United States4
          Environmental Protection4
          Agency4
Office of Solid Waste4
and Emergency Response4
(5104)4
EPA 550-R-98-0094
November 19984
www.epa.gov/ceppo/4
          EPA  CHEMICAL
          ACCIDENT
          INVESTIGATION
          REPORT
          Tosco Avon Refinery
          Martinez, California
Chemical Emergency Preparedness and Prevention Oficef
          i Printed on recycled paper

-------
                                                EPA550-R-98-009
                                                   November 1998
EPA Chemical Accident Investigation Report
            Tosco Avon Refinery
            Martinez, California
         U.S. Environmental Protection Agency
     Office of Solid Waste and Emergency Response
  Chemical Emergency Preparedness and Prevention Office
              Washington, D.C. 20460

-------
                                        Table of Contents

       The EPA Accident Investigation Program 	vii
       Chemical Safety and Hazard Investigation Board (CSB) 	 viii
       Basis of Decision to Investigate the Tosco Accident	 viii
       Other Investigating Agencies Involved in the Tosco Investigation	 viii
       Executive Summary of the Tosco Accident Investigation 	  ix

1.0    Background	1
       1.1     Facility Description	1
       1.2     Process Description 	1
               1.2.1   Hydrocracking Chemistry	1
               1.2.2   Hydrocracker Operations 	5
               1.2.3   Stage 2 Operations	5
               1.2.4   Stage 2 Reactor Monitoring and Control	8
                        .2.4.1  Thermocouples	8
                        .2.4.2  Control Board Instruments  	9
                        .2.4.3  Data Logger	9
                        .2.4.4  Field  Panels for Temperature Monitoring  	11
                        .2.4.5  Alarms	11
               1.2.5   Operating Parameters	13
               1.2.6   Emergency Depressuring 	14
               1.2.7   Operating Personnel	15

2.0    Description of the Accident	15
       2.1     Events  of January 21, 1997	15
               2.1.1   Night Shift (10 pm to 6 am)  	15
               2.1.2   Day Shift (6 am to 2  pm) 	16
               2.1.3   Swing Shift (2 pmto 10 pm)	16
       2.2     Emergency Response Actions  	21
       2.3     Consequences of Explosion and Fire	22
               2.3.1   Death and Injuries 	22
               2.3.2   Equipment Damage  	23
               2.3.3   Environmental Impact  	23
       2.4     Summary 	27
               2.4.1   Key Events Preceding the Day of the Accident 	27
               2.4.2   Key Events the Day of the Accident  	28

3.0    Investigation	29
       3.1     Approach	29
               3.1.1   Coordination with Other Agencies   	29
               3.1.2   Physical Evidence Collection  	30
               3.1.3   Information Sources Reviewed	30
               3.1.4   Methodology  	30
       3.2     Testing Results	32
               3.2.1   Ruptured  Pipe Testing & Inspection	32
               3.2.2   Catalyst Testing	33

-------
               3.2.3   Thermocouple Testing  	33
               3.2.4   Data Logger Testing	33
       3.3     Information Analysis	35
               3.3.1   Effluent Pipe Rupture	35
               3.3.2   Reactor Temperature Excursion	35
                      3.3.2.1 Flow and Heat Distribution	35
                                    Distribution Tray Pluggage	36
                                    Catalyst Coking	36
                                    Bed 4 Operating Problems	36
                                    Bed 4 Phase Change  	37
                                    Bed 4 Distribution Design	37
                                    Levelness of Distribution Trays	38
                      3.3.2.2 Catalyst Condition  	38
                      3.3.2.3 Feed Temperature	39
                      3.3.2.4 Oil and Recycle Gas Flowrate	39
                      3.3.2.5 Quench Flow to Bed 5  	40
               3.3.3   Control of Temperature Excursion	41
                      3.3.3.1 Awareness of Emergency Situation	42
                                    Confusing Temperature Readings  	42
                                    Problems with Temperature  Monitoring	42
                                    Strip Chart vs. Data Logger Data  	43
                                    Audible Temperature Alarms	43
                                    Makeup Hydrogen Flow and Recycle Hydrogen Purity	44
                                    Accessibility of Temperature Data  	45
                                    Radio Communications	46
                      3.3.3.2 No Emergency Depressuring Used  	47
                                    Prior Temperature Excursions	47
                                           July 23, 1992 	47
                                           March 19,  1996 	47
                                           January 19, 1997 	48
                                    Supervision	48
                                    Training  	49
                                    Emergency Depressuring System Reliability  	51
                                    Procedures  	51
                                    Safety and Performance Goals	54
               3.3.4   Process Hazard Analysis (PHA)	55
               3.3.5   In-Plant Emergency Notification	58

4.0    Causes of the January 21 Accident	58
       4.1     Cause of the Pipe  Rupture	58
       4.2     Cause of the Temperature Excursion	59
       4.3     Failure to Control Temperature Excursion	60
       4.4     Root Causes and Contributing Factors  	61
                      Conditions to Support and Encourage Employees to Operate
                             Reactors in a Safe Manner Were Inadequate	61
                      Human Factors Were Poorly Considered in the Design and
                             Operation of the Temperature Monitoring System	63

-------
                      Supervisory Management Was Inadequate	65
                      Operational Readiness and Maintenance Were Inadequate	66
                      Operator Training and Support Were Inadequate	67
                      Procedures Were Outdated and Incomplete	68
                      Process Hazard Analysis Was Flawed	69
                      Barriers Against Hazardous Work Conditions Were Inadequate  	70

5.0    Recommendations	70
               Management System Policy and Implementation	71
               Human Factors Considerations	71
               Supervision	72
               Facility Readiness and Maintenance  	73
               Training and Support  	73
               Procedures  	74
               Process Hazard Analysis	74

APPENDICES  	A-l
       Appendix A    References	A-l
       Appendix B    History of Major Process Changes  	B-l
       Appendix C    Stage 2 Hydrocracker Process Flow Diagrams  	C-
       Appendix D    Interbed Quench and Distribution Sketches	D-
       Appendix E    Stage 2 Reactor Thermocouple Points per Instrument Display	E-
       Appendix F    Average Bed Differential Temperature for Reactor 3 (pre-incident)	F-
       Appendix G    Agency Personnel Involved in Tosco Accident Investigation  	G-
       Appendix H    Participants on Tosco Avon Refinery Root Cause Analysis	H-
       Appendix I     Follow-up Actions Undertaken by Tosco as of June 1997 	I-
       Appendix J     Glossary	  J-l

List of Tables

       Table 1        Critical Operating Limits for Stage 2 Reactors  	14
       Table 2        Some Reactor 3 Temperatures- Bed 4, Bed 5, Reactor Inlet/Outlet  	19
       Table 3        Time Line of Key Events Preceding the Day of the Accident	27
       Table 4        Time Line of Key Events the Day of the Accident	28

List of Figures

       Figure 1       Site Location Map  	3
       Figure 2       Facility Plot Plan	4
       Figure 3       Hydrocracker Unit Flow Block Diagram 	6
       Figure 4       Stage 2 System- Simplified Flow Diagram  	7
       Figure 5       Stage 2 Reactors  Thermocouple Arrangement- Isometric Drawing  	10
       Figure 6       Hydrocracker Plot Plan  	12
       Figure 7       Reactor 3 Temperatures ( Bed 4 Outlet,  Bed 5 Inlet, Rx Inlet/Outlet)  	20
       Figure 8       Reactor 3 Temperatures (Four Bed 5 Outlet)	20
       Figure 9       Photograph- First and Second Stage Reactors	24
       Figure 10      Photograph- Reactor 3 Effluent Piping Rupture  	25
                                              in

-------
Figure 11       Photograph- Temperature Field Panel Location	25
Figure 12       Photograph- Back Side of Reactor 3 Effluent Piping Rupture 	26
Figure 13       Photograph- Ruptured Effluent Piping after Removal 	26
Figure C-l      Stage 2 Hydrocracker High Pressure System- Process Flow Diagram 	C-l
Figure C-2      Stage 2 Simplified Emergency Depressuring System Diagram	C-2
Figure D-l      Stage 2 Reactor Internals Sketch	D-l
Figure D-2      Stage 2 Reactor Interbed Quench and Distribution Details	D-2
                                        IV

-------
The EPA Accident Investigation Program

EPA has a responsibility under section 112(r) of the Clean Air Act Amendments of 1990 (CAA)
for the prevention and mitigation of accidental chemical releases.  One of the fundamental ways to
prevent chemical accidents is to understand why accidents occur and to apply the lessons learned
to prevent future incidents.  Consequently, EPA has a responsibility to investigate and understand
why certain chemical accidents have occurred. A key objective of the EPA chemical accident
investigation program is to determine and report to the public the facts, conditions, circumstances,
and causes or likely causes of chemical accidents that result, or could have resulted, in a fatality,
serious injury, substantial property damage, or serious off-site impacts, including a large scale
evacuation of the general public. The ultimate goal of an accident investigation is to determine
the root causes in order to reduce the likelihood of recurrence, minimize the consequences
associated with accidental releases,  and to make chemical production, processing, handling, and
storage safer. This report is a result of an EPA investigation to describe an accident, determine its
root causes and contributing factors, and identify findings and recommendations.

Note that under section 112(r)(l) of the CAA, industry has a general duty to design and maintain
a safe facility taking such steps as are necessary to prevent releases, and to minimize the
consequences of accidental releases which do occur.  In addition, under section 112(r)(7), EPA
has promulgated regulations for the preparation of risk management programs and plans for the
prevention of accidental chemical releases.  However, compliance and enforcement with these
provisions are not the focus of this report but will be addressed at EPA's discretion in separate
reports or actions.

Prior to releasing an accident investigation report, EPA must ensure that the report contains no
confidential business information. The Freedom of Information Act (FOIA), the Trade Secrets
Act, and Executive Order 12600 require federal agencies to protect confidential business
information from public disclosure.  To meet these provisions, EPA has established a clearance
process for accident investigation reports in which the companies who have submitted potentially
confidential information used in the report are provided a portion of the draft report.  The portion
provided contains only the factual details related to the investigation (not the findings, the
conclusions nor the recommendations). Companies are asked to review this factual portion to
confirm that the draft report contains no confidential business information.  As part of this
clearance process, companies  often will provide to EPA additional factual information. In
preparing the final report, EPA considers and evaluates any  such additional factual information for
possible inclusion in the final report.

Chemical accident investigations by EPA Headquarters are conducted by the Chemical Accident
Investigation Team (CAIT) located in the Chemical Emergency Preparedness and Prevention
Office (CEPPO) at 401 M Street SW, Washington, D.C. 20460, 202-260-8600.  More
information about CEPPO and the CAIT may be found at the CEPPO Homepage on the Internet
at http://www.epa.gov/ceppo. Copies of this report can be obtained from the CEPPO Homepage

-------
or from the National Center for Environmental Publications and Information (NCEPI) at 800-
490-9198.

Chemical Safety and Hazard Investigation Board (CSB)

In the 1990 Clean Air Act Amendments, Congress created the Chemical Safety and Hazard
Investigation Board (CSB). Modeled after the National Transportation Safety Board (NTSB),
the CSB was directed by Congress to conduct investigations and report to the public the findings
regarding the causes of chemical accidents.  Congress authorized funding in November 1997 and
the CSB began operations in January 1998.  Several investigations by the CSB are underway.
More information about CSB may be found at their Homepage on the Internet at
http://www.chemsafety.gov or http://www.csb.gov.

EPA plans to complete its work and issue public reports on investigations initiated prior to
funding of the CSB. Under its existing authorities, EPA will continue to have roles and
responsibilities in responding to, and investigating, chemical accidents.  The CSB, EPA and other
agencies will be coordinating their efforts to determine the causes of accidents and to apply
lessons learned to prevent future events.

Basis of Decision to Investigate the Tosco Accident

On January 21, 1997, an explosion and fire occurred at the Hydrocracker Unit of the Tosco
Refinery at Martinez, California, resulting in one death, 46 worker injuries and precautionary
sheltering-in-place for the surrounding community.  The accident involved the release and
autoignition of a mixture of flammable hydrocarbons and hydrogen under high temperature and
pressure. EPA undertook an investigation into the causes and underlying circumstances
associated with this accident because of its serious consequences (fatality, injuries and offsite
concern), the potential for greater impacts, and the opportunity to  learn from this accident how
similar accidents could be prevented.

Other Investigating Agencies Involved in the Tosco Investigation

This investigation was coordinated among investigators working for USEPA Headquarters,
USEPA Region 9, California Division of Occupational  Safety and Health (CAL  OSHA), US
Department of Labor (DOL) Occupational Safety and Health Administration (OSHA) Region 9,
Contra Costa County Health Services Division (CCCHSD) and the California Bay Area Air
Quality Management District (BAAQMD).  CAL OSHA, with assistance of Region 9 Federal
OSHA, concurrently conducted an investigation for violations of health and safety orders as well
as a process safety management (PSM) audit.  The Bureau of Investigation of CA Department of
Occupational Safety and Health concurrently conducted a criminal investigation. CCCHSD
concurrently conducted an investigation into the root causes of the accident. BAAQMD
concurrently conducted an investigation into possible violations of air quality control regulations.
                                           VI

-------
Executive Summary of the Tosco Accident Investigation

At approximately 7:41 p.m. on January 21, 1997 at the Tosco Avon Refinery in Martinez, CA, a
section of effluent piping ruptured on the Hydrocracker Stage 2 Reactor 3.  A mixture of light
gases starting with methane through butane; light gasoline; heavy gasoline; gas oil and hydrogen
was released from the pipe and instantly ignited upon contact with air, causing an explosion and
fire.  A Tosco Hydrocracker operator checking a field temperature panel at the base of the reactor
was killed; 46 Tosco and contractor personnel were injured. Thirteen injured personnel were
taken to local hospitals, treated and released.  There were no reported injuries to the public.

The immediate cause of the hydrocarbon and hydrogen release and subsequent fire was a failure
and rupture of a Stage 2 Reactor 3 effluent pipe due to excessively high temperature, likely in
excess of 1400F. This high operating temperature was initiated by a reactor temperature
excursion that began in Bed 4 of Reactor 3 and spread through the next catalyst bed, Bed 5.  The
excessive heat generated in Bed  5 raised the temperature in the reactor effluent pipe. The
excursion was not brought under control because the Stage 2 reactors were not depressured and
shut down as required when the  reactor temperatures exceeded the SOOT temperature limit
specified in the written operating procedures.

The temperature excursion began with a hot spot in Bed 4 Reactor 3.  The hot spot was most
likely caused by poor flow and heat distribution within the catalyst bed.  Investigators could not
determine the specific cause of the maldistribution.  Operators  did not activate an emergency
depressuring of the reactors when some internal reactor temperature readings reached SOOT
because they were confused about whether a temperature excursion was actually occurring.  Their
confusion was due to a variety of factors including: fluctuating temperature readings, a
discontinuation of makeup hydrogen flow to Stage 2, a misleading recycle hydrogen purity
analysis and the absence of additional audible high temperature alarms after the first high
temperature occurrence. They were  attempting to verify temperatures in the reactor by having an
operator obtain temperature readings from the field panels under the reactors.  Poor radio
communications hampered relaying these readings to the control room. Even after operators in
the control room noticed that the Reactor 3 inlet temperature had increased beyond SOOT, they
did not depressure but began to take steps to cool the reactor by increasing quench hydrogen flow
and reducing heat input from the trim furnace.

Investigators identified the following root causes and contributing factors of the accident:

      Conditions to Support and Encourage Employees to Operate Reactors in a Safe Manner
       Were Inadequate.  The emergency depressuring  system was not used as required to
       control previous temperature excursions.  Management did not take effective corrective
       action to ensure that these emergency procedures were followed.  An operating
       environment existed that caused operators to take risks while operating and to continue
       production despite serious hazardous operating conditions.  Temperature limits for the
       reactors were inconsistently stated and operators did not always maintain temperature
                                           vn

-------
within these limits. Management did not recognize or address the conflict between
acceptable performance goals and risks.  Negative consequences from the past instances of
use of the depressuring system may have contributed to operators' reluctance to
implement depressuring when required.

Human Factors Were Poorly Considered in the Design and Operation of the Reactor
Temperature Monitoring System. Operators were using three different instrumentation
systems to obtain temperature data. Not all the temperature data were immediately
accessible, which did not allow operators to make critical decisions quickly. Although not
planned by design, access to the  most critical monitoring points (those reading the highest
temperatures) happened to be located underneath the reactors and could not be accessed
from the control  room. No Management of Change (MOC) process was implemented for
the installation of the outside temperature panels.  The alarm system on the data logger
only allowed one alarm to be received at a time and did not distinguish between
emergency alarms and other operating alarms.  The temperature control system caused the
operators to make many manual  adjustments to control temperatures, which made the
Hydrocracker reactor more difficult to operate.  Hydrogen purity analysis data available to
operators lagged seven minutes behind the actual time  of the analysis and provided
misleading information to the operators.

Supervisory Management was Inadequate. Several apparent serious deficiencies were
evident. For example, unit process operators failed to  follow posted emergency
procedures on this as well as previous temperature excursion incidents. Problem incidents
were not always  properly communicated to management and inconsistent application of
emergency procedures was tolerated  by management.  No comprehensive operator
training, including refresher training,  had been implemented to address all hazards
associated with Hydrocracker Unit operations. No management of change program was
implemented to address mechanical changes or operational changes such as those needed
for the change in catalyst.

Root cause incident investigations were inadequate in that they did not investigate all
temperature excursions.  Also they did not identify the root cause  of the excursion nor did
they determine why operators were reluctant to follow posted emergency procedures.

Operational Readiness and Maintenance Were Inadequate.  The temperature monitor (data
logger) in the control room that had most of the reactor temperature readings was
unreliable and out of service sometimes. In the past, reactor operation would continue
despite the data logger being out of service.  Under the conditions of a temperature point
rising more than  50F above normal,  the data logger could not be reset in order to receive
additional high temperature alarms. Radio communications needed to relay temperature
data from outside panels to the control room were unreliable and did not function during
the incident. Operators had to run the unit with leaking quench valves and stop-gap
                                    Vlll

-------
       measures were used to deal with leaking heat exchanger flanges. The emergency
       depressuring system was not tested to ensure its reliability when needed.

       Operator Training and Support Were Inadequate.  Training materials were out of date and
       unit specific training was mostly on the job and not well documented. Unit specific
       refresher training had not been developed.  Operators received inadequate training  on
       temperature instrumentation.  They did not understand that zero default values on the data
       logger potentially meant extremely high temperatures.  Operators did not understand that
       the decrease in makeup hydrogen flow was an indication of an extreme temperature
       excursion.  Training for abnormal operating situations and drills for emergency procedures
       were not adequate.

      Procedures Were Outdated and Incomplete. Procedures were scattered throughout
       various documents and had not been updated as changes were made to operating
       equipment and the process. Recommendations from several incidents were not
       incorporated into procedures.  Procedures were not developed for many operations,
       including obtaining temperature data from outside field panels underneath the reactors.
       Procedures had conflicting differential temperatures limits for catalyst bed operation.

       Process Hazard Analysis Was Flawed. The process hazard analysis did not address all
       existing known hazards and operating abnormalities. It did not reflect the actual
       equipment and instrumentation used in the process. It did not adequately address previous
       incidents that had potential catastrophic consequences, such as previous reactor
       temperature excursions.  No hazard analysis was performed for the installation and use  of
       the temperature field panels.

Investigators from EPA,  CAL OSHA and BAAQMD developed recommendations (summarized
below) to address the root causes and contributing factors to prevent a recurrence or similar event
at Tosco and other facilities. Hydroprocessing facilities should consider each recommendation in
the context of their own circumstances, and implement them as appropriate.

       Management must ensure that operating decisions are not based primarily on cost and
       production. Performance goals and operating risks must be effectively communicated to
       all employees.  Facility management must set safe, achievable operating limits and not
       tolerate deviations from these limits.  Risks of deviation from operating limits must be
       fully understood by operators. Also, management must provide an operating environment
       conducive for operators to follow emergency shutdown procedures when required.

      Process instrumentation and controls should be designed to consider human factors
       consistent with good industry practice. Hydroprocessing reactor temperature controls
       should be consolidated with all necessary data available in the control room.  Some
       backup system of temperature indicators should be used so that the reactors can be
                                           IX

-------
operated safely in case of instrument malfunction. Each alarm system should be designed
to allow critical emergency alarms to be distinguished from other operating alarms.

Adequate supervision is needed for operators, especially to address critical or abnormal
situations.  Supervisors need to ensure that all required procedures are followed.
Supervisors should identify and address all operating hazards and conduct thorough
investigation of deviations to determine root causes and to take corrective action.
Equipment and job performance issues related to operating incidents should be corrected
by management.

Facilities should maintain equipment integrity and discontinue operation if integrity is
compromised. Hydroprocessing operations especially need to have reliable temperature
monitoring systems and emergency shutdown equipment.  Equipment should be tested
regularly and practice emergency drills should be held on a regular basis. Maintenance
and instrumentation support should be available during start up after equipment
installation or major maintenance.

Management must ensure that operators receive regular training on the unit process
operations and chemistry. For hydrocrackers, this should include training on reaction
kinetics and the causes and control of temperature excursions. Operators need to be
trained on the limitations of process instruments and how to handle instrument
malfunctions. Facilities need to ensure that operators receive regular training on the use
of the emergency shutdown systems and the need to activate these systems.

Tosco management must develop written operating procedures for all phases of
Hydrocracker operations. The procedures should include operating limits and
consequences of deviation from the limits.  The procedures should be reviewed regularly
and updated to reflect changes in equipment, process chemistry, and operation.  As
appropriate, the procedures should be updated to include recommendations from process
hazard analysis and incident investigations.

Process hazard analyses need to be based on actual equipment and operating conditions
that exist at the time of the analysis.  The analysis should include the failure of critical
operating systems, such as temperature monitors or emergency operating systems.  A
Management of Change review should be conducted for all changes to equipment or the
process, as necessary, and should include a safety hazard review of the change.

-------
1.0    Background

       1.1    Facility Description

The Tosco Avon Refinery is a 2,300 acre facility located in Eastern Contra Costa County near
Martinez, California in the San Francisco Bay Area. The Refinery was originally built in 1913 as a
Standard Oil of California facility; in 1976 Tosco purchased the Avon Refinery from Phillips
Petroleum. The Refinery processes 140,000 barrels per day of crude oil, producing gasoline, jet
fuel, and diesel fuel.  Other products generated are coke, sulfur, ammonia, and sulfuric acid.
Crude oil is delivered to the Refinery either through pipeline or through two marine terminals,
primarily from production fields in Alaska and California.

Figure 1 is a site map showing the Refinery and the immediate surrounding area. Light industrial
areas, residential areas and Suisun Bay are located approximately one mile from the Refinery.
Figure 2 is a facility plot plan showing the location of the Hydrocracker Unit within the Refinery.

This investigation report describes the conditions and circumstances surrounding the January 21,
1997 accident, the events leading up to the explosion, existing process safety management
practices, the causes  of the accident and contributing factors, and recommendations.  The accident
occurred in the Stage 2 Reactor area of the Hydrocracker Unit and thus, description of processes
and events are focused on this area of the Refinery. For readers not familiar with technical terms
associated with refineries or chemical processes, some of these terms are explained in a glossary
in Appendix J.

       1.2    Process Description

This section describes the chemistry, process operations, control system, and operating
parameters in the  Stage 2 of the Hydrocracker Unit. A history of major process changes to Stage
2 of the Hydrocracker Unit are summarized in Appendix B.

              1.2.1  Hydrocracking Chemistry

Hydrocracking involves catalytic cracking of hydrocarbon oil in the presence of excess hydrogen
at high temperature and pressure. The process breaks larger molecules into  smaller ones while
reacting them with hydrogen to create more of the molecules used in commercial fuels,  such as
gasoline and diesel.  Sulfur and nitrogen compounds must first be removed from the oil to prevent
fouling of the hydrocracking catalyst and to meet final product specifications. This is done by
reacting the sulfur and nitrogen compounds with hydrogen to form hydrogen sulfide and
ammonia, which are then extracted from the process stream.

The general mechanism in hydrocracking includes breaking carbon-carbon single bonds (cracking)
followed by hydrogenation (addition of hydrogen to a carbon-carbon double bond).

-------
       Typical Cracking Reaction

           CnH24     + heat   =-   C5H10        +   C6H14
       hydrocarbon oil    pentene (olefin)       hexane

       Hydrogenation Reaction

       C5H10    +  H2   =   C5H12    +heat
       pentene        pentane
Cracking forms olefins (compounds with double-bonded carbons), which could join together to
form normal paraffins (compounds with single-bonded carbons).  However, hydrogenation rapidly
fills out all the double bonds, often forming isoparaffins, preventing reversion to less desirable
molecules, such as straight chain paraffins which have a lower octane rating.

The cracking reaction is endothermic (requires heat) and the hydrogenation reaction is exothermic
(produces heat). Heat liberated during hydrogenation is greater than heat consumed during
cracking so the overall process is exothermic.

The primary variables involved in hydrocracking are reactor temperature and pressure, feed rate,
hydrogen consumption, catalyst condition, nitrogen and sulfur content of the oil feed,  and
hydrogen sulfide content of the gases.  Besides serving as a reactant, excess hydrogen is added in
order to suppress coke formation on the catalyst and to act as a coolant to keep the temperature
rise under control.

The higher the temperature, the faster the hydrocracking reaction rate. At normal reactor
pressure and flowrate conditions, a 20F increase in temperature almost doubles the reaction rate.
The heat generated from the hydrocracking reaction causes the reactor temperature to increase
and accelerates the reaction rate. To control the reaction rate, each  reactor has several catalyst
beds between which cool hydrogen is injected as quench gas for temperature control.

The activity of the catalyst generally declines over time due to an accumulation of coke and other
deposits, until the catalyst requires regeneration.  Regeneration is accomplished by shutting the
unit down and burning off the carbon deposits, or by removing the catalyst and replacing it with
regenerated or new catalyst.

-------
  Base map source: USGS 1:100,000 Healdsburg, CA quadrangle (1972) (reduced)
                            ^ij1-  ,. "tf  -y-U'-  -f-

      APPROX. 4 MILES    \*,,,   ~"*}i ' '*(,. < f  ''.'" ,
      Tn MARTIMF7     \       ^ *^. *  ' X*\  ^

                                                                             01 SOTRPAXX.al (copy) (Z.2) 01/15/98
Figure 1    Site Location Map       Tosco Avon Refinery, Martinez, California

-------
Reference: Tosco Avon Refinery Evacuation Map, Tosco, January 1996
                        Gaugers
                                   ^Wesl Trad 3 Gale  -. Eosl Tract 3 Gate
                                                                  WATERFRONT ROAD
       Environmental
               NOT TO SCALE
                                                               MONSANTO ROAD
                                                                                       01 SOTRPAXX.g (copy) (St23) I 2116/97




Figure  2       Facility Plot Plan     Tosco Avon Refinery, Martinez, California

-------
              1.2.2  Hydrocracker Operations

The Hydrocracker Unit includes four sections, a Hydrogen Plant, Stage 1 Unit, Stage 2 Unit, and
Gas Plant.  The Hydrogen Plant produces hydrogen for use in the Hydrocracker Unit and other
process units.  Stage 1 hydrotreats the refinery gas oils in Reactors A, B and C to remove sulfur,
nitrogen compounds, and other impurities, to prevent fouling of the Stage 2 catalyst. Cracking
and hydrogenation occur in the Stage 2 Reactors 1, 2 and 3.  The Gas Plant fractionates the
hydrocracked product from Stage 2 into propane, butane, light and heavy hydrocrackates, and
diesel.  Figure 3 is a simplified flow block diagram of the Hydrocracker Unit showing how
process streams between the four sections are connected.

              1.2.3  Stage 2 Operations

Stage 2 is described in detail here because it was the process in which the accident occurred. The
hydrocracking technology used in Stage 2 was licensed as a Unicracker by Union Oil of California
in 1986.  The original Hydrocracker was started up in 1963 under a license from Chevron
Research Corporation and was known as  an Isocracker, a term which was still used in many of
Tosco's documents.

The hydrocracking reaction occurs in the  high pressure system of Stage 2 which operates in the
range of 1350 to  1735 pounds per square inch gauge (psig).  Figure 4 is a simplified process flow
diagram of the Stage 2 Hydrocracker High Pressure System; Appendix C contains a more detailed
process flow diagram of the Stage 2 High Pressure System.

A charge pump provides fresh feed from Stage 1 equally to the three Stage 2 Reactors 1, 2, and 3.
Preheated hydrogen is added to the liquid fresh feed after the Stage 2 charge pump.  The
temperature of this two-phase stream is then raised from about 350F to over 5 SOT by heat
exchange with the reactor effluent in the Stage 2 feed/effluent exchangers.  This provides most of
the heat for Stage 2.

Additional hydrogen is preheated in Trim  Furnaces 1, 2 and 3 and combined with the feed stream
from the feed/effluent exchangers, to obtain a desired inlet temperature, ranging from 600-650F.
The heated mixture of oil and hydrogen enters the top of each reactor where it is  hydrocracked
to produce  a mixture of desirable, lighter hydrocarbon components.  These range from as light as
methane to as heavy as  naphtha (up to 10-12 carbons).

Within each reactor, the oil/hydrogen feed passes sequentially through five beds of catalyst. The
catalyst used by Tosco is a zeolitic (molecular sieve) catalyst. Each bed is designed to achieve
about 60%  reaction conversion.  Cool recycled hydrogen gas is added as quench between the
catalyst beds in the reactors, limiting the temperature rise created by the exothermic reaction. The
quench hydrogen is injected above Beds 2, 3, 4 and 5 and distributed uniformly through a
perforated pipe distributor known as a quench ring.  The hydrocarbons and hydrogen are

-------
                       g -
                       I 3

IF
I!
 x
                                                        rt

                                                        M
                                                        rt
                                                          
                                                       CD v
                                                    D)
 -


II
                                                        U
                                                        RS

                                                        U
                                                        o

                                                        a
                t
                iS
                        S-  J
                        I  I

-------
             n
      1 of 3
Oil from
      1
Stripper
     2
Charge
 Pump
                         Recycle
                        Hydrogen
                                     Makeup j
                                    Hydrogen1
                          Hydrogen
                           Qpench
                              Hydrogen:
                              Reeyeto
                  Exchangers
 4C
1 Hydrogen
  supply
                                                    2
                                            Compressor
                                               1 of 2
                                                        2
                                                  Recycle
                                                  Compressor
                                            Recycle
                                           Hydrogen
                                                2
                                            High
                                          Pressure
                                          Separator
                                                       Stripper Gas to
                                                            1 Stripper
                                                                   2
                                                               Low
                                                             Pressure
                                                             Separator
                                                     Oil
                                                                To
                                                             Stabilizer
                                                                4
                     4 -       2        -SimpS;fied Flow

-------
collected on quench trays above Bed 2, 3, 4 and 5 and mixed in a quench box in the center of each
tray. The mixture is passed over and through distribution trays in order to mix and evenly
distribute flow to the next catalyst bed below. Beds 2, 3 and 5 have two distribution trays above
them while Bed 4 has only one. See Appendix D for sketches of the reactor interbed distribution
system.

The reactor effluent stream is cooled in the feed/effluent exchangers by exchanging heat with the
incoming feed stream.  The cooled effluent stream from each reactor is combined and cooled
further in heat exchangers before entering the High Pressure Separator (HPS).

In the HPS, hydrogen and oil are separated. Hydrogen and light hydrocarbon gases are recycled
back to the Stage 2 recycle compressor (called the IIR compressor). Makeup hydrogen is added
to the recycle gas downstream of the compressor to maintain pressure in the recycle gas system.
The recycle gas is used as quench hydrogen or heated and combined with oil feed to the reactors.
The hydrogen partial pressure of the recycle gas is kept at a minimum of 1100 pounds per square
inch absolute (psia) to minimize petroleum coke buildup on the catalyst and subsequent catalyst
deactivation.  The purity of the recycle gas can be raised by bleeding off a portion of the recycle
gas in order to purge light hydrocarbon gases.

The liquid phase (oil) from the HPS is pressured down to the Low Pressure Separator (LPS), to
flash the remaining light gases overhead to the Stage 1 stripper. The stream from the bottom of
the LPS is heated in the stabilizer preheater and fed to the Gas Plant System.  The Gas Plant
fractionates the product from Stage 2 into propane, butane, light and heavy hydrocrackates, and
diesel.

              1.2.4   Stage 2 Reactor Monitoring and Control

Stage 2 Reactors were monitored and controlled from the control room using board mounted
instruments and a personal computer (PC)-based data logger display.  Temperature display panels
located underneath the reactors were also used to monitor temperatures; however this data could
not be accessed from the control room. The internal reactor temperatures were electronically
monitored by 96 thermocouples which were connected to the various temperature display
instruments.

                     1.2.4.1   Thermocouples

Thermocouples used by Tosco were type "J", iron-constantan, sheathed thermocouples, designed
to be flexible to allow routing to various locations in the reactor catalyst beds.   In January 1996
an array of 96 thermocouples were installed inside each reactor to indicate the inlet, middle and
outlet temperature of each catalyst bed (except Bed 1 inlet). They were also used to determine
the axial temperature gradient (temperature difference between points above and below each
other in catalyst bed) and the radial temperature gradient (difference in temperature among points
at the same level in the catalyst bed). Twelve thermocouples were located in Bed 1, twenty-four

-------
were located in each Bed 2 through 4, and twelve were located in Bed 5. Figure 5 shows the
location of the internal Stage 2 reactor thermocouples.  Additional thermocouples (not shown)
monitor the feed, reactor inlet, reactor outlet and  reactor skin temperatures (three skin
temperatures per reactor).

Fifty-six of the thermocouple outputs were sent to a field instrument panel at the base of the
reactor and the rest (40) were routed to the control room.  The control room thermocouple
signals were routed to board mounted instruments and a PC-based data logger (see next section).
Appendix E shows, for each bed, how many inlet, middle and outlet temperatures were monitored
by each type of instrument.

                    1.2.4.2  Control Board Instruments

The control board instruments displayed the Stage 2 flowrates and temperatures in digital, LED
light bar, and strip chart format. Figure C-l in Appendix C shows the instrument controllers used
for process streams in Stage 2 High Pressure System.  The oil feed rate to the reactor, and
hydrogen flow to the trim furnace were regulated by flow controllers.  The hydrogen flow to the
feed/effluent heat exchangers was flow controlled so that a sufficient hydrogen to oil ratio was
maintained.  Recycle gas pressure was pressure controlled by hydrogen added from the makeup
compressors. Reactor inlet temperature was input to a controller to regulate the trim furnace
temperature which was then input to a controller that regulated the fuel gas pressure to the trim
furnace.  Alternatively, the trim furnace could also be operated at a specified fuel gas pressure.
The center inlet temperature from each of the four lower beds was input to  a controller which
changed the flow of quench hydrogen to each bed to maintain a set temperature.

Other temperatures were displayed in the control room but were not automatically regulated by
instrument controllers.  These were Bed 1 through 4 outlet temperatures, the reactor outlet
temperature1, and the differential between reactor inlet and outlet temperature.  Strip charts
recorded the temperature of the center thermocouple in the inlet of Beds 2 through 5 and  the
center thermocouple in the outlet of Beds 1 through 4.  These same two bed points were also
monitored by the data logger.

                    1.2.4.3  Data Logger

The data logger monitor displayed temperatures and locations of 40 of the 96 internal reactor
thermocouples. Signals from the remaining 56 thermocouples were displayed at a local panel at
the base of the reactor (see next section). Operators accessed the various display screens  using a
small, customized keyboard and on-screen menus. The data logger also displayed averaged
values of catalyst bed temperatures.  If the operators saw an erroneous reading on a temperature
       lrThis same point was displayed on strip chart for Bed 5, but was referred to as Bed 5 outlet even though it
was the reactor outlet temperature.  Bed 5 outlet temperatures were shown on the data logger and field panel.

-------
 Reference: figure 2 Isometric Thermocouple Arrangement - Stage 2 Reactors, Second Stage Hydrocrocker, Tosco
                                                                               OlSOTRPAXX.h (copy) (St23) 01/29/98




Figure 5       Stage 2 Reactors Thermocouple Arrangement - Isometric Drawing
                                                   10

-------
point, that point could be accessed and designated as "bad" from the keyboard. This designation
excluded the "bad" point from bed-average temperature calculation.

The data logger displayed temperatures from five points at the outlet of the first catalyst bed, five
points at both the inlet and outlet of the next three catalyst beds, and one point at the inlet and
four points at the  outlet of the fifth bed. It also displayed three skin (external wall) temperatures
per reactor and the inlet  and outlet temperatures of each reactor.   The thermocouples were
connected to a field multiplexer that sent a digital signal over a single pair of wires to the data
logger.  The signal coming into the data logger from a field multiplexer ranged from 0F to
1400F.  If a thermocouple failed or indicated a temperature that was above range, the multiplexer
would send a 0 signal to the data logger. The data logger displayed updated temperatures at 15
to 40  second intervals.

The data logger was also programmed to retain a record of temperature indications, known as the
data logger historian. Data from the historian was available to the accident investigators but did
not duplicate exactly what operators saw on the data logger the night of the accident because the
historian records only some of the information displayed.  Every hour,  the historian recorded the
current value of all points. Between these periodic readings, the historian recorded and time
stamped temperature readings only if they changed more than a predetermined amount
(deadband). For all the points, the deadband was 0.5%, or 7F for the  0 to 1400F range. The
historian created a data file every eight hours.  If the historian had not recorded a temperature for
a time interval (because it had not changed significantly from the previous value), the historian
used the value from the last previous recorded value. The data files were stored  on the computer
hard drive for one month.  The data logger could print from the historian file a value for each
temperature at requested time intervals.

                     1.2.4.4  Field Panels for Temperature Monitoring

Field panels were installed under the reactors during the 1996 January-February turnaround in
order to provide additional temperature readings in the catalyst beds.   Figure  6 is a plot plan of
the Hydrocracker operation that shows the location of the panel under Reactor 3 relative to the
control room.  Seven points from each thermocouple array were displayed on the panels.
Individual temperatures could be displayed by the operators at the panel using multipoint rotary
switches; one switch to select the bed desired and five other switches for selecting the point
within each bed. The field panel could display temperatures between -10F and 1200F. If the
temperature was outside this range, the  display would show all dashes  ().

                     1.2.4.5  Alarms

Each input point to the data logger had a high and low temperature alarm.   High temperature
alarms for the catalyst bed points were set at 780F. It is not known what alarm  points were set
for the reactor inlet and outlets. The reactor skin temperature low alarm was SOOT, while the
                                            11

-------
               Location of field panel
                                                    STABILIZER
                                                    REBOILER  O   O
                                                    HYDROCRACKER
                                                    CONTROL ROOM
Figure 6      Hydrocracker Plot Plan     Tosco Avon Refinery
                                         12

-------
high alarm was 1500F. When a point alarmed, the temperature reading appeared to "blink" and
the background color behind the reading changed from black to red.  The operator could
acknowledge the alarm, after which the reading would be steady and the background would stay
in the alarm color until the condition cleared.

The data logger had one digital output for high temperature that was connected to the board
annunciator. The temperature points signaled this alarm whenever they were in "new" alarm
status. The board annunciator alarm consists of a flashing light and audible horn on the Stage 2
alarm panel.  The operator would have to acknowledge the board annunciator to silence the horn
and stop the annunciator flash. If the alarm was acknowledged on the data logger keyboard, it
was no longer a "new" alarm and so the digital output turned off. This reset the system for the
next "new" alarm that came in.

The data logger also had alarms, with outputs to the annunciator, for points more than 50F above
or below the average  temperature, and low skin temperature alarms.  On the control board, a
flashing signal alarm would occur for the quench controllers if quench valve was more than 50%
open on Beds 2, 3, or 5 or more than 75% open on Bed 4.

              1.2.5  Operating Parameters

The maximum oil feed rate to Stage 2 was about 53,000 barrels per day (BPD). This
corresponded to about 35,000 BPD of oil feed to Stage 1. Volume expansion and 40%  oil
recycle rate made up the difference between these two feed rates.  Stage 2 reactor normally
operated at 650-690F and  1560 psig (pounds per square inch gauge). Typical operating
pressures and temperatures for various process streams in Stage 2 are shown in Figure C-l in
Appendix C. The minimum hydrogen partial pressure in Stage 2 was maintained at 1100 psia.
The recycle gas hydrogen purity was maintained between 75-84%. The  hydrogen to oil ratio was
maintained at 5500 (5000 minimum) standard cubic feet (SCF) hydrogen to barrel (bbl) of oil
feed.  The nitrogen level for feed to Stage 2 was not to exceed 14 parts per million (ppm).

Critical operating limits were defined by Tosco to establish the safe operating range for the unit.
Some of these are listed below in Table 1 for Stage 2 with the reported consequences of
deviation.
                                           13

-------
                                         Table 1
                      Critical Operating Limits for Stage 2 Reactors
Operating Parameter
Maximum reactor
temperature
Maximum temperature
for reactor outlet
Maximum reactor bed
average differential
temperature
Maximum reactor
differential
temperature
Limit
SOOT
690F
40F
75F
Consequences of Deviation
Possible temperature runaway. Possible vessel failure and
fire due to temperature runaway.
Possible downstream feed/effluent exchanger fire.
Possible fire, explosion if ignition source present.
Possible temperature runaway. Possible vessel failure and
fire due to temperature runaway.
Possible temperature runaway. Possible vessel failure and
fire due to temperature runaway.
              1.2.6  Emergency Depressuring

A 100 psi per minute (psi/min) and 300 psi/min depressuring systems were installed in 1986.
These systems were designed to rapidly depressure the reactors to reduce the reaction rate and
high temperatures in emergency situations.  Both emergency depressuring valves were located at
the gas outlet line of the HPS and discharged to the flare system.

The 100 psi/min system was activated automatically if the recycle compressor shutdown. The
system could also be manually activated by an operator in the control room. Once the 100
psi/min system was activated, the following would automatically occur:

       Stage 2 charge pump is shut down;
       Fuel to the trim furnace is shut off;
       Makeup gas to Stage 2 is shut off;
       Hydrogen to recycle compressor suction and discharge streams are stopped; and
       The Hydrocracker reactor system is depressured at the rate of 100 psi/min to refinery flare
       system.

In addition, the oil feed from Stage 1 would be manually diverted to storage tanks.  If the 100
psi/min system was activated manually, the recycle compressor would continue to operate.  The
100 psi/min system allowed the unit to be restarted quickly if the situation could be corrected
before the unit was fully depressured. If reactor temperatures continued to increase while the unit
was being depressured, the operators were instructed to activate the 300 psi/min depressuring
system immediately.
                                           14

-------
The 300 psi/min system was activated only manually using a switch in the control room. It
depressured the Stage 2 high pressure system to the refinery flare, diverted make-up hydrogen,
shut down the Stage 2 charge pumps and the recycle compressor, and stopped fuel to the trim
furnace. If the 300 psi/min system was activated, the unit had to be depressured to less than 10
psig before the unit could be restarted. This is because the reactors are required to be under
pressure after the vessels walls have cooled because of the risk of catastrophic failure due to
temper embrittlement.

              1.2.7  Operating Personnel

The Hydrocracker operated continuously for 24 hours a day staffed by three eight-hour operating
shifts. There were normally five operators on duty at the Hydrocracker during each shift.  One
operator was known as the No. 1 Operator who oversaw the shift, assisted with board duties if
necessary and made outside rounds at least once per shift.  The other operators were known as
No. 2 Operators. One was the Hydrogen Board Operator who operated the control system for
the Hydrogen Plant and Stage 1.  Another was the Stage 2 Board Operator who operated the
control system for Stage 2, including the high and low pressure systems. The other two operators
were East Pad and West Pad Operators who were responsible for making rounds to check
equipment, taking outside readings and obtaining samples as necessary for the East Pad
(Hydrogen Plant) and West Pad (Stage 1 and Stage 2) high and low pressure systems,
respectively. Figure 6 shows the location of the Hydrocracker control room and Stage 2 Reactor
3 on a Plot Plan.

2.0    Description  of the Accident

This section describes the events that occurred on January 21, 1997 leading up to the explosion
and fire at the Hydrocracker Unit.

       2.1    Events of January 21, 1997

             2.1.1  Night Shift (10 pm to 6 am)

At about 4:50 am on January 21, a clamp on the flange of the  Stage 1 Reactor A effluent
exchanger began to leak.  The pressure and feed rates to Reactor A were reduced to stop the leak,
but this action was ineffective.  The feed to Reactor A was diverted to Reactors B and C at about
5:20 am to stop the leak.  The extra feed to these reactors lowered their temperatures and limited
the hydrotreating reaction. This caused the nitrogen content in the Stage 1 effluent to rise above
the specified limit of 14 ppm.
                                           15

-------
              2.1.2  Day Shift (6 am to 2 pm)

At 8:10 am, the nitrogen content of Stage 1 effluent was 196 ppm, above the specified limit of 14
ppm.  According to the swing shift Stage 2 Board Operator, the high nitrogen content material
from Stage 1 had to continue to Stage 2 and could not be sent to the off-test tanks because they
were full.  Because of the high nitrogen levels in the feed to the Stage 2 reactors, the Stage 2
catalyst became "poisoned" causing the Stage 2 cracking reaction to decline. By 9:30 am, the
quench flows to Stage 2 catalyst beds had begun to drop off, indicating a reduced reaction. At 10
am, the nitrogen content from Stage 1 was 352 ppm.  At approximately 11:30 am, the strip charts
showed no temperature differential across Reactor 3.  During the day shift, the differential
temperatures averaged less than 10F per catalyst bed for all Stage 2 reactors and the unit was not
producing any light product.

Feed rate to Stage 1, Reactor B was reduced in order to enable bed temperatures to be increased.
A contractor repaired the leak on the Reactor A exchanger flange clamp by injecting sealant into
it.  The leak was stopped but Reactor A remained down to allow time for the sealant to cure.
Meanwhile, operators continued to adjust rates and temperatures in Reactors B and C in order to
increase the reaction and reduce the nitrogen content in the effluent. At 12:13 pm, the Stage 1
stripper bottom nitrogen analysis was 66 ppm.  At 1:10 pm, it was 40 ppm.

Sometime during the day of January 21, an operating plan was written in the shift logbook for the
evening of January 21, to prepare for the introduction of oil to Reactor A the next morning at 8
am.  The plan directed the operators to continue to raise temperature in Reactors B and C at a
reduced rate, in order to get the nitrogen down to 5 ppm or less,  and then to increase the rate to
these two reactors as much as the nitrogen constraint allowed. In addition, the operators were
directed to gradually increase temperatures in Stage 2 in order to drive the  nitrogen off the
catalyst.

              2.1.3  Swing Shift (2 pm to 10 pm)

On the swing shift, two extra operators were added to help with Stage 1 problems.  One was the
No. 1 Operator on the day  shift who stayed over on the swing shift to help  out and monitor
repairs on the Reactor A exchanger clamp.  The other was a No.  2 Operator (worked night of
January 20-21) who was brought  in to get  Stage 1 Reactor A up to temperature before planned
introduction of oil at 8 am the next morning (January 22).  At the start of the swing shift, there
were no light products in the low  pressure  section of Stage 2, indicating little or no reaction
occurring.  Only a few quench flows (Beds 2 and 3 in Reactor 1, Bed 2 in Reactor 2 and Bed 3 in
Reactor 3) were above 10% of full-scale flow which is also an indication of low reactor activity.
Stage 2 bed inlet temperatures varied from about 612 to 640F.  At 5:38 pm, the nitrogen analysis
for the Stage 1 stripper bottoms was 47 ppm.
                                           16

-------
At 7:34:00 pm (corrected data logger time2), the Reactor 3 Bed 4, Point 2 outlet temperature
increased from 628F to 823F in 40 seconds. See Table 2 for temperature data.  The data logger
alarm sounded displaying a Bed 4 outlet high temperature and also a high Bed 5 inlet temperature.
The Stage 2 Board Operator heard the alarms and saw temperatures of about 690F on Bed 4
outlet and 890F on the Bed 5 inlet.  According to data logger records, Reactor 3, Bed 5 inlet
temperature had risen from 637F to 860F within one minute.  The strip recorder on the control
panel for Bed 5 inlet temperature went from about 640F to full scale (SOOT).  The strip chart
recording the Bed 4 Point 3 (center) outlet temperature appeared normal.

About 7:34:20 (based on the data logger reading for Bed 5 inlet high temperature), the hydrogen
quench flow to Bed 5 began to open further to reduce the temperature, as was seen on the strip
chart recorder.  It continued to open to 100% on the strip chart recorder. At about the same
time, the makeup hydrogen to Stage 2 began to decrease.

The Stage 2 Board Operator expressed concern over a potential excursion and within a minute
the two No. 1 Operators joined him in evaluating the control board and data logger readings.
They reported seeing the data logger temperatures start to bounce up and down, from normal
range temperatures to 0 and back again. The Stage 2 Board Operator stated that the Bed 4 and 5
temperatures were swinging from 0 to 1200F, then back to 650F. The No. 1 Operator stated
that they could not trust the figures.  At some time prior to 7:37 pm, a No. 2 Operator went to
check the temperatures at the field panel under Reactor 3.

The sudden increase in quench flow to Bed 5 caused the hydrogen flow to the trim furnace(s) to
fluctuate. This in turn caused the hydrogen flow control valve to the trim furnace to open further.
Since the trim furnace hydrogen is temperature controlled, this caused an increase in fuel gas flow
(to heat up additional hydrogen in the trim furnace) and dropped the fuel gas pressure. At 7:36:20
pm (alarm log history time), a high flow alarm occurred for the hydrogen flow to Reactor 1 trim
furnace.

By 7:35 pm, the Bed 4 Point 2 outlet temperature had decreased to 637F and the quench flow to
Bed 5 was still full open. The other four Bed 4 outlet temperatures remained normal during this
time, which included Point 3 (center outlet) which was also recorded on the control panel strip
charts.  According to the data logger, by 7:35 pm, the four Bed 5 outlet temperatures had
decreased by 15-30F each in response to the Bed 5  quench valve opening.

By 7:36 pm, the quench flow to Bed 5 had risen to full scale, and the Bed 5 inlet temperature had
decreased to 633F on the data logger and had also decreased accordingly on the strip chart
recorder.  At 7:36:00, the Reactor 3 outlet temperature had increased 9 degrees in 20 seconds,
       2 The data logger recorded time that was 52 minutes ahead of actual time; this report uses the actual time.
The data logger temperatures cited in this report are from the historian file created by the data logger computer.
Because the historian file saves temperature data according to a specified program (see Section 1.2.4.3), it may not
duplicate the exact same temperature that the operators saw on the data logger.

                                            17

-------
from 641 to 650F, but this was apparently not noticed by the operators. Operators said that they
did not hear any other high temperature alarms. Throughout this time, the operators reported that
the temperatures on the data logger continued to "bounce up and down", fluctuating between
high, normal and 0 temperature readings.

Between 7:36 and 7:37 pm, the fuel gas pressure at the Reactor 1 trim furnace had increased to
30 psi which was over the maximum limit of 28 psi.  The extra No. 1 Operator reduced firing in
the furnace to prevent overfiring. He took the trim furnace off temperature control and put it on
fuel gas pressure control.  He then switched the Bed 5 quench flow controller from automatic to
manual control and closed the quench valve to Bed 5 because he was concerned about losing
temperature in the reactor. The Stage 2 Board Operator stated that he saw high recycle flows
through the Trim Furnace 1 and 2.  The extra No. 1  Operator was blocking his view of the Trim
Furnace 3 instruments.

By 7:37 pm, the Bed 5 outlet temperatures had all started to increase in temperature, the highest
being Bed 5 outlet Point 1 at 681F.  See Figures 7-8 depicting graphs of the relevant Reactor 3
temperature changes during this period of time. At 7:37 pm, the hydrogen makeup dropped to
zero according to the Performance Monitoring System (PMS) computer. The Hydrogen Board
Operator alerted the other operators of this change.  He said the hydrogen plant was becoming
over pressured.  Excess hydrogen was directed to the header/flare system to prevent over
pressure. At 7:39:02 pm (according to alarm log history), a high flow alarm for the hydrogen
blowdown to the flare occurred.

Between 7:37 and 7:39 pm, the extra No. 1 Operator controlled the operation of the trim furnace
while the Stage 2 Board and No. 1  Operators continued to monitor temperatures and the data
logger which continued to fluctuate.  The Stage 2 Board Operator noticed on the control board
that the quench flow to Bed 5 had been manually closed, and at 7:38 pm, he re-opened it.

Between 7:38 and 7:39 pm, all four Bed 5 outlet temperatures rose above 780F, with Point 1
reading a maximum of 1255F at 7:38:20 pm.  All four Bed 5 outlet temperatures continued to
rise until they defaulted to zero at 7:39:20 (see Table 2).

From 7:36:20 to 7:39:20 pm, the Reactor 3 outlet temperature rose from 650F to  a maximum of
1220F. The reactor inlet temperature increased from 649F at 7:38:00 pm to 693F at 7:39:00.
The control board strip charts also recorded the sudden rise in reactor inlet and outlet
temperatures.

At approximately 7:39 pm, operators heard a radio message from the No. 2 Operator that was
garbled and unclear. The Stage 2 Board Operator thought he heard "1250" on the radio,  but was
not sure. Two unsuccessful attempts were made to contact him.  Two operators (East Pad and
extra No. 2 Operator) went outside to check on him. The reactor outlet temperature reading on
the data logger defaulted to 0 at 7:39:40 pm.
                                           18

-------
                                              Table 2
              Some Reactor 3 Temperatures- Bed 4, Bed 5, Reactor Inlet/Outlet


Time (pm)
7:33:00
7:33:20
7:33:40
7:34:00
7:34:20
7:34:40
7:35:00
7:35:20
7:35:40
7:36:00
7:36:20
7:36:40
7:37:00
7:37:20
7:37:40
7:38:00
7:38:20
7:38:40
7:39:00
7:39:20
7:39:40
7:40:00
7:40:20
7:40:40
7:41:00
7:41:20
7:41:40
Bed 4
Outlet
Temp
PM33C2
628.3
628.3
636.5
823.2
732.0
732.0
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
637.3
0.0 ????
0.0 ????
Bed5
Inlet Temp
PM40C3
636.9
636.9
658.0
720.7
859.5
859.5
792.4
715.7
664.4
633.4
633.4
660.7
660.7
660.7
660.7
660.7
660.7
660.7
648.0
648.0
655.6
655.6
655.6
645.7
645.7
0.0 ????
0.0 ????
Bed 5
Outlet
Temp
PM34C1
648.6
648.6
648.6
648.6
648.6
648.6
624.2
624.2
624.2
650.3
663.9
672.9
681.1
681.1
697.3
717.2
1255.7
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0 ????
0.0 ????
Bed5
Outlet
Temp
PM34C2
646.3
646.3
646.3
646.3
646.3
646.3
627.7
627.7
640.3
647.9
667.7
667.7
676.8
676.8
707.5
876.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0 ????
0.0 ????
BedS
Outlet
Temp
PM34C4
656.8
656.8
656.8
656.8
656.8
656.8
633.4
633.4
633.4
623.6
623.6
623.6
656.0
672.0
690.7
690.7
783.0
0.0
0.0
0.0
0.0
0.0
0.0
1397.1
1398.4
0.0????
0.0 ????
BedS
Outlet
Temp
PM34C5
645.9
645.9
645.9
645.9
645.9
645.9
645.9
615.4
615.4
615.4
615.4
625.6
645.8
673.5
673.5
673.5
705.8
744.0
889.0
0.0
0.0
0.0
0.0
879.9
694.9
0.0 ????
0.0 ????
Rx3
Outlet
Temp
PM41C
641.3
641.3
641.3
641.3
641.3
641.3
641.3
641.3
641.3
649.9
649.9
658.9
658.9
760.7
760.7
684.6
701.8
788.8
983.1
1219.6
0.0
0.0
0.0
0.0
0.0
0.0 ????
0.0 ????
Rx3
Inlet
Temp
PM25C
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
632.2
640.2
640.2
648.8
660.0
693.0
754.7
826.5
889.1
960.7
1233.5
0.0
0.0 ????
0.0 ????
Source : Data Logger Historian

The time listed in the table above is the actual time; the time in the data logger historian report was 52 minutes
ahead of actual time. Highest temperatures recorded per point are bolded.  A reading of 0.0 means temperature
was above 1400F. A reading of 0.0 ???? means loss of power to data logger computer. Bed 4 inlet temperatures
did not vary during the incident. Only the Bed 4 outlet temperature that experienced an abnormal rise in
temperature is included in the table.  Unchanged temperature readings mean that temperature did not change more
than 7F from last reading, therefore  data logger historian retains last previous recorded value.
                                                 19

-------
    1500


    1400


    1300


    1200
  1100
'ra
0)
  -  1000
     900
     800
     700
     600
                          Figure 7
               Reactor 3 Temperatures
Bed 4 outlet-Pt. 2   Reactor outlet

    Bed 5 inlet       Reactor inlet
                                                                    I    I    I    I    I    I    I    I
                                                                                                   j	i
             7:33:00   7:33:40   7:34:20   7:35:20   7:36:00   7:36:40   7:37:20    7:38:00    7:38:40   7:39:20   7:40:00   7:40:40
                 7:33:20   7:34:00   7:35:00   7:35:40   7:36:20   7:37:00   7:37:40    7:38:20    7:39:00   7:39:40   7:40:20   7:41:00
 Source: Jan 21, 1997 Data Logger Historian
                                                        Time (pm)
    1500
    1400
                      Figure 8
            Reactor 3 Temperatures
                         Bed 5 outlet Pt. 1   Bed 5 outlet Pt. 3

                         Bed 5 outlet Pt. 2   Bed 5 outlet Pt. 4
                                                                                  Gap in temp data due to data
                                                                                  logger defaulting to zero.
                        Ill
     700
     600
             7:33:00    7:33:40   7:34:20   7:35:20   7:36:00   7:36:40   7:37:20   7:38:00   7:38:40   7:39:20   7:40:00   7:40:40
                  7:33:20    7:34:00   7:35:00   7:35:40   7:36:20   7'37:00   7:37:40   7:38:20   7:39:00   7:39:40   7:40:20   7:41:00
 Source: Jan 21, 1997 Data Logger Historian
                                                         Time (pm)
                                                         20

-------
After 7:40 pm, the strip chart readings for the reactor inlet and outlet temperatures continued to
read off scale high.  The reactor inlet temperature reached a maximum of 1234F on the data
logger at 7:40:40 pm before defaulting to 0. About the same time, the extra No. 1 Operator
called the shift supervisor by phone, who immediately returned the call. The operator requested
the assistance of an instrument technician to work on the temperature logger on Stage 2.  Also at
this time, the Stage 2 Board Operator noticed that the reactor inlet temperature had increased to
over SOOT . In response, he reduced firing on the trim furnace and lowered the temperature set
points to the top two beds,  as a means of increasing quench flow.

At 7:41 pm, the highest recorded temperature on the data logger was the  Bed 5 Point 2 outlet
temperature, which registered 1398F. At this time, the two outside operators had reached the
northwest corner of the control room and the Stage 2 Board Operator was lowering the
temperature set point on Bed 3. At approximately 7:41:20, an explosion  occurred, followed by a
fire.  Seconds before the explosion, one observer driving by the Hydrocracker Unit reported
seeing a glowing red-hot pipe elbow in front of the Stage 2 reactors.

Several Tosco and contractor employees reported hearing a pop or crack sound, followed by two
explosions, one small and one bigger. A horizontal straight section of 12" diameter Reactor 3
effluent piping had ruptured just upstream of a 12"x 10" diameter reducer. Beyond the reducer,
the 10" diameter pipe entered the top of the 40-foot high feed/effluent exchanger structure for
Reactor 3.  The hydrocarbon and hydrogen mixture released from the pipe rupture apparently
autoignited very shortly after the initial release, causing a fireball over 100 feet high.

Immediately following  the explosion, the 300 psi/min depressuring system was activated and
operators began to  shutdown the unit. After the explosion, there was a power failure and the unit
operated on backup power  and batteries for several hours. Emergency response procedures and
notifications were started.

      2.2    Emergency Response Actions

The news media reported that reverberations from the blast were felt 20 miles away, and smoke
and flames were visible from nearby freeways. Within minutes of the explosion, Tosco responded
by activating the Emergency Command Center and employee volunteer fire brigade.  The Incident
Commander was on site at the time of the explosion and immediately set up an Incident Command
Post.

Tosco notified various  agencies, including Contra Costa County Health Services Department
(CCCHSD), California Office of Emergency Services, Bay Area Air Quality Management District
(BAAQMD), California Department of Fish and  Game, National Response Center, EPA Region
IX, CAL OSHA and Santa  Fe Railroad.  Some problems occurred with communications and
notifications because the phone lines were overwhelmed with incoming calls. Contra Costa
County fire fighters were deployed outside the refinery  and were available in case additional
assistance was required.  Tosco had its own fire brigade and did not request outside help during
the incident.
                                           21

-------
Tosco requested at 8:26 pm that CCCHSD activate the Community Alert Network and sirens for
a Level 3 incident.  CCCHSD activated the Community Action Network, an automated
emergency telephone notification system, which notified residents about an hour after the
accident. The notification system reached 1,440 of 1,851 households in the Clyde and North
Concord areas to warn them to stay inside as a precaution. The county tried  to activate a new
siren warning system for the first time, but it failed to work completely.

The unit was isolated, depressured, and shut down while cooling water was applied to the fire and
surrounding structures.  Approximately 50 Tosco fire fighters participated in the response using
portable fire monitors and all of the stationary fire monitors in the area.  Additional fire pumps
were started throughout the refinery as required to maintain fire water pressure. The firefighters
spent most of the night battling the fire. The fire was contained to the Hydrocracker Stage 2
Reactor 3 outlet, control valves and associated piping, and eventually burned out.

Nitrogen was purged through the reactor and damaged piping to remove hydrocarbon vapors and
to prevent any further flare-ups. Some smoke was emitted from the burst pipe, after the nitrogen
purge was initiated.  Several flare-ups of the fire occurred the next day, due to seepages of
hydrocarbons.

       2.3    Consequences of Explosion and  Fire

              2.3.1  Death and Injuries

A Tosco Hydrocracker operator, who was in the  process of checking the temperature panel
located at the base of Reactor 3, was killed. He was severely burned as a result of being in close
proximity to the fire from the ruptured pipe. According to the coroner, he died of third-degree
burns on 100 percent of his body and smoke inhalation.  A total of 46 personnel were injured;
eight were Tosco employees and 38 were contractor personnel. Injuries consisted of a fractured
foot, emotional trauma, headaches, ringing ears, cuts and scrapes, and twisted knees. Thirteen
injured personnel were taken by ambulance to local hospitals, treated and released.  There were
no reported injuries to the public or other offsite personnel.

As many as 500 Tosco employees and contract workers were at the plant at  the time of the
explosion, working to complete maintenance turn-around projects.  Some of the injured were
inside or near contractor trailers close to the Hydrocracker Unit. The blast from the explosion
blew out the windows of one trailer and the flames prevented workers from exiting the trailer
door. The workers climbed out of the trailer window facing away from the fire. Many personnel
in the surrounding areas were knocked down by the force of the explosion resulting in some of
the injuries. Some workers who were knocked down were in a tent receiving a safety orientation.
Other personnel fell or tripped as they tried to run away from the explosion and fireball.  A few
were knocked  down by other running personnel.
                                           22

-------
              2.3.2  Equipment Damage

The rupture created about an 18 inch long tear in the Reactor 3 effluent piping.  The photographs
in Figures 9-13  show some of the resulting damage.  The fire melted a light pole on the road next
to the reactors.  The lower part of a metal ladder on Reactor 3 was damaged by the heat.
Scaffolding around the Stage 1 and 2 reactors was misshapen from the heat of the fire, but there
did not appear to be much blast damage. The fire fighting equipment next to Reactor Road (see
Figure 6) was damaged.  Wooden platforms near the unit were charred. The six reactors were
covered with asbestos insulation overlaid with aluminum, which was blackened by the fire. A large
valve on the fire water piping near the road was damaged.

             2.3.3  Environmental Impact

The wind during initial stages of the incident was out of the south-southwest; smoke, vapors and
particulates released were blown by 5-7 mph wind towards uninhabited areas and Suisun Bay north
of the Refinery.  Tosco estimated that 13 pounds of friable asbestos insulation from the damaged
piping and equipment was released.  Air sampling for asbestos was conducted by Tosco in the
immediate area of the accident.  All results were below the detection limit of the test and below
the OSHA standard of 0.1 fibers per cubic  centimeter averaged over an eight-hour period.

The Bay Area Air Quality Management District (BAAQMD) received one public complaint during
the incident. Air monitoring was conducted by BAAQMD which showed low (< 2.4 parts per
billion) but detectable amounts of six organic chemicals (toluene,  methyl tert-butyl ether, benzene,
methyl chloride, carbon tetrachloride and perchloroethylene). None of the concentrations detected
were above levels of concern.
                                           23

-------
                             Tosco Avon Refinery
                              Hydrocracker Unit
Figure 9      First and Second Stage Reactors
                                    24

-------
Figure 10     Reactor 3 Effluent Piping Rupture

Figure 11     Field Panel Location
                                  25

-------
                                 Tosco Avon Refinery
                                  Hydrocracker Unit
     Figure 12     Back Side of Reactor 3 Effluent Piping Rupture
Figure 13    Ruptured Effluent Piping after Removal
                                      26

-------
      2.4    Summary

             2.4.1   Key Events Preceding the Day of the Accident

Table 3 lists some events that occurred in the 11 days before the accident.  Some of these events
are discussed in more detail in Section 3 of this report.

                                       Table 3
                               Time Line of Key Events
                           Preceding the Day of the Accident
January 10
Day shift
January 11
January 12-15
January 16
January 17
January 18
January 19
Day shift
10:20 pm
January 20
Day shift
Swing shift
Stage 1 and 2 were in operation. Temperature monitoring for Stage 2 was
switched from data logger to new I/A computer system. (See Section
3.3.3.1 of this report for further discussion)
An internal leak was detected in a Stage 1 heat exchanger, the stripper feed
preheater.
Stage 1 and 2 of the Hydrocracker were shutdown and internal heat
exchanger leaks on Stage 1 were repaired. Various control valves were
replaced on Stage 2.
Stage 1 was put into operation. Reactor A feed/effluent exchanger began
to leak externally from a flange but then stopped leaking on its own.
Reactor A exchanger began to leak again. Leak was repaired by applying
sealant to clamp on exchanger.
Feed was introduced to Stage 2.
Stage 2 was operating. Compressor B relief valve was replaced.
A temperature excursion occurred in Bed 4 of Reactor 1 . Some
temperatures exceeded 900F. Operators did not depressure Stage 2 but
controlled temperature by other means. Operators reported problems with
I/A temperature monitoring system.
The use of I/A system was discontinued and the data logger was put back
into service.
Feed rate to Stage 1 was increased.
                                         27

-------
2.4.2  Key Events the Day of the Accident
                  Table 4
          Time Line of Key Events
           the Day of the Accident
January 21
4:50 am
8:10 am
10am
2pm
7:34 pm
7:35 pm
7:36 pm
7:37 pm
7:38 pm
7:39 pm
7:40 pm
7:41 pm
Reactor A effluent/feed exchanger clamp began to leak again and the leak
could not be controlled. Feed to Reactor A was diverted to Reactor B and C,
causing reactor cooling and high nitrogen content in effluent.
Nitrogen content of Stage 1 effluent was 196 ppm, above the specification of
14 ppm.
Stage 2 catalyst beds were poisoned from high nitrogen levels in the feed and
cracking was greatly reduced. Nitrogen content from Stage 1 was 352 ppm.
Sealant was injected into clamp on Reactor A heat exchanger.
Two extra operators were added on swing shift to help with Stage 1 problems.
During swing shift, operators gradually increased temperatures in Stage 2 to
drive nitrogen off the catalyst.
A temperature excursion occurred in Reactor 3, Bed 4. Inlet temperature to
Bed 5 increased rapidly as a result.
The quench valve above Bed 5 opened wide. Data logger temperatures
bounced from zero to normal or high and back. Makeup hydrogen to Stage 2
began to decrease. Bed 4 outlet temperature point decreased to 637F.
Bed 5 inlet temperature decreased to 633F. Reactor 3 outlet temperature
increased to 650F. A No. 2 Operator went outside to check temperatures on
the external panel sometime before 7:37 pm..
Bed 5 outlet temperatures were increasing. Operator manually closed quench
valve to Bed 5. Hydrogen makeup to Stage 2 dropped to zero.
Quench valve to Bed 5 was reopened. Bed 5 outlet, reactor inlet and outlet
temperatures continued to rise; some of these exceeded 1200F.
Operators heard a garbled radio message from No. 2 Operator. Two
operators went outside to check on No. 2 Operator.
Bed 5 temperatures and the reactor outlet temperature read off scale on strip
charts and defaulted to zero on data logger. Operators requested assistance of
instrument technician.
One of the Bed 5 outlet points read 1398F on the data logger. A section of
the Reactor 3 effluent piping ruptured causing an explosion and large fire.
The No. 2 Operator was killed.
                    28

-------
3.0    Investigation

USEPA Region 9 was notified of the accident at 9:03 pm on January 21, 1997 and an
investigation to determine the root cause of the accident was begun January 23, 1997 by Region 9
and Headquarters investigators.  The investigation was conducted under authorities contained in
CERCLA, Section  104, 42 U.S.C.  9604 and the CAA,  Section 114, 42 U.S.C. 7414, Section
112r.  The scope of the investigation was limited to determining the causes and contributing
factors associated with the explosion and fire in Stage 2, Reactor 3 of the Hydrocracker Unit.
The purpose of identifying these causes and factors was to understand why the accident occurred
so that the lessons learned could be applied by Tosco and other hydroprocessing facilities in order
to prevent reoccurrence of similar accidents.

       3.1     Approach

The investigation team sought to determine why the reactor effluent pipe failed, triggering the
explosion and fire.  The team coordinated its  efforts with other agencies to determine the causes
of this event.

              3.1.1  Coordination with Other Agencies

This investigation was coordinated among  investigators working for:

    USEPA Headquarters, Chemical Emergency Preparedness and Prevention Office (CEPPO),
   Washington, DC
    USEPA Region 9, San Francisco, CA
   California Division of Occupational Safety and Health (CAL OSHA), Concord,  CA
    US Department of Labor (DOL) Occupational Safety and Health Administration (OSHA)
   Region 9, San Francisco, CA
  Contra Costa County Health Services Division (CCCHSD), Martinez, CA
   California Bay Area Air Quality Management District (BAAQMD), Martinez,  CA

The coordination consisted of consultation on agency information requests to avoid duplication of
effort, sharing documents and interview results, and jointly exploring the possible causes of the
accident. CAL OSHA,  with assistance of Region 9 Federal OSHA, concurrently conducted an
investigation for violations of health and safety orders as well as a process safety management
(PSM) audit.  The Bureau of Investigation of CA Department of Occupational Safety and Health
concurrently conducted a criminal investigation.  Contra Costa County Health Services
Department concurrently conducted an investigation into the root causes of the accident.
BAAQMD concurrently conducted an investigation into possible violations of air quality control
regulations.  The personnel from each agency involved in the accident investigation  are listed in
Appendix G.
                                           29

-------
On May 29, 1997, CCCHSD and Tosco issued separate investigation reports discussing the
events leading up to the accident, the causes and contributing factors, and recommendations.  A
presentation discussing the findings in both reports was made by Tosco and CCCHSD
investigators to the Contra Costa County Board of Supervisors at a public meeting on June 3,
1997.

              3.1.2   Physical Evidence Collection

Pieces of equipment and evidence were collected,  stored and identified by using a protocol
approved by Tosco and the investigating agencies. Testing of the ruptured pipe and reactor
thermocouples was conducted using a prescribed protocol. Physical evidence collected included a
bull plug from a nipple on the 12" diameter effluent line, the thermowell and hardware, blind
flange from bottom of reactor #3 effluent line, damaged section of effluent pipe, five hydrogen
quench valves (inlet quench and 4 big quench valves), thermocouple bundles from Reactor 3, and
catalyst samples from Reactor 3 (three samples per bed).

              3.1.3   Information Sources Reviewed

Interviews with Tosco operators and management personnel were conducted by CAL OSHA
inspectors with interview questions developed with the assistance of all the agencies investigating.
CAL OSHA then briefed the other investigators on discussions from the interviews. Investigators
reviewed documents supplied by Tosco including  procedures, process and instrumentation
diagrams (P&IDs), reactor temperature data, strip charts, process flow data, alarm logs,
maintenance records, management of change documents, shift logs,  shift superintendent logs,
work permits, written  witness statements,  reactor  internal drawings, catalyst data, incident
reports, process hazard analysis, engineering memos and reports, pipe inspection data, equipment
and piping design specifications, training materials, health and safety practices, test data (ruptured
pipe, thermocouple, and catalyst tests), videotapes of reactor internals, and CCCHSD and Tosco
Refining Company accident investigation reports.

              3.1.4   Methodology

An Events and Causal Factors (E&CF) chart was  developed to establish a sequence of events for
the accident.  A workshop was held during the week of July 21-25,  1997 in Concord, California
with investigators participating in reviewing the E&CF chart and identifying contributing factors
to the accident. See Appendix H for a list of participants in this root cause analysis workshop.

The investigators participating in the root cause workshop used several methods to identify causes
and contributing factors to the accident. A consultant in root cause methodology assisted the
investigators in using the methodologies, and facilitated discussion of the analysis.  Investigators
used the following methods to analyze the information collected during the investigation:
                                           30

-------
Hazard-Barrier-Target Analysis- used to analyze the fire/explosion hazard to the fatality (No. 2
Operator) and injured parties.

Fault Tree Analysis- used to identify possible causes of pipe rupture, control system failures, and
temperature excursion.

Management and Risk Oversight Tree (MORT)- used to assess the adequacy of various
management systems such as:
Personnel Errors
Design
Human Factors
Management Policy and
Implementation
Maintenance
Readiness
Hazard Analysis Process
Procedures
Information System
Supervision
Control room operator errors
Temperature and pressure indicating system, control room, field
temperature panel, effluent piping system, reactor
Design of the control room information devices - charts, loggers
Including services and management expectations
Maintenance plan and implementation
Monitoring system ready to operate
Evaluating the installation and design of the new temperature
logging system
Routine and emergency operating procedures appropriateness and
completeness
Information available to the operators regarding process monitoring
system
Detecting and correcting hazards, enforcing safety and emergency
practices.
The investigators worked in teams using different methods on various areas of identified
problems. Facts collected during the investigation were organized and documented to explain the
adequacy or inadequacy of safety management.  Root causes were identified and
recommendations developed to address the root causes.  A draft report with a description of the
accident, facts and analysis, root causes and recommendations was developed and reviewed by the
investigators. Petroleum refining consultants were called upon where needed to provide an
assessment of information used in the report.
                                           31

-------
              3.2     Testing Results

This section described tests conducted on the failed pipe, catalyst, reactor thermocouples, and the
data logger. The purpose of this testing was to focus on the cause of the pipe failure and the
temperature excursion in Reactor 3 and the conditions present that led to their occurrence.

              3.2.1   Ruptured Pipe Testing & Inspection

The only inspection history available for the particular portion of the Reactor 3 effluent piping line
was an ultrasonic wall thickness measurement of 0.94 inches from a 1991 inspection. There was
no record of original gage thickness for the effluent piping, which was assumed to be original
piping installed in 1963.  There were no records showing that it had ever been repaired or
replaced.

The Reactor 3 outlet piping was originally specified to be 12-inch diameter piping of l-Vi%
Chromium  and l/2% Molybdenum alloy steel ASTM A335 Grade PI 1 with a wall thickness of
0.746" minimum or schedule 100.  Schedule 100 12-inch diameter pipe has a nominal wall
thickness of 0.843 inches.  The current ASTM specification for standard A33 5 does not specify
minimum pipe thickness but references standard A 530 for general requirements which includes
pipe wall thickness. The current ASTM standard A530 states that minimum wall thickness at any
point shall not be more than 12.5% under the nominal wall thickness specified. For a nominal
wall thickness of 0.843 inches, the minimum wall thickness would be 0.738 inches.

Downstream from the point of rupture, the piping was welded to a 12"x 10" reducer to match the
10-inch diameter pipe that entered the feed/effluent heat exchangers. The piping specifications
called for schedule  120 for 10-inch diameter pipe.  Nominal thickness of this pipe is 0.843 inches.

The post-accident testing of the section of ruptured effluent pipe consisted of visual inspection,
thickness measurements, ultrasonic measurements, liquid penetrant examination, magnetic particle
examination, metal chemical analysis, tensile strength tests, hardness tests, microphotographic
analysis, and metallographic analysis. The point of failure on the section of pipe was not a weld,
elbow or reducer. Nearly all (21 of 24) of the measurements of pipe thickness just upstream and
downstream of the  ruptured section were greater than the minimum pipe thickness specification of
0.746 inch.  Testing results indicated that the  pipe failed due to excessively high temperature.  The
temperature in the ruptured pipe reached 1700+F at the point of failure, based on visual
microscopic inspection by the lab.  The pipe had been stretched resulting in a thickness of 0.3-0.4
inches at its thinnest point.  At the point of failure, the pipe had expanded in circumference by
approximately 5 inches, which created a localized bulge in the pipe prior to rupture. Other
sections of the Reactor 3 effluent piping had also expanded.

Chemical analysis for the base metal samples were found to conform to the requirements for
ASTM A335-94, Grade PI 1 and the weld metal was found to be of the  1-Vi %Cr, V2% Mo type
and was compatible with the base metal.  The minimum tensile strength  of the metal should be 60
                                            32

-------
ksi according to ASTM A335.  This corresponds to a Rockwell Hardness number (HR) of 69
using the Rockwell B Scale. Testing showed that the hardness of base metal samples varied from
76 to 81 HRB (Rockwell Hardness number using Rockwell B Scale) while the hardness of the
weld metal samples varied from 70 to 91 HRB.

             3.2.2  Catalyst Testing

Catalyst samples from all three  Stage 2 reactors were collected and analyzed.  Inspection of the
catalyst bed after the accident revealed a fused hardened pillar of catalyst in Bed 4 of each Stage 2
reactor. The catalyst samples from the pillars had 2.5 to 3 times higher carbon content than
samples of loose catalyst from the same beds.  This high carbon content was due to the buildup of
petroleum coke.  Catalyst samples from the middle of Bed 5 in Reactor 3 showed an 80% loss of
surface area, consistent with exposure to extreme temperatures. The catalyst had been in use for
one year, since it was installed in the January 1996 turnaround.

             3.2.3  Thermocouple Testing

All thermocouples from the Reactor 3 arrays were tested to see if they would give temperature
readings. All but three did; these had loose junctions in the silver soldered joint from the
thermocouple to the lead wire, where an epoxy seal was located. According to the thermocouple
vendor, the silver solder joint was likely to have been damaged by exposure to fire. Moving the
lead wires around to make contact allowed readings to be taken.

Bed 4 outlet and Bed arrays were tested using a propane torch to determine if the lead wires were
shorted.  The only problems detected were loose junctions as described above.

The Reactor 3 thermocouples were also tested for temperature accuracy, using a controlled heat
source.  The largest deviation was 16F and all deviations were readings below the controlled
source temperature. The thermocouple vendor indicated that moisture in the insulation on these
thermocouples was probably leaking voltage across the insulation resulting in a low reading.
Based on the test results, it is believed that the thermocouples were working properly prior to the
accident.

             3.2.4  Data Logger Testing

Since the operators had reported problems with the data logger, tests were conducted on the data
logger and thermocouple arrays using a simulator connected to the data logger.  Various
operating conditions and failures were simulated to determine the response of the data logger and
to determine if it was malfunctioning.  Results of the thermocouple and the data logger testing
showed that they were likely to have functioned properly on the night of the incident, with the
exception of one of the high temperature alarms, which is discussed further in a later section.
                                           33

-------
The outcome of these tests showed that for a 5F change (slow or fast), the historian data did not
change. For slow or fast 50F and SOOT changes, the screen updating time ranged from 13 to 62
seconds, depending on the number of input points showing.  For temperature increases of 0.1F
every 20 seconds for 5 minutes, the screen update time was about 20-40 seconds. A loss of signal
to the multiplexer caused the temperature display to default to 0.0.  Data logger response to a
short in a thermocouple wire was that the temperature points defaulted to the ambient
temperature at the location of the short. Loss of power to the multiplexer or the interface unit
resulted in screen  and historian holding the last good value, even after  10 minutes.  Removal of an
input card to test the data logger response of failure of an input card resulted in readings of 0.0
for all thermocouples associated with that input card. If power was shutdown to the data logger
computer, temperatures were displayed as "0.0????"  on the data logger.

High thermocouple readings were simulated followed by disconnection of the simulation.  This
tested high input to the data logger followed by thermocouple failure.  The data logger points
triggered an alarm at 780F. However, the alarm status cleared when the temperature went above
1400F; data logger readings defaulted to 0.0.

Using a controlled heat source, several thermocouples were heated, triggering a high temperature
alarm on the data  logger at 780F. The alarm status cleared when the thermocouples were cooled
below 780F.

Rapid full-scale changes (0 to 1400 and back) were simulated on several temperature points.  No
unusual readings were produced and the historian data showed the rapid changes.  Heating the
lead wires in the thermocouple sheath had no effect on the readings.

Testing showed that points changing  by +/- 50F would alarm but would not change state
(reading on monitor changing from blinking to steady) when acknowledged on the data logger
keyboard. The +/- 50F alarm would not be triggered again if another  point were to exceed the
limit.  (See Section 1.2.4.5 discussing Alarms). This could explain why operators in the control
room did not  receive additional high temperature alarms during the January 21 incident.  A point
tested for low skin temperature (< SOOT) would change state when it was acknowledged on the
data logger.

Tosco management stated they did not know how often the temperatures were being updated on
the data logger display during the January 21,  1997 excursion. Tosco was not able to reproduce
the operators' reports of temperatures dropping to zero because the data logger stored data
differently than what was displayed in the control room. However, printouts from data logger
showed zero readings for some thermocouples, some of which later indicated high temperatures.
                                           34

-------
       3.3    Information Analysis

              3.3.1   Effluent Pipe Rupture

The results of the pipe testing show that the pipe failed because of extremely high temperatures.
Tests indicated the data logger temperatures were correct except when they defaulted to zero
because they exceeded the range of the data logger.  Results of the catalyst testing showed that
extremely high temperatures had occurred in Bed 5 of Reactor 3. Based on the data logger
historian temperatures (Table 2), the high temperatures were initiated by a temperature excursion
which originated from the outlet of Bed 4 of Reactor 3.  The heat from this excursion caused an
elevated inlet temperature to Bed 5, which subsequently  increased the reaction rate and
temperature rise across Bed 5.  This caused the extremely high temperatures in the Bed 5 outlet
and the Reactor 3 effluent piping.

              3.3.2   Reactor Temperature Excursion

Temperature excursions are not unusual occurrences in hydrocracking, especially during startup.
The hydrocracking reaction generates heat which increases temperature and causes the reaction
rate to accelerate.  Since the hydrocracking process is exothermic (generating heat), once a
reaction is initiated, reaction rate and temperature will continue to rise unless properly controlled.
The common causes of temperature excursions in hydroprocessing include:

        Uneven flow and heat distribution in catalyst bed, causing hot spots
        Internal reactor failures, leading to catalyst migration and dead zones
        Incomplete sulfiding of catalyst
        Raising reactor temperatures too quickly when using fresh highly reactive
          catalyst
        Feed temperature too high
        Loss of recycle gas
        Low recycle gas or oil flow rate
        Inadequate reserve quench gas capacity
        Improper control, overreaction to some process change or operator inattention

                     3.3.2.1  Flow and Heat Distribution

Proper flow distribution is important to minimize risk of temperature excursions. Therefore, the
conditions in the reactor that might have interfered with uniform flow or heat distribution were
reviewed.  Some of the conditions discussed below could be causes of flow or heat
maldistribution and some are evidence that uneven  flow or heat distribution had probably
occurred.  Technical Services (Tosco's Engineering Support group) noted in April 1996 that Bed
5 appeared to have the worst temperature differentials in the reactor. This was indicative of flow
distribution problems and may have aggravated the generation of extremely high temperatures in
Bed 5, but it was not the sole cause since the excursion was initiated by a high Bed 4  outlet
                                           35

-------
temperature.  Appendix D shows the location and description of inter-bed distribution system
used on Stage 2.

                            Distribution Tray Pluggage

A video inspection of the inside of the reactor internals showed some catalyst pellets and support
balls on the distribution trays, but not in any significant amounts and not from every catalyst bed.
Migration of catalyst from the bed down to the distribution trays can cause pluggage, which can
cause flow distribution problems. The catalyst can migrate if the catalyst support screens are
damaged or have holes in them. One way to determine if distribution trays were plugged or
whether there was some other impediment to flow is to look at the pressure drop across each
catalyst bed during operation. However, Tosco did not measure the pressure drop across each
bed, only the total pressure drop across the reactor. The catalyst migration observed inside the
reactor after the accident did not appear to be significant enough to interfere with distribution of
flow.

                            Catalyst Coking

Coke deposits in catalyst beds are indicative of internal reactor problems, such as uneven liquid
distribution.  The videotape of internal inspection of all three reactors after the accident showed
that fused coked catalyst pillars had formed in Bed 4 of all three Stage 2 reactors.  The other beds
in all three reactors did not have coke pillars. Reactor 1 had a catalyst pillar on the bottom of Bed
4 at least several feet high with a circumference of I'lO" at the bottom and 1'7" at the top  of the
pillar.  Reactor 2 also had a catalyst pillar on the bottom of Bed 4 which was approximately 5 feet
high, 2'6"  in circumference at the bottom and 1'6" in circumference at the top of the pillar.  In
Reactor 3, a pillar of fused catalyst was found in the center of Bed 4, extending 8 foot upward
from the catalyst bottom support grid and measuring in diameter about 2 feet at the base and 8
inches at the top.

Coke deposits in Bed 4 of Stage 2 reactors have been found in previous turnarounds. Coke
pillars or balls forming in the catalyst are usually due to low flow or poor mixing. Coke can form
at temperatures as low as 800 to  1000F. Large coke pillars are usually formed over a long time
and are not likely to be the result of one excursion.  Large formations of coke in a catalyst bed is
not a fully understood process. High temperatures can cause coking, but coking on the catalyst
necessitates higher operating temperature to achieve desired reaction conversion. Also,  coking
can interfere with flow distribution which in turn can cause localized hot spots in the bed.
Therefore, the presence of coke pillars in Bed 4 only of Stage 2 indicates some flow distribution
and excessive temperature problems were occurring.

                            Bed 4 Operating Problems

Temperature instability in Bed 4 of the Stage 2 reactors have been noted on prior occasions,
which may have been evidence of flow maldistribution.  More operational problems had been
                                            36

-------
experienced with Bed 4 in Stage 2 than with other beds. For example, in June/July of 1995,
Technical Services noted that optimization was especially difficult to achieve in the fourth beds of
Stage 2.  In particular, controlling the Bed 4 inlet temperature appeared to be more difficult
compared with other beds.

Incidents involving Stage 2 Bed 4 temperature excursions had been documented in Reactor 1, on
three prior  occasions. One of these incidents occurred two days before the January 21 accident.
These are discussed in more detail in Section 3.3.3.2 of this report.  Inspection of Reactor  1 after
January 21, 1997 showed that one thermocouple located in the center of Bed 4 was slightly
bowed, possibly indicating extremely high operating temperatures.

As a result  of a temperature excursions(s) that occurred on July 23, 1992, special operating
guidelines were drafted in August, 1992 for Reactor 3, Bed 4.  The temperature differential across
Bed 4 was to be limited to 25F and the temperature increases were to be made at half the
recommended  rate given for other beds. However, these draft procedures were never
incorporated into the Standard  Operating Procedures.

                           Bed 4 Phase Change

One factor  that may have contributed to the temperature excursion  was a change of phases (liquid
to gas and vice versa) in Bed 4. It is common to have all gas phase in the lower beds of the
reactor. Even at the top of the reactor, the process fluid is generally about 95% gas by volume.
Beds 4 and 5 tend to have all vapor during normal operations.  Tosco performed flash calculations
that indicated that the reactants transitioned from wet to dry catalyst within Bed 4 of Reactor 3.
Beds in which  some of the catalyst is wet and some of the catalyst is dry are particularly
susceptible to hot spots since the  reaction rate and mechanism of heat generation and removal are
different for wet, partially wet and dry catalyst. Temperature gradients are more sensitive to
liquid distribution in the transition zone than in flow regimes where the catalyst is either
completely wet or dry.  Therefore, liquid distribution to the inlet of the catalyst bed is critical to
temperature stability, especially in beds where a transition between phases occurs. The flow
regime in Bed  4 possibly contributed to the formation of a "hot spot."

                           Bed 4 Distribution Design

The distribution trays above Bed  4 in each Stage 2 reactor were of a different design from  the
distribution trays above other catalyst beds in Stage 2.  This could have been a factor explaining
why Bed 4  had more flow distribution and operational problems.  Bed 4 had no downcomer tray
and the chimneys on the distribution tray were of a different design. (See Appendix D for details).
The original Isocracker had four catalyst beds. Beds 1, 2, 3, and  5 were the same design as they
were in the original Isocracker. When Tosco upgraded from the Chevron Isocracker to the
Unocal Unicracker design in  1986, another bed of different design was added and called Bed 4.
The modified reactor internals along with the other changes made at the time was then licensed by
                                            37

-------
Unocal as a Unicracker.  Tosco stated that they were not able to determine if the design of
distribution to Bed 4 was the cause of the coking problems.

                           Levelness of Distribution Trays

To achieve uniformity of flow, distribution trays must be fairly level.  Several problems with
Reactor 3 distribution trays were identified in an inspection in February 1992. The Bed 5 quench
pan had thinned, Bed 4 and Bed 5 quench pans were bowed downward, and some of the
distributor hanger support bolts for Bed 4 were missing. These items appeared on the
maintenance work list for the January  1996 turnaround.  However, no documentation was
available to indicate whether this maintenance had been completed.  Therefore, it is uncertain
whether these problems still existed at the time of the accident and whether they could have been
a factor in causing the temperature excursion.

Some distortions of the distribution trays were seen from the internal inspection of all three Stage
2 reactors conducted after January 21, 1997. In Reactor 3 above Bed 4, about 1A of the quench
tray was bent downward.  The tray had slipped down about 12 inches below the tray support ring,
and the manway was lifted 12 inches above the adjacent tray sections. The quench pan above Bed
4 appeared to be bowed downward. The upper surface of the Bed 4 catalyst had about a two foot
deep depression in the center.

The inspection after January 21 in Reactor 3 showed that the quench tray manway above Bed 5
was warped about 3  inches above adjacent tray sections. The Bed 5 quench pan had dropped
down in one place and was touching the top of the sawtooth downcomers on the next tray. This
seems similar to damage described from the  internal inspection report in 1992 of "5th and 4th bed
quench pans bowed down in center. 5th more severely, actually resting on distributor tray." The
downcomer tray in Bed 5 appeared to be wavy in some sections as though it had been pressed
down between the tops of the chimneys of the distributor tray below.

The post-accident inspection revealed that the quench tray above Bed 4 in each of the reactors
appeared to have been disturbed.  The pipe rupture would have caused a very large pressure drop
in the lower part of the reactor because the pressure in the reactor was approximately 1560 psig
as compared to the ambient pressure of 0 psig. Therefore, damage to distribution trays may have
been a result of the dramatic pressure decrease during the pipe rupture. Because of this, it was
not possible to determine with certainty whether unlevel distribution trays were a causative factor
in the accident.

Investigators were able to rule out a number of possible causes of the temperature excursion:

                    3.3.2.2  Catalyst Condition

The catalyst had been in use for a year and it had already been sulfided.  Therefore fresh reactive
catalyst was not a likely cause.
                                           38

-------
As mentioned earlier, the Stage 2 reactors were operating with partially deactivated catalyst,
which reduced the cracking/saturation reaction. Investigators considered the possibility that
reactivation of the catalyst combined with raising feed temperatures might have contributed to the
temperature excursion.

At approximately 7:00 pm, some cracking was occurring in Stage 2 but the temperature
differentials across each bed were still less than normal. Under the direction of management,
operators were gradually increasing temperatures in Stage 2 to restore catalyst activity.  The strip
chart indicated that the reactor inlet temperature was increasing gradually as planned, no sudden
control changes or temperature increases were noted.  A slow, steady rise in inlet temperature
from 625F to 640F occurred over a time period of 4 hours. At 7:36 pm, the reactor inlet
temperature was 640.2F on the data logger.

Operators were also working on reducing the nitrogen content in Stage 1 effluent in order to run
clean feed through the Stage 2 reactors.  The operators expected that the Stage 2 catalyst would
eventually clean itself up, if it was a temporary poisoning.

According to county investigators, the catalyst manufacturer deactivated with nitrogen
compounds some of the same  type of catalyst used with Stage 2 and conducted some tests to see
if they could induce  a rapid temperature rise.  They could not produce a temperature excursion.
Based on consultation with engineers with hydroprocessing experience, EPA investigators do not
believe that the process of reactivating catalyst in Stage 2 contributed to the temperature
excursion.

                     3.3.2.3   Feed Temperature

There were no sudden increases in reactor inlet temperature that would have caused the feed to
become too hot.  The strip chart shows a slow steady rise in reactor inlet temperature, which
never rose above 640F. Also, the rapid temperature rise first occurred in Bed 4 and not in the
three beds above it.

                     3.3.2.4   Oil and Recycle Gas Flowrate

The recycle hydrogen compressor did not fail and flow data from strip chart and computer
printouts showed no interruption in recycle gas flow. Thus lack of recycle gas flow was ruled out
as a cause of the excursion.

The rate  of recycle gas and oil feed did not appear to be a problem.  The oil feed flowrate was
approximately 6,000 BPD in each of the Stage 2 reactors and was above the minimum required
flowrate  as specified in the operating procedures.  The inlet recycle gas rate appeared to be
sufficient for the amount of oil being feed to the reactor. The ratio of inlet (excluding quench) gas
to oil flow was about 11,000 SCF/bbl and exceeded the design minimum of 6,000 SCF/bbl. If the
gas rate is too low, the tendency for channeling and maldistribution of gas and oil flow within the
                                           39

-------
catalyst bed, and thus local hot spots, increases.  Although a  catalyst pillar was found in Bed 4,
investigators believe its cross-sectional area is too small to have much adverse effect on flow
distribution.

                    3.3.2.5  Quench Flow to Bed 5

Because Bed 5 temperatures went out of control, investigators focused on the role of quench flow
to Bed 5.  The quench flow is controlled by the single Bed 5 inlet temperature, which is recorded
both on the data logger and the strip chart. The quench valve above Bed 5 fully opened on
automatic control in response to Bed 5 inlet temperature exceeding its controller set point.  On
the strip chart, the set point temperature appeared to be between 640 and 650F.  By 7:36 pm on
January 21, the Bed 5 inlet temperature had dropped back to about 625F on the strip chart
(below the set point), so the quench valve automatically closed.

At approximately 7:37 pm, the extra No. 1 Operator switched the Bed 5 quench flow controller
from automatic to manual control and closed the quench valve. He did this because he was
concerned about possibly losing temperature in the reactor system  as a result of the decreased
Bed 5 inlet temperature. EPA investigators estimated that the quench valve to Bed 5 was closed
at least one minute, perhaps two minutes,  before it was later opened by the Stage 2 Board
Operator. This was estimated by correlating temperatures and times from the data logger to
temperature peaks on the strip chart (also accounting for time offset in strip chart pens) for Bed 5.
This strip chart also recorded quench flow to Bed 5.  Because quench was closed manually, the
Bed 5 inlet temperature rose above its set point to about a maximum of 670F on the strip chart.
The data logger historian recorded the Bed 5 inlet temperature as 660F between 7:36:40 and
7:38:40, for about 2 minutes.

Also by 7:37 pm, all four Bed 5 outlet temperatures (as recorded by the data logger) were rising.
By 7:38 pm, one of the Bed 5 outlet temperatures had reached 717F and another had reached
876F. At approximately 7:39, the quench valve was opened manually by the Stage 2 Board
Operator, who was not aware that it had been closed.  Quench flow rose and reached almost full
scale on the strip chart at approximately 7:41 pm. Temperatures continued to rise in Bed 5 until
the explosion.

If quench had been left on automatic control, it would have lowered the Bed 5 inlet temperature
but it would not have responded to rising Bed 5 outlet temperatures. In order to determine if the
temporary lack of quench was an aggravating factor in the accident, EPA performed a simplified
heat balance based on a Bed 5 inlet temperature of 860F, the maximum temperature reached at
7:34:20 pm. The purpose of these calculations was to see if the heat generated within Bed 5
could have been cooled by maximum flow of quench gas, if the quench valve had been left fully
opened by the operators when the Bed 5 inlet first abruptly increased.  The results indicate that
maximum quench flow to Bed 5 would have been insufficient to cool Bed 5 back to a normal
operating temperature of 650F. At least three times the maximum design quench flow would
have been required to cool Bed 5 back to normal operating temperature.
                                           40

-------
The calculations take into account only the amount of cooling capacity available and do not
factor in actual heat transfer rates, which means that actual heat transfer rate would have been
slower than assumed in the calculations. Therefore, with the best heat transfer rate, the maximum
quenching would not have been sufficient. However, the calculations assume that the entire bed
contents would have undergone an accelerated reaction.  Only one Bed 5 inlet temperature
reading was available, so it is assumed that this temperature was fairly uniform across the inlet of
Bed 5. The calculations used the maximum design quench capacity of 32 million standard cubic
feet per day (MMSCFD), as referenced in the Unicracker manual provided by the licensor.

The results of the heat balance calculations are not unexpected.  Quench capacity is typically
designed to handle minor temperature excursions. The significant increase in Bed 5 inlet
temperature accelerated the reaction rate, which in turn, accelerated the generation of heat from
the reaction.  The hydrocracking reaction rate doubles for approximately every 20F increase in
temperature.  Therefore, an increase of 223F would have increased the reaction rate by
approximately 4000 times. The elevated temperatures in Bed 5 went beyond the point where they
could be effectively controlled by quench.  The reaction rate could only be slowed down by
lowering the hydrogen partial pressure, which requires depressuring.

              3.3.3   Control of Temperature Excursion

If additional quench gas is unable to control a temperature excursion in a hydrocracking reactor,
then lowering the partial pressure of the hydrogen will slow the reaction; this is normally
accomplished by depressuring.  Depressuring not only reduces the hydrogen partial pressure, but
reduces the stress on the reactor shell and connected piping. In some situations, stopping the oil
feed is enough to slow down the reaction. In other cases, feed may be continued to serve as a
heat sink.

Operators at the Hydrocracker Unit had available written emergency operating procedures which
were dated October 1991.  The procedures covered 23 different emergencies, and how operators
should handle each part of the Hydrocracker Unit (Hydrogen Plant, Stage 1 and Stage 2) during
an emergency. One of the emergency procedures covered how to handle temperature excursions.
This procedure was also posted on the control board.  For a temperature excursion on Stage 2,
the procedure required the Stage 2 Board Operator to take the following actions:

(1)    For any reactor temperature point 5F above normal, change reactor controls to return the
temperature point to normal.  This may include reducing trim furnace outlet temperature,
increasing quench to hot beds, speed up IIR compressor or add quench to reactor inlet via FIC-
729.

(2)    For any reactor temperature point 25F above normal, do the following: Hit the "six
shorts" unit alarm,  close appropriate oil feed control valve, reduce trim furnace firing, circulate
maximum hydrogen through hot reactor, and maintain normal unit pressure.  Reduce temperature
in hot reactor to 50F below normal operating level as quickly as possible. Add quench to reactor
                                           41

-------
inlet as needed via FIC-729. Continue to cool reactor at a rate of 100 per hour to SOOT or
100F below operating temperature prior to shutdown, whichever is lower.

(3)    For any reactor temperature 50F above normal or if any reactor temperature exceeds
SOOT, immediately activate the 300 psi/minute depressuring system which causes the following:
       (a)     IIR compressor shuts down.
       (b)     Stage 2 charge pump shuts down.
       (c)     Makeup hydrogen to Stage 2 stops.
       (d)     Trim furnaces trip.
       (e)     Recycle gas from HPS Separator Overhead stops.
       (f)     Recycle gas to HDS No.  1&2 Unit stops.

The written emergency procedures also contained specific instructions for each of the other
Hydrocracker Unit operators for assisting the Stage 2 Board Operator during any of the above
three cases of temperature excursions.

Although some of the temperatures observed by operators on the data logger monitor exceeded
800F during the January 21 incident, the operators did not depressure the unit as required by the
emergency procedures.

                    3.3.3.1  Awareness of Emergency Situation

The operators initially did not take the specified steps to control the temperature excursion
because they did not comprehend that the temperature excursion was  real. There were several
reasons why they were unsure of the situation that was occurring the evening of January 21:

                           Confusing Temperature Readings

The data logger temperatures on the control room monitor were fluctuating between high, low,
and zero readings, and then back to normal, causing the operators to believe the readings were in
error. Just prior to the explosion, one operator reported that at least half of the thermocouples on
the data logger for Stage 2 were not working properly. Based  on post-accident testing, it was
determined that the data logger displays "0" when the temperature reading is over 1400 F.
Operators did not understand the significance of these "0" readings.

                           Problems with Temperature Monitoring

Operators thought temperature data might be erroneous because the data logger had experienced
malfunctions at times.  The data logger had been malfunctioning only  one day earlier on January
20. On January 10, 1997, the data logger was taken out of service and a new temperature
monitoring system, known as a Foxboro Intelligent Automation (I/A)  distributed digital control
system, was installed to display reactor temperatures in the control room.  During the time that
the Stage 2 I/A system was operational, operators reported that over half of the temperature
                                           42

-------
points were periodically dropping to 0. The Stage 2 temperature monitoring system was switched
from the I/A system back to data logger on January 20 because the I/A was incorrectly calculating
the weighted catalyst averages. It was averaging in zeros for seven of the twelve points per
thermocouple bundle because the additional seven points were not wired into the I/A system yet.
In addition, operators had experienced computer problems with Stage 1 I/A system in the past
and stated that the problems they saw on the Stage 2 data logger looked similar to those
problems.

During September 1996, the  Stage 2 data logger failed to perform properly on two occasions.
Once, the data logger stopped updating twice and had to be reset by instrument technicians to
restore service. On  another occasion, it was reported that the data logger had stopped working
and repairs were made to restore it to service.  Operators relied on board mounted instruments to
continue operating the unit. In July 1996, the Stage 2 Reactor  3 outlet temperature signal to  the
control board as well as the data logger display was lost, apparently due to a failed  thermocouple.

In the past, operators had seen the Stage 1 data logger display "lock up", meaning the
temperature readings did not change.  According to the operators, it was difficult to determine
that there was a problem with the display until it was noticed that the temperatures had not
changed in response to  a control change.

                            Strip Chart vs. Data Logger Data

The Stage 2 Board Operator  heard the data logger alarm for the high Bed 4 outlet and Bed 5  inlet
temperature and stated  that he acknowledged the alarm on the data logger.  However, the control
board strip chart for Bed 4 looked normal because the Bed 4 outlet point that caused the alarm is
not the same point that  is linked to the control board display. The Bed 5 inlet temperature
increase was displayed on the control room strip chart, but dropped back to normal after the
quench valve to Bed 5 fully opened.

                           Audible Temperature Alarms

A Bed 4 outlet (point 2) temperature and the Bed 5 inlet temperature exceeded both the high
temperature alarm setting of 780F and the +50F over normal alarm setting on the data logger.
The operators stated that they heard one high temperature alarm on the data logger for Bed 4
outlet and Bed 5 inlet high temperatures. From operator statements, it appears that there was no
delay between the occurrence of the Bed 4 outlet and Bed 5 inlet high temperatures and the
alarms received because of them. Operators did not receive additional audible high temperature
alarms from the data logger, despite Bed 5 outlet and reactor inlet and outlet temperatures later
exceeding high temperature alarm set points. Operators did not immediately notice the Bed 5
outlet, reactor inlet and outlet temperatures rising above critical limits.

There was a different alarm system for the temperature points on the strip charts than for those
points on the data logger.  The alarm for temperature points (center inlet and outlet of bed) on the
                                           43

-------
control board was a flashing light on the control board.  Alarms for data logger temperatures
produced an audible alarm and flashing light on the control board. The numbers on the data
logger screen would turn from black to red and blink on the screen. When the acknowledge
button was pushed on the data logger keyboard, the reading stopped blinking but the background
color remained red. When the temperature came back into normal range, the red background
reverted to black.

The data logger must be reset to receive new audible high temperature alarms. In post-accident
tests for +50F above normal temperatures,  the data logger would not re-alarm while it was in the
abnormal condition when the acknowledge button was pressed on the keyboard.  It also took 2.5
minutes for the alarm to clear when the temperature dropped to non-alarm levels.  During the
January 21 incident, the Bed 4 outlet (point 2) and Bed 5 inlet temperatures rose and returned  to
normal, according to the data logger historian file (see Section 1.2.4.3  and Table 2), which should
have cleared the alarm status on the data logger. The Stage 2 Board Operator stated that he
acknowledged the alarm on the data logger.

It seems clear from the data logger tests that for the +50F above normal condition, the data
logger alarm cannot be reset in a reasonably short time.  This situation would prevent operators
from receiving high temperature alarms from other points in the reactor.

                           Makeup Hydrogen Flow and Recycle Hydrogen Purity

Operators were confused by makeup hydrogen flow dropping to zero.  Typically, an increase in
reactivity consumes more hydrogen and causes an increase in demand for hydrogen. This was
what operators normally expected to see during a temperature excursion.

Increased pressure in the recycle gas caused the makeup hydrogen flow to decrease because the
makeup hydrogen to Stage 2 was pressure controlled. The increase in pressure was due to
formation and buildup of methane in the recycle gas, which increased its density and pressure.
When the temperature excursion began, the methane was generated from a high temperature
reaction called hydrogenolysis.  Hydrogenolysis created great amounts of methane and heat. This
reaction normally occurs at temperatures over SOOT.

The increase in methane content caused a drop in the hydrogen purity of the recycle gas.
Operators did not know that the recycle gas (hydrogen) purity had dropped because of a time lag
in receiving analysis from the hydrogen purity analyzer. The hydrogen purity readings appeared
normal to the operators prior to the explosion (92.7% at 7:36:18 pm).  A post-incident study by
Tosco of the analyzer and sampling system determined that the time required for the analyzer to
indicate a change in the process was approximately 7 minutes.  This meant that the normal reading
at 7:36:18 pm was actually the hydrogen purity of the recycle gas 7 minutes before, due to the
analysis lag time.  A low hydrogen purity alarm occurred at 7:41:26 pm, very close to the time of
the explosion, confirming that purity had dropped because of an increase in the methane content.
                                           44

-------
This 7:41 pm alarm was caused by the  methane produced seven minutes earlier when the
temperature excursion began at 7:34 pm.

                           Accessibility of Temperature Data

Operators did not have access to all the Stage 2 reactor temperature data in the control room
because some of the readings could only be obtained at the field panels outside underneath the
reactors.  The operators typically used the field panels to verify questionable control room
readings or temperature excursions. For example, during a temperature excursion that occurred
on January 19 (see Section 3.3.3.2), operators obtained verification of temperatures from the field
panel before taking any action.  On January 21, an operator went outside to the field panel to
obtain temperature data as had been done in past practice.  Operators inside the control room did
not take any action to depressure the unit because they did not believe the data logger. The
control room operators were not able to understand the garbled radio transmissions from the No.
2 Operator outside. If the control room operators had received a report of high temperatures, this
might have caused them to activate the depressuring system.  Two more operators went to  check
on the No. 2 Operator outside. The explosion occurred just after the two operators left the
control room.

When the field panels were installed in January 1996, operators asked management to bring this
temperature data into the control room. They expressed concerns to management about having to
obtain temperature data from the panels outside. Operators were told by management that  the
readings from the additional thermocouples available from the field panels could not be made
available in the control room due to cost and that they should "just live with it".

The Stage 2 Board Operator stated that it was very time-consuming to read and record
temperatures from the field panels. To take readings from a field panel required about 45 minutes.
Operators stated that they took readings from the field panels once per day, called them in by
radio and logged them onto an entry log.

Tosco management personnel provided conflicting information about the purpose of the panels,
and why they were installed under the reactor.  The Production Area Supervisor said that he did
not know why the panels were installed under the reactor as opposed to in the control room,
although he did say their function was to give additional data points with which to monitor  the
reactor temperatures.  The Production Technical Services Manager stated that the thermocouples
were added as an engineering project to better detect hot spots in the beds and to determine
weighted catalyst averages.  A contract engineer had recorded the readings for this purpose.  The
Production Technical Services Manager's understanding was that the panels were never intended
to be used by the operators to operate the unit, but to collect data to determine if installation of a
new I/A temperature monitoring system was justified.  The Control Engineer did not know  why
the panels were installed under the reactor, but thought that the panels had been used to help
Technical Services monitor catalyst activity rather than used as  an operating tool.
                                           45

-------
No Management of Change (MOC) was developed and /or implemented for the field panel
installation and use. No written operating procedures were incorporated into SOPs for obtaining
data from the field panels during normal or abnormal conditions. Based on the data collected from
the panels, Technical Services concluded in June of 1996 that the points in the Stage 2 reactors
with the highest temperatures were those which could only be read at the field panels.

On January 20, 1997 the use of the I/A system was discontinued because the I/A was incorrectly
calculating the weighted catalyst average temperature (WCAT). If the I/A system had been
properly connected to all 96 thermocouples and accurately calculating WCATs,  the operators
would have had immediate access to all Stage 2 reactor temperature data in one place in the
control room. This might have  given them more time to respond to increasing temperatures,
especially those temperatures from thermocouples which tended to read higher than other
monitoring points.

Testing of the I/A equipment and software should have occurred before they were put into actual
use. MOC# 150108 dated February 5,  1996 covered "Planned Changes to Existing Hydrocracker
Control System." This document included work on the transfer of temperature information from
the existing PC-based monitoring system to Plant Information (PI) computer system and I/A
systems after unit startup.  Although it is not clearly stated to which part of the Hydrocracker
Unit this transfer applied, investigators assumed that it applied to Stage 2 since the I/A system
was already in use for Stage 1.  The MOC stated that the new equipment and software would be
tested before the system was commissioned.

In addition to operational problems, operators had no advanced notification that the I/A
temperature monitoring system  was to be implemented on January 10, 1997.  They were not
instructed how to use or access information from the new I/A system. The  Stage 2 Board
Operator said he was not involved with any MOC for the change to the I/A system.

The Production Area Supervisor stated that there was no MOC for the switch to I/A for Stage 2
because it was a display change only with more data points. He acknowledged that there were no
formal training sessions on the Stage 2 change to I/A, just on-the-job (OTJ) training, and that
Stage 2 operators were already  qualified on the I/A in general from being qualified on Stage  1.

                           Radio Communications

According to operators, the radio transmission from the No. 2 Operator who was  sent  outside on
January 21, was fuzzy with excessive static sounds. Operators had indicated in the past that
radios did not always provide reliable communication because of bad batteries, busy channels, and
no designated emergency channel.
                                           46

-------
                    3.3.3.2  No Emergency Depressuring Used

Even after operators realized, moments before the explosion, that the Reactor 3 outlet and inlet
temperatures had climbed above SOOT, they did not depressure the reactor as the emergency
operating procedures required.  The 100 psi/min and 300 psi/min emergency depressuring
systems, installed in 1986, were intended to be used to rapidly reduce pressure and reaction rate
and bring a temperature excursion under control. Instead of depressuring, the operators began to
adjust quench gas flows in order to cool the reactor.

                           Prior Temperature Excursions

Operators did not depressure the reactor because their past practice to control large temperature
excursions had been to increase quench, reduce reactor inlet temperatures, and/or stop feed flow
to the reactor.  Many of the operators reported that they have experienced numerous temperature
excursions, but most could recall only one instance when the unit was depressured using either the
100 or 300 psi/min system. One operator indicated that the depressuring system had been used
only once in the last five years, perhaps only twice in the last ten years. Documentation was
available for three previous temperature excursions that occurred on July 23, 1992; March 19,
1996;  and January 19, 1997, summarized below:

                                  July 23. 1992

As operators were raising temperatures in Stage 2 to start  cracking, temperature excursions
occurred at about 1 pm in Bed 4 outlet of Reactor 3 and Bed 1 outlet of Reactor 1. Adding
additional quench hydrogen was not effective in  controlling the excursion. Feed was stopped and
the  100 psi/minute depressuring  system was activated, resulting in a grass fire at the flare. Some
of the documentation for this event references temperature excursions in Reactor 2, so it is not
clear whether the excursion occurred in two or all three Stage 2 reactors.

                                  March 19.  1996

On March 19, 1996, there was a temperature excursion in  Stage 2, Reactor 1, which  began in
Bed 3 and progressed to Beds 4  and 5. During  this excursion, the Bed 4 temperature was over
SOOT for 13 minutes and reached a maximum of 1000T.  The maximum estimated reactor outlet
temperature during the excursion was 920T. The operators did not activate the emergency
depressuring system.  The operators stopped oil  feed to Reactor 1 about 17 minutes after Bed 3
outlet temperature exceeded SOOT and about 3 minutes after the Bed 4 outlet temperature
exceeded SOOT. About 7 minutes after feed was discontinued, temperatures at the outlet of Bed
4 began to fall.  Within another 6 minutes, the reactor outlet temperature began to fall. As a result
of the incident, the temperature control guidelines for Stage 2 reactors were reissued on April 4,
1996 to the operators, posted on the control board and reviewed in safety meetings.  These
guidelines were:
                                           47

-------
       (1)     Maximum axial or radial temperature differentials in a catalyst bed must be held to
              less than 45F.
       (2)     Bed inlet temperature must be reduced if any temperature rises 5F above normal.
       (3)     Oil feed to a reactor must be stopped if any point is 25F above normal.
       (4)     The unit must be depressured at 300 psi per minute if any point is 50F above
              normal or over SOOT.

                                  January 19. 1997

At about 10:20 pm on January 19th, a temperature excursion occurred in Bed 4 of Reactor 1.
The center outlet temperature in Bed 4 increased from 653F to over SOOT during a 20-minute
period. Operators did not activate the emergency depressuring system. During this excursion, the
automatic quench control was overridden and more quench flow was added manually to Beds 2
and 4.  Bed inlet temperatures came down, but the Bed 4 center outlet temperature continued to
increase to more than SOOT as indicated on the control board display.  The No.  2 Operator went
outside to check the field panel  and reported temperatures in excess of 900T. Feed to the reactor
was stopped and fuel gas flow to the trim furnace was reduced. About 5 minutes after pulling the
oil feed, the Bed 4 center outlet temperature reached a maximum of 998T. The temperature then
decreased, falling below SOOT in about 1  minute. The operators then continued lowering Reactor
1 temperatures to  5SOT, and reintroduced feed approximately one hour later.

                           Supervision

Emergency depressuring was not employed before the explosion on January 21, even though the
operators realized in the last few minutes before the explosion that temperatures did exceed 800
F. The operators did not have authority to delay this decision.  Because operators did not activate
the required depressuring for this and prior temperature excursions, supervisory roles and
responsibility for enforcing practices were reviewed as possible root causes for this accident.

Tosco's Hydrocracker Training Manual stated that No. 1  Operators should provide leadership for
the rest of the operators for work and personal safety, environmental protection, energy
conservation and maintenance-cost containment.  They must thoroughly know the operations of
the entire unit to provide proper guidance and resolve problems in a timely manner. They must be
able to respond to emergencies  in a calm,  composed and effective manner. The  manual also
stated that "However,  since the No. 2 Operators have a primary responsibility to tend to the
equipment, the No. 1 Operators should always  give them  first chance to correct any problems.
The No.  1 Operator should only intervene when the situation clearly calls for such actions. The
No. 1 Operators walk a fine line. They should be on top of things and provide leadership for the
operation of the Complex, but they should always avoid doing  the jobs of the No. 2 Operators."

The Training Manual also stated that the Stage 2 Board Operator is authorized to initiate
emergency steps for controlling a runaway reaction without first consulting with the No.  1
                                           48

-------
Operator.  The Stage 2 Board Operator is responsible for taking decisive steps to minimize the
danger of a runaway reaction.

In the event of a Stage 2 temperature excursion, the Emergency Operating Procedures stated that
the No. 1 Operators should: 1) Advise Stage 2 Board Operator as needed.  2) Notify the Tract -A
Foreman by radio and ask him to coordinate the activities of other units.  The procedures for
responding to a temperature excursion (as discussed in Section 3.3.3 of this report), were listed
under the section for the Stage 2 Board Operator in the Emergency Procedures.

Although it is the Stage 2 Board Operator who would normally activate the depressuring system,
the No. 1 Operators did not ensure that standard operating or emergency procedures were
followed when temperatures exceeded SOOT on January 21 or on previous occasions. The Stage
2 Board Operator stated that all qualified operators have authority to shutdown the unit and
everyone in the control room had this authority.

Tosco management stated in a meeting with investigators that although they knew of the January
19,  1997 temperature excursion right after it  occurred, they were not immediately aware that the
temperature had gone as high as 900F.  The actual temperature reading was not written on any
of the operator or supervisor logs.  The Production Area Supervisor stated in an interview that to
his knowledge the SOOT limit had not been exceeded while he has been supervisor. The
Production Area Supervisor stated that failure to use the emergency depressuring system for a
temperature exceeding SOOT would be considered a serious matter and could be subject to
disciplinary action although to his knowledge no operator has ever been disciplined for not
initiating this action as required.

There was no formal delegation of authority for No. 1 Operators to have management
responsibilities.  Two No.  1 Operators were on shift the night of the explosion. There was no
written policy for designating who is in charge of operations when two No. 1 Operators are on
the same shift.

The shift supervisor for the Hydrocracker had responsibility for other units in his zone (Tosco's
refinery operations are divided into three zones for management purposes) and was not always
on-site at the Hydrocracker.  The Hydrocracker Unit is part of one zone, which also included the
following units : No. 3 HDS, No. 3 Reformers, No. 1 HDS, No. 2 HDS, Butadiene, Benzene
Saturation System, Reformate Fractionation, Alkylation Plant, #2 Hydrogen, API Separator,
Wastewater Treatment Plant, No. 1  Isomerization, MTBE plant, No. 2 Reformer.

                           Training

Training for the Hydrocracker operators was reviewed to determine if operators had the necessary
preparation and knowledge to operate the Hydrocracker reactors safely. Tosco's  Hydrocracker
Training Program document, dated May 1989, discussed runaway reactions and how to respond
to them by using the emergency depressuring system.
                                           49

-------
The following guidelines for dealing with an uncontrollable temperature rise are stated in the
Stage 2 Control Board section of the training manual:

       "1.     When any reactor temperature as indicated by the Moore controllers is 5F above
              normal, you must change the control set points to bring it back to normal. Consult
              the Emergency Procedures Manual for methods to accomplish this.
        2.     When any reactor temperature as indicated by the Moore controllers is rising and
              is 25F above the normal temperature, you must pull the oil feed out of the hot
              reactor. You can leave the oil in the other reactors.
        3.     When the temperature continues to rise and is 50F above normal (or has exceeded
              SOOT, whichever is reached first), you must activate the 300 psi/min depressuring
              system and dump the contents of the Second Stage to the flare.

       As the board person, you are authorized to take these steps without first consulting with
       the No. 1 Operator. You are responsible for taking decisive steps to minimize the damage
       of a runaway reaction."

One of the Hydrocracker operators (then on loan to the Training Department) stated that most of
the training for the Hydrocracker operations is on-the-job training instead of classroom training.
Each operator performed a task under review of other operators. Operators took an  an oral
exam given by a supervisor and senior No. 1 Operators.   Operators had no formal  training
sessions on the Stage 2 change to I/A system, just on-the-job training, according to the
Production Area Supervisor.  In interviews, most of the operators stated that they  knew the
conditions that required emergency depressuring, but acknowledged that depressuring was rarely
used as required for extreme temperature excursions.  This on-the-job practice unfortunately may
have lead operators to believe that temperature excursions could usually be controlled without
using depressuring. Operators may not have understood the elevated risk of losing control of the
reaction at temperatures near SOOT, which is why depressuring is required.

Training records for the Hydrocracker showed no documentation for unit-specific initial,
supplemental or refresher training. The Production Training Supervisor stated that Hydrocracker
unit-specific refresher training had not yet been developed because the  Training Department was
not sure what was required for refresher training.  Some training that was conducted during the
utility shift and weekly safety meeting might have constituted refresher training (such as
emergency procedures and drills) but this training had not been documented as refresher training.

Some operators had received some reactor safety training, which was given by a consultant.  The
training included the causes and prevention of temperature excursions in hydroprocessing
reactors. Six of Tosco's 25 Hydrocracker operators, including two who were on the evening shift
on January 21, attended this training.  Operators were told during the training that unchecked hot
spots could result in catastrophic failures of reactors or piping.
                                            50

-------
It is unknown whether all Hydrocracker operators at Tosco received training on the following:
operating with deactivated catalyst, how the hydrogen purity analyzer operated, or the impact of
methane formation in pressure control of recycle gas.  The operators did not know that when the
temperature of the thermocouple went beyond 1400 F, the data logger would show zero
readings.

                           Emergency Depressuring System Reliability

One operator stated that the depressuring system does not always work right and is not reliable.
The Production Area Supervisor stated that to his knowledge, he doesn't believe the depressuring
system can be tested, certainly not on-line.  The Control Engineer stated that the depressuring
system can be tested and that it was tested in 1986 when the unit was first brought on line as a
Unicracker. He was not aware of any tests since 1986, but he said he  would not be expected to
be involved in subsequent tests. Testing procedures for the 100 and 300 psi/min depressuring
system were described in the 1986 Unicracker Process Manual, although Tosco did not
incorporate them into their operating procedures.

Operators had encountered difficulties when the depressuring system was activated for
temperature excursions in the past. These difficulties included grass fires at the flare  (July 22 and
23, 1992)  and a generation of a cloud of flammable vapor (July 22, 1992). The 100 psi/min
depressuring system was automatically activated on July 22 when the recycle gas compressor
tripped. These experiences could have contributed to the operators'reluctance to employ
emergency depressuring and reinforced operators' decisions to handle severe temperature
excursions by other means.

                           Procedures

Investigators reviewed the Hydrocracker Startup and Shutdown procedures, Emergency
procedures and the Standard Operating Procedures (SOP).  Emergency procedures had not been
updated since October 1991. Most of the SOPs have not been updated since 1991. Some of the
procedures did not match equipment and instrumentation in the process flow diagram (PFD),
process and instrumentation diagrams (P&IDs) or discussion of equipment in the HAZOP study.
Operators may not have followed written procedures if the procedures were outdated, no longer
matched process conditions or equipment, or were no longer relevant.  Operators also performed
several tasks for which there were no written procedures.

One example of a  mismatched procedure was in the Emergency Operating Procedures for the
situation of reactor temperatures 5F or 25F above normal. In this case, the Emergency
Operating Procedures instruct operators to add quench to the reactor inlet by activating FIC-729
and not to add emergency quench to the reactor outlet (chain valve). The process flow diagram
and P&ID only show a hand-operated quench flow valve after Bed 5, (HC-729A on the PFD and
HV-729A on the P&ID). The HAZOP study (see Section 3.3.4) stated that an open  or leaking
emergency inlet quench valve HV-729 could cause a deviation of "more flow" of hydrogen to
                                           51

-------
reactor. However, the HAZOP did not identify these quench valve(s) HC-729 or HV-729
specifically as a means to control either high temperature or "more reaction" deviations in the
reactor. So it was not clear if quench could be added to reactor inlet or outlet or perhaps both.

An example of a SOP that may have no longer been relevant was SOP#20 which required that
when operators depressured Stage 2 they must first manually close the makeup hydrogen control
valve from Stage 1 to Stage 2 to prevent a depressuring of Stage 1. This valve reportedly would
not close because the control valve wiring was apparently damaged in March 1989 and was never
repaired. According to design, activation of the emergency depressuring system would
automatically close this valve. Tosco management did not know whether this procedure was still
valid as of January 21. SOP #20 was undated.

Temperature operating limits varied among the different documents providing operating
instructions. For example, the Hydrocracker Operating Limits document stated that the Stage 2
reactor outlet temperature maximum is 690F, while SOP #9- Reactor Operations-Summary of
Limits and Guidelines stated that the Stage 2 reactor maximum outlet is SOOT.  The
Hydrocracker Operating Limits stated that the trim furnace tube wall temperature maximum is
1000F, while SOP#9 stated that the trim furnace skin temperature is 950F maximum. The Stage
2 startup procedures stated that no bed temperature rise should exceed 30F, while SOP#5 & #9
stated that there should be no more than 40F rise per bed. It is assumed that this applied for the
maximum  average temperature difference, since SOP#25 said to use average temperature of the
bed instead of the  individual points when evaluating the maximum reactor bed outlet
temperatures. The inconsistent temperature operating limits could have led operators to  not take
limits seriously.

SOP#5 dated March 8, 1990  stated that Unocal's recommendation called for no more than 30F
temperature differential per bed, however, it noted that Tosco's experience had shown that 40F
per bed was well within safety limits.  SOP#5 noted that "In fact often times we must operate with
such a high delta temperature to balance out cracking in the entire reactor system."  But this SOP
also stated that "A reactor bed will become increasingly unstable as the bed differential
temperatures get higher and higher. A bed can develop runaway reactions and one will have a
dangerous situation on hand."

In a Technical Services memorandum dated April 4, 1996, new operating guidelines for Stage 2
reactors were proposed based on temperature data from additional thermocouples installed in
January 1996 and the March  19, 1996 temperature excursion.  One of the guidelines was to
maintain a maximum 45F radial and 45F axial temperature differential.  The 45F maximum
temperature differential applied to both control room and field readings.

In March of 1996, Technical  Services noted that Reactor 1 Bed 1 outlet radial differential
temperatures remained as high as 54F. In June of 1996, Technical Services engineers found that
five out of fifteen Stage 2 reactor beds had axial and radial differential temperatures greater than
                                           52

-------
45F. In July 1996, Technical Services reported that five beds had maximum temperature
differentials between 45-55F and two beds had maximum temperature differentials above 55F.

There were other indications that operators perhaps could not always stay within operating limits
or follow written procedures.  SOP#2 stated that the quench valves in the Stage 2 should not be
opened up more than 50% (or more than 75% for Bed 4, which has a bigger quench valve). But
the SOP also said that the quench valves may have to be opened up too much in order to maintain
a flat temperature profile for the catalyst beds (that is, keeping the outlet temperatures from all
beds as close to each other as possible). Some operators explained a different problem with the
quench valves; although the control board setting indicated they are closed, some hydrogen flow
would continue.  To compensate for the quench valve leaking, operators would operate the bed
above each quench valve at higher bed outlet temperatures. Written procedures (SOP#2) directed
operators to maintain same outlet temperatures for each bed, but stated that this is rarely possible
because the trim furnace was usually a limitation (firing too hard).

Some operating practices were left up to operator judgment and discretion, since there were no
written procedures for:

         Operating with deactivated catalyst
         Shutdown of one reactor and transference of its feed into two parallel reactors
         Dealing with leaking heat exchangers during startup
         Operating reactor without the data logger functioning
         Reading temperatures at outside field panel
         Safely operating during possible instrument malfunction or when temperature
         indications were judged unreliable.
         Raising bed temperatures to compensate for leaking quench valves.

The Production Training Supervisor in the Production Department stated that the Hydrocracker
does not have all of it procedures formalized or included in Tosco's procedure management
system.  In interviews, Tosco management acknowledged that the operating procedures  are
incomplete.  Updated procedures for the Hydrocracker had not yet been developed.

Procedures for the Hydrocracker Unit Stage 2 were not kept current with changes in process,
equipment or operating practices and did not appear to have been tested for integration in the
operating environment.  For example,  the written procedures were not updated to reflect
installation of the I/A system, including thermocouples added in the reactors, the temperature field
panels installed underneath the Stage 2 reactors, and temperature display hardware in the
Hydrocracker control room. In another example, MOC #15004 indicated that a change in
operating procedures was required but the written procedures were not updated. This MOC
involved making a piping change so that hydrogen can be supplied to HDS/HDA Unit  (see Figure
2) from #2 Hydrogen Plant when the #1 Hydrogen Plant is down. In February of 1996, the
catalyst in all top beds of Stage 2 were replaced with a more reactive catalyst. No changes were
                                           53

-------
made to the written operating procedures to reflect the catalyst change and the increased risk of
temperature excursions due to increased reactivity.

The written procedures did not address the potential hazard for reading temperatures at the
outside panels when reactor temperatures exceeded operating limits.  The procedures did not
consider human factors such as incorrect acts, acts out of sequence, failure to take action, and
acts taken which were not appropriate or necessary.

Recommendations from incident investigations were not incorporated into written procedures.
For example,  the recommendations shown below emerged from the Adverse Happening Report of
July 23, 1992 and were drafted into SOP#49 but the draft was not formally approved and
incorporated into procedures.

         Limit pre-cracking bed inlet temperature increases to 20F per hour.
         Once cracking has been initiated, limit bed inlet temperature increases to  10F per
          hour.
         Limit any single bed inlet temperature increase to  2F maximum per move.
         Limit the Reactor 3, Bed 4 temperature differential to a maximum of 25F.
         After cracking has been initiated, limit Reactor 3,  Bed 4 inlet temperature increases to
          half the above recommended values for the other beds. It appears that excess heat
          transferred from the beds above tend to boost the inlet temperature of the next lower
          bed more than desired, e.g. a 2F change can easily be boosted to a 3-5 of or even
          higher increase.
         Do not raise Reactor 3, Beds 2 and 4 inlet temperatures at the same time.
         Look into the adequacy of the bed inlet temperature controllers.

In January 1992, a more reactive catalyst was installed in the  Stage 2 reactors.. A temperature
excursion on July 23, 1992 resulted in suggestions on the Adverse Happening Report to raise
temperatures  in Stage 2 a bit slower next time as the new catalyst is still  "hot."

                     Safety and Performance Goals

One negative  consequence of using the 300 psi/min depressuring system is that it completely shuts
downs the Stage 2 reactors, halting production. One operator stated that there is a lot of
expectation from the Engineering Department to produce barrels and keep up temperatures.
Tosco management stated that they did not know why operators did not depressure  Stage 2
during past temperature excursions. They stated that perhaps the operators took pride in keeping
the unit operational.

Tosco may have had problems balancing production goals with maintaining safe temperature
limits. Because of the firing limitations of the trim furnaces; sometimes bed temperatures would
have to be increased to compensate for the heat needed. In March of 1996, Technical Services
stated that to  reduce high bed temperature differentials,  trim furnace firing would have to be
                                           54

-------
increased to maintain the desired reaction conversion level.  However, they also noted that with
charge rates above 32 MBPD, there was little capacity left in the trim furnaces without reducing
rate or increasing diesel production.

On April 11, 1996, Technical Services acknowledged that poor Stage 2 reactor stability would
probably not allow them to achieve less than 0.5% butane content in the light hydrocrackate
product.

In July 1996, Technical Services reported that operators were not able to reduce diesel
production to target levels due to Stage 2 Reactor bed temperature differentials. Five beds had
maximum temperature differentials between 45-55F and two beds had maximum temperature
differentials above 55F. The maximum temperature differential limit is 45F.

Supervisors and operators did not appear to have been given guidance to resolve conflicts
between safety and performance goals. For example, no guidance was given on how to achieve
desired production rates within specification without exceeding operating limits such as maximum
bed temperature differentials and maximum trim furnace firing.

Operators felt that they were expected to keep the Hydrocracker operational under a number of
adverse operating conditions.  For example, operators would get data only from control board
strip charts (data from Moore controllers), when the data logger was not functioning.   One
operator felt that they were "running blind" when they relied only on center point reading from
the Moore controller.  Several occurrences of Stage 2 reactor operations continuing despite
instrument malfunction were previously discussed in Section 3.3.3.1.

The Production Area Supervisor said that relying only on temperature data from the control board
would not be an acceptable situation; this would be insufficient information to operate the reactor
and the reactor would have to be  shut down. This supervisor said he was not  aware of any period
in January 1997 when both the temperature logger and the I/A were not functional at the same
time.

The reactor feed/effluent heat exchanger flanges tended to leak during every startup because of
thermal stress on the piping.  These leaks sometimes resulted in smoking and vapor clouds.
Operators would use steam rings (shrouds) and steam lances to disperse vapors at the leaking
flanges. The staging in front of the Stage 2 exchangers was used by operators to attach steam
lances.

          3.3.4      Process Hazard Analysis (PHA)

A process hazards analysis (PHA) technique known as a hazard and operability study (HAZOP)
was performed for Stage 2 during the period June  1 through July 31, 1994 (baseline).  The
purpose of a PHA is to identify safety hazards and operability problems, associated  causes and
                                           55

-------
consequences, safeguards, and risks. The analysis helps determine where improvements to the
process design and operation are needed.

The 1994 Stage 2 HAZOP was reviewed by investigators to see if the safety hazards involved in
the January 21 accident has been identified, and if so, how they were addressed.  This was done to
determine if some deficiency in the HAZOP contributed to the accident. The HAZOP study
included Stage 2 equipment and associated piping, which were divided into discrete nodes for
systematic analysis. For each hazard scenario identified in the HAZOP, safeguards were
identified, which included both manual and automatic means for detecting, preventing, or
mitigating the identified hazard. Recommendations were made by the HAZOP team when
existing safeguards were not considered adequate.

One of the stated assumptions for the HAZOP was that the baseline HAZOP took credit for
procedures being in place. The 1994 HAZOP also stated that "However, not all of the unit
procedures have been completed.  The operations representative is assisting in the development of
unit procedures."

One of the stated assumptions that was applied throughout the HAZOP study was that "the I/A
system provides a great deal of flexibility with alarms and indications for the operators.  This
study considered only those alarms and control indications noted on the P&IDs." It is not clear
whether the HAZOP team assumed use of the Stage 2 I/A temperature monitoring system, which
was not yet in place. However, the P&IDs only included those temperature indications, alarms,
and controls associated with the data logger and Moore controllers/indicators. The Process
Hazard Analysis Manager (who was not PHA Manager when the 1994 PHA was done) could not
clarify whether use of the I/A system had been assumed by the Stage 2 HAZOP team.

In any case, the  I/A system was not reliably functional in Stage 2 and was not used to provide
temperature indications at the time of the preparation of the PHA in 1994.  Temperature alarms
that would have been available with the I/A system were not in fact available to  the operating
employees at the time the PHA was prepared.  The I/A system provided temperature readings but
was not a controller of the bed temperatures for Stage 2.

The level of detail in the HAZOP safeguards for Stage 2 reactors were not specific as to which
type of instrument control systems were in place. It  only specified whether there was, for
example, an alarm, flow indicator or automatic or manual controller to control the process
parameter.  For  example, for higher reactor temperatures, one of the safeguards listed was that
temperature alarms were available for all beds.  It was not specified whether these alarms were
connected to the data logger or the I/A system. Alarms were not installed for those temperature
points that were read at the field panel; however the  field panels were not in place in 1994 when
the HAZOP was done.

Another assumption stated for the HAZOP was that  the results of a catastrophic fire at the
Hydrocracker Unit were not addressed in the HAZOP.  The loss of individual components or the
                                          56

-------
effect on individual pieces of equipment were discussed, as were the effects of loss of a reactor,
etc.  The HAZOP team assumed that fire detection was limited to operator observation and that
there were no fixed hydrogen sulfide or combustible gas detectors in the unit.  The HAZOP team
assumed that most of the areas of the plant were protected and could be accessed with fire
monitors and with other fire fighting equipment.

The HAZOP listed higher temperature as a possible deviation in the operation of a reactor.  The
causes for higher temperature identified were loss of quench control,  high inlet feed temperature,
channeling due to coking or poor inter-bed distribution, reduction in hydrogen flow or oil flow for
any reason. The possible consequences listed for higher reactor temperatures were operational
upset; possible reactor temperature excursion, possible unit shutdown, catalyst coking and
possible reactor damage resulting in fire.  Safeguards listed for these consequences were manual
manipulation of quench flow control valves, bed temperature alarm availability, automatic quench
flow increase, automatic trim furnace outlet temperature control, availability of oil flow and valve
position in the control room, and operator emergency procedures in place.

Depressuring or use of the emergency quench was not specifically mentioned as a safeguard.  The
HAZOP  assumed properly functioning  equipment and personnel and did not take into account
human and other factors such as those identified in the January 21 accident, which included
instrument problems, data misinterpretation, failure to follow procedures, and alarms not
activating.

The January 21 accident not only involved higher operating temperatures, but a rapidly
accelerating hydrocracking reaction. For "more reaction" deviation in the reactors, safeguards in
the HAZOP were listed as 1) numerous compressor alarms available in control room, 2) reactor
bed temperature deviation alarms in control room, 3) quench flow controllers can be manually
manipulated and 4) temperature indicator and alarm was available for temperature deviation of
trim furnace outlet hydrogen. Manipulating quench may control the reaction if temperatures have
not gone too high, but only if the operators have the data readily accessible to them to take timely
action. Emergency procedures, depressuring or use of the emergency quench were not mentioned
as a safeguard against serious consequences.

For higher temperatures in flow from the Stage 2 reactors through the feed/effluent exchangers,
the causes listed in the HAZOP were higher temperature upstream, open bypass valve for
exchanger feed, and fouled or plugged exchangers. The consequences listed were higher
exchanger effluent temperatures, possible increased trim furnace firing and possible rate reduction.
Consequences of pipe rupture, explosion and fire (such as those that occurred on January 21)
were not identified.  Safeguards listed were operator monitoring of reactor outlet temperatures
and local exchanger outlet temperature gauge.  The temperature alarm system (such as the reactor
outlet high temperature alarm) or depressuring were not listed as possible safeguards.

The HAZOP addressed loss of oil flow upstream as potentially causing a high temperature wave
in the Stage 2 reactors and identified as a safeguard the "automatic activation of the 100 psi/min
                                           57

-------
depressuring station." This safeguard is in fact not automatically activated for loss of oil flow
through the reactors, but requires operator intervention to manually activate the 100 psi/min
depressuring station. The 100 psi/min depressuring system is only automatically activated if the
IIR compressor fails.

The HAZOP was not updated to consider Hydrocracker design changes including the change of
control room equipment, addition of field temperature indicators and methods of controlling
temperature. In general, human factors were not addressed as part of Process Hazard Analysis.

The hazard analysis did not consider the consequences of the failure of the data logger, the
control room temperature monitoring system or the 100 and 300 psi/min emergency depressuring
systems.

          3.3.5      In-Plant Emergency Notification

Many contractors working nearby were injured on January 21 as the result of being in trailers
located less than 100 feet from the Hydrocracker Unit reactors.  These contractor trailers were
not designed to withstand explosion and fire. Operators inside the control room did not notify
contractor personnel of the potential explosion hazard or sound an emergency alarm. The
Emergency Operating procedures state that if a Stage 2 reactor temperature is 50F above normal,
or exceeds SOOT, the Stage 2 Board Operator should hit the "six shorts" alarm.  Six short blasts
of the unit call horn indicate that the process unit is experiencing some type of operational
problem that could present danger to the people working in the unit. Contractors are trained that
when the process unit emergency alarm is sounded, they should immediately stop work, shutdown
all ignition sources and proceed via a safe route to a designated evacuation area.

4.0    Causes of the January 21 Accident

       Based on all the information collected and analysis of data, investigators determined the
causes of the pipe rupture and the temperature excursion. Further analysis of process safety
management practices and other information gathered  during the investigation was used by
investigators to determine the root causes and factors which contributed to the failure to control
the temperature excursion and contributed to the occurrence of the fatality and injuries on January
21, 1997.

       4.1     Cause of the Pipe Rupture

The immediate cause of the hydrocarbon release and subsequent fire was a failure and rupture of a
Stage 2 Reactor 3 effluent pipe due to excessively high temperature, likely in excess of 1400F.
This high temperature was initiated by a reactor temperature excursion that began in Bed 4 of
Reactor 3 and  spread through the next catalyst bed, Bed 5. The excessive heat generated in Bed
5 raised the temperature in the reactor effluent pipe. The excursion was not brought under
                                           58

-------
control because the Stage 2 reactors were not depressured and shut down as required when the
reactor temperatures exceeded allowable limits (SOOT).

       4.2    Cause of the Temperature Excursion

When heat generated from a hydrocracking reaction is not uniformly dissipated across the catalyst
bed, an area of higher temperature is created (a hot spot), which can accelerate the reaction rate in
that area and in turn, create more heat.  On January 21, a hot spot apparently occurred in Bed 4 of
Reactor 3 which temporarily elevated one of the Bed 4 outlet temperature points.

The immediate cause of the temperature excursion in Bed 4 was probably poor flow and heat
distribution within the catalyst bed. Past problems with temperature control in this bed and the
excessive coke deposit buildup are evidence of this poor distribution.  The coke pillars found in
Bed 4 after the accident were likely formed over a long period of time and were not the result of
only the January 21 excursion.  The presence of the coke pillars indicate uneven liquid
distribution, which in turn, caused temperature hot spots that probably occurred in the beds
during their operating history.  Occurrence of coke pillars in only Bed 4 of all  Stage 2 reactors
reveal that the flow distribution in the fourth catalyst beds was somewhat different from the other
catalyst beds.

Tosco stated in their report that the flow regime  in Bed 4 was a possible factor that contributed to
formation of the  hot spot.  Their explanation was based on flash calculations they performed,
which indicated that the reactants transitioned from wet to dry catalyst within  Bed 4 of Reactor 3.
Tosco explained that beds in which some of the catalyst is wet and some of the catalyst is dry are
particularly susceptible to hot spots. Their analysis also supported poor flow distribution as a
cause of the temperature excursion.

Historically, Tosco had problems with temperature instability in Bed 4, which  led Tosco to
develop special operating limits and guidelines for this bed.  However, these guidelines were not
incorporated into the written operating procedures. Although Bed 4 had a differently designed
flow distribution system than the other catalyst beds, investigators do not have enough
information to conclude whether the different design contributed to operating  problems with this
bed.

Other possible reasons were considered and ruled out as the likely causes of the temperature
excursion, based on information and evidence available.  These factors were discussed previously
in Section 3 and  included: closing of the Bed 5 quench valve, deactivated catalyst, feed
temperature too  high, loss of recycle hydrogen, plugged distribution trays, and insufficient oil or
gas flowrate.

Investigators could not determine whether the internal damage to the distribution trays and
quench zone was a cause of the excursion since the damage might have been an effect of the
                                            59

-------
incident.  For example, the distorted distribution trays could have been a result of the rapid
depressuring after the failure of the effluent pipe.

       4.3    Failure to Control Temperature Excursion

Initially, the operators did not take appropriate steps to control the temperature excursion because
they did not comprehend that a temperature excursion was happening.  There were several
reasons why operators were unsure of the situation including:

          The data logger temperatures were fluctuating between high, low, and zero readings,
          causing the operators to believe the data was in error.

          Operators did not know that the readings on the data logger defaulted to zero when the
          temperature exceeded the range of the data logger.

          Operators thought temperature data might be in error because the data logger had
          experienced malfunctions at times.  It had malfunctioned one day prior to the accident.
          Operators believed that opening the quench valve to Bed 5 controlled the temperature
          excursion because the Bed 5 inlet temperature reading that had risen abnormally
          returned to normal. The Bed 4 outlet temperature reading also returned to within
          normal range.

          The temperature data on the Bed 4 strip chart appeared normal and did not verify the
          high Bed 4 outlet temperature on the data logger. While this is consistent because  a
          different Bed 4 point was displayed on the strip chart, operators may have expected to
          see more than one Bed 4 outlet point rise during an excursion.

          Hydrogen makeup decreased, not increased, as operators expected during an excursion.

          Operators were confused by makeup hydrogen flow dropping to zero. Operators were
          unaware that the methane buildup in the recycle gas caused the makeup hydrogen flow
          to drop.

          Operators did not know that the recycle gas (hydrogen) purity had dropped because of
          the time lag for receiving analysis from the hydrogen purity analyzer.

          Operators did not immediately notice that the Bed 5 outlet, reactor inlet and outlet
          temperatures had risen above critical limits.  Operators did not receive additional
          audible high temperature alarms from the data logger.

          Operators were distracted from noticing that Bed 5  outlet temperatures were increasing
          because they were busy trying to control the trim furnace firing.
                                           60

-------
The operators heard and responded to a high temperature alarm for the Bed 4 outlet and Bed 5
inlet high temperatures, but did not receive any other audible high temperature alarms despite Bed
5 outlet and reactor inlet and outlet temperatures also exceeding high temperature alarm set
points.  One Bed 4 outlet and the Bed 5 inlet temperature exceeded the +50F over normal alarm
set point, but post-accident tests showed that the data logger would not re-alarm in this situation
when the acknowledge button was pushed on the data logger keyboard. Testing also showed that
it took 2.5 minutes for the +50F alarm to clear when the temperature dropped to non-alarm
levels.  Therefore, for the +50F above normal condition, the data logger alarm cannot be reset in
a reasonably short time.  This situation would prevent operators from receiving high temperature
alarms from other points in the reactor.

Even when operators realized, moments before the explosion, that the reactor outlet and inlet
temperatures  had climbed above SOOT, they did not depressure the reactor as the emergency
operating procedures required. Instead they began to adjust quench gas flows in order to cool the
reactor. Operators did not depressure the reactor because their past practice to control
temperature excursions had been to increase quench, reduce reactor inlet temperatures, and/or
stop feed flow to the reactor.

       4.4    Root Causes and Contributing Factors

Root causes are the underlying prime reasons,  such as failure of particular management systems,
that allow faulty design, inadequate training or deficiencies in maintenance to exist. These, in
turn, lead to unsafe acts or conditions which can result in an accident.  The contributing factors
are reasons that, by themselves, do not lead to the conditions that ultimately caused the event;
however, these factors facilitate the occurrence of the event or increase its severity.  Because of
the complexity of causes for this accident, no distinction has been made between the root causes
and contributing factors.  However, they are presented together in relative order of importance.
The root causes and contributing factors identified below for the January 21 accident have broad
applications to a variety of situations and should be considered lessons for industries that operate
similar processes, especially for chemical and petroleum refining industries.

                Conditions to Support and Encourage Employees to Operate Reactors in a
                 Safe Manner Were Inadequate.

Although Tosco management indicated in its safety policy that safety was a priority, it failed to
implement its safety policy consistently for all levels of the company. This lack of emphasis for
safe operation of the Hydrocracker Unit led to risky practices.

On past occasions, the emergency depressuring system was not used to control excessive
operating temperatures in Stage 2 reactors as required by Tosco's written emergency operating
procedures.  Tosco management did not take sufficient  corrective action that would ensure use of
the emergency depressuring system.  A conflict existed between prescribed procedure and past
practice; past practice was to verify data and get control of reactor temperatures without
                                            61

-------
depressuring. Inaction on the part of management may have been interpreted by operators as
unspoken management support of operators' actions to control severe excursions without
shutting down the Hydrocracker.

When operators had not followed prescribed emergency depressuring procedures in the past, they
had not encountered any operating problems as a result. Operators were able to bring
temperature excursions under control by other means without equipment damage.  However, they
had encountered difficulties when the 100 psi/min depressuring system was activated. These
difficulties included grass fires at the flare and a release of flammable vapor.  Grass fires at a flare
usually are caused by spillover of liquid from the flare to the ground. Normally, a knock-out
drum separates liquid from gas before the gas continues to the flare, but under extremely heavy
flow release conditions, the drum's separation capacity may be exceeded.  This problem would be
more severe if the 300 psi/min depressuring is activated since more flowrate is involved.
Depressuring creates an upset condition in the unit for which operators must be prepared and
trained. For example, on one occasion when the 100 psi/min depressuring was automatically
activated, the splitter lost liquid level, which in turn, caused a pump seal failure. The pump seal
failure resulted in a vapor release.  These negative experiences may have contributed to operator
reluctance to employ emergency depressuring and reinforced operators' decisions to handle
severe temperature excursions by other means.

Operators kept the Hydrocracker Unit running despite adverse operating conditions, such as some
reactor temperature data not quickly accessible (available only at field panels), malfunctioning
temperature instrumentation, leaking exchanger flanges, leaking quench valves, poor radio
performance etc. Running the Hydrocracker Unit to full capacity caused control problems for
operators and made it difficult to maintain safe temperatures. Documentation indicated that
sometimes production was limited by the trim furnace firing capacity.  Fluctuations in trim furnace
firing caused operators to make many manual adjustments to reactor temperatures.

One operator stated that there is "a lot of expectation to produce barrels." Use of the 300 psi/min
depressuring system is very disruptive and halts production since the unit must be shut down and
then later be restarted.  Operators were naturally reluctant to shut the unit down and be
accountable for the negative consequences of interrupting production.  However, the risk of
runaway  reactions in the hydrocracking process dictates that operators must quickly stop flow of
feed or depressure even at the risk of sometimes shutting the unit down unnecessarily.

In rebuilding Stage 2 reactors and controls after the  January 21 accident, Tosco designed the
depressuring system to automatically activate when temperatures rise abnormally high.  Therefore,
depressuring is no longer an operator decision under specified conditions. However, the root
causes  associated with operator actions and attitudes regarding production versus safety need to
be addressed in order to prevent other accidents.

Maximum bed temperature differential  limits were stated inconsistently in various documents.
Tosco was not operating within the original catalyst bed temperature limitations (maximum of
                                           62

-------
30F differential per bed) as recommended by Unocal in 1986 (Hydrocracker licensor), even
though they had changed to a more reactive catalyst. The basis for allowing higher bed
differentials (maximum of 40F average and 45F axial and radial) is not clear.  Operators were
not always able to maintain bed temperature differentials even within the highest limit cited, 45F.
The operating temperature guidelines reissued on April 4, 1996 as a result of an excursion did not
define the normal temperatures that must be maintained.  Increasing bed temperature differential
limits increases the risk of temperature excursions.

Written documents indicated that operators found it necessary to increase bed temperatures to
stay within other operating constraints such as maintaining minimum conversion per bed,
maintaining production rate and shifting higher temperatures to beds to reduce trim furnace firing,
and compensating for leaking quench valves.  Documentation shows that Tosco management was
aware of the conflicts between  safe operating limits and performance goals but took no action to
address these conflicts. Management's lack of regard for firm operating limits contributed to a
culture where operators may not have taken the limits seriously. Operators were aware that they
had taken chances in the past by operating with malfunctioning instruments and without the data
logger.  When performance goals and risks were not defined by management, decisions about
hazards and risk were left up to operator discretion.

                 Human Factors Were Poorly Considered in the Design and Operation of the
                 Temperature Monitoring System.

The control room was not designed and planned with a proper fit of people, equipment and
environment,  which limited operators' ability to quickly recognize and respond to a temperature
excursion.  The temperature monitoring system for Stage 2 Hydrocracker reactors was inadequate
for operating  a complex reaction under high temperature and pressure. Operators were required
to adjust temperatures (many times manually) and remain within certain constraints while
achieving target production goals. Operating constraints and production targets often changed
depending on feed characteristics, output needs, catalyst age and other operating conditions.
These constraints included maintaining a specified bed temperature profile, not exceeding trim
furnace firing capacity, achieving specified product conversion, not exceeding reactor and catalyst
bed temperature limits, avoiding hot spots in beds, and  minimizing coking of catalyst.

In order to operate the Hydrocracker efficiently and safely, sufficient reactor temperature data is
critical and needs to be readily accessible.  The operators were using three different
instrumentation systems to obtain reactor temperature data.  These systems were not integrated
and thus required more effort to effectively monitor the reactor conditions. The May 1989
Hydrocracker Training Program document described the control room as a "hodgepodge"  of
instruments and acknowledged that replacement of instruments had not followed any overall plan.
Without the necessary temperature data, operators could not readily detect or respond to hot
spots in a catalyst bed, and runaway reactions could occur.  During the January 21 incident,
operators relied on the strip chart data to make decisions, since data from the field panel was not
readily accessible and they did not believe the data logger readings. The strip charts gave an
                                            63

-------
incomplete picture of the reactor condition since the charts only displayed a few of the total
thermocouple readings.

The field panel temperature data was needed by operations for safe and efficient operation of the
Stage 2 reactors.  Operators were instructed by management to collect and record field panel data
daily. Most of the highest (most critical) temperatures were those that could only be read outside
at the field panels. Obtaining field panel temperatures required too much time, which did not
allow quick decisions to be made. When a temperature excursion does occur, getting temperature
data immediately is vital for operators to be aware of the situation and respond appropriately in
time.  On the night of the accident, minutes were lost while the outside operator was trying to
relay field panel readings.

The installation and use of field panels to acquire additional temperature data was not managed
appropriately.  No management of change process was conducted to consider the impacts of using
the field panels. The purpose of the installation of the field panel was not clear to all personnel
associated with the Hydrocracker.  Some thought the temperature panel was an experiment to
determine if a capital expenditure was worthwhile, while operators relied on it for additional
temperature monitoring. Also, there was no defined time line for when data from the additional
thermocouples would be available in the control room. Poor communications existed between
management and operators on this issue. Operator concerns about the panels were not addressed.

Operators had to manage with conflicting temperature information from the different systems.
Management recognized this conflict in the standard operating procedures, but no procedures
were in place to specify how to operate when one of the instrument systems was malfunctioning.
There was limited redundancy of temperature readings, which did not allow an accurate
assessment of possible instrument malfunction. The only redundant temperature points were
those on  the control board strip charts which displayed only the center inlet and outlet of each
bed.

Operators did not have hydrogen purity  information needed to assess the situation on January 21
because of a seven minute lag time in getting information from the hydrogen purity analyzer.  This
delay contributed to operators not being aware of excessive methane generation as the
temperature excursion began.

There was limited automatic control of quench flow since the controllers used only one
temperature point per bed. Responding  quickly to temperature excursions in some cases required
the operators to override the automatic quench controller in order to control hot spots in the
catalyst bed near temperature points that were not linked to the quench valve controller.
Operators would open the quench flow valve using manual control versus the automatic control.

When multiple temperature points exceeded the high temperature alarm setting, no additional
alarms could be received until the first high temperature alarm was acknowledged and reset.  The
high temperature alarm was set at 780F, which meant operators might not be aware of a problem
                                           64

-------
until temperature had almost exceeded the maximum safe operating temperature of the reactor.
Yet the operators were required to take steps to control temperatures 25F above normal
(without depressuring) as stated in the emergency operating procedures. On January 21, some of
the Bed 5 outlet temperatures increased by more than 25F, but board operators were distracted
by trim furnace firing and did not notice the Bed 5 and reactor outlet temperatures rising. The
design of instrumentation was not well integrated and was not adequate to address the situations
of temperature rising very rapidly, and many temperature points exceeding limits.

                 Supervisory Management Was Inadequate.

It appears that supervisory control of operations for the Hydrocracker was deficient and
contributed to the lack of adherence to required emergency procedures.  Inconsistent application
of the use of emergency operating procedures was tolerated.   Supervision was not present at the
unit even though there had been a succession of operating problems just prior to the final
temperature excursion that lead to the explosion and fire.  The No. 1 Operator was present to
provide leadership for the other operators, but his authority to make sure required procedures are
followed was not clear.

Supervisors were not always aware of temperature excursions or maximum reactor temperatures
that had been experienced in the past. Management was not aware that Stage 2 had been
operated without the data logger functioning. In some cases, supervisors did not know which
procedures were or were not in effect. An example of this is  SOP#20 which instructed to
manually close the makeup hydrogen control valve before activating emergency depressuring.

Supervisors failed to recognize all the hazards associated with the Hydrocracker Unit startup and
operation.  These hazards included allowing operators to access field panels during potentially
severe temperature excursions, allowing operations of heat exchangers that leaked chronically,
and having  continued operation of Stage 2 reactors when the  data logger was out of service.
Supervisors also did not have a plan for implementing the use of the I/A temperature monitoring
system and were not following management of change procedures that would have identified the
consequences of change to the system and prepared operators for its use.

Root cause investigations conducted for previous excessive temperature excursions were
inadequate. It appears that not all temperature excursions were documented, and management
may have been unaware of the serious nature of some of the excursions.   Management did not
investigate why operators were reluctant to follow emergency operating procedures, and failed to
develop solutions to address the causes.  The failure to fully investigate several "near miss"
temperature excursions and address causes of these incidents  demonstrates the lack of proper
management oversight and concern.  The lack of attention sends the wrong message to operators
about the real danger posed by the temperature excursions. In addition,  no abatement efforts
were made  in regard to excessive reactor bed temperatures, other than reissuing guidelines.
                                           65

-------
                 Operational Readiness and Maintenance Were Inadequate.

Poor facility functional operability and poor maintenance were contributing factors in the
accident.

Twice in January of 1997, operators had to rely on single bed inlet and outlet temperature points
from the Moore (strip chart) controllers while switching from the I/A system to the data logger
and vice versa. No interim system was available to ensure that the operating employees had
sufficient operating data to safely operate the reactors.

For ten  days in January of 1997, Stage 2 was operating with a new temperature monitoring
system that was not fully functioning (the IIA system).  No pre-startup safety review was
conducted for the implementation of the Stage 2 I/A system.  The I/A system was not reading all
the thermocouple temperatures and was incorrectly calculating weighted catalyst temperature
averages.  Operators had also  experienced recent operating problems with the data logger, which
was one factor leading operators to doubt data logger readings on the evening of January 21.

One type of alarm for the data logger was not functioning properly.  The temperature rise in Bed
4 outlet and Bed 5 inlet on January 21 exceeded the alarm setting of more than 50F above
normal.  Post-incident data logger testing demonstrated that the data logger alarm would not re-
alarm for another high temperature when the acknowledge button was pushed on the data logger
keyboard. The data logger alarm for greater than 50F above normal would also not reset itself in
a reasonably short time (less than 2.5 minutes) after the temperature dropped back to normal.
This situation would prevent operators from receiving high temperature alarms from other points
in the reactor.

Unreliable radio communications equipment  were used by operators. The radios were required to
relay both routine and emergency information between the outside operator and  the control room
personnel. Based on operator statements, problems existed with maintaining proper battery
power and having enough channels available to accommodate communications needs.  Problems
maintaining battery power were acknowledged in SOP# 30 dated May 1990 and apparently these
problems had still not been addressed by the  time of the January 21 accident.

The Stage 2 quench valves would not fully close all the time and operators had to make
adjustments to bed temperatures to  compensate, which sometimes resulted in higher bed
temperatures.  The higher the operating temperature of the bed, the more likely the possibility of
temperature runaway since reaction rate increases with temperature.  Adjusting temperatures to
compensate for leaking quench valves may have made it more difficult for operators to stay within
prescribed bed temperature differential limits.

Operators were expected to deal with adverse situations without adequate operating procedures
or technical support from management. The deactivated catalyst may not have contributed to the
accident, but the conditions  causing the deactivation and the lack of preparation  to handle this
                                           66

-------
situation show deficiencies in operational readiness and operating procedures.  For example, the
catalyst deactivation started when feed from three reactors was forced into two reactors because
of lack of room in tankage needed to divert some of the feed.

A wiring problem identified in SOP#20 would not have allowed operators to depressure Stage 2
without first manually closing a hydrogen control valve. This situation existed because of wiring
on the control valve that had been damaged in March 1989 and, according to SOP#20, was never
repaired. The emergency depressuring system was not tested regularly to ensure it would
function when needed.

Operators operated with heat exchangers that chronically leaked during startup.  These leaks
required maintenance intervention during startup to stop the leaks and created  operating hazards
from flammable vapor clouds. These leakage problems delayed startup of the unit in January
1997.

Tosco identified the need to replace missing support bolts for distribution trays in Stage 2 reactors
for the January  1996 maintenance turnaround. The documentation for this needed work was
incomplete and  investigators are not certain if the work was done.

The section of effluent pipe that ruptured had been ultrasonically tested for metal thickness only
once (in 1991) during its 33 years of life. A single pipe metal thickness measurement is not a
reliable way to predict an accurate corrosion rate for piping in hydrogen service.

               Operator Training and Support Were Inadequate.

The Hydrocracker Training Manual was out of date and did not reflect changes made to the
process over time.  The unit-specific training at the Hydrocracker was mostly on-the-job training
with little or no classroom training.  Also, documentation of unit-specific training was limited. An
example of too much reliance upon on-the-job training included the past practice of controlling
severe temperature excursions without depressuring.  Management had not developed required
unit-specific refresher training.

The technical information system in place was less than adequate for safe operation of the
Hydrocracker.  Operators lacked adequate training on instrumentation; they apparently did not
know the limitations of some of the monitoring and control instruments used in Stage 2. For
example, they did not understand the significance of zero readings on the data logger.   Operators
had not received training on the new I/A temperature monitoring system installed for Stage 2
when it was operational for 10 days in January.

The operators did not understand the significance of a sudden decrease in makeup hydrogen flow.
This decrease conflicted with the operators'  past experience involving temperature excursions,
which had generally caused makeup hydrogen flow to increase. Not all the operators had
                                           67

-------
sufficient training on the reaction kinetics of hydrocracking and the importance of taking
prescribed actions once temperatures have exceeded certain limits.

                 Procedures Were Outdated and Incomplete.

The lack of complete,  specific, and integrated operating instructions for the Hydrocracker Stage 2
contributed to the failure to control the temperature excursion. Because operators were used to
operating with outdated procedures, they may not have taken written procedures as seriously as
they should have when they chose to control extremely high reactor temperatures by means other
than depressuring.

Written operating procedures were out-of-date, and were not updated as multiple changes were
made to the Hydrocracker Unit. A change was made to use a more reactive Stage 2 catalyst in
March of 1996, but the written operating procedures were not updated to reflect this change in
process chemistry.   The procedures were not updated as changes were made to  the temperature
monitoring system.  The operating procedures did not match equipment in the unit or in the
control room.  The operating procedures did not match descriptions of operations and equipment
described in the process hazard analysis.

Conflicting guidance regarding bed temperature differential limits was provided in different
documents as discussed in Section 3 of this report. Having different operating limits for the same
operating variable may have contributed to operators not understanding or not taking stated limits
seriously.  After the July 1992 temperature excursion, the catalyst manufacturer and Technical
Services recommended that the temperature differential of Bed 4 of Reactor 3 be limited to a
maximum of 25F.  This recommendation was contained in a draft SOP with guidelines for raising
rate of cracking, but it was not incorporated into the approved written procedures.

Bed temperature differential limits were not clearly stated in the procedures. Investigators
assumed that average differential is the difference between the average outlet and average inlet
temperatures.  Tosco's written standard operating procedures and startup operating procedures
do not explain the difference between maximum average and maximum bed temperature
differential limits.

Recommendations from several incidents and accidents at the Hydrocracker Unit were not
incorporated into the written procedures. Written operating procedures did not  exist for dealing
with many of the conditions or situations that operators were  handling in the time leading up to
the accident on January 21, such as operating with deactivated catalyst,  transferring feed from
three reactors to two,  and suspected instrument malfunction.  There was no written operating
procedure developed or implemented that provided clear instructions for safely checking the field
panels.  Decisions about risks involved with field panels were  left to the discretion of the
operators.
                                            68

-------
No written procedure was available to manage the change from the temperature indication data
logger to the I/A temperature display on January 10, 1997 or the switch back to the data logger
on January 20.  Process safety information and operating procedures regarding the change were
not updated as required by MOC procedures.

The SOPs did not reference conditions when emergency operating procedures should be
implemented.  Consequences of deviation from operating limits (such as fire and explosion) were
generally not addressed or mentioned in the written operating procedures, although they were
listed in a separate document.

                 Process Hazard Analysis Was Flawed.

Hazards were not properly identified through a current process hazard analysis, causing a
misunderstanding of risks associated with temperature excursions, design changes, equipment
modifications, and operating anomalies.  Possible hazards from changes made in the control room
or instrumentation were not adequately considered through management of change procedures.

The 1994 HAZOP study assumed that indicators and alarms for all bed temperature readings were
available in the control room. While this assumption was valid  for the 1994 HAZOP,  it would no
longer be valid after the field temperature readout panels were installed in January 1996.
Checking temperatures at the field panels became the accepted  practice to verify elevated or
questionable reactor temperatures. Operators were put at serious risk when they went to check
field panels while the reactor may have been exceeding its safe, maximum allowable temperature
of SOOT.  The failure to recognize hazards associated with operators using the field temperature
panels was a factor contributing to the operator fatality.

Potential risk involved with reading field temperature panels during abnormal conditions was
never evaluated because no safety analysis of this activity was conducted.  Management did not
respond in a timely manner to operators' concerns about having the locating the temperature
panels under the Stage 2 reactors.  Safe work practices were not developed or implemented for
reading temperatures from the field panels. Likewise, no established written procedures or
training was developed to tell operators when it was safe or unsafe to check field temperature
panels. The HAZOP assumed that necessary procedures were in place for all operations.

The HAZOP for Stage 2 of the Hydrocracker Unit did not address all existing known hazards and
operating abnormalities and was not appropriate for the process as it actually existed.  In several
instances, the HAZOP was flawed in that it was not based upon the way the process actually
operated at the time the analysis was conducted. It is not clear if the HAZOP assumed that the
I/A temperature system was functional or not.

Control  of temperature within critical operating limits is essential for safe operation of the
Hydrocracker.   The use of the 100 and 300 psi/min emergency depressuring systems  was not
mentioned in the HAZOP as a safeguard for reactor temperature excursions.  The HAZOP did
                                           69

-------
not address loss or dysfunction of temperature monitoring systems or emergency depressuring
systems.  The HAZOP mistakenly stated that automatic activation of the 100 psi/min emergency
depressuring would occur for the emergency condition of loss of oil flow through the reactor.
The 100 psi/min depressuring is automatically activated only if the recycle gas compressor trips.
The HAZOP did not address the use of emergency quench to the inlet of the reactor as was
discussed in the Emergency Procedures for a temperature excursion.

The process hazard analysis did not adequately address previous incidents that had a likely
potential for catastrophic consequences in the workplace, such as previous reactor temperature
excursions and failure to maintain temperatures below SOOT. The HAZOP did not identify fire
and explosion as consequences from extreme temperatures in reactor effluent piping and
feed/effluent exchangers.  The HAZOP did not correctly identify the frequency and thus the risk
of hydrocarbon and hydrogen sulfide releases from exchanger flange leaks, because it ranked
these occurrences as not likely over plant lifetime, when actually these leaks occurred frequently.
The HAZOP did not identify excessive methane generation from a temperature excursion as a
cause of low hydrogen purity.

                 Barriers Against Hazardous Work Conditions Were Inadequate.

The Tosco employees and contractors who were  injured during the explosion and fire were not
properly alerted to or protected from hazardous work conditions.  Contractors were not notified
that the unit was experiencing operational problems. Operators did not follow emergency
operating procedures that required them to sound the process unit emergency alarm so that
contractors could  evacuate.

5.0    Recommendations

As described in the Root Causes and Contributing Factors section above, the root causes of this
accident are complex and interconnected. Investigators developed recommendations addressing
the root causes of the accident to prevent a reoccurrence or similar event at this and other
facilities. Taken individually, the recommendations described below may not convey the
significance to prevention of a recurrence or of a  future similar accident; together, however, they
illustrate how multiple layers of protection work to prevent catastrophic incidents.

Tosco has implemented many of the recommendations from their own investigation report and
from the CCCHSD investigation report, which were both finalized in May 1997. A list of actions
undertaken by Tosco is in Appendix I.  The recommendations in this report apply not only to
Tosco but are good practices that should be carefully considered for possible implementation by
hydroprocessing operations at other facilities as well as other process industries.
                                           70

-------
              Management System Policy and Implementation

Tosco, and all industry management, must implement and maintain an environment that fosters
safe operations day after day.  Management must actively demonstrate a commitment to safety by
ensuring that operating decisions are not based primarily on cost and production and that
employees at all levels of the organization can articulate the company safety policy.  This
commitment includes defining realistic performance goals and operating risks, and communicating
these effectively to all employees. Facility management must set safe, achievable operating limits
and enforce practices to maintain operations within those limits.  Tosco needs to establish a firm
policy that limits are not flexible and must not be exceeded, and that if necessary, production rates
should be reduced to stay within operating limits.

Facility management must ensure that employees fully understand the need to use and follow
emergency  systems and procedures.  Management must design, thoroughly examine and test
emergency  systems and procedures to ensure their effectiveness and to minimize negative
consequences to the process and to safety if such procedures or systems are used.

Management must ensure that all procedures,  especially emergency procedures, are up-to-date
and reflect all current practices. Mangers must insist that all procedures be followed and that
operating limits be observed; when procedures or limits are not followed or observed,
management must determine the underlying reasons, such as an evaluation of whether the limits or
procedures are faulty, and take immediate corrective action.

              Human Factors Considerations

The Hydrocracker temperature instrumentation and controls at Tosco should be designed
considering human factors so that there is a good fit  of people, equipment and environment
consistent with good industry practice.  The system should be reexamined and revised as
necessary to enable appropriate operator  monitoring and intervention. Hydroprocessing facilities
should consider,  as Tosco has addressed consolidation and  integration of all temperature
indicators for hydrocracker reactors in one control system with all temperatures displayed in the
control room.

Facilities with complex reactions and process flow systems, such as hydrocracking, should
consider use of a system that requires less operator manual  manipulation to stay within critical
operating limits.  For example, computer  monitoring and control of critical process parameters
may allow operators greater flexibility and management of the  process. For hydrocracking, use of
a computer system would allow quench control to be linked to more than one temperature point
or be programmed to respond quench control can be linked to more than one temperature point
in the system or be programmed to respond based on a wider variety of temperature situations.
The computer can also be programmed to make incremental temperature changes based on a
input rate, allowing easier start up  and shut down of the unit.
                                           71

-------
Hydroprocessing facilities should consider having a backup system of critical temperature
indicators, to allow redundancy of temperature data.  Such redundancy will help to identify
instrument problems with confidence and allow continued  safe operation when one temperature
system is malfunctioning. Industry in general, should examine the process parameters that are
critical to safe operation and consider redundant instrumentation as a backup in case of instrument
malfunction.

The temperature indication and control system used at the  Tosco Hydrocracker should have an
alarm system that has sufficient high priority alarms that can be received independently of one
another.  Other industries should examine their process monitoring and control instrumentation to
ensure that in emergency or upset situations, control room operators are  appropriately notified of
the status of critical parameters so the operator can take necessary steps to correct the situation.
Safety critical alarms should be distinguished from other operational alarms. Alarms should be
limited to the number that an operator can effectively monitor. However, ultimate plant safety
should not solely rely on operator response to a control system alarm.

Tosco should improve or eliminate lag time in recycle gas analyzer and provide additional
capability for the detection of recycle gas abnormalities. Tosco may want to consider the use of a
continuous real-time analyzer dedicated to Stage 2 recycle gas analysis.

Human factors and risks from temperature control malfunctions should be incorporated into the
unit's process hazard analysis.

              Supervision

Tosco management should consider formal delegation of task assignment authority to No. 1
Operators.  A shift supervisor should be present at the unit during emergency or abnormal
situations or when a greater potential for problems exist, such as startup after maintenance or
introduction of new equipment. As an interim step, additional supervisory coverage should be
provided until procedures are updated and training is improved.  Tosco management should
consistently enforce proper actions and promptly address any improper actions with respect to
emergency procedures.  Supervisors should ensure that procedures for hazard analysis and
management of change are followed.

Supervisors must  ensure that operators are trained and tested to implement emergency
procedures.  Supervisors should be educated on the hazards associated with all aspects of
operation, startup and shutdown of Hydrocracker Unit and should conduct thorough pre-startup
and pre-shutdown safety reviews. Supervisors should identify critical operating limits and ensure
that operating conditions stay within safe limits.  Events in which operating limits have been
exceeded should be thoroughly investigated by supervisors to determine the root causes of these
events. Equipment, and procedural and job performance issues that relate to such events should
be corrected.
                                            72

-------
Tosco management, and industry, must investigate all deviations from expected process
conditions and procedures to understand the underlying reasons for these deviations; especially
for safety critical parameters.  If the underlying reasons are not sufficiently identified and
addressed, then the deviations can reoccur. The investigation process should include soliciting and
responding to operator input regarding operating practices and procedures.  Tosco management
must investigate Hydrocracker temperature excursions and determine the cause and corrective
action necessary to prevent such excursions such as engineering and design changes necessary to
ensure uniform flow distribution within the Hydrocracker catalyst beds. Facilities should freely
exchange safety related lessons learned among others within their industry.

             Facility Readiness and Maintenance

All facilities should establish requirements for equipment integrity and not operate unless integrity
is maintained.  Tosco should properly maintain reactor internals to ensure that the
hydroprocessing equipment can be operated within established safe operating limits.  All
temperature instrument systems that are critical to safe operation and emergency shutdown
equipment must be maintained in reliable operating order.  Equipment functions, including alarms
and radios, should be tested regularly.  Facilities must address any problems with emergency
systems immediately and not operate until these systems are  fully operational.  Practice emergency
drills should be held on a regular basis.

Since it  is not unusual for problems to develop when equipment is first being used or started up,
management should have technical and maintenance support personnel available at the unit during
startup of new equipment or after major maintenance has been performed.

Tosco should develop a permanent  solution for the problem  of leaking heat exchanger flanges and
make the necessary changes to prevent hazardous hydrocarbon leaks. Also, quench valves should
be maintained so that they do not leak.  The facility's maintenance program should include
implementation of a mechanical integrity testing and inspection program for vessels and piping
that is consistent with current process industry recommended practices.

              Training and Support

Tosco and all industry must provide training for operators when any changes to temperature
indication and control systems are made. Management should provide training for operators on
the reaction kinetics of hydrocracking, and causes and control of temperature excursions. The
training should include the behavior of the hydrogen  system in the Hydrocracker,  especially
during severe temperature excursions.  Operators should be trained to understand the limitations
of the process instruments, the instrument default values,  and how to handle potential instrument
malfunctions. All operators should be retrained on the use of the emergency depressuring system,
and the  rationale for implementing emergency procedures.
                                            73

-------
              Procedures

Every hydroprocessing operation should develop written operating procedures to cover all
anticipated phases of operations.  Management should develop a format for operating procedures
which provides specific steps for each operational phase including reference to equipment and
controls in the control room. This format should also address operating limits for each phase and
the consequences of deviation from those operating limits. Facilities need to implement a method
of reviewing and updating procedures so that approved and tested changes are incorporated into
the procedures document.

Tosco must revise procedures to reflect current operating methods and equipment and consolidate
all previous SOPs, memos, and procedures into one manual for ease of operator use. The
procedures should include instructions for operators to follow when instrument problems are
suspected or other process upsets or anomalies occur.  The operating procedures need to be
updated with a description of the instrumentation default values and limitations.  Tosco should
specifically review and re-issue operating procedures related to temperature excursions at the
Hydrocracker.

Although these recommendations regarding procedures are directed at Tosco, all industry should
examine their procedures to ensure that similar conditions are addressed.

              Process Hazard Analysis

Facilities should evaluate process hazards based on actual equipment and operating conditions
present and used in their own operations.  The PHA should reflect the actual instrumentation and
equipment in use at the time the PHA is done. Tosco should revise their PHA based on the actual
temperature instrumentation in use and the procedures available. The use of emergency systems
should be appropriately specified in the PHA and the descriptions of emergency equipment or
systems described in the  PHA should match the equipment in the field.  Tosco should ensure that
use of 100 psi/min and 300 psi/min depressuring systems and emergency quench are correctly
described in the PHA.

Risks or operating problems identified from actual operating practice, near misses or accidents
should be addressed and  evaluated in the process hazard analysis.  For example, the PHA needs to
identify excessive methane generation as a possible cause of low hydrogen purity.  The process
hazard analysis process should have input and review by operating personnel.  The process hazard
analysis should consider  the failure of critical operating systems, such as temperature monitors or
emergency operating systems.

Tosco needs to review and update the Stage 2 Hydrocracker process flow diagrams, and process
and instrumentation diagrams to reflect current equipment configuration.  Management of
Change (MOC) reviews  should be conducted for all changes to process, equipment or procedures
                                           74

-------
to ensure that all necessary hazard or safety reviews are executed, training is conducted and
document control is executed.
                                            75

-------
APPENDICES
Appendix A  References

1.      Report on the January 21, 1997 Hydrocracker Incident at the Avon Refinery. May 29,
       1997. Tosco Refining Company, Martinez, California.

2.      30-Day Written Final Report, Hydrocracker Explosion and Fire, Tosco Avon Refinery,
       January 21, 1997. February 19, 1997. Tosco Refining Company, Martinez, California.

3.      72-hour Written Follow-up Notification, Hydrocracker Explosion and Fire,  Tosco Avon
       Refinery, January 21, 1997.  Tosco Refining Company, Martinez, California.

4.      Summary Report to the Board of Supervisors on the Investigation of the Causes of the
       Tosco Avon Refinery Incident of 1-21-97.  May 29, 1997.  William H. Alton and Laura L.
       Brown.  Contra Costa County Health Services Department, Martinez, California.

5.      Laboratory analysis of 5 air samples in Contra Costa County.  January 21, 1997.  Bay
       Area Air Quality Management District. San Francisco, California.

6.      Citations and Notifications of Penalty Issued to Tosco Avon Refinery for Violations of
       California Labor Code. July 10, 1997. Department of Industrial Relations, Division of
       Occupational Safety and Health, State of California. CAL OSHA Concord District
       Office, Concord, California.

7.      Documentation Worksheets for Citations and Notifications of Penalty Issued to Tosco
       Avon Refinery for Violations of California Labor Code. July 10, 1997. Department of
       Industrial Relations, Division of Occupational Safety and Health, State of California.
       CAL OSHA Concord District Office, Concord, California.

8.      Notes from Meeting between EPA investigators and Tosco management. July 28,  1997.

9.      Notes from Meeting between EPA investigators and CCCHSD investigators. July  17,
       1997.

10.    Management Oversight and Risk Tree (MORT). October 1996. Conger & Elsea,  Inc.,
       Woodstock, Georgia.

11.    Management Oversight and Risk Tree Manual.  1996.  Dorian Conger and Ken Elsea,
       Woodstock, GA.

12.    Videotape of Contra Costa County Board of Supervisor's meeting, Agenda Item D. 7
       April 22, 1997.  Contra Costa County Television, Martinez, California.
                                         A-l

-------
13.     Videotape of Contra Costa County Board of Supervisor's meeting, Agenda Item D. 7 June
       3, 1997. Contra Costa County Television, Martinez, California.

14.     Reactor Safety In Hydroprocessing.  March 1987.  Charles S. McCoy, Orinda,
       California.  Paper No. AM-87-56 presented at the 1987 National Petroleum Refiners
       Association Annual Meeting, San Antonio, Texas, March 29-31, 1987.

15.     Hydrocracking, Section 4.4 ofPetroleum Refinery Enforcement Manual.  June, 1980.
       Prepared for US Environmental Protection Agency, Washington, DC by PEDCo-
       Environmental,  Inc., Arlington, TX.  National Technical Information Service Document
       No. PB84-188861,

16.     OSHA Instruction TED 1.15, CH-1,  Section XY: Chapter Z, Petroleum Refining
       Processes.  Draft. November 7, 1995.  OSHA Office of Science and Technology
       Assessment.

17.     Petroleum Refining for the Nontechnical Person. 2nd edition. 1985. William L. Leffler.
       PennWell Books, Tulsa, Oklahoma.

18.     Petroleum Refining,  Technology and Economics. 1994. James H. Gary and Glenn E.
       Handwerk. Marcel Dekker, Inc., New York, New York.

19.     Chemical and Process Technology Encyclopedia. Hydrocracking.  1974. Douglas M.
       Considine, ed. McGraw-Hill Book Company, New York, New York.

20.     Guidelines for Investigating Chemical Process Incidents.  1992. Center for Chemical
       Process Safety,  American Institute of Chemical Engineers,  New York, New York.

21.     Notes from meeting between EPA investigators and Richard Palmer of Palmer and
       Associates in Mill Valley, CA.  July 18, 1997

22.     Chemical Engineers'Handbook. 1973. Fifth edition. Perry, Robert H. And Chilton,
       Cecil H., editors. McGraw-Hill Book Company, New York, New York.

23.     CAL OSHA Investigation Summary and Narrative of Tosco Refining Company Event of
       1/21/97. June 5, 1997.  Investigation Investigation Summary Number 201480126,
       Reporting ID 0950622, OSHA-36 Number 361162992, Inspection # 125766932.

24.     Marks' Standard Handbook for Mechanical Engineers, "Table 8.7.3- Properties of
       Commercial Steel Pipe".  1987.  Ninth Edition. Eugene A. Avalone and Theodore
       Baumeister III,  editors.  McGraw-Hill Book Co. New York.
                                        A-2

-------
25.    Annual Book of ASTM Standards, Volume 01.01-Steel-Piping, Tubing, Fittings.
       "ASTM Designation A 335/A335M-94.  Standard Specification for Seamless Ferritic
       Alloy-Steel Pipe for High-Temperature Service."  1995.  American Society for Testing
       and Materials, Philadelphia, PA.

26.    Annual Book of ASTM Standards, Volume 01.01-Steel-Piping, Tubing, Fittings.
       "ASTM Designation A 530/A530M-92a.  Standard Specification for General
       Requirements for Specialized Carbon and Alloy Steel Pipe."  1995. American Society for
       Testing and Materials, Philadelphia, PA.

27.    Annual Book of ASTM Standards, Volume 01.01-Steel-Piping, Tubing, Fittings.
       "ASTM Designation A 370-94. Standard Test Methods and Definitions for Mechanical
       Testing of Steel Products." 1995. American Society for Testing and Materials,
       Philadelphia, PA.

28.    Independent Review of the Contra Costa County Health Services Department of the
       Tosco Avon Refinery Incident of January 21, 1997.  January  1998. The National Institute
       for Chemical Studies, Charleston, West Virginia.
                                          A-3

-------
Appendix B  History of Major Process Changes

1963                Hydrocracker was constructed under a license from Chevron Research
                    Corporation and put into service.  Unit was known as the Isocracker.
1976                Tosco purchased Avon Refinery from Phillips Petroleum.
1978                Original Honeywell analog electronic controllers and recorders for Stage 2
                    were changed to Foxboro Spec200 analog electronic controllers.
1986                Modifications were incorporated in accordance with a technology license
                    from Union Oil of California making the unit a Unicracker. Modifications
                    included a depressuring system, new reactor thermocouples, new hydrogen
                    quench rings in Stage 2, new internals in Stage 2, and new single loop
                    digital controls (Moore 352 controllers) for the hydrogen quench system.
                    An additional bed (Bed 4) was added which had a larger quench valve than
                    the other existing four beds.
 1986               A Foxboro Videospec Distributed Control System (DCS) was installed on
                    Stage 1 and the Hydrogen Plant.
 1989               The low pressure section of Stage 2 was converted to Moore 352 single
                    loop digital controllers and PC based data loggers for Stage 1 and Stage 2
                    were installed.
 1990               The Videospec DCS system for Stage 1 and the Hydrogen Plant was
                    replaced with Foxboro Intelligent Automation (I/A) DCS system .
Jan 1992            Catalyst was changed to Z-753 type (106) in Stage 2 reactors.
 1994               The Stage 1 I/A system was upgraded by providing  additional consoles and
                    alarm displays.
Jan 1996            Major maintenance turnaround occurred.  The Stage 2 catalyst  (Criterion
                    Z-753) was removed and sent off for regeneration and then recharged to
                    the lower four Stage 2 beds. The top beds in Stage 2 were charged with a
                    new type (more active) of catalyst (Criterion Z-763). The Stage 2
                    thermowells and thermocouples were replaced with 12- point array style
                    thermocouples. Additional thermocouples added were installed with field
                    panel display only. The top quench distributors were modified.
Dec 24, 1996        The Stage 1 monitoring points were brought  into the I/A system.
Feb 16, 1996         Hydrocracker was started up.
Jan 10, 1997         The 40 temperature monitoring points displayed on  the Stage 2 data logger
                    were transferred from the data logger to the I/A system.
Jan 12-15,1997       An unscheduled maintenance turnaround occurred to repair tube leak in a
                    Stage 1 heat exchanger.
Jan 20, 1997         Stage 2 points were removed from I/A system and returned to data logger.
                                          B-l

-------
Appendix C  Stage 2 Hydrocracker Process Flow Diagrams
                                                                        3
                                                                        u
                                                                        O 0 


                                                                        '^1
                                                                        0)
                                                                        M
                                                                        I/)
                                      C-l

-------
  Control Room
Shutdown  Panel
TO
                     FAST:
                     300 psi
                    per minute

                        C-2
             /v
           Frofn
           E-1G26
                                                 SLOW:
                                                                   Smrt-Off
                                                                  Stag* 2 Charge
                                                                     Pump
                                      XH^-Ixt
                                    ToC-15
                                   ooon Rv?l
                                Kiwck-Oirt Drum
d
                                                       >jI*'  Trim Funrtaee

                                                       ,.._..^.  ttocy
                                                        (S-
                               PrcssurE
                                Header

                                  30 inch

                                  Header
                                                         I  ReMet System |
                                                         1 Btawrfciwn DrurtJ
                                                                         0 inch iinft
                                                                          to
                                          1.1 Tufbint
                                                          To C-i Low
            Figure C-2         2 Emergency Depressuring System
                               Simplified Diagram
                                     C-2

-------
Appendix D  Interbed Quench and Distribution Sketches
                  B
                  B
                  B
                               rmnnn
                           B
                              -nfl
                                              4- -
                                 -f		H
                               pmirrm
                         Bed
                (Drawing is not to scale)
                                                         Distribution tray (slotted chimnmeys)
           Quench ring
           Quench tray
           Quench pan
           Downcomer tray
            Distribution tray (sloped chimmeys)
_j_ 4	 Quench ring
   4        Quench tray
   *        Quench pan
                                                          Distribution tray (slotted chimmeys)
            Wire mesh screen
            Layer of inert ceramic balls

            Catalyst pellets

             Layer of inert ceramic balls
             Wire mesh screen
 Figure D-l  Stage 2 Reactor Internals Sketch
                                         D-l

-------
  Two 8"x12" holes
     Side Detail
                        Top View
                       Quench ring     ^   Reactor

                                         wall
Quench pan
                       Downcomer tray
                                                    Side  and  End Details

                                                    Sawtooth downcomer
                        2" tall x 10" wide

                            Sloped chimney
     Slotted chimney   Distribution tray w/chimneys     '7  ' Y
         TI i  r         ^z~s*^                 ^'
            LJ
      2W dia. x 3" tall
                                                   o
                                                   o
                                                   o
                                              4" dia. x 8" tall
Figure D-2   Stage 2 Reactor Interbed Quench and Distribution Details
                                     D-2

-------
Appendix E  Stage 2 Reactor Thermocouple Points per Instrument Display
Bedl
Location of
Thermocouple
Bed inlet
Bed middle
Bed outlet
Total
Strip
Charts


1*
1*
Data
Logger


5
5
Field
Panel

2
5
7
Total

2
10
12
Bed 2, 3, and 4 (per bed)
Location of
Thermocouple
Bed inlet
Bed middle
Bed outlet
Total
Strip
Charts
1*

1*
2*
Data
Logger
5

5
10
Field
Panel
5
4
5
14
Total
10
4
10
24
Bed5
Location of
Thermocouple
Bed inlet
Bed middle
Bed outlet
Total
Strip
Charts
1*


1*
Data
Logger
1

4
5
Field
Panel
4
2
1
7
Total
5
2
5
12
*This point is also the same point displayed on data logger.
                                        E-l

-------
Appendix F  Average Bed Differential Temperature for Reactor 3 (pre-incident)

Reactor 3 catalyst bed temperatures at 20:00:00 (data logger time) or 7:08 pm actual time

Reactor inlet
Bed 1 outlet
Bed 2 inlet
Bed 2 outlet
Bed 3 inlet
Bed 3 outlet
Bed 4 inlet
Bed 4 outlet
Bed 5 inlet
Bed 5 outlet
Reactor outlet
Pt.l
OF
632.2
659.1
625.8
639.4
619.2
628.1
620.3
632.6

657.0
641.3
Pt.2
OF

640.6
623.5
629.1
616.3
623.8
618.5
628.3

646.3

Pt.3
op

645.6
625.7
634.4
622.0
627.7
622.1
630.0
629.3


Pt.4
op

645.5
630.2
635.1
621.2
630.2
624.3
630.5

648.9

Pt.5
op

653.5
629.3
640.4
623.1
626.2
620.9
632.3

645.9

Avg.
op
632.2
648.9
626.9
635.7
620.4
627.2
621.2
630.7
629.3
649.5
641.3
AT
across
Bed, of

16.7

8.8

6.8

9.5

20.2

According to the strip chart, about 10 hours before the accident, the quench to Bed 5 began to
decrease. This means that the poisoning had started to affect Bed 5 at approximately 9:30 am
January 21.  The strip charts for Beds 3 or 4 also show the quench falling off at approximately the
same time.
                                          F-l

-------
Appendix G  Agency Personnel Involved in Tosco Accident Investigation

David Chung, Senior Chemical Engineer
U.S. EPA
Chemical Emergency Preparedness and Prevention Office (CEPPO)
Washington, DC

Kathleen Franklin, Chemical Engineer
U.S. EPA
Chemical Emergency Preparedness and Prevention Office
Washington, DC

Gordon Woodrow, Environmental Scientist
U.S. EPA Region 9
Superfund Division, State Planning and Assessment Section
San Francisco, CA

N. Ake Jacobson, Chemical Engineer
U.S. EPA Region 9
San Francisco, CA

Ron Anderson, Chemical Engineer
USEPA contractor, Ecology and Environment, Inc.
Superfund Technical Assessment & Response Team (START)
San Francisco, CA

Carla M. Fritz, Safety Engineer
California Dept. of Industrial Relations
Division of Occupational Safety and Health
Concord, CA

Richard Roberts, Safety Engineer
California Dept. of Industrial Relations
Division of Occupational Safety and Health
San Jose, CA

Jean Patterson, Investigator
California Dept. OF Industrial Relations
Division of Occupational Safety and Health
Bureau of Investigations
San Francisco, CA
                                         G-l

-------
Andy Salcedo, Regional Safety Engineer
U.S. Dept. of Labor
Occupation Safety & Health Administration, Region 9
Office of Technical Support
San Francisco, CA

William H. Alton, P.E., Hazardous Materials Consultant
Contra Costa County Health Services Department
Environmental Division
Martinez, CA

Laura L. Brown, Hazardous Materials Consultant
Contra Costa County Health Services Department
Environmental Division
Martinez, CA

Jeffrey Gove, Air Quality Inspector II
California Bay Area Air Quality Management District
Enforcement Division
San Francisco, CA
                                          G-2

-------
Appendix H  Participants on Tosco Avon Refinery Root Cause Analysis

U.S. Environmental Protection Agency
       Craig Matthiessen, Sr. Chemical Engineer
       David Chung, Senior Chemical Engineer
       Kathleen Franklin, Chemical Engineer
       N. Ake Jacobson, Chemical Engineer
       William Weis, CERCLA Enforcement Case Manager
       Gordon Woodrow, Environmental Scientist
       Ron Anderson, Engineer - Ecology & Environment (contractor)
U.S. Occupational Safety and Health Administration
       Andy Salcedo, Regional Safety Engineer
California OSHA
       Dick Roberts, Associate Safety Engineer
       Carla Fritz, Compliance Safety Engineer
Bay Area Air Quality
       Jeffrey Gove, Air Quality Inspector
       Mohamad Moazed, Air Quality Engineer
       Dick Wocasek, Air Quality Engineer
Facilitator
       Dorian Conger, General Manager - Conger & Elsea, Inc.
                                         H-l

-------
Appendix I   Follow-up Actions Undertaken by Tosco as of June 1997

After the January 21, 1997 Hydrocracker accident, Tosco installed a number of features:

       Complete control of the Stage 2 on the I/A system (a computerized distributed control
       system.
       Maintained hard-wired shutdown buttons.
      Bed temperature differential greater than 60 degrees automatically activates quench flow.
       Computer controlled temperature ramping for reactor start-up.
      Increased response time (from 7 to 3.5 minutes) for the hydrogen purity analyzer.
       Replacement of reactor internals (distributor trays, quench rings, etc).
      Added two more reactor effluent temperature points.
       The Plant Information (PI) system will store average  temperature data for a year.  The
       control room will store temperature readings every 2 seconds for a six month period.

Tosco has installed temperature deviation safeguards for the  following conditions:

      Any temperature point in the reactor more than 5F and 15F above normal activates an
       audible alarm.
      Any temperature point in the reactor more than 25F  above normal activates the
       emergency hydrogen quench system, adds hydrogen,  stops feed, and shuts down the trim
       furnace for a single reactor.
      Any temperature point in the reactor more than 50F  above normal or any 2 points over
       SOOT automatically activates the 300 psi/min depressuring system. If one point goes over
       800 degrees, the system "remembers" it for 10 minutes. If another temperature point goes
       over 800 degrees within that same 10 minute period,  then the automatic shutdown will be
       implemented.
      Any two of the three thermocouples in the reactor effluent pipe over SOOT activates  the
       300 psi/min depressuring system, which shuts down all three reactors.

Instrumentation (thermocouple) default values are now displayed as ****  instead of defaulting to
zero (any point over 999.99T will default to ****).  The operators can click on the  ****  to see
what the temperature was, if it was less than 1400T. A reading from bad thermocouple will be
displayed as 999.

Operators received training on 62 different operating procedures, three days of training on the I/A
system, four hours of training on reaction kinetics. They will receive an 8-hour training session
on runaway simulations on the I/A system. Management discussed with the operators the need to
shut down the plant without fear of disciplinary action if safety is in question.  Tosco is working
on over 100 different procedures.
                                           1-1

-------
Appendix J   Glossary
API
ASTM
autoignition
BAAQMD
blind flange
BPD
BTU
bull plug
CAA
CAIT
CAL OSHA
CCCHSD
CEPPO
CERCLA
Cr
CSB
DCS
Deadband
Dead zone
E&CF
FCC
flash
calculation
Flow controlled
FOIA
American Petroleum Institute
American Society for Testing and Materials
Instant self-sustained combustion of flammable materials in contact with air when the
materials are at a temperature high enough to self-ignite.
Bay Area Air Quality Management District (State of California)
Also known as a solid blank. A solid metal disc with bolt holes to allow it to be fitted to a
pipe or vessel for positive closure.
Barrels per day
British Thermal Unit- a unit of energy
cylindrical solid piece of pipe stock which is threaded into a pipe coupling or flanged to a
pipe opening.
Clean Air Act
EPA's Chemical Accident Investigation Team
California Division of Occupational Safety and Health
Contra Costa County Health Services Department
EPA's Chemical Emergency Preparedness and Prevention Office
Comprehensive Environmental Response, Compensation, and Liability Act
Chromium
U.S. Chemical Safety and Hazard Investigation Board
Distributed Control System- computerized instrument controls.
A predetermined amount of change between two measured values, such as temperature
readings.
An area inside the catalyst bed where little or no flow is occurring, resulting in increased
residence time in this area.
Event and Causal Factors
Fluid Catalytic Cracker
Calculation of rate of phase change from liquid to vapor for hydrocarbons under specific
operating conditions (temperature, pressure, concentration).
(As opposed to manually controlled). Automatic control of a process stream that uses its
measured flowrate as input to an instrument called a controller which automatically opens
or closes a control valve to maintain a specified (set point) flowrate.
Freedom of Information Act
                                        J-l

-------
HAZOP
gas oil
HDA
HDN
HDS
HPS
HRB
I/A
IsoparafFm
IIR
LED
LPS
M
MBPD
MgO
MM
MMSCFD
Mo
MOC
MTBE
multiplexer
nipple
Hazard and Operability Study
A middle-boiling point range (450-800 of) fraction which is an intermediate product from
a crude oil separation or distillation processes.
A process that reduces the level of aromatic compounds in diesel to by reacting them with
hydrogen.
Hydrodenitrogenation- a hydrogen process that separates nitrogen components from a feed
stock.
Hydrodesulfurization- a hydrogen process that separates sulphur products from a feed
stock.
High Pressure Separator
Rockwell hardness number, HR using the Rockwell B scale. The number is derived from
the net increase from a test indentation as a force on the indenter is increased from a
specified preliminary test force to a specified total test force and then returned to the
preliminary test force.
Foxboro Intelligent Automation distributed digital control system.
A branched hydrocarbon consisting of single carbon-carbon bonds.
Isocracker Ingersoll Rand (hydrogen recycle compressor)
A semiconductor diode that converts applied voltage to light and is used digital displays on
instruments.
Low Pressure Separator
Thousand
Thousand barrels per day
Magnesium Oxide
Million
Million standard cubic feet per day
Molybdenum
Management of Change
Methyl tert-butyl ether. A oxygenated additive used to increase the octane rating of
blended gasoline.
A electrical device with input cards that convert millivolt signals from the thermocouple
wires to digital signals which are sent to a computer (data logger) in the control room.
A short piece of small diameter pipe
J-2

-------
NTSB
off-test
olefin
paraffin
PFD
PHA
PI
P&ID
PMS
ppm
psi, psia, psig
Pressure
controlled
PSM
reaction
kinetics
SCBA
scf
SCF/bbl
SCFD
skin
temperature
SOP
U.S. National Transportation and Safety Board
A term used to describe product or streams that do not meet manufacturing specifications.
A straight chain hydrocarbon having double carbon-carbon bonds.
A straight chain hydrocarbon consisting of single carbon-carbon bonds.
Process Flow Diagram
Process Hazards Analysis
Plant Information computer system- Used for management purposes.
Process and Instrumentation Diagram
Performance Monitoring System. A computer system continually gathers data from over
1,000 instruments in the refinery and displays critical information to operators in different,
often distant, parts of the refinery. Uses a Foxboro Spectrum Monitor to display.
parts per million
unit of pressure: pounds per square inch, pounds per square inch absolute, and pounds per
square inch gauge. Absolute pressure includes the pressure of the ambient atmosphere
while gauge pressure does not.
Automatic control of a process stream that uses a measured pressure to control another
process variable such as heat or flowrate. The pressure is input to an instrument called a
controller which automatically opens or closes a control valve to maintain a specified (set
point) pressure.
Process Safety Management
Quantitative study of the rate at which a chemical reaction occurs, the factors on which this
rate depends, and the molecular acts involved in the chemical reaction.
Self-Contained Breathing Apparatus
Standard cubic foot- volume of an ideal gas at standard conditions of 14.7 psia and 60F
(petroleum and gas industry).
Standard cubic foot of recycle gas per barrel of oil feed
Standard cubic feet per day
Temperature of exterior metal shell of vessel.
Standard Operating Procedure
J-3

-------
Sulfiding
Temperature
controlled
Temper
embrittlement
thermocouple
thermowell
TRI System
turnaround
USEPA
WCAT
zeolite
Fresh or regenerated catalyst must be activated by sulfiding prior to its use. Sulfiding
involves heating the catalyst at a controlled rate while contacting it with hydrogen sulfide
which converts the metal oxides to metal sulfides, the form most active for hydrogenation.
Automatic control of a process stream that uses a measured temperature to control another
process variable such as heat or flowrate. The temperature is input to an instrument called
a controller which automatically opens or closes a control valve to maintain a specified (set
point) temperature.
A condition in which thick walled vessels are subject to high stress during rapid
temperature change. Under these conditions the steel is brittle and may fracture. The
effect is more severe at low temperatures and with the vessel under pressure.
A thermoelectric device for measuring temperature, composed of a two wires of dissimilar
metal in a circuit. The electrical potential difference generated between the points of
contact (2 junctions) of the wires is used as a measure of temperature difference.
A metal tube into which a thermocouple or thermometer can be inserted for measuring the
temperature in a pipe or vessel. The tube is closed at one end and externally threaded or
flanged at the other end so it can be fitted to a coupling in the pipe or vessel.
Tosco reliability system. TRI was a tool for scheduling, planning, tracking, and
documenting plant systems and equipment maintenance. The TRI system has been
replaced by a new system called IMPACT.
Major maintenance of equipment following shutdown of operations for an extended period
of time.
U.S. Environmental Protection Agency
Weighted Catalyst Averaged Temperature
A type of catalyst made from aluminum-silicate based materials characterized by a very
porous structure.
J-4

-------