REPEATED ACCIDENT CAUSES CAN WE LEARN?

Similar documents
THE BAKER REPORT HOW FINDINGS HAVE BEEN USED BY JOHNSON MATTHEY TO REVIEW THEIR MANUFACTURING OPERATIONS

A large Layer of Protection Analysis for a Gas terminal scenarios/ cause consequence pairs

The Risk of LOPA and SIL Classification in the process industry

Safe management of industrial steam and hot water boilers A guide for owners, managers and supervisors of boilers, boiler houses and boiler plant

PSM TRAINING COURSES. Courses can be conducted in multi-languages

OPERATING PROCEDURES

USING HAZOP TO IDENTIFY AND MINIMISE HUMAN ERRORS IN OPERATING PROCESS PLANT

The Relationship Between Automation Complexity and Operator Error

Module No. # 01 Lecture No. # 6.2 HAZOP (continued)

SEMS II: BSEE should focus on eliminating human error

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Safety Engineering - Hazard Identification Techniques - M. Jahoda

Impact of the Esso Verdicts on Engineering Practice First Published in Engineers Australia, March 2001, reprinted with permission

NORMAL OPERATING PROCEDURES Operating Parameter Information

Process Safety Management Of Highly Hazardous Chemicals OSHA 29 CFR

Safety in Petroleum Industry

Every things under control High-Integrity Pressure Protection System (HIPPS)

Dynamic simulation of Texas City Refinery explosion for safety studies

Introduction to HAZOP Study. Dr. AA Process Control and Safety Group

HUMAN FACTORS CHECKLIST

Lessons Learned from the Texas City Refinery Explosion Mike Broadribb

WELL TEST HAZOP CAPABILITY STATEMENT

Process Safety Value and Learnings Central Valley Chemical Safety Day March 20, 2014

HOW LAYER OF PROTECTION ANALYSIS IN EUROPE IS AFFECTED BY THE GUIDANCE DRAWN UP AFTER THE BUNCEFIELD ACCIDENT

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

Hazard Operability Analysis

Introduction to Emergency Response & Contingency Planning

Process Safety Journey

Buncefield Standards Task Group (BSTG) Final report

SAFETY SEMINAR Rio de Janeiro, Brazil - August 3-7, Authors: Francisco Carlos da Costa Barros Edson Romano Marins

Requirements for Reduced Supervision of Power Plants, Thermal Liquid Heating Systems, and Heating Plants

BROCHURE. Pressure relief A proven approach

Training Title IDENTIFY OPERATIONAL UPSETS, REVIEW & VALIDATE IN OIL & CHEMICAL PLANTS

MAHB. INSPECTION Process Hazard Analysis

VALIDATE LOPA ASSUMPTIONS WITH DATA FROM YOUR OWN PROCESS

Increasing the Understanding of the BP Texas City Refinery Accident

Using Reliability Centred Maintenance (RCM) to determine which automated monitoring systems to install to new and existing equipment

Impact on People. A minor injury with no permanent health damage

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

General Duty Clause. Section 112(r)(1) of CAA. Chris Rascher, EPA Region 1

Causal Analysis for Incident and Accident Investigation

PREDICTING HEALTH OF FINAL CONTROL ELEMENT OF SAFETY INSTRUMENTED SYSTEM BY DIGITAL VALVE CONTROLLER

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Combining disturbance simulation and safety analysis techniques for improvement of process safety and reliability

Safe Work Practices and Permit-to-Work System

Solenoid Valves used in Safety Instrumented Systems

Session One: A Practical Approach to Managing Safety Critical Equipment and Systems in Process Plants

SUP 15 Health & Safety Management Pressure Systems. Unified procedures for use within NHS Scotland

Frequently Asked Questions Directive 056 Facilities Technical

INFORMATION FOR THE PUBLIC ABOUT A COMAH ESTABLISHMENT


Delayed Coker Automation & Interlocks

"Although a good start with a good project, others are as much a hostage of the "human factor".

Introducing STAMP in Road Tunnel Safety

View from south west showing fire at flare drum (photograph courtesy of the Western Mail and Echo Ltd)

Risks Associated with Caissons on Ageing Offshore Facilities

Technical Standards and Legislation: Risk Based Inspection. Presenter: Pierre Swart

THE HUMAN FACTOR IN SAFE PLANT OPERATION: Lessons learned from investigation of some major incidents


Proposal title: Biogas robust processing with combined catalytic reformer and trap. Acronym: BioRobur

Point level switches for safety systems

REQUIREMENTS FOR VALIDATION OF MATHEMATICAL MODELS IN SAFETY CASES

Reliability Assessment of the Whistler Propane Vaporizers

FIRE AND EXPLOSION HAZARDS WITH THERMAL FLUID SYSTEMS

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Nitrogen System Contamination

Advanced LOPA Topics

National Safety Council 94 th Annual Congress and Expo. Commitment to a Proactive Safety Culture: Abnormal Situation Recognition and Management

Safety Manual VEGAVIB series 60

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

Operating Instructions

Transient Analyses In Relief Systems

HUMAN FACTORS INTEGRATION FOR A NEW TOP TIER COMAH SITE OPTIMISING SAFETY AND MEETING LEGISLATIVE REQUIREMENTS

SAFETY PRECAUTIONS FOR THE BLACK BEARD S BEACH WATER PARK

4-sight Consulting. IEC case study.doc

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

The Protection of Silos From Over. Pressurisation During Filling

ANNEX AMENDMENTS TO THE INTERNATIONAL CODE FOR FIRE SAFETY SYSTEMS (FSS CODE) CHAPTER 15 INERT GAS SYSTEMS

Level, Pressure, and Density Instrumentation for the Petrochemical Industry

Successful Implementation of Dry Gas Seal in High Pressure Recycle gas Compressor at Hydrocracker & Effect of Gas composition on DGS Performance

API th Edition Ballot Item 7.8 Work Item 4 Gas Breakthrough

Using LOPA for Other Applications

COMMON MISUNDERSTANDINGS ABOUT THE PRACTICAL APPLICATION OF IEC 61508

Pressure Relief Valves is there a need when there are EDVs?

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Hydraulic (Subsea) Shuttle Valves

EXPLOSIVE ATMOSPHERES - CLASSIFICATION OF HAZARDOUS AREAS (ZONING) AND SELECTION OF EQUIPMENT

IGEM/SR/15 Edition 5 Communication 1746 Integrity of safety-related systems in the gas industry

Engineering Safety into the Design

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

Solenoid Valves For Gas Service FP02G & FP05G

INHERENTLY SAFER DESIGN CASE STUDY OF RAPID BLOW DOWN ON OFFSHORE PLATFORM

International Association of Drilling Contractors North Sea Chapter HPHT Guidance on MODU Safety Case Content

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

Knowledge, Certification, Networking

BERMAD Fire Protection Hydraulic Control Valves

Transcription:

REPEATED ACCIDENT CAUSES CAN WE LEARN? Peter Waite Technical Director, Entec UK Limited Over the last twenty years major process industry accidents have continued to occur despite the introduction of new regulations, (e.g. Offshore Safety Cases, COMAH and PSM), the efforts of safety professionals and widespread dissemination of the lessons learned from incidents. There are some striking similarities between several of the well reported major accidents such as Piper Alpha, Pembroke Cracker, Texas City and Buncefield. Not all of these have been brought to the attention of all the disciplines which may be affected. This paper will consider two aspects in some detail (the interaction of instrumentation and human factors) to identify the common features which led to disaster despite the design safety, instrumentation and control systems which were designed to manage high liquid levels. INTRODUCTION Despite the best efforts of process engineers, equipment engineers and their safety advisers together with the supervision of the regulators, major process accidents continue to occur. Standards of manufacture, inspection and testing have been upgraded and the reliability of instruments and control systems have improved but have still failed to prevent accidents when they and the operators are faced with unusual situations, often described as abnormal or upset conditions. These may occur as a result of external disturbances, such as lightning strikes disrupting power supplies, or sudden changes to operating conditions, flow rates or mechanical failures. Even systematic hazard identification and risk assessment methods have not been able to foresee and help operators prevent accidents. Experience gained from the study of accidents, reports and the general lessons to be learned, quoted by such as Kletz (e.g. 2001), suggest that many accidents are caused by either misinterpretation of information received by operators from the instrumentation and control systems, or alternatively by the instrumentation and control systems not being able to deliver sufficient information to diagnose and control the situation. Either of these could be described as human error but really come about because of a gap in understanding between the operators mental model of the plant or process and the instrument and control designers understanding of what the operator needs to know. (Often the design has not distinguished between the needs of operational control and control in abnormal/upset situations). This paper addresses one particular category of accident cause that appears to recur on a regular basis, albeit in different types of plant. Many accidents have arisen from the over filling of vessels. This is despite the fact that it is a well recognised potential cause of accidental releases of hazardous materials and safeguards are normally in place to prevent it occurring. The salient features of a number of these accidents are outlined followed by an analysis of the contribution of excess liquids to the accidents. The reasons for the control systems or operators not taking appropriate action are then discussed. Finally proposals to prevent and/or mitigate these (and similar) accidents in future are proposed. LIQUID OVERFLOW A simple case would be a liquid storage vessel close to ambient pressure as shown in Figure 1. Even before the Buncefield investigation recommendations it would be expected that such tanks for the storage of high hazard liquids would be equipped with a level monitoring device, a high level alarm and high high level trip to shut-off incoming flow. Figure 1 shows a system of generic overfill protection for atmospheric liquids storage. Overfilling of the tank would result in the release of liquid through tank roof vents, as occurred at Buncefield (Newton et al. 2008). Atmospheric storage is equipped with secondary containment in the form of bunds to contain liquid spills but volatile liquid releases will lead to the formation of a vapour cloud which will escape the bund. The high level alarm, high-high level alarm or trip and the actual overflow level are relatively close but separated by sufficient storage volume to allow operator action to shut off inflow before the next level is reached. There should also be a means of continuously monitoring the liquid level so that the operators can foresee when the normal fill limit will be reached. Until recently there were still some tanks which relied upon manual dipping of tanks before delivery of a liquid parcel to ensure that there was sufficient capacity to accept the consignment. It appears that operators may now regularly rely upon the high level alarm as an operational warning of a full tank, in the knowledge that there is a high-high level alarm/trip as back-up. However this effectively removes one level of protection as the high level alarm is designed as a back-up if the operator fails to respond to the continuous level monitor. It should be noted that in the majority of hydrocarbon atmospheric storage tanks constructed since the 1980s overfilling does not threaten the integrity of the storage tank as they will have been hydrostatically tested to the 157

removal, combined with lack of accurate information on liquid level (Pembroke Cracker). Figure 2 shows a typical arrangement similar to Texas City (Mogford 2005). There is level detection but the alarms are only set around the normal operating range. Therefore there are no alarms or trips set to prevent flooding or overflow above this range. But the operators adopted the practice of filling the column above the normal operating maximum during start-up to avoid difficulties if the minimum level was reached during the fluctuating conditions until stability was established. On the day of the accident the operators did not realise how full the column became and had no instruments to warn them or trip system to prevent overflow. A similar situation occurred at the Pembroke Cracker in 1994 (HSE 1997) when a blocked outlet in the debutaniser column caused an accumulation of liquid. It was not Figure 1. Generic overfill protection for atmospheric storage of flammable liquids maximum fill level and the normal contents are less dense than water. At Buncefield operators failed to realise how quickly the storage tank was filling, particularly after an increase in flow rate to the tank. This suggests that the liquid level was not being monitored and for normal operational control reliance was placed on High and High-High level alarms, thus permanently reducing the levels of protection. If the High-High Level Alarm/Trip was inoperative then there would be no additional levels of protection, because there was absolute reliance on the High Level Alarm as the operating control or monitoring device and no backup. Hailwood (2009) discusses this in more detail and the methods for improvement. EXCESS LIQUIDS IN PROCESS Accidents have been caused by flooded columns and excess liquid in knock-out drums. In some cases columns have been deliberately over filled above normal operating levels (to make start-up easier, e.g. Texas City) and in other cases operators have failed to detect a blocked outlet (Pembroke Cracker). Knock-out drums have been overfilled due to a combination of inadequate/unavailable liquid removal capacity (Piper Alpha), or failure to switch to rapid liquid Figure 2. Typical arrangement of Process Vessel/Column Splitter or Fractionation. 158

possible for the operators to ascertain the liquid level as this was not directly recorded and no high level alarm was in place although all the columns in the fractionation unit were operated on level control they only operated over the normal level range. Also, in the same incident at Pembroke when the process fluids were vented to flare, liquid was knocked out as intended, in the flare knock-out drum. (Figure 3 shows the salient features of the knock-out drum.) But as the cracker unit was operating in an unusual condition (following trips of fans and pumps in the fractionation section and shut down of other units on the refinery), the liquids were lighter than expected. Therefore instruments measuring level using pressure gave erroneous liquid levels. Although operators checked the sight glass level gauge they could not establish the actual level because the level was outside the range covered by the sight glass and no interface could be seen. As a result the operators assumed (wrongly) that the level was low and falling and the compressor could be restarted to assist in the removal of liquids accumulating elsewhere by re-establishing the correct flows through the fractionation unit. In addition the high level in the knockout drum should have resulted in the manual activation of the rapid dumping of liquid to a slops tank. When the plant was rebuilt a high reliability automatically activated rapid dumping system was installed. COMMON THEMES The methods employed by the operators for overcoming practical problems did not follow the procedures envisaged by the designers of instruments and alarm/trip systems and possibly by any HAZOP studies. The designs had furnished measurement and control either side of the normal operating conditions but had not foreseen the need to provide additional information on level or alarms/trips when the liquid accumulations would lead to carry-over. Where there is a large gap between the normal operating range and these unacceptable levels the operators may be aware of the extra capacity that they can use for convenience and which would not result in an incident unless they fail to track the situation and so grossly overfill a vessel. Clearly at Texas City operators were distracted or several operators became involved. At Pembroke the operators did not monitor liquid accumulation as there was a false positive outflow being recorded. If instrumentation was provided then the startup procedure could include resetting the setpoint/high-level/high-high level alarms and trips. But the management of change procedure is often so laborious that this is impractical. The ability for a supervisor to make short term changes to instrument settings and then to restore them to normal value, would make it practical to make temporary changes but would need to be documented, passed from shift to shift, and monitored to ensure that the normal operational settings were restored as soon as possible. As well as keeping the alarms operative, it might emphasise to operators that they are working in abnormal conditions. Obviously designers could consider this option and its practicality should be discussed with operations representatives. In other cases (e.g. Buncefield) operators failed to monitor instruments continuously recording levels so that progress in filling tanks could be followed and the time to fill the vessel estimated. Rather reliance has been placed on alarms/trips which are designed as layers of protection against the operator s failure to take appropriate action. Thus the levels of protection are eroded and a failure of the alarm/trip system will lead to overfill. In some cases the level may be deduced by the instrument system indirectly via measurement of pressure (often misleadingly described as liquid head) and an assumption on normal density. Clearly in these cases overfill can occur when lighter than normal liquids are present and if there is no alarm to alert the operators or trip to initiate shut-down. Note that liquids arising from process blow down will often be lighter than normal process streams because additional liquids will condense at the lower temperatures arising from the Joule-Thompson effect. These lighter fluids may also contribute to greater liquid accumulation in overhead reflux drums. Figure 3. Flare Knock-Out Drum. POTENTIAL FOR IMPROVEMENTS There are several approaches to review of the process plant and its safe operation which may be considered to identify whether the causes discussed above could arise again and whether mitigation could be provided:. HAZOP this is often considered to be hardware oriented and applied at various stages during design. It could therefore, capture and avoid some of the problems before hazardous materials are introduced. However HAZOP examinations may become too mechanical and when considering Level MORE THAN for example may see the operational level high level alarm and considering the headspace before a column 159

may be regarded as flooded think that there is adequate time for an operator response, without realising that there may be intentional overfill at start-up, for example. Startup and shutdown are often reviewed in HAZOP but the team may not explicitly consider the need for process conditions outside the range of normal operating settings of instruments. This is where the input of experienced operators is vital. Other deviations may be relevant for example Composition OTHER which should identify any issues over lower density fluids but a HAZOP team may not always examine how instruments are being used to measure level and that deviations on level and composition may be related.. Various forms of risk assessment, which may consider specific scenarios or a set of generic failure cases. In either case the frequency of challenges to the safety systems is assessed together with the scale of potential consequences so that the need for risk reduction measures determined. These measures may be specified in terms of levels of protection, or more recently in terms of the SIL (Safety Integrity Level) Classification as defined in IEC61511. However the assessments of the effectiveness of safety measures makes assumptions about how they will be used, the number of challenges (demands) on them and the frequency of testing and/ or maintenance.. Human Factors Assessments will often be focussed on issues of layout and adequacy of resources, skills, experience, awareness, supervision and technical support. This latter group of issues has been addressed in methods such as the Entec Staffing Assessment (Energy Institute 2004) which considers whether the operators and their support are adequate for dealing with abnormal situations, particularly those which might lead to process accidents. The support considered will include information supplied by the instruments and control systems and the actions that these will perform for the operators (including remotely operated valves and automatic shut down mechanisms). The method includes physical assessment of scenarios where a team, including operators discuss the development and control of abnormal, high workload situations. The teams are encouraged to discuss how they identify problems, diagnose the causes and then how they would bring them under control. These scenario assessments can be used to determine whether the instruments are providing the operators with adequate information and also examine whether the operators can suffer distractions which prevent them monitoring or controlling the evolving scenario. Ultimately there may be a need to invoke the emergency shut-down system and this has to be considered in the context of whether it would operate in time for the scenario to be brought to a safe conclusion. A very important consideration is the culture of the operating teams and whether they would be willing to initiate a shutdown, if necessary without reference to higher authority. This type of scenario assessment can be performed outside the staffing assessment method and will serve as identification of any misunderstandings of how level measurements and alarm/trips are designed to work as well as identifying where additional information or instruments may be required. However, it is not the intention of this paper to add to the number of alarms provided on a plant but rather that safety alarms be identified separately as such and level alarms/trips set where they will act as safeguards and not as a normal operating level which may not be relevant for start-up, for example. CONCLUSIONS Several high profile major accidents have occurred due to high liquid levels not being recognised by operators. There are several reasons why operators may fail to recognise or act on high liquid levels, these include:. Inaccurate measurements of level where the instrument relies on an assumed density;. The high level has not been covered by the instrumentation scheme, which assumes normal operating conditions and that procedures will be strictly followed;. Operators have come to rely upon alarms or trips which are intended to be used as back-up safety devices;. Operators are distracted and not available to respond when a critical level is reached. Therefore the designers need to have a more practical approach to how the system may be challenged and allow for deviations outside the normal operating conditions, particularly in situations where operators will be aware there is considerable additional head space that can be utilised before dangers can arise. Also operators need to be aware of how instruments are measuring level and whether they rely on parameters that can vary, such as density. They should also be aware of where the instruments can only give information over a restricted range. Rather than wait for accidents to occur the actions of operators in response to difficulties during unusual operating conditions, either during the physical, scenarios examination in staffing assessments or by separate desktop, talk through or walk through workshops to identify how deviations from standard, defined operating procedures may lead to dangerous situations such as overfill, or flooding. Simulators may have an important role to play, particularly if they can be used to show the effects of instrument malfunctions on the operators perception of plant status. In this way it is hoped that potential sequences leading to accidents can be anticipated, and barriers introduced so that lessons may be learned without having accidents. ACKNOWLEDGEMENTS The author would like to thank the referees and colleagues who have made helpful suggestions to improve this paper. However the observations and opinions are the author s 160

own and do not necessarily reflect the views of Entec UK or any of its Clients. REFERENCES Energy Institute, 2004, Safe staffing arrangements user guide for CRR348/2001 methodology: Practical application of Entec/HSE process operations staffing assessment methodology and its extension to automated plant and/or equipment. Hailwood, M., 2009, Lessons from Buncefield in Loss Prevention Bulletin 206. Health and Safety Executive, 1997, The explosion and fires at the Texaco Refinery, Milford Haven, 24 July 1994: A report of the investigation by the Health and Safety Executive into the explosion and fires on the Pembroke Cracking Company Plant at the Texaco Refinery, Milford Haven on 24 July 1994, ISBN 0 7176 1413 1. Kletz, T. A., 2001, An Engineer s View of Human Error 3rd ed IChemE, ISBN 0-85295-430-1. Mogford J., December 9th 2005, Isomerization Unit Explosion March 23, 2005 Final Report Texas City, Texas, USA. Newton, Lord, Drysdale, D., Baxter, P., Powell, T., Leinster. P. and Ashton D., 2008, The Buncefield Incident 11 December 2005. The final report of the Major Incident Investigation Board ISBN 978-0-7176-6270-8. 161

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback