exida ®

The Longford Gas Plant Explosion;

Could Alarm Management Have
Prevented this Accident?

By Edward M. Marszal, Principal Engineer, Exida

Introduction
The purpose of a well designed alarm system is to inform a plant operator that a
situation has occurred which needs his attention, with sufficient time to allow him
to perform corrective action. The advent of computer-based control systems -
which allow a virtually infinite number of alarms to be presented to operators at
very little incremental cost per alarm - has (in some cases) actually made
operator response more difficult than older systems with hard-wired
annunciators. The problems generated by the unmanageably large amount of
unnecessary and redundant alarms lead operators to develop their own rules to
deal with these “alarm floods”, in some cases ignoring alarms that they perceive
to be unnecessary. Unfortunately, ignoring some of these alarms might result in
severe consequences.

In the case of the Longford gas plant, experts concluded that some alarms were
routinely ignored by operators because their activation had not previously
resulted in any adverse impact. In addition, some analysts suggest that
operators were not aware of the proper response to these alarms, or the ultimate
consequence that could occur if the situation that generated the alarm was
severe.

In order to ensure that an operator’s job is manageable, it is important to manage

a plant’s alarm system so that every alarm is important, prioritized, recognizable,
and the proper response to the alarm is documented and included in operator
training. These are some of the cornerstones of the Exida Alarm Management
Solution™.

The Incident
The information presented here is derived from a detailed description of the
event contain in the text Lessons from Longford – The Esso Gas Plant Explosion,
by Andrew Hopkins (2000: CCH Australia Limited). The reader is encouraged to
review this material for numerous insights and lessons learned that are outside
the scope of alarm management.

The Longford site processes oil and gas which comes ashore from the Bass
Straits. The gas plant in question processed gas by removing water,
condensate, and hydrogen sulfide. In addition, the plant removed some
condensable liquid by using a refrigerated lean oil absorption process.

1
Figure 1 shows the process components that are relevant to this discussion.

Figure 1 – Longford Lean Oil Absorption Process (Partial)

Gas (Post Absorption)

GP 905 Reboiler

Cold Lean Oil In

Other
Processing Hot Lean Oil
Equipment

Cold Lean Oil

Other Processing Equipment

Other Processing Equipment

Rich Oil Out

Condensate Out

On the night prior to the incident, there was a larger than usual flow of liquids,
including condensate, into the plant. As a result, the level of condensate in the
absorber (shown in figure 1) steadily built up. For reasons that are described by
Hopkins, the level of condensate was not brought down, and liquids exceeded
the level measurement at the bottom of the columns (measurement of greater
than 100%). Eventually, the condensate level become so high that it started
flowing into the rich oil draw tray, and out with the rich oil stream. This caused
the rich oil stream to become much colder than usual.

2
Two of the heat exchangers processing the rich oil became extremely cold, as
evidenced by a frost occurring on the outside of the exchanger and pipework.
Eventually, operators were able to restart pumps feeding hot oil to these
exchangers. Because the exchangers had been subject to temperatures below
their Ductile-Brittle Transition Temperature (DBTT), this resulted in fracturing and
catastrophic failure of one of the heat exchangers. The rapid and sudden rise
and temperature produced stresses that exceeded the vessel’s degraded
mechanical integrity limits.

While there are a large number of factors that contributed to this accident,
Hopkins concludes that one key item is that the high level alarm on the
condensate level in the absorber was essentially ignored by operations. In fact,
evidence suggested that this was not the first time that this alarm was present for
very long periods of time with no action being taken that brought the absorber
level back down below the alarm limit. In the terminology of alarm management
this is a standing alarm, which is an indicator that either an alarm is unnecessary
or a design problem exists that prevents the equipment from being used
effectively in the current operating environment.

Alarm System Problems

As discussed previously, modern alarm systems have great capabilities.
Unfortunately, poor design practices have resulted in a large number of
unnecessary alarms that make a process plant very difficult to manage during a
major process upset. Some of the problems that Exida has identified in alarm
systems include.

• Alarm Floods

• Nuisance Alarms

• Chattering Alarms

• Standing Alarms

• Correlated Alarms

• Disabled Alarms

All of these issues can be identified and corrected by employing a sound alarm
management system that begins by prioritizing each alarm in order to establish
how it will be used, including the proper operator response, and then progresses
to statistical analysis of actual performance on a regular basis to determine if
there are any additional alarm issues. This analysis will yield opportunities to
improve operability and safety of the plant by eliminating the issues shown above
and improving operator performance.

3
In the case of Longford, a statistical analysis of alarm activation might have
detected standing alarms. Each of these standing alarms could then have been
explored by engineers who are very familiar with the process and its hazards.
Exida’s Alarm Management Solution™ provides a framework to analyze alarm
issues; including standing alarms where the ultimate consequence could be
hazardous. In the case of Longford, the ultimate consequence of overfilling the
absorber bottoms was dangerously cold temperatures in downstream equipment.
Exida’s Alarm Management Solution™ allows engineers to develop action plans
that improve the operability of the plant so that routine alarms do not occur, and
when they occur they are dealt with appropriately.

Conclusion
Alarm systems can be a very effective means of safeguarding a process against
unwanted accidents and also a tool for improving plant efficiency. Unfortunately,
the ease with which large numbers of alarms can be generated in modern control
systems has lead to large and unmanageable floods of alarms of questionable
importance. Analysis of alarm system operation, when done properly can identify
problems in both alarm system design and process design. These design
problems can then be addressed by a plants continual improvement process to
lead to a safer and more efficient plant.

4
How Exida Can Help
Exida can help prevent both catastrophic incidents, like the one described here,
and the large amount of frequent and small upsets that routinely occur in process
plants by implementing our
Start Alarm Management
Solution™. This set of
services follows our Alarm
Management Lifecycle™,
Procedure for Alarm which is shown here.
Prioritization
This process includes
development of site specific
Conduct Alarm procedures for alarm
Prioritization prioritization. Decisions that
need to be made are
whether or not an alarm
DCS Configuration should be implemented, its
Changes priority, its set point, and
what actions the operator
should take to confirm the
Update Operating alarm condition and bring the
Procedures process back to a safe state.

After initial prioritization,

Update Training periodic review of the system
to identify opportunities for
improvement can be
undertaken. Using statistical
Yes tools to review the alarm
Major
system’s actual performance
Modification?
and compare it to site
metrics for good
No
performance, Exida can
Periodic Compilation identify areas where both the
of Alarm Data alarm system and the
Alarm Floods
Nuisance Alarms
process equipment can be
Chattering Alarms improved to make the plant
Alarm Data Analysis Standing Alarms safer and more operable.
Correlated Alarms
Disabled Alarms

Yes
New Alarm No
issues Stop
identified?

5
References:
Hopkins, Andrew (2000), Lessons from Longford – The Esso Gas Plant
Explosion, (CCH Australia Limited: Sydney, NSW, Australia)