“Accidents occur for one of two reasons. First is improperly trained personnel. These accidents can be eliminated by conducting robust and regularly scheduled training. The second cause is equipment failure, such as a pump, a valve or a faulty instrument reading. These types of causes are nearly impossible to prevent. But a proper HAZOP/CHAZOP (Control System HAZOP) study should identify these risks and result in the installation of mitigating safety functions that will minimize accident consequences.”
For more on this subject, go to www.controlglobal.com/ProcessSafety.html.
Standards Not Keeping up with Technology
Dr. Nancy G. Leveson, professor of engineering systems and the director of the Complex Systems Research Lab (CSRL) at MIT, shares her take on safety standards.
“Safety culture and management impact on safety has largely been ignored. Emphasis has instead been placed on physical systems and human operators. But we are now building process systems and working within global social and management systems that are much more complex. This complexity overwhelms our ability to understand the implications of decisions and to assure ourselves that all risk-related scenarios have been understood and mitigated.
The result of this complexity is demonstrated in the different nature of accidents today. We are starting to see an increasing number of accidents not caused by failures of individual components, but by dysfunctional and unsafe interactions among components. Each component worked as it was designed to do, but the overall design of the system led to an accident.
Standard safety engineering techniques of increasing component integrity and of adding redundancy will not increase system safety. What is needed are better ways of evaluating risk and identifying optimal decisions about tradeoffs and how specific risks will be controlled. Building inherently safe systems or preventing hazards is going to be much more effective and much less expensive than simply trying to mitigate damage.”
Anatomy of an Accident
Pete Atkinson, an engineer in manufacturing information systems at Boehringer Ingelheim Vetmedica, St. Joseph, Mo., describes a near-miss, the subsequent post mortem and resulting improvements.
“The most serious incident that I know of was a catastrophic failure of a transfer hose that burst during a clean-in-place (CIP) function. Operators in the area at the time of the failure narrowly escaped without any serious injuries, but only due to the fact that they were some distance away from the immediate area of the hose failure.
“Two operators were sprayed with hot caustic wash solution, but did not sustain any injuries because they were wearing protective equipment, including lab coats, safety glasses and hair nets. Their quick reaction to evacuate the area also helped them evade harm.
“The area sustained substantial flooding of CIP solution and water because the CIP system pump continued to pump out the entire contents of the wash-solution vessel. The tank volume was 1,000 liters, so you can get a picture in your head of the extent of the flooding that occurred with a hazardous chemical.
“Investigation revealed that operators had noticed that the hose had been kinked, but they judged it OK for use. An inspection was conducted on all transfer hoses in the building right after the incident. Of the 250 hoses inspected, about half were found to be near a point of failure and were removed from service. Many of our operators knew that a number of hoses had physical damage, but didn’t do anything about it.
“There were a number of corrective actions taken to ensure that a similar incident did not occur again. One was to invoke a control system alarm and automatic shutdown of the CIP skid pump upon a sudden loss of line pressure.
“We also started regular and documented inspections of all transfer hoses, including visual and pressure testing. Area procedures were written to instruct operators to visually inspect and reject any hose that showed any signs of abnormal wear or physical damage prior.
“Since this incident occurred and the above-mentioned corrective actions were invoked, there have not been any similar incidents.”
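The corrective action Atkinson describes, an alarm and automatic pump shutdown on a sudden loss of line pressure, can be sketched as a latching interlock. This is an added illustration, not code from the article or from the plant; the trip threshold, sample window, and pressure readings are assumed values constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HoseRuptureInterlock:
    """Latching low-pressure interlock for a CIP skid pump (illustrative).

    Trips when line pressure falls by at least `drop_bar` across `window`
    consecutive samples while the pump is running: the signature of a burst
    hose rather than normal pressure noise. A trip latches, so the pump stays
    off until an operator deliberately resets the interlock.
    """
    drop_bar: float = 1.5          # assumed: loss that counts as "sudden"
    window: int = 3                # assumed: samples the drop is measured over
    history: List[float] = field(default_factory=list)
    tripped: bool = False
    alarm: Optional[str] = None

    def sample(self, pressure_bar: float, pump_running: bool) -> bool:
        """Feed one reading; return True if the pump may keep running."""
        if self.tripped:                       # latched: stay shut down
            return False
        self.history.append(pressure_bar)
        self.history = self.history[-(self.window + 1):]
        if not pump_running:                   # intended stop is not a fault
            return True
        if len(self.history) > self.window:
            drop = self.history[0] - pressure_bar
            if drop >= self.drop_bar:
                self.tripped = True
                self.alarm = (f"SUDDEN LOSS OF LINE PRESSURE: -{drop:.2f} bar "
                              f"over {self.window} samples; CIP pump shut down")
                return False
        return True

    def reset(self) -> None:
        """Operator reset after the cause has been inspected and corrected."""
        self.tripped = False
        self.alarm = None
        self.history.clear()


def run(readings: List[float], pump_running: bool = True) -> Tuple[Optional[int], Optional[str]]:
    """Return (index of the sample that tripped, alarm text), or (None, None)."""
    ilk = HoseRuptureInterlock()
    for i, p in enumerate(readings):
        if not ilk.sample(p, pump_running):
            return i, ilk.alarm
    return None, None


# Constructed sample data in bar: normal noise vs. a hose bursting at sample 3.
NORMAL = [3.0, 3.1, 2.9, 3.0, 3.05, 2.95]
BURST = [3.0, 3.0, 2.9, 1.2, 0.3, 0.1]
```

Run over NORMAL the interlock never trips; over BURST it trips at the first sample where the drop across the window exceeds the threshold, and further readings are refused until reset() is called.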
The Trouble with Safety Standards
- Standards have not kept pace with new control system technologies.
- Alarm management standards are inadequate.
- Graphics standards don’t match operator needs.
- Standards focus too much on components and not enough on systems.
- Production mandates trump safety-standard enforcement.
- Lack of training on safety standards.
- Minor incidents not measured and analyzed.
- Safety reassessment neglected after process and control system changes.
Automation Not the Best Path to Safety
Automation, instrumentation and operator interface systems all play key roles in making a plant safe. But Joe Kaulfersch, a market analyst with Pepperl+Fuchs, says that designing inherently safer process plants is better than attempting to automate and control dangerous conditions.
“The future of process plant safety is inherently safer design. Inherently safer design can be defined as the design of processes and products with specific attention to eliminating hazards from the manufacturing process, rather than relying on the control of these hazards,” says Kaulfersch.
He says there are four questions designers should ask when they have identified a hazard.
1. Can I eliminate this hazard?
2. If not, can I reduce the magnitude of the hazard?
3. Do the alternatives identified in questions 1 and 2 increase the magnitude of any other hazards or create new hazards?
4. What technical and management systems are required to manage the hazards which inevitably will remain?
He says a chemical process is described as inherently safer if it reduces or eliminates one or more process hazards, and if this reduction or elimination is accomplished through changes that are permanent and inseparable. Approaches to the design of inherently safer processes and plants have been grouped into four major strategies:
- Minimize—Use small quantities of hazardous substances.
- Substitute—Replace a material with a less hazardous substance.
- Moderate—Use less hazardous conditions, a less hazardous form of materials or facilities that minimize the impact of a release of hazardous material or energy.
- Simplify—Design facilities that eliminate unnecessary complexity and make operating errors less likely and that are forgiving of errors which are made. For example, intrinsic safety wiring practices ensure that errors will not cause an electrically induced accident.
Protect Personnel First
The first goal of any safety program should be protection of personnel, and the best way to protect people is to get them out of harm’s way before accidents occur.
“Minimizing personnel within the plant exposes fewer people to risks,” says Warren Thompson, now retired but formerly with Citgo. “When I worked at Citgo, they moved their central control room outside of the refinery’s fence, and the console operators never entered the plant. Moving the control room outside the fence meant that it didn’t need to be blast proof.”
“Many gas plants operate in remote sites without on-site staff, and pipelines are operated from remote control areas. There is no reason why refineries and chemical plants cannot operate the same way,” he adds.
Industry veteran Romal Bhullar of Fluor seconds Thompson’s points. “Digital devices, fieldbus communication and closed-circuit television are reducing the need to be in process units or next to dangerous equipment for startup or monitoring. Remote monitoring also allows plants to bring external resources to bear when needed,” observes Bhullar.
“The location of control buildings needs to be revisited in light of current automation technologies. Most units don’t require local control rooms. Some refiners have operator shelters dangerously close or even in the explosion zones; a serious effort should be made to locate these to a safe environment,” says Bhullar.