Tesoro Anacortes Refinery Disaster

The Naphtha Hydrotreater (NHT) at Tesoro Anacortes removes impurities (sulfur and nitrogen) from naphtha to prepare it for catalytic reforming. This is a critical refinery process unit.

The system used two parallel banks of shell-and-tube heat exchangers (Banks A/B/C and D/E/F) for energy recovery, designed to reduce furnace load by preheating feed streams with hot reactor effluent.

The heat exchangers were commissioned in 1971—approximately 39 years of continuous service at the time of the incident. They were constructed from carbon steel (SA-515-70) and operated at high temperatures (500°F - 650°F) and high pressure (600+ psig) in a hydrogen-rich environment.

Material selection was based on API 941 Nelson Curves, which define safe operating zones for carbon steel in hydrogen service based on temperature and hydrogen partial pressure.

The heat exchangers had a dual function: transfer heat efficiently between hot and cold process streams, and maintain absolute pressure containment of hydrogen and hydrocarbon mixtures.

The reliability requirement was zero loss of containment due to auto-ignition potential—any leak or rupture would immediately result in fire given the chemical properties of the streams.

Over decades of service, internal deposits accumulated on tube surfaces, inhibiting heat transfer. This fouling required the system to operate at progressively higher temperatures to maintain efficiency.

A "clean-and-switch" maintenance routine was used: one bank would be taken offline for cleaning while the parallel bank remained in service. This created a cycling operational pattern.

Startup after cleaning was a non-routine, transient operation involving thermal cycling and pressurization stresses. This was not the steady-state condition the equipment had been designed for.

Frequent flange leaks occurred during startups. These were managed with steam lances to disperse vapors rather than treated as stop-work triggers indicating a deeper problem.

On April 2, 2010, during startup of the cleaned Bank D/E/F, Exchanger E experienced catastrophic rupture. The shell separated at both circumferential and longitudinal weld seams.

The rupture occurred suddenly, below relief valve setpoints, providing no opportunity for protective systems to respond.

The failure resulted in immediate, high-energy release of hydrogen and naphtha vapor. Auto-ignition occurred instantly, producing a massive fireball.

Seven operations personnel were killed. All were experienced staff performing routine startup operations in close proximity to the equipment.

Normalized Deviation: The frequent flange leaks during startups had become routine. They were treated as a maintenance nuisance rather than signals of system stress or abnormal operating conditions.

Instrumentation Gaps: No temperature sensors existed between the heat exchangers. Operators could not see actual shell-side temperatures—they had to infer conditions from inlet and outlet measurements.

Inspection Limitations: Standard inspection protocols did not target High Temperature Hydrogen Attack (HTHA) because the design data said the equipment was operating in the safe zone. HTHA damage is microscopic and invisible to conventional inspection methods.

The equipment was operating quietly. There were no vibration anomalies, no thickness losses detectable by ultrasonic testing, no external corrosion. All physical evidence suggested the equipment was fit for service.

HTHA is a materials degradation mechanism where atomic hydrogen diffuses into steel and reacts with carbides in the metal structure to form methane gas.

Methane molecules are too large to escape, so they accumulate as internal bubbles, causing fissures and progressive loss of material strength and ductility. This occurs at the grain boundaries within the metal.

The mechanism is particularly damaging in the Heat Affected Zones (HAZ) near welds, where the material structure has been altered by welding heat but not subsequently heat-treated.

The anomaly in this case: The failure occurred at operating conditions that were supposed to be below the carbon steel Nelson Curve—in what API 941 defined as the "safe zone."

Exchanger E had been silently embrittled over years of operation. The internal structure had lost load-bearing capacity, but this was invisible to inspection and monitoring.

During pressurization on startup, the vessel was subjected to hoop stress. The degraded material could no longer withstand the design loads.

The failure was sudden and total. There was no progressive leaking, no detectable precursor. The shell ruptured instantaneously when the stress exceeded the remaining material capacity.

Personnel were required to be present at the "long-winded valve" during startup—a manual operation requiring continuous human presence in the hazard zone during the highest-risk phase of the operation.

Design Phase: Inherently safer material selection. Stainless steel would have been immune to HTHA, eliminating the mechanism entirely at higher initial cost.

Monitoring: Instrumentation to validate actual temperatures between exchangers. Operators were managing the process blind to the actual thermal conditions in the equipment.

Hazard Assessment: Validating HTHA inspection assumptions. The assumption that "we are in the safe zone" was based on design data, not measured operating conditions.

Operational Culture: Treating flange leaks as stop-work triggers rather than routine maintenance issues. The normalization of abnormal conditions collapsed risk perception.

Human Impact: Seven fatalities, all experienced operations personnel. The organization lost institutional knowledge and highly skilled staff.

Asset Impact: Total loss of the NHT heat exchanger banks. The refinery unit was shut down for approximately seven months for investigation and rebuilding.

Industry Impact: The incident forced a fundamental re-evaluation of API 941 Nelson Curves. Post-incident analysis concluded that the carbon steel Nelson Curve is inaccurate and cannot be relied upon to prevent HTHA.

The failure revealed that industry-standard materials selection guidance had a hidden margin of non-conservatism. Compliance with code did not guarantee immunity from the physics of materials degradation.

The "Design Data" Trap: Managing aging assets based on original design data is dangerous when actual operating conditions have drifted over time. Fouling changed the thermal profile; the original Nelson Curve analysis no longer reflected reality.

Silent Degradation: Mechanisms like HTHA give no visible warning until rupture. The asset looked fine by every available inspection method, yet it was profoundly degraded.

Standards Are Lagging: Compliance with industry codes does not guarantee safety. The physics of failure can operate outside the boundaries defined by consensus standards.

Normalization of Deviance: When abnormal conditions (flange leaks, high startup temperatures) become routine, risk perception collapses. The organization stops questioning whether these conditions are acceptable.

Similar patterns exist in other aging process systems operating at the limits of material capabilities, particularly where inspection methods cannot directly measure the degradation mechanism.