Embed Size (px)
Citation preview
SPE Paper Number: 136694-PP
Diesel Engine Runaway Safety Risk in Hazardous Environments By Jogen Bhalla, Amot Controls
Copyright 2010, Society of Petroleum Engineers
This paper was prepared for presentation at the SPE Middle East Health, Safety, Security, and Environment Conference and Exhibition held in Manama, Bahrain, 4–6 October 2010.
This paper was selected for presentation by an SPE program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been reviewed
by the Society of Petroleum Engineers and are subject to correction by the author(s). The material does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or
members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is
restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of SPE copyright.
Abstract There are many potential ignition sources in the petrochemical, refining and oil and gas drilling industry; such as hot work, internal combustion engines, improperly classified or maintained electrical equipment, lighting, and adjacent fired equipment. These are typically controlled via measures such as hot work permits for:
- Welding/burning - Hot work or vehicle entry permit requirements to operate engines inside posted areas - Proper electrical classification along with programs to maintain it, and - Programs/practices to prevent/detect releases of flammable materials.
A large number of diesel engines (in vehicles, lighting towers, power generators and other equipment) are used in the petrochemical and oil and gas industry for their day-to-day operation. Diesel engine runaway is a serious hazard in oil and gas drilling and production and similar industries where flammable hydrocarbon emissions or leaks may occur. A runaway can be described as an engine running out of control on an external fuel source (i.e., the “fuel” in the air) where the operator cannot shut down the engine using conventional methods (i.e. turning off the engine ignition switch). In a total runaway engine situation, the result can range from minor engine damage to engine explosion, causing catastrophic damage to the equipment and surrounding facilities and/or death or injuries to personnel such as BP Texas City refinery and BP Deepwater Horizon explosions. Fortunately, there is simple, inexpensive technology available which can prevent a diesel engine runaway. The paper is presented to increase awareness and lessons learned from many accidents involving runaway diesel engines. The author will present what companies are doing around the world to avoid diesel engine runaway as an ignition source for explosions in the hydrocarbon industry.
2 136694-PP
Bio: Jogen Bhalla is a Vice President at AMOT with 25+ years of process instrumentation and control experience in the oil and gas, chemical and petrochemical industry. He became involved in controlling ignition sources including runaway engines after the BP refinery Texas accident in 2005 and has been working with OSHA, Cal OSHA and IADC to increase awareness on this potential detonation source that has resulted in numerous deaths and injuries in the hydrocarbon industries.
136694-PP
3
Diesel Engine Runaway Safety Risk in Hazardous Environments
By Jogen Bhalla, Amot Controls
The oil and gas and refining industry has experienced a significant increase in vapor cloud explosions within the last
five years. These explosions have resulted in a large number of fatalities and environmental damage. The BP Texas
City refinery and BP Deepwater Horizon incidents clearly demonstrate the risks associated with runaway diesel
engines operating in hazardous environments.
The intent of this paper is to raise awareness within the industries processing hydrocarbons about (a) the potential fire
and explosion hazards associated with runaway diesel engines; (b) the time it takes for an overspeed condition to occur
after initial vapor release; (c) safe work practices operators should follow when operating diesel engines in hazardous
areas; (d) risk to oil and gas companies when they allow unprotected diesel engines into their facilities; and (e) the
responsibility of all employers to properly train employees and contractors on the safe operation of diesel engines.
Oil and gas and petrochemical companies which handle, or are exposed to hydrocarbons or other combustible gases or
materials, should systematically identify hazards related to possible releases to the atmosphere of these materials. The
results of the hazard identification process should be used to evaluate both the consequences of hazardous events and
to determine appropriate risk reduction. Risk reduction measures should focus on:
• Preventing incidents (i.e., reducing the probability of occurrence)
• Controlling incidents (i.e., limiting the extent and duration of a hazardous event)
• Mitigating the effects (i.e., reducing the consequences)
4 136694-PP
Figure 1: Tank Farm Explosion involving runaway truck. Source: Center for Chemical Process Safety, AIChE-Process
Safety Beacon, October 2009
Understanding the Hazard
Stationary, mobile and vehicular diesel engines are used in the oil and gas production, refining and petrochemical
industry for their day-to-day operations. These industries are particularly prone to diesel engine runaway due to
hydrocarbon vapor cloud release.
As refineries age and the oil and shale gas activity rises, the probability of a sudden hydrocarbon release increases
substantially. Over time, refineries will require upgrades and expansions. This will require a large number of
contractors and diesel engines to perform the work. The use of unprotected engines by employers and contractors will
continue to increase the risk of fire, explosions, and fatalities.
The majority of the drilling and refining support operations are subcontracted to various companies. In these situations,
safety may become compromised. New drilling technologies have enough risks of their own without the added
unpredictability of human error.
Release Causes The following are common causes of releases and leaks that can contribute to a diesel engine overspeed condition:
136694-PP
5
• Hazardous area maintenance work • Leaking control or safety relief valves
• Equipment failure • Gasket failure/flange leak
• Operator errors • Pump seal/valve packing/fittings leak
• Overpressuring process equipment • Sight glass blowout
• Natural disaster (e.g., earthquake) • Electrical problem
• Gas and oil well blowouts • Holes due to corrosion
• Plant start-up/shutdown • Instrument calibration and deviation
• Process upset • Metal fatigue
• Power dip or interruption • Leaking/broken lines/pipes/fittings
Runaway Diesel Engine A runaway can be described as an engine running out of control on an external fuel source where the operator cannot
shut down the engine using conventional methods. During this condition, turning off the engine ignition switch, fuel
system, shutting off the solenoid or disengaging the engine's load will not stop a diesel engine. An automatic diesel
engine overspeed protection system installed in the engine's intake system is the most effective method of eliminating
this ignition source.
Diesel engine speed is governed by the controlled amount of fuel fed to the engine through its normal fuel system and
by its internal speed governor. When additional uncontrolled fuel is present in the environment, in the form of
combustible vapors, the engine may ingest this uncontrolled fuel causing the engine to overspeed. If the engine draws
in a flammable vapor, the engine is likely to backfire through the intake system. Turning off the normal shutdown
system will only turn off the engine's normal fuel source, permitting the engine to run uncontrolled on the external fuel
source. In a total runaway engine situation, the result can range from minor engine damage to engine explosion,
causing catastrophic damage to the equipment and surrounding facilities and deaths or injuries to personnel.
Figure 2: Typical air intake system-
4 cycle diesel engine
6 136694-PP
In addition, a diesel engine is not just an ignition source but can potentially act as a “hot box”; a high-energy
detonation source for a hydrocarbon release that can cause large scale explosions.
Figure 3: BP Texas City, BLSR and off-shore diesel engine explosions
High Risk Diesel Engines
Diesel engine powered equipment are required to perform many operations in oil and gas production and refining
facilities. These engines listed below must be protected to prevent runaway conditions caused by unexpected
hydrocarbon releases and leaks:
• Stationary diesel engines: gas compressor engines, generator sets, pump stations
• Mobile equipment: forklifts, cranes, well servicing equipment, drilling rigs, drilling support equipment,
backhoes, wheel loaders, excavators, skid steer loaders, portable generator sets, pump systems, trenchers,
compaction equipment, light towers, welding trucks, straddle carriers, aerial work platforms, industrial lift
trucks and other like equipment
• Emergency response vehicles: fire engines, ambulances
• Vehicle mounted engines: pick-up trucks, trash haulers, vacuum trucks, environmental cleaning trucks,
tankers, product haulers, pump systems
136694-PP
7
Area Classification and Diesel Engine Risk
Area classification is a method of analyzing and classifying the environment where explosive gas atmospheres may
occur. The main purpose is to facilitate the proper selection and installation of equipment to be used safely in that
environment, taking into account the properties of the flammable materials that may be present.
Hazardous areas are classified into zones based on an assessment of the frequency of the occurrence and duration of an
explosive gas atmosphere. Diesel engine should be protected for Zone 1 and Zone 2 areas.
In addition to air intake shutdown systems, consideration should be given to explosion protection kits for mechanical
and electronically controlled engines. Typically, these engines are used to drive equipment such as wireline units,
nitrogen units, coiled tubing, cement or fire water pumps working in Zone 2 areas in the oil and gas industry. These
protected engines will prevent the ignition of gas or vapor by cooling the engine skin temperature, eliminating sparking
components and preventing overspeed conditions.
Choosing Appropriate Control Methods Traffic management and control is the first step that can significantly reduce the risk of runaway diesel engine.
Vehicle entry into or adjacent to processes handling flammables is not tightly enforced at some plants. Once vehicles
are inside the gate, there is often no control of where they go; therefore, they may be in the wrong place at the wrong
time (i.e., downwind and within the flammable cloud). Even if a flammable leak is detected promptly, not everyone
with a vehicle may follow the engine safety procedures (e.g., turn off engine if not in the vehicle, turn off engine if
emergency alarm sounds).
Refining and other large petrochemical facilities can incorporate advanced RFID technology to secure transportation
access to secure facilities. This low-cost technology can provide:
Mobile and vehicular diesel identification and access control
Safety equipment installation verification
Personnel and visitor identification and access control
Delay/denial of access to vehicles without safety equipment
Ability to control the gates during any vapor cloud release
8 136694-PP
In addition, based on the Center for Chemical Process Safety, AIChE - Process Safety Beacon, October 2009 Safety
Alert, the following steps can minimize or eliminate the safety risks associated with runaway diesel engines:
• Never drive into an area where you suspect there might be a flammable vapor cloud.
• Protect equipment driven by an internal combustion engine as this can also act as an ignition source. Such
equipment might include mobile or portable generators, air compressors, engine driven pumps, and lawn
mowers, etc.
• Educate personnel that the normal engine shutoff methods will not work as long as flammable vapor continues
to enter the intake system.
• Install an automatic overspeed shutdown system on stationary, mobile and vehicular diesel engines operating
in hazardous environment. This system detects the speed and activates the shutdown system as the engine
speed level reaches an unsafe limit.
• Train site security personnel that control access to applicable facilities or areas. Inspect applicable engines for
an automatic overspeed protection device prior to entering the facility.
• Educate employees, contractors and other users on how to properly maintain a diesel engine overspeed
protection device.
• Do not allow unprotected diesel engines into the facility.
Recommended Control Methods by Diesel Engine Manufacturers and Experts
Most diesel engine manufacturers and dealers offer shutdown devices on their engines as standard and/or optional
equipment. Check with your engine manufacturer for specific details. For after-market engines, air intake shutdown
system manufacturers can provide magnetic pick-up speed sensors, speed switch and air intake shutdown valves along
with a complete installation kit for each engine type. The installation kit can save many design, engineering and
installation hours, as well as eliminate errors.
As shown in Figure 4, an automatic overspeed system detects the RPM velocity of an engine and activates the
shutdown system as the RPM level reaches an unsafe limit. This action eliminates the diesel engine as an ignition
source and limits the workers exposure to the hazardous environment.
Automatic systems are available in the following configurations:
• Automatic electric overspeed detection shutdown system with manual override.
• Automatic electric to pneumatic overspeed shutdown system with manual and override.
• Automatic hydro-mechanical overspeed shutdown system with manual override.
136694-PP
9
Figure 4: Automatic overspeed shutdown system with manual override
Manual systems are available in:
• Manual electric overspeed shutdown systems
• Manual electric to pneumatic shutdown systems
• Pneumatic manual shutdown systems
• Cable operated shutdown systems
Manual systems as shown below in Figure 5, are typically installed on smaller, vehicular or portable engines where an
operator is continually present to activate the toggle switch or pull the cable handle to shutoff the air to the engine.
Figure 5: Manual Electric to Pneumatic Shutdown System
10 136694-PP
Industry Recommended Practices API, ISO, Canadian, British and other international standards recommend installing a field proven overspeed
protection system for all diesel engines that are at high risk of ingesting flammables in order to prevent a diesel engine
from becoming an ignition source. An overspeed shutdown system and a dry cyclone certified spark arrestors should
be provided on all internal combustion engine exhausts operating within 23 meters of the well bore or oil and gas well
drilling and servicing operations.
Following API area classification guidelines, it is recommended that any diesel engine operating within 7.6 meter (25
feet) of Class I, Division 2 electrically classified area in refineries, petrochemical, or similar facilities should be
equipped with an overspeed protection system and a spark arrestor.
The intended function of a flame trap fitted to the exhaust system of diesel engines is to extinguish flames before they
are discharged from open end of exhaust system or to atmosphere. Although there is no evidence to suggest that flames
are discharged from exhaust system of normally running engines, flames may be present if engine ingests flammable
gas or if abnormal combustion conditions exist. The case for fitting exhaust system flame traps is therefore based on
possibility of flames being discharged if engine ingests flammable gases. The main drawback to exhaust flame traps is
that they are very susceptible to carbon blockage, which if not rectified leads to engine power loss and overheating. A
typical plate type flame trap may require cleaning after less than 24 hours of operating time. In addition, flame traps
are expensive and vulnerable to damage. Nevertheless, if special reasons exist, flame traps may be fitted as additional
precaution. In all cases where exhaust system flame traps are fitted, cleaning interval must be clearly established and
cleaning made mandatory.
136694-PP
11
Figure 6: Spark Arrestors, Flame Arrestors, Flameproof Alternators
Current U.S. and International Standards
Many regulations and standards have been enacted with respect to diesel engine overspeed protection. Some of these
are:
• MMS: 30 CFR 250.510, 250.610, and 250.803(b)(5)(ii) for off-shore diesel engines
• MSHA: Regulation 30 CFR 36, Para V (E) 1985
• OSHA 2007 Petroleum Refinery Process Safety Management National Emphasis Program-Page A-53
Motorized Equipment
• NFPA 37 - Installation and Use of Stationary Combustion Engines and Gas Turbines
• API Recommended Practice 54 - Occupational Safety for Oil and Gas Well Drilling and Servicing Operations
• API Publication RP 2001 section 4.2.10
• Cal OSHA State of California, subchapter 14 - Petroleum Safety Orders - Drilling and Production Article 35
Drilling and Well-Servicing Machinery and Equipment
• Subchapter 15. Petroleum Safety Orders - Refining, Transportation§6874. Stationary Internal Combustion
Engines
• U.S. Coast Guard - § 58.10–15
• ISO3046-6;1990
12 136694-PP
• European - EEMUA-107 "Recommendation for diesel engine operating in potentially flammable
atmosphere" require the use of air intake shutdown valve with flame arrestor
• US Nuclear Regulatory Commission
Gaps in Current Standards
Canada and Europe have implemented comprehensive diesel engine safety standards and as a result has essentially
eliminated the hazard associated with runaway diesel engines. API Drilling and Production recommended practices
(RP) and Fire Protection in Refineries standards must not be viewed just as recommendations, but sound safety
practices that must be followed and implemented to prevent fatalities, fire and explosions.
Process Safety Management (PSM) standards are administrative controls. Administrative controls address hazards
through the development and application of suitable work systems and processes that involves human intervention at
every step. Refineries should not solely depend on PSM standards to prevent runaway diesel engine incidents. Why?
A runaway diesel engine, depending upon the richness of the environment, can explode in less than 60 seconds.
Engine runaway can occur at any time and the gas cloud would typically reach the running engine in the area before
the gas detector and will speed up the engine. If the air intake is not closed quickly, it could result in a valve bounce,
flame, sparks, mechanical failure and ignition of the gas and air mixture. As the environment gains saturation and
approaches the flammable limits, the engine runs faster and gets to the valve float / runaway condition sooner and
explodes. When it explodes, the plume of flame ignites the air resulting in detonation.
In case of a sudden hydrocarbon release, the goal is to protect workers and operators. In many documented cases,
workers were severely injured or killed trying to manually shut down diesel powered equipment or vehicles. The
human instinct is for the operator or worker to use manual methods (clothing, books, piece of wood) to try to block the
air intake to stop a diesel engine from overspeeding. This is very dangerous and is not an acceptable practice to
control an ignition sources in an oil and gas facility.
Recent incidents confirm that the current PSM standards and Hot Work Permit programs by themselves cannot prevent
runaway diesel engine explosion.
Hot Work Permit Program
136694-PP
13
Although many refineries and petrochemical plants control the use of diesel and gas engines into or adjacent to
processes with Hot Work Permits, most permits only require continuous standby and gas monitoring when welding or
burning is occurring. Vehicle entry generally requires an initial check for flammable gases, and periodic re-checks if
the vehicle stays in the area (e.g., crane operation).
These practices make the likelihood of detecting a flammable release and shutting down the vehicle engine in time to
avoid being the potential ignition source is extremely low.
Assuming, that all the steps required to check the presence of flammable gases and vapors under a Hot Work Permit
program are completed, and a Hot Work Permit is issued to complete the work, the scenario can be as follows:
1. A vacuum truck, crane, lighting tower or welding machine is allowed to enter the oil and gas facility
2. A sudden gas leak caused by a ruptured disc or broken line at the facility creates a vapor cloud that moves with
the air
3. The gas detector detects the vapor in the atmosphere once the percent exceeds the pre-set lower explosive limit
4. The gas detector reacts and sounds an alarm
5. An operator hears the alarm, stops his job and decides what to do next
6. If the operator or contractor is close to the engine and sees it running (e.g., a crane), they may try to turn it off
when the alarm sounds
7. The operator climbs up the crane or the vacuum truck looking for the controls
8. The operator finds the fuel control and turns it off
9. The engine does not stop - it is consuming the same gas leak cloud and is running on compression ignition of
the mixture
10. The engine overspeeds and puts a flame through the exhaust
11. The flame results in explosion of the gas and operator injury or death
12. The explosion spreads to the whole refinery resulting in additional fatalities - creating economic and
environmental damage.
Typically, the operator or the contractor will not go to the engine (at point 6) and will run the other way and (if lucky)
save himself, but the runaway and explosion would still happen, hurting other people. With several engines, working
simultaneously, there could be several points of ignition. Considering that a runaway diesel engine can explode within
14 136694-PP
seconds, there is a high probability that the operator would be killed. Recent accidents validate this scenario.
Gas Detection
There are rarely enough detectors installed to pick up all possible flammable material releases. The detectors take some
time to detect a leak (up to 1 minute for some types), and it is likely to take 5-10 minutes once a detector alarms before
operators verify there is a release and begin to take action to stop it. By this time, the flammable release will have
already reached ignition sources (such as diesel engines) in the vicinity. A running diesel engine may be the first
“gas detector” to sense the leak. Moreover, there is rarely enough confidence in gas detectors to allow them to
automatically take any action. If a diesel engine is equipped with an overspeed shutdown valve, the engine will be shut
down as soon as the engine crosses the safe speed limit preventing explosion.
Lessons Learned Based on the BP Texas City Refinery and Deepwater Horizon Explosion investigations and hearings, there are
numerous diesel engine safety related issues that must be addressed. These include:
1. Rig power emergency shutdown devices should have actuation checked no less than once a week to
determine that they are in proper working condition
2. All the other internal combustion engine air intake shutdown devices should have actuation checked no
less than once each thirty (30) days.
3. A field proven overspeed protection system with proper installation kits for diesel engines in vehicles and
mobile equipment should be used to prevent a diesel engine from becoming an ignition source.
4. Any diesel engine operating in or adjacent to a unit containing flammable liquids/gases under a hot work
or similar permit should be equipped with an overspeed protection system.
5. Ensure that employees and contractors shut off their diesel engines when not in use.
6. Industry should not allow gasoline engines in hazardous areas (as they cannot be protected like diesel
engines).
7. Provide adequate training on safe operation of diesel engines
8. Ensure that employees and contractors follow the company guidelines on operating diesel engines in
hazardous areas
In summary, diesel engines come in a variety of design configurations and fuel schemes but handle air the same way
136694-PP
15
for combustion. Every diesel engine has the potential to overspeed when in the presence of hydrocarbon vapors. This
fact, along with the previously mentioned contributors, proves that providing effective combustion air control is the
only way to prevent diesel engine overspeed.
Acknowledgements:
The Runaway Diesel-a side by side comparison-by C. Ferrone , Charles Sinkovits;Triodyne Inc.
Center for Chemical Process Safety, AIChE-Process Safety Beacon, October 2009
James Thompson-ABS Consulting-“Controlling Ignition Sources”
Dr. Sam Mannan-Mary O’Connor Process Safety Center-Texas A&M
Professor Trevor Kletz- Fellow of the Royal Academy of Engineering, the Royal Society of Chemistry, the Institution
of Chemical Engineers, and the American Institute of Chemical Engineers.
ABOUT THE AURTHOR: Jogen Bhalla is a vice president at AMOT, with 25+ years of process instrumentation and
control experience in the oil and gas, chemical and petrochemical industry. He became involved in controlling ignition
sources and runaway diesel engines after the BP refinery Texas accident in 2005 and has presented and published
numerous papers on the subject. Email: [email protected]; (1)512.789.2751
