You are on page 1of 10

IBP1102_12 Let Us Prevent the Next Explosion in Hazardous Environments Jogen Bhalla

Copyright 2012, Brazilian Petroleum, Gas and Biofuels Institute - IBP

This Technical Paper was prepared for presentation at the Rio Oi & Gas Expo and Conference 2012, held between September, 1720, 2012, in Rio de Janeiro. This Technical Paper was selected for presentation by the Technical Committee of the event according to the information contained in the final paper submitted by the author(s). The organizers are not supposed to translate or correct the submitted papers. The material as it is presented, does not necessarily represent Brazilian Petroleum, Gas and Biofuels Institute opinion, or that of its Members or Representatives. Authors consent to the publication of this Technical Paper in the Rio Oil & Gas Expo and Conference 2012 Proceedings.

There are many potential ignition sources in the oil and gas industry (drilling, petrochemical, refining and production). Some of them are hot work, internal combustion engines, improperly classified or maintained electrical equipment, lighting, and adjacent fire equipment. These are typically controlled using measures such as hot work permits for: - Welding/burning - Hot work or vehicle entry permit requirements to operate engines inside posted areas - Proper electrical classification along with maintenance programs - Programs/practices to prevent and detect releases of flammable materials A large number of diesel engines (in vehicles, lighting towers, power generators and other equipment) are used in the oil and gas industry for day-to-day operations. Diesel engine runaway is a serious hazard where flammable hydrocarbon emissions or leaks may occur. Hydrocarbons drawn into diesel engines through the air intake system act as an uncontrolled fuel source and can lead to dangerous engine overspeed or runaway. When an operator cannot shut down the engine using conventional methods (i.e. turning off the engine ignition switch) it could result in a total runaway engine. These could range from minor engine damage to engine and plant explosion, causing catastrophic damage to the equipment and surrounding facilities and/or death or injuries, such as the Texas City refinery and Deepwater Horizon explosions. Fortunately, there is simple, inexpensive technology available which can prevent a diesel engine runaway. The paper is presented to increase awareness and lessons learned from many accidents involving runaway diesel engines. The author will present what companies are doing around the world to avoid diesel engine runaway as an ignition source for explosions in the hydrocarbon industry.

Vice-president Amot Controls Corporation

Rio Oil & Gas Expo and Conference 2012

1. Introduction
High levels of uncertainty require larger margins of safety. The potential combinations of fuel-hydrocarbons, oxygen-air, and energy-ignition are highly complex; making exact predictions of what is safe and unsafe, difficult and often impractical. The science needed to prove conclusively if combinations near explosive limits will be safe is not yet available. The elimination of ignition sources is a well-known strategy to protect people, investments and the environment from fire and explosions because without the energy to ignite flammable gases, a hydrocarbon release (HCR) incident is far less likely to develop into a catastrophic failure situation. This is not to say that ignition source elimination strategies should act alone. Indeed, elimination of ignition sources must form part of an overall safety strategy. The elimination of the energy (ignition source) can avoid a serious hydrocarbon release becoming a fire and explosion. The oil and gas and refining industry has experienced a significant increase in vapor cloud explosions within the last five years. These explosions have resulted in a large number of fatalities and environmental damage. The BP Texas City refinery and Macondo Well/Deepwater Horizon incidents clearly demonstrate the risks associated with runaway diesel engines operating in hazardous environments. With the Shale gas drilling activity at all-time high, the risk of an unprotected diesel engine runaway causing fire and explosion is real and must be addressed. The intent of this paper is to raise awareness within the industries processing hydrocarbons about: The potential fire and explosion hazards associated with runaway diesel engines The time it takes for an overspeed condition to occur after initial vapor release Safe work practices operators should follow when operating diesel engines in hazardous areas Risk to oil and gas companies when they allow unprotected diesel engines into their facilities The responsibility of all employers to properly train employees and contractors on the safe operation of diesel engines. Oil, gas and petrochemical companies which handle, or are exposed to hydrocarbons or other combustible gases, should systematically identify hazards related to possible releases to the atmosphere of these materials. The results of the hazard identification process should be used to evaluate the consequences of hazardous events and to determine appropriate risk reduction. Risk reduction measures should focus on: Preventing incidents (i.e., reducing the probability of occurrence) Controlling incidents (i.e., limiting the extent and duration of a hazardous event) Mitigating the effects (i.e., reducing the consequences)

2. Risk = Probability x Consequence

The industry believes that the probability of a runaway diesel engine is low and as such allows unprotected diesel engines in hazardous areas. The unexpected hydrocarbon release around a well bore, shale gas drilling, vacuuming operation is quite common and as such the probability is not that low. Assuming the probability is low, the consequences as reported on the BP Texas City and Mocando Well/ Deepwater Horizon explosions were of the highest magnitude experienced by the industry in this century. Therefore, the probability may be low but the overall risk is very high. Major engine manufacturers recognize the risk associated with the runaway diesel engine and are now working with the safety system companies to integrate the solution with their engines. However, large numbers of existing stationary, vehicular and mobile engines in the oil and gas industry around the world are not protected. This presents significant risk for serious injuries and fatalities.

Rio Oil & Gas Expo and Conference 2012

Figure 1 - Tank farm explosion involving a runaway truck.

Figure 2 - Tank farm explosion involving a runaway truck.

3. Understanding the Hazard

As refineries age and the oil and shale gas activity rises, the probability of a sudden hydrocarbon release increases substantially. Over time, refineries will require upgrades and expansions. This will require a large number of contractors and diesel engines to perform the work. The use of unprotected engines by employers and contractors will continue to increase the risk of fire, explosions, and fatalities. The majority of the drilling and refining support operations are subcontracted to various companies. In these situations, safety may become compromised. New drilling technologies have enough risks of their own without the added unpredictability of human error.

4. Release Causes
The following are common causes of releases and leaks that can contribute to a diesel engine overspeed condition: Hazardous area maintenance work Leaking control or safety relief valves Equipment failure Gasket failure/flange leak Operator errors Pump seal/valve packing/fittings leak Overpressuring process equipment Sight glass blowout Natural disaster (e.g., earthquake) Electrical problem Holes due to corrosion Gas and oil well blowouts Plant start-up/shutdown Instrument calibration and deviation Process upset Metal fatigue Power dip or interruption Leaking/broken lines/pipes/fittings 3

Rio Oil & Gas Expo and Conference 2012

5. Runaway Diesel Engine

A runaway can be described as an engine running out of control on an external fuel source where the operator cannot shut down the engine using conventional methods. During this condition, turning off the engine ignition switch, fuel system, shutting off the solenoid or disengaging the engine's load will not stop a diesel engine. An automatic diesel engine overspeed protection system installed in the engine's intake system is the most effective method of eliminating this ignition source. Diesel engine speed is governed by the controlled amount of fuel fed to the engine through its normal fuel system and by its internal speed governor. When additional uncontrolled fuel is present in the environment, in the form of combustible vapors, the engine may ingest this uncontrolled fuel causing the engine to overspeed. If the engine draws in a flammable vapor, the engine is likely to backfire through the intake system. Turning off the normal shutdown system will only turn off the engine's normal fuel source, permitting the engine to run uncontrolled on the external fuel source. In a total runaway engine situation, the result can range from minor engine damage to engine explosion, causing catastrophic damage to the equipment and surrounding facilities and deaths or injuries to personnel.

Figure 3 Typical air intake system, 4 cycle diesel engine.

6. High Risk Diesel Engines

Diesel engine powered equipment is required to perform many operations in oil and gas production and refining facilities. These engines listed below must be protected to prevent runaway conditions caused by unexpected hydrocarbon releases and leaks: Stationary diesel engines: gas compressor engines, generator sets, pump stations. Mobile equipment: forklifts, cranes, well servicing equipment, drilling rigs, drilling support equipment, backhoes, wheel loaders, excavators, skid steer loaders, portable generator sets, pump systems, trenchers, compaction equipment, light towers, welding trucks, straddle carriers, aerial work platforms, industrial lift trucks and other like equipment. Emergency response vehicles: fire engines, ambulances. Vehicle mounted engines: pick-up trucks, trash haulers, vacuum trucks, environmental cleaning trucks, tankers, product haulers, pump systems.

7. Area Classification and Diesel Engine Risk

Area classification is a method of analyzing and classifying the environment where explosive gas atmospheres may occur. The main purpose is to facilitate the proper selection and installation of equipment to be used safely in that environment, taking into account the properties of the flammable materials that may be present.

Rio Oil & Gas Expo and Conference 2012 Hazardous areas are classified into zones based on an assessment of the frequency of the occurrence and duration of an explosive gas atmosphere. Diesel engine should be protected for Zone 1 and Zone 2 areas.

Figure 4 - BP Texas City, BLSR and off-shore diesel engine explosions

8. Safe Distance
The global standards are based on technical studies that include gas dispersion modeling under different atmospheric conditions, surface roughness, wind speed, release hole location and size, wind speed and land topography. When you want to define a safety distance between a well bore and equipment, it is necessary to consider the worst case scenario where you evaluate the catastrophic failure, along with a more realistic or less severe scenario, that may occur more frequently. For instance, when a release occurs where the sun cannot heat the ground as fast as the ground cools, the mechanical turbulence by wind is suppressed by the influence from the buoyancy, which occasionally occurs during night time. This may lead to a worst case scenario even without the catastrophic failure. A good example of this was the Buncefield explosion where the atmosphere conditions were stable for the hydrocarbon vapors to disperse into the atmosphere, but rather started to propagate in ground level, causing worst consequences. All engines operating within 100 feet of the well bore or process area must be protected to prevent fire and explosion.

9. Choosing Appropriate Control Methods

Traffic management and control is the first step that can significantly reduce the risk of runaway diesel engine. Vehicle entry into areas where flammables are handled is not tightly enforced at some plants. Once vehicles are inside the gate, there is often no control of where they go; therefore they may be in the wrong place at the wrong time (i.e., downwind and within the flammable cloud). Even if a flammable leak is detected promptly, not everyone with a vehicle may follow the engine safety procedures (e.g., turn off engine if not in the vehicle, turn off engine if emergency alarm sounds). Refining and other large petrochemical facilities can incorporate advanced RFID technology to secure transportation access to secure facilities. This low-cost technology can provide: Mobile and vehicular diesel identification and access control Safety equipment installation verification Personnel and visitor identification and access control Delay/denial of access to vehicles without safety equipment Ability to control the gates during any vapor cloud release

In addition, based on the Center for Chemical Process Safety, AIChE - Process Safety Beacon, October 2009 Safety Alert, the following steps can minimize or eliminate the safety risks associated with runaway diesel engines: 5

Rio Oil & Gas Expo and Conference 2012 Never drive into an area where you suspect there might be a flammable vapor cloud. Protect equipment driven by an internal combustion engine as this can also act as an ignition source. Such equipment might include mobile or portable generators, air compressors, engine driven pumps, and lawn mowers. Educate personnel that the normal engine shutoff methods will not work as long as flammable vapor continues to enter the intake system. Install an automatic overspeed shutdown system on stationary, mobile and vehicular diesel engines operating in hazardous environment. This system detects the speed and activates the shutdown system as the engine speed level reaches an unsafe limit. Train site security personnel that control access to applicable facilities or areas. Inspect applicable engines for an automatic overspeed protection device prior to entering the facility. Educate employees, contractors and other users on how to properly maintain a diesel engine overspeed protection device.

Do not allow unprotected diesel engines into the facility.

10. Recommended Control Methods by Diesel Engine Manufacturers and Experts

Most diesel engine manufacturers and dealers offer shutdown devices on their engines as standard and/or optional equipment. Check with your engine manufacturer for specific details. For after-market engines, air intake shutdown system manufacturers can provide magnetic pick-up speed sensors, speed switch and air intake shutdown valves along with a complete installation kit for each engine type. The installation kit can save many design, engineering and installation hours, as well as eliminate errors. As shown in Figure 5, an automatic overspeed system detects the RPM velocity of an engine and activates the shutdown system as the RPM level reaches an unsafe limit. This action eliminates the diesel engine as an ignition source and limits the workers exposure to the hazardous environment. Automatic systems are available in the following configurations: Automatic electric overspeed detection shutdown system with manual override; Automatic electric to pneumatic overspeed shutdown system with manual and override; Automatic hydro-mechanical overspeed shutdown system with manual override.

Figure 5 - Automatic overspeed shutdown system with manual override Manual systems are available in: Manual electric overspeed shutdown systems Manual electric to pneumatic shutdown systems Pneumatic manual shutdown systems 6

Rio Oil & Gas Expo and Conference 2012 Cable operated shutdown systems

Manual systems as shown in Figure 6, are typically installed on smaller, vehicular or portable engines where an operator is continually present to activate the toggle switch or pull the cable handle to shutoff the air to the engine.

Figure 6. Manual Electric to Pneumatic Shutdown System

11. Industry Recommended Practices

API, ISO, Canadian, British and other international standards recommend installing a field proven overspeed protection system for all diesel engines that are at high risk of ingesting flammables in order to prevent a diesel engine from becoming an ignition source. An overspeed shutdown system and a dry cyclone certified spark arrestor should be provided on all internal combustion engine exhausts operating within 23 meters of the well bore or oil and gas well drilling and servicing operations. Following API area classification guidelines, it is recommended that any diesel engine operating within 7.6 meters (25 feet) of Class I, Division 2, electrically classified areas in refineries, petrochemical, or similar facilities should be equipped with an overspeed protection system and a spark arrestor. The intended function of a flame trap fitted to the exhaust system of a diesel engine is to extinguish flames before they are discharged from the open end of the exhaust system or to the atmosphere. Although there is no evidence to suggest that flames are discharged from the exhaust system of normally running engines, flames may be present if the engine ingests flammable gas or if abnormal combustion conditions exist. The case for fitting the exhaust system flame traps is therefore based on the possibility of flames being discharged if the engine ingests flammable gases. The main drawback to exhaust flame traps is that they are very susceptible to carbon blockage, which if not rectified leads to engine power loss and overheating. A typical plate type flame trap may require cleaning after less than 24 hours of operating time. In addition, flame traps are expensive and vulnerable to damage. Under special circumstances, flame traps may be fitted as additional precautionary measures. In all cases where exhaust system flame traps are fitted, cleaning intervals must be clearly established and cleaning made mandatory. In addition to air intake shutdown systems, consideration should be given to explosion protection kits for mechanical and electronically controlled engines. Typically, these engines are used to drive equipment such as wireline units, nitrogen units, coiled tubing units, cement or fire water pumps working in Zone 2 areas in the oil and gas industry. These protected engines will prevent the ignition of gas or vapor by cooling the engine skin temperature, eliminating sparking components and preventing overspeed conditions. 7

Rio Oil & Gas Expo and Conference 2012

Figure 7 - Spark Arrestors, Flame Arrestors, Flameproof Alternators

12. Current U.S. and International Standards

Many regulations and standards have been enacted with respect to diesel engine overspeed protection. Some of these are: MMS: 30 CFR 250.510, 250.610, and 250.803(b)(5)(ii) for off-shore diesel engines MSHA: Regulation 30 CFR 36, Para V (E) 1985 OSHA 2007 Petroleum Refinery Process Safety Management National Emphasis Program-Page A-53 Motorized Equipment NFPA 37 - Installation and Use of Stationary Combustion Engines and Gas Turbines API Recommended Practice 54 - Occupational Safety for Oil and Gas Well Drilling and Servicing Operations API Publication RP 2001 section 4.2.10 Cal OSHA State of California, subchapter 14 - Petroleum Safety Orders - Drilling and Production Article 35 Drilling and Well-Servicing Machinery and Equipment Subchapter 15. Petroleum Safety Orders - Refining, Transportation6874. Stationary Internal Combustion Engines U.S. Coast Guard - 58.1015 ISO3046-6;1990 European - EEMUA-107 "Recommendation for diesel engine operating in potentially flammable atmosphere" require the use of air intake shutdown valve with flame arrestor

US Nuclear Regulatory Commission

13. Gaps in Current Standards

Canada and Europe implemented comprehensive diesel engine safety standards and as a result, have essentially eliminated the hazards associated with runaway diesel engines. API Drilling and Production recommended practices (RP) and Fire Protection in Refineries standards must not be viewed just as recommendations, but sound safety practices that must be followed and implemented to prevent fatalities, fire and explosions. Process Safety Management (PSM) standards are administrative controls which address hazards through the development and application of suitable work systems and processes. Administrative controls require human 8

Rio Oil & Gas Expo and Conference 2012 intervention at every step. Refineries, gas production facilities and petrochemical facilities should not depend solely on PSM standards to prevent runaway diesel engine incidents. Why? A runaway diesel engine, depending upon the richness of the environment, can explode in less than 60 seconds. Engine runaway can occur at any time and the gas cloud would typically reach the running engine in the area before the gas detector and will speed up the engine. If the engines air intake is not closed quickly, it could result in a valve bounce causing flames, spark, and ignition air and gas mixture travels through the intake. As the environment gains saturation and approaches the flammable limits, the engine runs faster and gets to the valve float / runaway condition sooner and explodes. When it explodes, the plume of flame ignites the air resulting in detonation. In case of a sudden hydrocarbon release, the goal is to protect workers and operators. In many documented cases, workers were severely injured or killed while trying to manually shut down diesel powered equipment or vehicles. The human instinct is for the operator or worker to use manual methods (clothing, books, piece of wood) to try to block the air intake to stop a diesel engine from overspeeding. This is very dangerous and is not an acceptable practice to control ignition sources in an oil and gas facility. Recent incidents confirm that the current PSM standards and Hot Work Permit programs by themselves cannot prevent runaway diesel engine explosion.

14. Hot Work Permit Program

Although many refineries and petrochemical plants control the use of diesel and gas engines into or adjacent to processes with Hot Work Permits, most permits only require continuous standby and gas monitoring when welding or burning is occurring. Vehicle entry generally requires an initial check for flammable gases, and periodic re-checks if the vehicle stays in the area (e.g., crane operation). These practices do not detect flammable releases or shut down the vehicle engines to avoid being the potential ignition source. 1. Assuming, that all steps required for checking the presence of flammable gases and vapors are completed, and a Hot Work Permit is issued to complete the work, the following scenario is the result:A vacuum truck, crane, lighting tower or welding machine is allowed to enter the oil and gas facility 2. A sudden gas leak caused by a ruptured disc or broken line at the facility creates a vapor cloud that moves with the air 3. The gas detector detects the vapor in the atmosphere once the percent exceeds the pre-set lower explosive limit 4. The gas detector reacts and sounds an alarm 5. An operator hears the alarm, stops his job and decides what to do next 6. If the operator or contractor is close to the engine and sees it running (e.g., a crane), they may try to turn it off when the alarm sounds 7. The operator climbs up the crane or the vacuum truck looking for the controls 8. The operator finds the fuel control and turns it off 9. The engine does not stop - it is consuming the same gas leak cloud and is running on compression ignition of the mixture 10. The engine overspeeds and puts a flame through the exhaust 11. The flame results in explosion of the gas and operator injury or death 12. The explosion spreads to the whole refinery resulting in additional fatalities - creating economic and environmental damage In reality, the operator or the contractor will not go to the engine (at point 6) and will run the other way and (if lucky) save himself, but the runaway and explosion would still happen, hurting other people. With several engines, working simultaneously, there could be several points of ignition. Considering that a runaway diesel engine can explode within seconds, there is a high probability that the operator would be killed. Recent accidents validate this scenario.

15. Gas Detection

There are rarely enough detectors installed to pick up all possible flammable material releases. The detectors take some time to detect a leak (up to 1 minute for some types), and it is likely to take 5-10 minutes once a detector alarms before operators verify there is a release and begin to take action to stop it. By this time, the flammable release will have already reached ignition sources (such as diesel engines) in the vicinity. A running diesel engine may be the 9

Rio Oil & Gas Expo and Conference 2012 first gas detector to sense the leak. Moreover, there is rarely enough confidence in gas detectors to allow them to automatically take any action. If a diesel engine is equipped with an overspeed shutdown valve, the engine will be shut down as soon as the engine crosses the safe speed limit preventing explosion.

16. Lessons Learned

Based on the Texas City Refinery and Macondo Well Deepwater Horizon Explosion investigations and hearings, there are numerous diesel engine safety related issues that must be addressed. These include: 1. Rig power emergency shutdown devices should have actuation mechanisms checked no less than once a week to determine that they are in proper working condition 2. All the other internal combustion engine air intake shutdown devices should have actuation mechanisms checked no less than once each thirty (30) days. 3. A field proven overspeed protection system with proper installation kits for diesel engines in vehicles and mobile equipment should be used to prevent a diesel engine from becoming an ignition source. 4. Any diesel engine operating in or adjacent to a unit containing flammable liquids/gases under a hot work or similar permit should be equipped with an overspeed protection system. 5. Ensure that employees and contractors shut off their diesel engines when not in use. 6. Industry should not allow gasoline engines in hazardous areas (as they cannot be protected like diesel engines). 7. Provide adequate training on safe operation of diesel engines 8. Enforce company guidelines on operating diesel engines in hazardous areas on employees and contractors In summary, diesel engines come in a variety of design configurations and fuel schemes but handle air the same way for combustion. Every diesel engine has the potential to overspeed when in the presence of hydrocarbon vapors. This fact, along with the previously mentioned contributors, prove that providing effective combustion air control is the only way to prevent diesel engine overspeed.

The Runaway Diesel-a side by side comparison-by C. Ferrone, Charles Sinkovits; Triodyne Inc. Center for Chemical Process Safety, AIChE-Process Safety Beacon, October 2009 James Thompson-ABS Consulting-Controlling Ignition Sources Dr. Sam Mannan-Mary OConnor Process Safety Center-Texas A&M Professor Trevor Kletz- Fellow of the Royal Academy of Engineering, the Royal Society of Chemistry, the Institution of Chemical Engineers, and the American Institute of Chemical Engineers.