Hot spot detected in a chemical plant - La référence du retour d'expérience sur accidents technologiques

During night rounds in a chemical plant, hot spots with a strong burning smell were detected near a thermal oxidiser (RTO). The RTO had been heating up during the day and then put on standby once the set temperature (1050 °C) had been reached. The switch to treatment mode was not made due to a problem with the pressure control system in the VOC collection network. The operators noticed that red dots were present on the RTO structure and activated the equipment’s emergency stop button. The temperature in the main chamber exceeded 1500 °C, and there was no safety device to shut off the gas to the burner. The following day, the equipment was placed into a forced cooling configuration. During its investigation, the manufacturer noted that the inside of the heating chamber (consisting of ceramic elements) and the temperature probes needed to be replaced.

A fault was detected in the PLC software. The PLC would exit the standby mode without switching to another operating mode when the equipment was reheated. The loss of the RTO’s temperature control system resulted in the temperature limit conditions being exceeded and significant overheating of the equipment. At the time of the event, the program was in an unknown operating mode, and the safeguards associated with the RTO’s modes were not operational.

As the site had received formal notice to comply with the release limit values with a deadline approaching, the operator had tested the critical safeguards but not all the possible combinations or those of the accident (unknown mode). Many of the securities were functional at the end of the tests but were not operating under the particular circumstances of the accident. At the same time, the independent high-temperature safety device specific to the burner had a malfunction that was not identified during the tests as the RTO’s program masked it.

Following the accident, the operator developed detailed test protocols for the burner. A matrix was built representing the 1000 possible transitions of the PLC from one operating mode to another. The operator simulated several faults to check the operation of the actions planned for the 68 critical transitions highlighted. It also established 15 slaves independent of the modes, particularly disconnecting the gas supply.

The accident analysis highlights technical control errors on the part of the oxidiser installer and the service provider who supplied the pilot burner.