A preliminary hazards analysis of a fluid

catalytic cracking unit complex

James J. Rooney, Joe H. Turner and John S. Arendt
JBF Associates, Inc., Technology Drive, IO00 Technology Park Center, Knoxville,
TN 3 7932, USA

This paper presents the results of a preliminary hazards analysis of a fluid catalytic cracking unit
complex, and demonstrates how system reliability engineering can improve availability and refinery
profitability. The technical approach and some of the recommendations resulting from the analysis
are also given.
(Keywords: hazard analysis; reliability; productivity)

Turbulent economic conditions and uncertain petro- l Tri-potassium phosphate treating unit
leum use forecasts have complicated the decision- l De-ethanizer system
making process for managers in the hydrocarbon pro- 0 Associated dedicated utilities
cessing industry. Refinery managers are now challenged
The PHA examined accidents that could be caused by
with achieving higher equipment and unit availability
process equipment and human failures involving these
goals than ever before. The efficient allocation of
process areas, and that would result in significant
limited loss prevention resources for a refinery can make
economic consequences at the refinery. The postulated
the difference between profitability and being out of
failures consisted of loss of containment events that
business.
result in fires and explosions, such as piping flange
To decide how to best allocate their limited resources,
ruptures and pump seal ruptures, and loss of process
managers need to know: the hazards in their refineries
function events that cause partial or complete unit
that present the. greatest threat to refinery profitability
shutdowns, such as the failure of redundant pumps.
(economic risks); and the most cost-effective options for
The economic consequences considered in this study
dealing with these hazards. An economic risk-based
included equipment damage losses and business inter-
preliminary hazards analysis (PHA)Ie3 is an efficient
ruption losses ranging from total losses of production to
way to identify areas in a refinery or process unit with
small reductions in throughput. The cost of lost hydro-
unacceptably high risk. PHA also allows for the formu-
carbon inventory following a loss of containment event
lation of practical, cost-effective recommendations for
was not considered to be a significant economic loss for
increasing unit on-stream factors. The two specific
the process areas included in this study.
objectives of this PHA were first, to identify potential
In addition, we did not c,onsider the effects the
component failures that represent relatively high eco-
following hazards could have on the economic risk
nomic risks at the refinery; and second, to obtain the
associated with operating the FCCU complex: routine
information necessary for performing a detailed anal-
occupational hazards, sabotage, external events (e.g.,
ysis of each of the high-risk areas identified. In addi-
earthquakes, floods, tornadoes, or airplane crashes), or
tion, we provided numerous recommendations for
scheduled leakages.
improving FCCU complex availability based on qualita-
Our PHA results were based on a risk assessment of
tive insights gained during the analysis.
the frequency and economic consequences of FCCU
complex accidents. These estimates were derived from:
Areas the analysis covered a failure modes and effects analysis (FMEA) of FCCU
equipment; a review of previous incidents involving
The portions of the refinery considered in this analysis
economic losses; many hours of on-site inspection of
were the following process areas:
FCCU area facilities; and detailed discussions with
0 Fluid catalytic cracking unit operating, engineering, and maintenance personnel.
0 Gas recovery systems
l Debutanizer systems Economic risk concepts
Understanding certain concepts of reliability engineer-
Received I4 January 1988 ing and risk assessment is a prerequisite to understanding
0950-4230/88~020096-06S3.00
0 1988 Butterworth & Co. (Publishers) Ltd
96 J. Loss Prev. Process lnd., 7988, Vol 1, April
 Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Roonev et at.
the methods and results of this PHA. Economic risk
can be expressed as the product of the average fre-
quency of an event (the hazard of interest) and the
event’s average economic consequence. The economic
risk associated with the operation of the FCCU com-
plex, therefore, would be the average economic loss that
is due to events that cause loss of production or damage
to equipment in the complex. Hypothetically speaking,
if the complex were expected to be shut down twice a
year because of the failure of a particular component,
and the economic consequence of each component
failure were $100,000, then the economic risk (or, in
insurance terms, the expected loss) associated with this
unit would be 200,000 year-‘.
The economic risk for a unit can be reduced by
increasing the time between unscheduled unit shut-
downs and/or decreasing the time the unit is actually
shut down, given an unscheduled shutdown occurs. The
economic risk can also be limited by providing process
alternatives that minimize business interruption costs,
and by providing systems (e.g. fire protection) that limit
equipment damage resulting from an accident.
Technical approach
To identify component failures that would represent
high economic risk for the FCCU complex, the PHA
involved four steps (Figure I). In the first step, we used
failure modes and effects analysis (FMEA) techniques4*’
to identify events that could cause significant economic
Component operating
failure _.b
mode mode
Expected
4 time to -
restore
Component 1 Expected
failure - equipment
mode damage
step 1
I step 2
FMEA Consequence
Figure 1 The steps used in the PI-IA of the FCCU complex
losses at the FCCU complex. To perform the FMEA, we
collected the assimilated detailed information about the
design and operations of the plant, and the inspection
and maintenance activities at the FCCU complex. From
an examination of the P&IDS and process flow diagrams
of the unit, we identified all the major components or
process functions. We then determined all of the com-
ponent and functional failure modes that could force
the unit to shut down or to operate inefficiently and
have an associated economic loss.
In step 2, we evaluated the expected economic impact
of accidents caused by the component failures identified
in the FMEA. The estimates of the economic impact
included both equipment damage and business interrup-
tion losses resulting from the accidents. (Hydrocarbon
inventory losses were considered negligible and were not
included in the risk estimates.) The expected business
loss for each of the component failures analysed was
combined with the equipment damage cost estimate.
Each sum was then assigned to a total cost category for
an overall estimate of the economic consequences of the
failure.
In step 3 of the PHA, frequencies were estimated for
accidents resulting in economic consequences. Decisions
in assigning frequencies were based on actual plant
operating experience and the industry-average failure
experience for similar equipment.
In the final step of the PHA, we compared the
economic risks (consequence/frequency combinations)
Expected
-
b”lzess
d
I step 3 I step 4
assessment Frequency 1 Risk assessment
categorization
J. Loss Prev. Process Ind., 1988, Vol 1, April 97
Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Rooney et al.

posed by the potential component failures with the risk
criteria established by the refinery. Specifically, we used
the results of our analysis of the consequences and
frequencies of the component and human failures, in
conjunction with risk matrices and the refinery’s ‘un-
acceptable risk criterion,’ to identify: the important
contributors to risk; where improvement is needed; and
where efforts to reduce risk may be most cost-effective.
The preliminary hazards analysis
The procedure for identifying potentially high economic
risk events for the FCCU complex is based on an
analysis of many types of information and data col-
lected from a variety of sources in the refinery. Table I
lists the types of information used in the PHA.
Table 1 Types of information reviewed as part of the preliminary
hazards analysis
Description
FCCU process descriptions
Area plot plans
Process unit, utility systems, and area operation block diagrams
Main process flow sheets
Current P&IDS
Current inspection plans
Equipment failure and maintenance logs
A list of all FCCU feedstocks, intermediate products, and final
products, along with their values (per unit volume)
Replacement cost estimates for major components and for each
area
Alternate operatrng modes and production loss estimates for each
unit
In-progress or anticipated capital improvements
A list of all tank sizes, contents, and volumes (averaged over a
year)
All normal and emergency operating procedures
A list of all control room locations and the parameters that are
monitored and controlled
Reports on major accidents/incidents within the past 10 years
Inspection procedures, frequencies, and audit result reports
A description of the unit operator training programme
Unit or operation preventive maintenance schedules and equip-
ment or instrument testing schedules
Frequencies and durations of scheduled unit leakages for the past
10 years
Failure modes and e_D^cts analysis
The production of cat-cracked gasoline at a typical
FCCU complex involves many processing steps, and the
processing equipment is located in several areas of the
refinery. Figure 2 is a block diagram of the FCCU
processing steps considered in this analysis.
Because of the size of the FCCU complex, we divided
it into nine process sections to simplify our analysis. For
convenience, these process sections were divided into
16 functional equipment groups, which we called ‘pro-
cess subsystems’. Specifically, these process subsystems
and their relationships to the nine process sections
considered in this analysis are shown in Table 2.
From an examination of the P&IDS and the process
flow diagrams, we identified over 350 major com-
ponents of functions for the 16 FCCU subsystems. To
ensure completeness, a list of these components and
functions was compared with an equipment inventory
list. Next an FMEA4*’ was performed on these compo-
nents to determine all of the relevant component or
functional failure modes. All of the FMEA results were
reviewed with refinery personnel during three progress
review meetings6.
The following were the ground rules for determining
appropriate component failure modes:
0 The FCCU complex was analysed as it existed at the
beginning of the study. Anticipated modifications
to be made during the next turnaround (main-
tenance shutdown) were briefly reviewed but gen-
erally were not considered in the study,
0 Component failures were postulated to occur
during normal (full throughput) operation.
0 No credit was given for extraordinary (undoc-
umented) operating, emergency, or maintenance
procedures.
As a result of the FMEA and these reviews, a total of
904 component failures that could result in an economic
loss at the FCCU complex were identified. For con-
venience, a group of similar component failure modes
was often referred to as a ‘component failure type’.
Examples of component failure types are loss of

Steam to
Atmosphere refinery

t t

CO boiler Fuel Fuel Acid Fuel

Flare Flare gas gas gas Flare gas
Slurry
I I r, t t t
Cracking ractionatio as Debutanizing TPP
recovery treating
step step step step step
I
1
Decanting
1’ I t
LCCO Gasoline to Propylene to
oil storage storage
Figure 2 Functional block diagram of the FCCU complex

98 J. Loss Prev. Process lnd., 1988, Vol 7, April

 Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Rooney et al.
Table 2 Relationship between process subsystems and the nine
process sections
Process section Subsystem
Reactor feed Reactor feed
Reactor/regenerator Reactor/regenerator
Catalyst handling
Air blowers
Aeration air
CO boiler CO boiler
Fractionator Fractionator tower
Fractionator support
150 steam generator
Gas recovery Compressors
Condensers/towers
Debutanizer Debutanizer
De-ethanizer De-ethanizer
TPP treating Desulphurizer
Cooling water Cooling water
Surface condenser
containment events (e.g. piping ruptures) and loss of
process function events (e.g. redundant blower
failures).
Consequence assessment
In the second analysis step, we determined the expected
economic impact of accidents caused by the component
failures identified in the FMEA. The estimate!: of the
economic impact included both equipment damage and
business interruption losses resulting from the equip-
ment damage. For this PHA, the project team estimated
the economic consequence expected to occur as a result
of a particular component failure. Although the PHA
was not a worst-case analysis, the project team did
assign reasonably conservative estimates which recog-
nized that: when equipment fails unexpectedly, other
failure often occur; and humans often make mistakes
under stressful conditions. The conservative estimates
were developed through detailed discussions with
refinery personnel and were then compared with actual
loss experience data for the refinery.
Estimating the equipment damage from particular
accidents involves the use of engineering judgment to
determine the equipment that might be affected and to
what degree that equipment would be damaged. For
convenience, we defined broad economic loss categories
for the assignment of equipment damage losses (Table
3). Our evaluation of the level of equipment damage for
each component failure mode considered the following
factors:
l The process materials and conditions
0 The type of process equipment
l The proximity of the failed component to other
equipment
0 The existence of any engineered loss prevention
features (e.g. a fire protection system)
l The replacement costs of equipment assumed to be
damaged as a result of each component failure
Table 3 Consequence categories for economic losses
Category Definition (s)
0 0 to 10.000
1 10,000 to 32,000
2 32,000 to 100,000
3 100,000 to 320.000
4 320,000 to 1 million
5 1 million to 3.2 million
6 3.2 million to 10 million
7 10 million to 32 million
8 32 million to 100 million
9 100 million to 320 million
Based on the replacement costs for the equipment
considered in this analysis and our discussions with
refinery personne16, we assigned equipment damage loss
estimates for each of the potential accidents using the
economic loss categories in Table 3.
Every time an important component fails, operators
may be forced to reduce throughput or to shut the unit
down. Either of these actions will result in business
interruption losses for the total time that the unit is out
of service. To estimate the business interruption losses,
we determined the daily cost, if any, associated with
operating the unit in an alternate configuration and then
multiplied this cost by the estimated downtime for each
accident.
Table 4 lists normal operation and seven of the 33
Table 4 Example FCCU alternate operating modes
cost ($1000)
unit downtime
Number Description (T = days)
0 Normal operation
1 Feed reduced by 200 bbl h ’ (40P6,T
Hot standby (catalyst recirculating) (243.7)T
$ Loss of carrier air (with backup) 91.4+(121.8)T
4 Feed reduced by 600 bbl h ’ f121.8IT
5’ Loss of carrier air (no backup) l243.7lT
6 Feed reduced by 100 bbl h ’ (20.3lT
7d Loss of CO boiler (47.O)T
a The hot standby mode results when all feed flow to the reactor is
stopped while the circulation of hot catalyst is maintained by the
carrier air system. If necessary, torch oil is added to maintain the
reactor temperature at operating levels.
’ The FCCU complex operates in Mode 3 when the carrier air
supply to the reactor is lost and the combustion air is routed to the
regenerator through the carrier air line. Operating in this mode
requires a feed rate reduction of 600 bblh-‘. Also, for approxi-
mately 50% of the time, entering this mode results in a partial
slumping of the catalyst leg (which results in a longer startup
time)
c Mode 5 is caused by a loss of carrier air supply to the reactor
when combustion air is not available as a backup. All feed flow to
the reactor is stopped until the carrier air supply is restored. A full
slump occurs in the regenerator and in the spent catalyst leg.
Carrier steam is added to restore catalyst circulation
d A loss of the CO boiler causes the FCCU complex to operate in
Mode 7. In this mode, additional 600 steam must be ‘purchased’
from the refinery steam system in order to maintain normal
operation. Sufficient steam to replace the entire output of the CO
boiler is available from the refinery steam system 50% of the
time. When the entire 800 steam demand of the FCCU complex
cannot be supplied by the refinery steam system, the north blower
is shut down. The requirement for additional 600 steam is then
reduced from 100,000 h-’ to 35,000 h-l. A shutdown of the
north blower dictates a feed flow reduction of 400 bbl h ml
J. Loss Prev. Process Ind., 1988, Vol 1, April 99
Preliminary hazards analvsis of a fluid catalytic cracking unit complex: J. J. Rooney et al.

possible alternate operating modes (configurations) for Table 5 Event frequency category definitions
the FCCU complex and the formulas used to determine
the daily cost of operating in each of the modes. Notes Mean
time
that describe the more complicated operating modes between
and the assumptions we used to develop the daily cost failures
formulas are also listed in the table. The basic feed and Category Description (years) Definition
product value data provided by the refinery were used to 0 Extremely >320 Never expected to occur
develop the cost formulas given in Table 4. rare
The evaluation of the total time required for restoring 1 Rare loo-320 Not expected to occur during
the FCCU complex to normal operation (in days) the lifetime of the plant
considered such features as the following: 2 Unlikely 32-l 00 Expected to occur up to once
during the lifetime of the
0 The expected level of equipment damage plant
0 The expected logistics time for ordering long lead- 3 Probable 1 O-32 Expected to occur more than
time equipment once during the lifetime of
0 The repair time for damaged equipment the plant
0 Any administrative time required for cooldown, 4 Occasional 3- 10 Expected to occur several
times during the lifetime of
purging (safing), and heatup the plant
Component failures that do not affect normal operation 5 Likely l-3 Expected to occur up to once
were assigned restoration times of zero; they generally a year
have low-consequence estimates. The combination of 6 Frequent <l Expected to occur more than
the unit restoration time and the daily cost formula for once a year
the appropriate alternate operating mode was our esti-
mate of the expected business interruption loss for a
of the plant to failures that are expected to occur several
particular component failure.
times per year. Table 6 lists typical frequency category
For each of the 904 component failures considered
assignments used in this study for accidents caused by
for the FCCU complex, the expected business loss
particular component failures.
estimate (i.e., the product of the daily cost formula for
the operating mode and the restoration time) was Risk assessment
combined with the equipment damage cost estimate. The risk associated with a component failure is defined
The sum was assigned to one of the 10 economic as the product of the consequence and the frequency
consequence categories (Table 3) for an overall cost of the event’. In the fourth step of this PHA we used
estimate associated with the failure. All of the category matrices to present and compare the economic risk
definitions and cost estimates were developed in con- (frequency/consequence combinations) posed by FCCU
junction with refinery personnel. complex component failures with the risk criteria estab-
Since the’ equipment damage estimates in Table 3 are lished by the refinery.
ranges, t h e m i d - p o i n t s o f t h e e q u i p m e n t d a m a g e Figure 3 is an example of this type of risk matrix. The
categories were each added to the expected business matrix is divided into high- and low-risk areas. The
losses to obtain the total economic losses. The resulting criterion line (shown in the figure as a bold-faced line)
total cost was used to assign each component failure to a that divides the two areas was developed through dis-
total cost category. cussions with refinery personne16. Events above and
to the right of this line are high-risk events that, for
Frequency categorization the purposes of this analysis, are unacceptable for the
The third step of the PHA identified frequency refinery.
categories for accidents having the economic conse- Two observations are apparent from inspection of
quences identified in the second step of our PHA. this criterion line: first, component failures causing
Refinery and JBF Associates personnel used engineering accidents that have expected occurrence frequency esti-
judgment to assign each component failure to an occur- mates of extremely rare (category 0) are classified as
rence frequency category. These decisions were based low-risk events, regardless of their economic conse-
on the following factors: quence estimates. Second, component failures causing
accidents that have economic consequence estimates less
l Actual FCCU complex failure experience
than $10,000 (category 0) are classified as low-risk
l Industry-average failure experience for similar
events, even if they occur several times per year.
equipment
These component failures are considered low-risk
l Estimates, made by refinery personnel, of the fail-
events for two reasons. First, accidents that have
ure probability of any accident-mitigating systems
extremely rare frequencies are considered low-risk
or procedures
events because management recognizes that few benefits
Table 5 defines the frequency categories used in our are derived from attempting to reduce the risk associa-
analysis. These categories range from component fail- ted with events that are rarely, if ever, expected to
ures that are never expected to occur during the lifetime occur. Second, i n c i d e n t s t h a t h a v e l o w e n o u g h

100 J. Loss Prev. Process Ind., 1988, Vol 1, April

 Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Rooney et al.

Table 6 Typical frequency category assignments for FCCU complex component failures

Internal Catalyst
Component Leaks Ruptures Blocked flow Transfers closed Transfers open Transfers off explosion deactivated

Piping (1,000 ft) 3.2 1,o 1

Vessels, towers, 3,2 0 1.0 3 I,0
and tanks

Reactors 3.2 0 1 2.1 3

Relief valves 4 3

Control valves FC 5 2 4 2
FO 5 2 2 4
FS 5 2 2 2

Heat exchanger 4’1 2” 3

3‘ 1” 3

Fired heater, boiler 4” 5.4 2.1

Pump 5,4.3 6,5’
5.4”

Fan, blower 4” 6.5

Compressor 5,4.3 1 6.5
Hopper 1

Expansion joint/ 5,4.3 1.0

bellows

Screen, filter, 5
strainer
Cooling towers 1

a FC 1 fails closed, FO = fails open, FS = fails in place

’ This frequency assignment is for a tube failure
’ This frequency assignment is for a shell failure
d This frequency assignment is for a steam turbine-driven pump/blower
e This frequency assignment is for an electric motor-driven pump

F r e q u e n c y categary four-step PHA of the FCCU complex. The figure shows

the number of component failures assigned to each
frequency/consequence (risk) combination. Table 7
8 summarizes the number and percentage of low- and
i $3.2~10'
7 8 high-risk events for each of the nine process sections.
E Roughly 17% of the 904 events analysed (155 events) are
6 s
ki
~~$3.2~10~ 5 ?I classified as high-risk, or high economic risk, events.
R
9 $1x106 5 The largest percentages of high-risk events for the
2 $3.2x10'&
4
t FCCU complex occur in the fractionator (26070), the
; 3 H
Y SIxlO
a 2 .G .
Frequency category
cl 1 2 3 )1 5 6

$1x10* 9

8
Mean time between events [years) E $3.2~10'
: $1x10' 7 8
Figure 3 Sample risk matrix s
%$3.2x106 6 $

consequences are considered mere nuisances and are 5 t

3
-0 $1x106 r) 8
expected to occur frequently in a large industrial plant;
B $3.2~10~ t
they are, therefore, accepted as the normal costs of 3 a
i;
doing business in an oil refinery. B
$1x105
2;
The following section discusses the results of our 1 $3.2~10~
1
PHA of the FCCU complex. $lXlO~
0
320 100 32 10 3 1
The results of the preliminary hazards analysis Mean time between events (years1

The risk matrix in Figure 4 contains the results of the Figure 4 Risk matrix for the FCCU complex

J. Loss Prev. Process Ind., 7988, Vol 1, April 101

Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Rooney et al.

Table 7 Summary of process section results

unit operating strategy, a failure of the existing hot feed
charge pump would force a reduction in FCCU produc-
Low-risk High-risk Total tion for the following reasons because: first, the heavy
Process section events events events
charge heater is maintained in a cold shutdown state and
Reactor feed 6 3 (8%) 11 (7%) 7 4 cannot be put in service quickly enough to replace the
(8%) feed preheating that is lost when the hot feed charge
Reactor/regenerator 8 8 (12%) 3 8 f25%1 126 pump or strainer fails: second, the light charge heater
(14%) cannot entirely replace the feed preheating that is lost
CO boiler 3 0 14%) 3 (2%) 3 3 when the hot feed charge pump or strainer fails. The
(4%)
thermal limits of the light charge heater (the only other
Fractionator 1 2 4 (17%) 4 1 (26%) 165 major energy source) restrict the heater outlet tempera-
(18%)
ture to a point where insufficient preheating is available
Gas recovery 2 2 6 (30%) 25 (16%) 251
(28%)
for maintaining full production when the hot gas oil is
replaced with cold feed. Ccnsequently, the feed rate
Debutanizer 7 6 (10%) 3 1 (20%) 107
(12%) to the FCCU complex must be reduced by about
De-ethanizer 61 0 (0%) 61
200 bbl hh ’ if the flow from the hot gas oil pump or
18%)
(7%) strainer is lost.
TPP treating 7 3 (lO%f 0 (0%) 73 One alternative to installing a redundant hot feed
(8%) charge pump and strainer is to devise a means for
Cooling water 8 (1%) 6 (4%) 14 enabling the FCCU operators to quickly place the heavy
(2%) charge heater in service when a loss of hot gas oil feed
Total 749 155 904 occurs. However, the utility costs associated with safely
maintaining the heater in ‘hot standby’ would probably
be prohibitive. (The fast startup of a ‘cold heater’ is not
reactor/regenerator (25%), the debutanizer (20%), and recommended because of the increased risk of heater
the gas recovery (16%) areas. Most of these events are fires/explosions that are historically associated with
high risk because the component failures force large emergency heater startups.) Thus, if the future opera-
reductions in the feed rate to the reactor while com- ting strategy will require that the heavy gas oil heater be
ponents are being repaired or replaced. shut down during normal operations, a spare hot gas oil
The de-ethanizer and the TPP treating areas have the . pump and strainer should be installed.
lowest percentage of high-risk events in the FCCU
complex. The events in these areas result in low risk Recommendation 2-Replace the automatic catalyst
since they have little or no impact on the production of loader with a more reliable unit or have the manufac-
catalytically-cracked gasoline. The FCCU complex can turer completely overhaul the loader to bring it up to
be run at near full production rates while repairs are current p e r f o r m a n c e s t a n d a r d s . T h e a u t o m a t i c
made to the de-ethanizer and TPP treating equipment.
Table 8 High-risk events for the FCCU complex
High-risk events
The 155 events classified as high economic risk events Group Number of
number Component failure type events
were divided into two groups: Group 1 (events that
require further analysis); and Group 2 (events that do 1 Compressor, blower, or surface 11
not require a more detailed analysis since a more condenser transfers off
Heater has uncontrolled fire/explosion 6
detailed analysis would not provide insights that would Heater fails to start 1
lead to significantly greater economic risk reduction). Piping leaks or ruptures 13
Table 8 categorizes these 155 events by component Slide valve ruptures, transfers open, or 7
fails to close
failure type for each of the two groups. Risk-reduction Pump leaks or ruptures 18
engineering recommendations for the Group 1 events Heat exchanger tube ruptures or plugs 5
cannot be determined without further analysis. A Heat exchanger shell leaks or ruptures 27
Drum has less-than-adequate flow 1
detailed analysis would focus on identifying options for Heater tube ruptures 1
reducing: the average occurrence frequencies; the aver- Tank or drum leaks or ruptures 9
age consequences; or both the average frequencies and Tank or vessel floods 1
Seal pot ruptures 1
consequences of these events. The present analysis did,
2 Heater tube leaks 3
however, result in six general recommendations for Heat exchanger tube leaks 12
reducing the economic risk associated with the Group 2 Tower or vessel leaks 4
events. Tower or vessel has internal failures 1
Piping leaks or ruptures in the reactor/ 10
regenerator section
Recommendations Pump, loader, or fan transfers off 4
Strainer flow is blocked 1
Pump fails to start 7
R e c o m m e n d a t i o n I-fnstall a redundant hot feed Expansion joint leaks or ruptures 12
charge pump and associated strainer. With the current

‘I02 J. Loss Prev. Process Ind., 1988, Vol I, April

 Preliminary hazards analysis of a fluid catalytic cracking unit complex: J. J. Rooney et a/.
catalyst loader provides a continuous measured flow of
fresh catalyst to the regenerator to promote a stable
catalytic reaction rate. When the automatic loader is not
available, the FCCU complex uses a manually operated
‘batch’ catalyst-loading process. With the manual
catalyst-loading technique, approximately 1 ton per day
more catalyst is consumed than when the automatic
loader is used (at a cost of $1500 per ton). The recent
operating history of the automatic loader shows an
average availability of 50%. (Automatic loading is used
on the average of 6 months per year.) This represents
an annual operating cost, because of failures of the
automatic loader, of $270,000.
Recommendation 3-Evaluation the design of the cool-
ing tower fans, gearboxes, drive mechanisms, and
associated support structures to determine the root
cause of this equipment’s relatively high unreliability.
The analysis of the FCCU complex’s cooling water
system indicates that, on average, at least one cooling
tower fan is almost always down for repair or main-
tenance. During the summer months, fan failures and
preventive maintenance actions significantly reduce the
available heat rejection capability of the cooling tower.
The analysis team assumed that the failure of three or
more fans would require a reduction in FCCU complex
production in order to maintain proper FCCU complex
equipment temperatures. The cost of this reduction
combined with the relative likelihood of having three or
more fans out of service results in these fan failures
being classified as high-risk events. Based on discussions
with refinery personnel and a review of work orders, it is
likely that the relatively high frequency of fan failures
may be a result of motor-gearbox linkage misalignment
caused by.the degradation of component supports.
Recommendation 4-Coniinue nondestructive testing
and inspection of the expansion joints in the diplegs and
the catalyst standpipe and investigate recent expansion
joint technology to determine if there are other, more
reliable and cost-effective designs for expansion joints.
The results of this PHA indicate that failures of the
expansion joints in the diplegs and the catalyst stand-
pipe are high-risk events. Failure of these joints would
result in significant equipment damage in the reactor/
regenerator area and large business interruption losses
because of long repair times.
Recommendation 5-Ensure that a consistent pump
preventive maintenance programme is followed for the
identified high-risk pumus involved in the pump rota-
tion programme. Seven high-risk events in the FCCU
complex involve the failure of a standby pump to start
when needed. Each of these failures eventually results in
a substantial reduction in FCCU complex production
for periods of up to several days. Refinery personnel
have already recognized these potential problems and
implemented a programme to improve standby pump
reliability by rotating primary and standby pumps into
and out of active service.
Recommendation 6-Maintain the frequency and scope
of the existing inspection programmes for important
passive components. The first five types of component
failures (heater tube leaks, heat exchanger tube leaks,
vessel leaks, internal vessel failures, and piping leaks
and ruptures) each have production loss as their main
consequence. Since there are no additional, practical
actions that will mitigate the consequences of these
events once they occur, the risk to the plant is best
controlled by reducing the occurrence frequencies
through early detection of incipient failures. Early
detection would reduce the likelihood of unscheduled
shutdowns and reduce the probability of the leaks
becoming ruptures.
A separate surveillance programme for monitoring
the performance of these pumps should also be estab-
lished. Alternatively, we recommended that the refinery
evaluate the benefits of modifying the pump rotation
programme to include short-term operational testing of
the standby pumps, rather than long-term pump service
rotation. This testing programme will: increase standby
pump reliability; reduce the ‘wear out’ rate for pump
components; and reduce the workload of maintenance
personnel. The economic risk-reduction benefit of both
types of programmes could easily be evaluated and
compared in the detailed analysis.
Conclusions
Risk assessment techniques can play an important role
in reducing the hazards associated with the operation
of a petroleum refinery. As illustrated, practical and
achievable alternatives for risk reduction can be
identified based on the results of a preliminary hazards
analysis; and properly scoped analyses can often find
ways of improving a unit’s economics at little or no
capital expense.
Often even greater improvement to the availability of
an FCCU complex will result if those high economic
risk events requiring further analysis (Group 1) are
studied. Implementing the recommendations that are
sure to result from a more detailed availability or
reliability analysis of these Group 1 events will signif-
icantly reduce their frequency and/or consequence, thus
improving the availability of the FCCU complex and the
profitability of the refinery.
References
I Fussell.J. B. and Arendt, J. S. Nuclear S&O 1979, 20, (5).
541-550
2 Arendt, J. S. ‘Qualitative Risk Assessment of Engineered System,
AIChE 71st Annual Meeting Proceedings, 1978
3 Arendt, J. S. ‘Improving System Safety through Risk Assessment,
1979 Reliability and Maintainability Symposium Proceedings, 1979,
160-164
4 Vesely, W. E. ‘Fault Tree Handbook,’ NUREG-0492, U.S. Nuclear
Regulatory Commission, Washington DC, 1981, pp 11-2-H-4
5 Jordan, W. E., ‘Failure Modes, Effects, and Criticality Analysis,
Proceedings of the 1972 Annual Reliability and Maintainability
Symposium, 1972
6 Refinery personnel, meetings with JBF Associates, Inc. personnel;
March 17-19, 1986; April 28-May 2, 1986: and July 14-16, 1986
I Farmer, F. R. Nuclear Safety 1967, 8, (6). 539-548
J. Loss Prev. Process lnd., 1988, Vol 1, April 103