letting in the same volume of fuel,
resulting in a higher mass flow for the back-up fuel gas. The combination of these effects
resulted in almost tripling the firing rate. At the same time, the operators were now distracted
by a plant-wide upset.
The heater operator reduced the fuel valve output. However, since he was not fully
aware of the coldbox upset, distracted by upsets in other furnaces, and did not know that the
plant was now on 100% back-up fuel, he did not reduce the firing rapidly enough. In
addition, when the back-up fuel entered the furnace, there was not sufficient air to burn all
the fuel and we suspect that the operators saw smoke. At that point, it appears (the data are
incomplete) that he opened the damper and the COT started increasing very rapidly. The
furnace over-fired for about 10 minutes. Both the radiant coil and convection section were
damaged. No injuries occurred.
Manual operation of the fuel gas valve is particularly dangerous during any steam-only
operation. During steam standby or decoking operation, the furnace is operating with high
excess air due to limitations in turndown of the control dampers. At this time, there is
generally enough excess air to burn substantially more fuel than required and there is no
hydrocarbon in the coil to absorb the additional heat input by cracking. However, manual
operation of the fuel gas valve is also dangerous during normal operation. In this case, there is
typically insufficient air to ignite all the fuel in the burners. Unburned fuel may ignite in the
convection section where there is air leakage, resulting in locally intense temperatures.
The graphs below provide an accounting of the sequence of events:

2500

-2
2000

-4
1500
Firing NM3

-6
Draft

1000
-8

500
-10

-12
0

10

15

20

25

Incident 3- Graph of Firing and Draft

36

1300

34

1200

32

1100

30

1000

MW

28

900

COT

26

800

24

700

22

600

20

500
0

10

15

20

25

Incident 3- Graph of Fuel MW and COT

The lessons learned are:

The furnace should be operated with the Wobbe Meter or molecular weight analyzer as
an active part of the control system.
When it is absolutely necessary for the operator to take direct control of the furnace
firing, this should be done by breaking the TIC to heat duty controller (QIC) cascade
and inputting a set-point into the QIC. Should the fuel composition change, the control
system will attempt to maintain the heat input specified by the operator.
The one exception to the recommendation above would occur when the firing rate is
below the acceptable turndown for the fuel flow measurement (i.e., the fuel flow
measurement is not reliable). In this case, the fuel should be controlled on pressure (to
protect against fluctuations in fuel gas pressure and non-linearity of the fuel gas valve)
and the operator should closely monitor the fuel heating value measurement.

An alarm should be provided to indicate when the back-up fuel has begun to flow and
the operators should be trained to understand all the potential issues.

Incident 4 Unrecognized Error in Level Reading Leads to Equipment Damage

The final example shifts the focus to the recovery section of the plant. This example
highlights that something as simple as misunderstanding a level indication can lead to
significant risk or even damage to the plant.
The level indicator/controller of a tower is most often a pressure differential type. The
pressure is sensed at two points (top tap above the highest operating liquid level and bottom
tap below the lowest operating liquid level). The weight of the liquid in between will cause the
pressure at the bottom tap to be slightly higher than that at the top tap. The difference in
pressure is used to estimate the liquid level.

Tower with Level Indicator

Once the liquid level reaches the top tap, the level instrument will not register any
further rise in level. As the level rises above the top tap, the increase in pressure caused by
the weight of the liquid will cause the pressure at the top and bottom tap to rise by the same
amount. The differential pressure will not change and the instrument will interpret this as no

change in level. Therefore, the instrument will maintain a constant reading while the vessel is
actually over-filling. This is illustrated in the diagram below.

Incident 4- Level Indication/ Actual Level

(Note the dashed line is the actual level, the solid line is the level indicator reading)

The reading that will be displayed will depend on the calibration of the level indicator.
For example, assume that the level was calibrated to read 100% when the top tap was
reached based on a liquid specific gravity of 0.5. If the actual liquid gravity were 0.45, the
level would read 90% when the level reached the top tap. If the level continued to rise, the
reading would remain essentially constant at 90%. This is depicted in the figure above. Note
that some drift is possible (see explanation below). If the actual liquid had a higher specific
gravity than the calibration basis of the level indicator, the reading would exceed 100%.

If the density of the liquid between the taps changes as the result of heating or cooling,
the level reading would rise or drop in response. These changes would normally be small but
could be interpreted by the operator as the level indicator functioning normally.
The following diagram illustrates a simulated trend display for a level measurement
that exceeds its top measurement tap. The telltale sign of this condition is the abrupt change
in slope of the line from horizontal to nearly vertical as the level passes the top tap. In reality,
the level is changing according to the red line, but the DCS is only capable of displaying the
blue line. This can be misleading for the operators. If you have observed a level trend that
looks similar to the blue line, it is likely that you may have a level that has exceeded its top
tap. If the trend remains horizontal and near its high end of range for a long period of time,
then this would indicate that the true level might be significantly higher than you think.
Operating levels well beyond their intended limits can lead to safety issues.

120

110

Level (%)

100

90

80

70

60

63

61

59

57

55

53

51

49

47

45

43

41

39

37

35

33

31

29

27

25

23

21

19

17

15

13

11

50

Time (minutes)
Displayed

Actual

Level Indication When Level Exceeds Top Measurement Tap

An over-filling incident occurred in an ethylene plant during start up of a tower due to

this type of level measurement effect. Although the safety system prevented any equipment
damage or injuries, there was the potential for a significant problem.
In this incident, the operators fed the tower at rates between 40 and 70% of normal
but failed to start the bottoms pump in a timely manner. The liquid fed to the tower exceeded
the product draw-off rate by a significant amount for two hours, while the operators struggled
to get the tower on specification. As a result, the tower was completely filled with a two-phase
mixture and liquid was entrained overhead. During this period, the level indicator varied
slightly around 94% and the operator believed that the sump liquid level was not rising.

The combination of added mass flow overhead and the two-phase flow resulted in
back-pressure on the tower that caused the PSVs to lift. No equipment damage or injuries
occurred.
High liquid levels have occurred in many ethylene plant towers as a result of similar
phenomena. While most were non-events, a few have resulted in tray damage.
CONCLUSION
Hundreds of incidents have been analyzed and much data amassed on causes and
prevention. Experts in the field have offered substantive advice on prevention of incidents. The
role of the process control systems have not been emphasized enough in the literature. The
purpose of this paper is to show the importance of a full understanding of the various control
systems by the plant engineers and operators as well as the need to use a structured
approach to incident analysis.

Notes:
1. C. MacKenzie and D. Hohnstrom, Investigating Beyond the Human Machinery A Closer Look at
True Accident Causation in High Hazard Industries, AIChE EPC April, 2008
2. D. Gent, Reflections on 20 Years of EPC Safety, AIChE EPC April, 2008
3. Guideline for Investigating Chemical Process Incidents, Second Edition, CCPS (Center for
Chemical Process Safety), copyright 2003