safety - lessons relearned - inadequate isolations

52 www.tcetoday.com december 2013/ january 2014 For more information and a sample copy of LPB visit: www.icheme.org/lpb

LESSONS LEARNEDre

A new series of articles inspired by IChemE’s Loss Prevention Bulletin and the BP Process Safety Series: sharing lessons learned from accidents.

IN any facility that processes hazardous materials, any intrusive activity could allow the escape of hazardous

substances. Implementing adequate isolation practices is critical to avoiding loss of containment. Some of industries’ most serious accidents have been as a result of inadequate isolation. The primary cause of the Piper Alpha disaster was due to switching on a pump which had been taken out of service for maintenance and had not been adequately isolated. The BP Texas City disaster happened because operatives started up a raffinate splitter tower, while ignoring open maintenance orders on the tower’s instrumentation system (an alarm meant to warn about the quantity of liquid in the unit was disabled). Alongside these headline-making incidents there are many more that have caused injury or death because safety management systems for isolating plant are either inadequate or, even where they are robust, poorly implemented.

the nature of inadequate isolation accidentsWhen remedial or maintenance work needs to be done on plant or equipment, the question of safe isolation invariably arises. Tony Fishwick’s article on recurring accidents from confined spaces (tce 854) highlighted some of the tragic consequences which can arise from inadequate awareness and isolation of confined space hazards. The need for robust isolation procedures and practice in industry is generally well established and understood. However, regardless of whether it is due to a combination of inadequate, and/or poorly-implemented procedures, or possibly lack of training and/or supervision, accidents continue to occur.

Geoff Gill examines the lessons we should be learning

Isolation may be needed from any of the hazards routinely encountered in industry, namely electrical; pressurised systems; suspended loads; chemical/radiological/biological; and mechanical. The list is, of course, easy to compile. However, a trawl through the history of accidents where inadequate isolation played a part reveals that, even though the presence of a hazard was often recognised, an accident still occurred due to shortcomings including:• an inadequate understanding of the system being worked on;• operators and/or supervisors not being suitably qualified or experienced;• plant not being adequately decontaminated;• lack of supervision to ensure permits to work (PTWs) are correctly followed;• deviations from work plans not being adequately risk assessed;• the work area not being closely inspected prior to the job;• workers inadequately briefed prior to work;• failing to carry out checks to ensure all required safeguards are in place prior to job;• precise nature of work, status of plant and referencing of plant components not clearly specified on permits;• other plant personnel not fully aware of work being carried out;• plant inadequately labelled;• workers not personally checking that isolations are in place;• contingency plans not available • operators working under PTW not reading and understanding the permit conditions;• inadequate control of contractors;• inadequate communication between all involved in work;• inadequate justification and safeguards for work on live systems; and

Recurring accidents: inadequate isolations

Free to share IN the spirit of this series, you are

permitted to print, photocopy and redistribute this article as

many times as you like. Feel free to share it with your boss,

colleagues and reports. Together we can help to

reduce the number of workplace accidents.

For more information and a sample copy of LPB visit: www.icheme.org/lpb december 2013/ january 2014 www.tcetoday.com 53

LESSONS LEARNEDre


• long delays between atmosphere testing and work beginning.

the legal sectionCountries with extensive, well-regulated industries all have legislation that is similar in principle to that in the UK1,2,3. Factors to be considered include the nature of plant to be worked on together with associated hazards that require isolation, contingency arrangements, and the need to define safe systems of work. In the UK there are no specific regulations relating to isolation of plant and equipment, but, as is the case with all UK health and safety legislation, the underpinning legal requirements are enshrined in the Management of Health and safety at Work Regulations 1999. Practical guidance on safe process isolations is given in HSG253 – The Safe isolation of Plant and Equipment4. For electrical isolations, guidance can be found in HSG85 – Electricity at Work – Safe Working Practices5. The following practical guidance is based on HSG253.

the detailed legal requirementsUsing the UK as an example, a “suitable and sufficient” assessment of all the risks for all work activities for the purpose of deciding what means are necessary for safety must be carried out in accordance with regulation

Case study 1Phenol burns during maintenance (LPB 129)

An engineering fitter was badly burned by phenol spilling from a pipe attached to a valve that he was removing. A phenol transfer system consisted of two pumps, overhead pipework and a drainage system from the pump bodies as shown in the above figure. Number 2 pump was removed for overhaul three weeks prior to the incident because of a leaking gland assembly. The resulting open pipework was blanked off. Maintenance work was planned to coincide with the annual holiday shutdown when various pieces of plant were being overhauled. The discharge valve of number 2 pump (“number 5 ball valve”) required overhauling as it was passing. Process operators had blown the line clear with inert gas and drained the lines to the draindown tank via number 1 pump. Steam was turned off the valve once the lines had been blown out and electrical heating turned off. The plant was then handed over from production to maintenance staff and on the following day the full plant shutdown started. A fitter was instructed to remove the number 5 ball valve. The bobbin below the valve was removed and six of eight bolts removed from the top flange of the valve. At this moment the joint broke and around 5–10 l of phenol ran out of the pipework causing burns to the fitter’s shoulder, body, hands and legs. The fitter was, at one stage, unconscious and critically ill.

The investigation found that:

• the plant had not been handed over to maintenance staff using any formal hand-over procedure;

• the maintenance supervisor lacked knowledge of the precise state of the plant and his subsequent verbal instruction to the fitter was inadequate;

• the line in question had not been drained. The relevant engineering personnel did not recognise that blowing down of this system would be ineffective when number 2 pump was removed;

• there was no PTW for the job and therefore the possible hazards and risks had not been recognised;

• only gloves and goggles had been provided and it is not clear if these had been worn by the fitter; and

• no formal general training on hazard awareness, nor on the hazards of phenol was provided for employees.

An exampleAn operator was carrying out a routine pigging operation. On conclusion of the interlock sequence he opened the telltale bleed valve to ensure that the launcher was free of toxic and flammable gases. The gas test was negative. He then realised that he had omitted part of the procedure, requiring the interspace between the kicker line isolation valve and the pipeline isolation valves to be vented to flare. This procedure is normally carried out at the beginning of the operation. He opened the kicker line isolation valves and the pipeline isolation valves without closing the telltale door. This caused a gas release from the telltale bleed valve. If a process isolation deviates from the plan, whether controlled by PTW or operating procedure, then STOP! Re-evaluate the task. In this case, the interlock arrangements which permitted the human error to occur should then have been reviewed with a view to modification.

To charge roomsTo phenol tank

From pumphouse and tank area

Pump no.1Tank under stand

Pump no.2 which had

been removed

Transition pipe which had

been removed

Ball valve being removed

Plug fitted

10 cm phenol pipe

5 4 2 3

Layout of phenol pumps, main pipes and valves


LESSONS LEARNEDre


used to control work which is identified as potentially hazardous. For defined categories of less hazardous work of a ‘routine’ nature, authorisation via operating procedures/work instructions may be acceptable. Comprehensive guidance has been published by HSE in Guidance on Permit-to-Work Systems HSG 250 (ISBN 9780717629435).

2. DocumentationAccurate up-to-date reference information on all plant modifications should be accessible to all relevant workers (including short-term contractors) involved in planning and conducting the work. This includes:

• piping and instrumentation diagrams (P&IDs);

• process system schematics – unlike a P&ID these provide an overall view of the plant;

• piping general arrangements and/or piping isometrics;

• cause-and-effect diagrams; and

• loop diagrams.

Separate isolation certificates can be used as part of a PTW system, for example, where the isolation required is not detailed on the PTW. It is good practice to use separate isolation certificates for separate disciplines such as electrical, mechanical, process and inhibits of control and safety systems. The key issue is to enable effective communication, avoiding miss-understanding and confusion. Certificates and permits should be cross referenced.

3. Controlling interactions with other work/systemsAdequate control, security, monitoring and communication are needed, particularly:

• at shift handovers

• where support groups rely on the same isolation

• in areas where there is multiple responsibility for plant.

4. Controlling changes It is vital that any changes to the planned isolation scheme are both recognised and fully assessed. Changes to an isolation scheme could arise for a variety of reasons such as:• changes imposed by the condition of the plant;• changes to the scope of intrusive work as the work proceeds; and• inability to complete a job (eg due to an increase in the scope of work once it is under way, or the non-availability of spares). Any change to isolation arrangements should be reviewed, reassessed and authorised. The modified scheme should be captured in the work control documents (eg isolation certificates and P&IDs) to ensure full reinstatement at the end of the job.

3 of the Management of Health and Safety at Work regulations6. For intrusive work on hazardous plant and equipment this means the identification of all the hazards which are likely to be present, and implementing adequate means of isolating them.

Key stages of process isolation are:

• hazard identification;

• risk assessment and selection of isolation scheme;

• planning and preparation of equipment;

• installation of the isolation;

• draining, venting, purging and flushing;

• testing and monitoring effectiveness of the isolation; and

• reinstatement of plant.

safe systems of work for isolation activitiesThe following safe systems are required to ensure that isolation activities deliver the appropriate protection to workers.

1. Work control systemsControl of isolations for higher hazard activities is normally part of a PTW system. A PTW system is a formal recorded process

It is good practice to use separate isolation certificates for separate disciplines such as electrical, mechanical, process and inhibits of control and safety systems. The key issue is to enable effective communication, avoiding miss-understanding and confusion.

Case study 2TiCl4 release kills two contractors (LPB 200)Two contractors died while carrying out an inspection of the level measurement device of a titanium tetrachloride (TiCl4) evaporator. On disconnecting the signal wiring of the level measurement device, the process computer responded to this signal as “empty” and opened the control valve to fill the evaporator. The evaporator was not isolated prior to the start of the work, so it started to fill with TiCl4, without anyone noticing. Meanwhile the work continued and the level measurement device was removed. At this moment the evaporator overflowed releasing TiCl4 on the first and second level of the reactor building. The high level alarm was silenced by the panel operator. On contact with water (including air humidity), TiCl4 produces hydrogen chloride and TiO2, so a thick toxic white cloud was rapidly formed inside the reactor building. Two contractors working on the first floor could not locate an emergency ladder. Both were new to the installation and were trapped with very little visibility due to the thick white cloud. Both were later found dead. The main lessons to be learned from this accident are:

• the PTW system has to be used strictly. The installation was not properly isolated prior to the work;

• adequate training and supervision are necessary. This must include adequate information for contractor workers about safety in the installation, such as the use of safe evacuation routes;

• contractors cannot be relied upon to inform their personnel about the on-site safety information; a strict control system is necessary;

• improvement of control and alarm systems. There should be a clear difference between ‘no signal’ and ‘zero signals’ in the process computer. Also, an interlock system should be used to prevent overflow of the evaporator, and a better management of alarms should be introduced, to avoid neglecting critical alarms; and

• a management crisis team is necessary to ensure communications with external emergency services. A prompt alert for these services is also necessary.

For more information and a sample copy of LPB visit: www.icheme.org/lpb december 2013/ january 2014 www.tcetoday.com 55

LESSONS LEARNEDre


so why do accidents recur?Safety guru Trevor Kletz examined this subject in detail and provided a number of reasons. Principal amongst these are:• organisations fail to record and circulate the lessons learned from past accidents, and fail to encourage a search for past relevant accidents either for design purposes or for operator training;• experience and skills are lost when staffing is reduced, long-term employees retain memories of abnormal plant behaviour, near misses and, most importantly, why modifications were made;• hazards are not reassessed often enough. What was safe in the past is not necessarily safe now. Plant modifications may have affected the plant capacity to handle excursions safely;• supervisors are overloaded. They are the interface between management and workforce, ensuring that work flows smoothly. They should not be distracted with unnecessary tasks and detail, diverting attention away from safety;• change of design can lead to fatal conditions. There should be a formal system for assessment of proposed changes to plant and they should only be implemented after they have met the appropriate criteria. This should be enforced for field modifications; and• taking short cuts is a readily recognisable human behaviour but will result in unsafe working.

Case study 3 Explosion at the Phillips’ Houston Chemical Complex, Pasadena, 23 October 1989 (LPB 97)On 23 October 1989, the Phillips 66 Petroleum Chemical Plant near Pasadena, Texas, then producing approximately 6.8m t/y of high-density polyethylene (HDPE) plastic, suffered a massive series of explosions. 23 people died and hundreds were injured in an explosion that measured at least 3.5 on the Richter scale and destroyed much of the plant. The subsequent OSHA investigation highlighted numerous errors. Firstly, the air hoses used to pneumatically activate the valve (see Figure, right) were left near the maintenance site. When the air hoses were connected backwards, this automatically opened the valve, releasing a huge volatile gas cloud into the atmosphere. It is unknown why the air hoses were reconnected at all. Secondly, a lockout device had been installed by Phillips personnel the previous evening, but was removed at some point prior to the accident. A lockout device physically prevents someone from opening a valve. Finally, in accordance with local plant policy but not Phillips policy, no blind flange insert was used as a backup. The insert would have stopped the flow of gas into the atmosphere if the valve had been opened. Had any of those three procedures been executed properly, there would not have been an explosion that day. According to the investigation, contract workers had not been adequately trained in the procedures they were charged with performing.

Organisations fail to record and circulate

the lessons learned from past accidents,

and fail to encourage a search for past relevant

accidents either for design purposes or for

operator training.

An exampleA fatal accident occurred when contract workers were installing pipe from two production tanks to a third. Welding sparks ignited flammable vapour escaping from an open-ended pipe about 1.2 m from the contractors’ welding activity on tank 4. The explosion killed three workers who were standing on top of tanks 3 and 4. A fourth worker was seriously injured. The contract workers did not isolate tanks 2 and 3, which contained flammable vapour, prior to beginning the welding operation. Additionally, the open-ended pipe of tank 3 was left uncapped and provided the source of hydrocarbon vapour. Workers did not clean tanks 2 and 3 prior to beginning the welding job on tank 4. If the residual oil in tank 2 had been removed and both tanks flushed with water, the flammable vapour source could have been eliminated. LPB 213

easy steps to help avoid repetitions To prevent repetitions, consider the following:

• describe accidents in safety bulletins, emphasising reasons why they happened;

• follow up accident recommendations to ensure that they have been put into effect;

• never change a procedure until the reason for it is fully approved and understood;

• learn from accidents in other organisations, particularly those with similar processes;

• emphasise the importance of risk assessments and make sure that they are carried out;

• put this into effective practice using techniques such as safety information notes and emails; committee meetings;

Reactor loop

Flushing isobane line

Ethylene line

Vent (purge) valve

Demco valve

Typical piping settling leg arrangement

Product take off valve


LESSONS LEARNEDre


on- and off-the-job training courses; formal apprenticeships; computerised learning modules; and Toolbox Talks. Designers should be included in these communications.

practical actionToolbox Talks are an excellent practical way of reinforcing key messages regarding safe working practices and hazard awareness. The IChemE’s Loss Prevention Panel has produced a number which have particular relevance to safe isolation of plant7. They are designed to act as a stimulus for generating discussion about local situations and accidents. They are generally used as a short team-based exercise at the beginning of a shift. However, they can also be used in safety workshops to generate discussion, and can be followed up with a plant visit to understand more fully the circumstances of events experienced on the plant.

conclusionAs with any aspect of operating a major hazard facility, avoiding accidents due to inadequate isolation of plant equipment depends upon a number of factors. It depends upon the plant being well maintained to ensure hazardous materials always remain where they should be. It depends on high quality and up-to-date processes and procedures being readily available and understood by the users. It depends upon all parts of the workforce – executives, managers, supervisors and operators, each understanding their part in ensuring safety management systems remain fit for purpose and rigorously applied. And last but by no means least, it depends upon a safety culture where such things as learning, questioning, reporting and challenging are all part of the daily routine. tce

Geoff Gill ([email protected]) is an independent safety consultant

further reading1. European Framework Directive 89/391/EEC 2. EU-OSHA (2010), Safe Maintenance in Practice3. Government of Western Australia, Department of Commerce. Guidance Note, Isolation of Plant, 2010 4. The Safe Isolation of Plant and Equipment HSG 253. ISBN: 97807176617185. Electricity at Work: Safe Working Practices HSG 58 ISBN: 97807176658156. The Management of Health and Safety at Work Regulations 19997. IChemE Toolbox Talks: Isolation of Equipment for Maintenance; Identification of Equipment for Maintenance; Isolation of Electricity-Driven Equipment for Maintenance

Case study 4 Multiple fatality incident at the Tosco Avon refinery, Martinez, California (LPB 167)On 23 February 1999, a fire occurred in the crude unit at Tosco Corporation’s Avon oil refinery in Martinez, California. Workers were attempting to replace piping attached to a 45 m tall fractionator tower while the process unit was in operation. During removal of the piping, naphtha was released onto the hot fractionators and ignited. The flames engulfed five workers located at different heights on the tower. Four men were killed, and one sustained serious injuries. Among other things, the subsequent enquiry found that:

• Tosco Avon management did not recognise the hazards presented by sources of ignition, valve leakage, line plugging, and inability to drain the naphtha piping;

• management did not conduct a hazard evaluation of the piping repair during the job planning stage. This allowed the job to be executed without proper control of hazards;

• Tosco’s reliance on individual workers to detect and stop unsafe work was an ineffective substitute for management supervision of hazardous work activities; and

• Tosco’s procedures and PTW programme did not require that sources of ignition be controlled prior to opening equipment that might contain flammables, nor did it specify what actions should be taken when safety requirements such as draining could not be accomplished.

To overhead accumulator

11.0 psig

Naptha draw tray

Crude fractionation

tower

Plastic sheeting

Flange 2

Plastic pan

Indicates plugged

area

Naphtha stripper

12.0 psig

CL – Centerline drawing not to

scale

Vacuum truck

Hose suctioning material

from pan to vacuum truck

CL Elev. 35’

2-3/8”

CL Elev. 38’ 1”

Second cut CL Elev. 78’ 7”

First cut CL Elev. 104’ 6”

CL Elev. 112’ 3”

6” Naptha piping

8” Naptha vapour return line

Naptha release

CF

D I

E

B

Layout of the unit

Chemical Engineering MattersThe topics discussed in this article refer to the following lines on the vistas of IChemE’s technical strategy document Chemical Engineering Matters:

Health and wellbeing Lines 1, 11–15

Visit www.icheme.org/vistas1 to discover where this article and your own activities fit into the myriad of grand challenges facing chemical engineers

Our Loss Prevention Bulletin (LPB) is the leading source of process safety case studies with a 40+ year archive of lessons learnt.

Take a look at www.icheme.org/lpb

safety - lessons relearned - inadequate isolations

Documents