the human factor in safe plant operation lessons learned from investigation of some major incidents

8/13/2019 The Human Factor in Safe Plant Operation Lessons Learned From Investigation of Some Major Incidents

1/7


2/7

IChemESYMPOSIUMSERIESNo.115

The following comments taken from reports of incidents in theUK and abroad in recent years, show the influence of thenegative side of the human factor ie misunderstanding,failure to appreciate hazards and consequences, failure tofollow instructions. The positive side of the human factorincludes correct assessment and response to plant outputdata, adherence to plant instructions and company codes,attention to safe operation.An inexperienced electrician's mistake sparked off a fullscale emergency. The worker misunderstood instructions in aroutine trip test. A screwed plug blew out of a relief valvecausing an uncontrollable escape of process gas into thecompressor house.Instructions to the operators were very strict indeed but

the operators ignored them nevertheless. Operator errorsinvolved systematic, persistent and conscious violation ofclearly stated safety rules'.'The persons responsible for issuing the permit failed torecognise the significance of solid deposits in thepipeline'.

THE INCIDENTSThe types of incident mentioned above are not unique and thispaper describes incidents that the author has been involvedin investigating. The paper does not contain a detaileddescription of the investigations nor a discussion of howpotential causes of the incidents were assessed andeliminated to arrive at a consensus opinion asto the mostlikely cause. These are described in a full HSE report.3Plant MaintenanceThe first incident was on the main site flareline system.The system had evolved over many years, it was seldomshutdown, it was large, complex and had a high volume, lowpressure throughput of gas and gas liquids. The need aroseto replace a crossover valve which was passing gas betweentwo streams. A method was devised for isolating theparticular section of pipework; scaffolding was erected andthe line checked for liquid. A permit to work was thenissued. The permit recognised the possible presence ofpyrophoric ferrous sulphide scale and so contractors workingon the valve were instructed to wear self contained breathingapparatus to protect them against the possible presence oftoxic hydrogen sulphide vapours. A compressor was providedfor auxiliary air line breathing apparatus sets and a mobilecrane was brought in to support and lift the valve during themaintenance operation. Site rules required that thecompressor was fitted with a flame arresting exhaust boxhowever earlier mechanical failure meant that this rule wasnot complied with. As the valve flanges were being released

362


3/7

IChemE SYMP OSIUM SERIES No 115

the line sprang open and liquid poured out and fell to groundlevel \where it ignited, presumably on the compressor andenveloped two men on the scaffold staging in flame. Thebodies could not be removed from the site of the incident forabout 24 hours untilthe flames were snuffed using anitrogen purge.The sample point used to test that the line was liquid freewas remote from the part of the system where the job was tobe done. It was also prone to blocking with scale. _ Theremedies proposed to prevent similar occurrences were simplein that they were to mark valve bodies and stems to show theopen and closed positions and to provide drain and samplepoints on or close to identified critical valves in thesystem.A major point about this incident was that hazards involvedin the operation were recognised but the consequences ofthose hazards beinq realised were not thouqht throuqh andthen acted upon to prevent their occurrence.Plant ModificationsThe second incident occurred on the hydrocracker unit on theplant. The hydrocracker was used for the catalytichydroqenation of waxy sulphur containinq residues to qivemore valuable products. The hydrogenation reactors operatedat around 2 250psi and 350C with a throughput of about50,000 gallons per hour. Liquid from the reactor beds wascooled to around 50C to partially outqas hydroqen. Pressurewas then reduced to about 120 psi to remove further hydroqenbefore liquids were passed forward to be fractionated.Critical aspects of the plant operation, from the productionpoint of view, included control of reactor bed temperature tomaximise the product yield and control of hydroqen qualitybecause too much liqht hydrocarbon impurity could qive riseto excessive compressor vibration with the potential for lonqand expensive shutdowns.The incident itself centred around the principal highpressure/low pressure interface within the system. Liquidflow throuqh this interface between hiqh and low pressureseparator vessels could be controlled by either of twoparallel valves operatinq in the manual or automatic mode.In practice, both valves were used toqether to reduce vortexeffects in the hiqh pressure vessel. In the oriqinal designof the hydrocracker a turbine was included on the outlet sideof the hiqh pressure separator to utilise the energyavailable from the 2000 psi pressure drop. This turbine wasdesigned with low and extra low level protection to shut offliquid flow and thus prevent damaqe to it from breakthrouqhof hiqh pressure qas. Althouqh the turbine was removed inthe very early days of plant operation, the cut-offprotection switches remained^ This hiqh/low pressureinterface in the system relied on sinqle valve operation forprocess control and safety isolation. Not all operators

363


4/7


understood that the level control switches had a widerfunction than just protection of the (defunct) turbine.On the day of the incident the plant was on standby and onlya small amount of liquid feed was passing forward through theplant. The plant was on manual control and downstream thelow pressure separator was boxed in. Just after a shiftchangeover the plant blew up, shock waves were felt 18kilometers away, metal fragments of up to 2 tonnes in weighttravelled up to 1.2 kilometers from the scene of theexplosion. One contractor was killed by the fireballassociated with the explosion. There was no damage caused toother plant units on site by flying debris that led to anyescalation of the incident.A principal factor in this incident was failure tosuccessfully control the high pressure/low pressure interfacebetween two vessels designed for different duties. Thedownstream vessel was designed to handle the passage ofliquid at low pressure. It was not designed to withstand thehigh pressure that could result from gas breakthrough whenits liquid and gas outlets were shut. During a maintenanceperiod several years before the incident a solenoid on one ofthe flow control valves had been by-passed. This solenoidwas intended to dump air to the control valve on actuation bythe extra low level switch on the high pressure vessel. Thealarm signal announcing the trip condition had also beendisconnected in an instrument panel in the control room. Norecord of the modification, its approval, reasons forcarrying it out or analysis of the consequences could befound. it was suggested that trip function was a bitinconvenient as it caused unwanted plant stoppage.Removal of the solenoid from the control loop meant that theprotection provided by the extra low level trip was no longeravailable so that the system relied on the normal automaticprocess control to shut one valve and manual intervention toshut the other. With these critical valves mounted inparallel, any failure of either one could allow the highpressure vessel to empty of liquid. Loss of liquid sealwould then mean that high pressure gas could feed forwardinto the low pressure vessel. Loss of the trip functionmeant that any failure of process monitoring or misinterpretation of control room data by operators could resultin valves mistakenly being opened or left open causingloss of the liquid seal level in the high pressure vesselwith consequent gas breakthrough.The consequences of disconnecting vital trips was not fullyexamined nor was the significance of these trips to plantsafe operation appreciated. Although all the plant tripscontinued to be shown on the P I diagram, the reality wasthat the system relied on a single valve for both isolationand control. There was nothing to protect the plant againstthe possibility of human error.

364


5/7

IChemE SYMPOSIUM SERIES No 115

Systems of WorkThe third incident involved the cleaning of a floating rooftank used to store stabilised crude oil. With the waxynature of North Sea crude, sludge banks build up even instirred tanks. In an 80 metre diameter crude oil tank, banksof sludge had built up to a height of about 2 metres andcovered a large proportion of the base after only a few yearsof operation. One way in which these tanks could besuccessfully cleaned was for people to go inside them andremove the sludge either mechanically or by hand. To do thisthe tank had been drained and allowed to vent naturallythrough opened manholes but it was not purged nor providedwith additional mechanical ventilation. The contractorsemployed to remove the sludge had been used before and wereaware of site safety rules. They brought on site their ownhydraulic pumps, hydraulic tractor unit and diesel generatorsto provide hydraulic power. They also supplied their ownairline breathing apparatus for use inside the tank. Duringthe cleaning operation a fire started in the tank followed bya low power explosion in which one of the men working in thetank died. The investigation revealed that the sludge thecompany believed to have a flashpoint of about 15C actuallyflashed below 0C. It was likely, therefore, that therewould always be vapours within the flammable range somewherewithin the tank. The range of potential sources of ignitionfor such vapours included pyrophoric scale; generation ofstatic electricity on clothing, on flexible hoses etc;theproximity of diesel power packs to the tanks; hot surfaces onhydraulic pumps used within the tank etc. During the courseof the investigation to discover which was the most likelyof the many possibilities one of the contractors admitted tosmoking in the tank. This turned out to be custom andpractice for some of the cleaning gang including the outsidefire watchman, who himself occasionally went inside for asmoke. The site was petroleum licensed and the contractingcompany had provided a specially designated smoking cabin forthe contractors.The salient points in this incident were that standards ofsupervision and control by the contractor's company werelax; monitoring of the contractors' competence and actualstandards by the contracting company were not sufficientlythorough; observance of site procedures including dematching(which was a standing instruction) was poor but, in the end,disobeying fundamental safety rules either through ignoranceof the dangers or foolhardiness caused the incident.COMMENTSInspectionThese three incidents occurred before CIMAH safety reportsforthe sites had been completed and submitted to the HSE buteven if this were not the case it is guestionable whether HSE

365


6/7


inspectors reading the report or carrying out normalinspection duties on site would have been able to preventfour men dying. For instance, in the case of thehydrocracker examination of P I diagrams showed protectivesystems to be in place. On paper the interface between thehigh and low pressure sides of the system seemed acceptablewith both monitoring and alarm systems present. Finding thatthey were not, required painstaking inspection ininaccessible and remote parts of a physically large plant.Hindsight would lead to examination of a small part of arelatively small part of a large refinery, but when time isat a premium other parts of other plants may have to beomitted. Inspection has to be planned and targeted.ManagementThe incidents involved the negative aspects of the humanfactor and it is a function of safety management to controland avoid the unacceptable consequences of these negativeaspects. A determined person may succeed in carrying outdeliberate acts such as smoking in a controlled area, as inthe case of the tank fire. Nevertheless many things couldand should have been done to deny the man the opportunity tosmoke in the tank. In the case of the flareline, permitsystems were used but more rigorous examination of the jobshould have highlighted the problems of sampling on anoverhead line which was prone to scale formation. Plantsafety management has to commit time resources to monitoringthe effectiveness of laid down safe working procedures, totraining and supervision of workers, to modifications andupdating in the light of experience.CONCLUSIONSMany individual lessons can be drawn from these incidents andthese are described in the full report.3 However, the mainpoints of this paper are; firstly, that it is vitallyimportant for all persons involved with chemical plantswhether in a production or a safety role, to take fullaccount of the physical safeguards provided, to ensure theyare adequate and continue to be so and; secondly and equallyimportantly, that these persons are alive to the humanfactor, its management and control. The costs of neglect ineither area can be catastrophic.AcknowledgementsThe author would like to thank J L Sumner and W J McKay aswell as other colleagues within the HSE for their help andcomments on this paper.

366


7/7

IChemE SYMPOSIUM SERIES No 115

ReferencesDangerous Maintenance: a study of maintenance accidentsin the chemical industry and how to prevent them.Health and Safety Executive available through HMSO.Human Factors in Industrial Safety. Health SafetyExecutive.Fires and Explosion at BP Oil (Grangemouth) RefineryLimited at Grangemouth and Dalmeny, Scotland, 13 March,22 March, 11 June, 1987. Health Safety Executive.

367

the human factor in safe plant operation lessons learned from investigation of some major incidents

Documents