February 28, 2010

The future of Process Safety in India

A recent news item on February 26th indicates that in the immediate future, Oil Industry Safety Directorate (OISD) is likely to be announced as the single window agency to ensure safety in the oil & gas sector and is also expected to be vested with all necessary statutory powers to fulfill its responsibilities. Several other regulatory changes and announcements that are in the pipeline and expected to be unveiled over the next few months.
What is the future of process safety in India? Do not be surprised if a Chemical Safety Board, similar to the US is set up. Do not be surprised if investigation reports of incidents are put up on the web. But for this to happen, I feel there has to be a strong impetus to the Government to bring in such changes. I am only hoping that another Bhopal is not the impetus!
While on the subject, let us visit the subject of awards and incidents. In my experience, many companies have won many safety awards but then there is a fatal accident. An award for process safety performance cannot be judged by visiting the unit for a few days. It requires commitment day in and day out from top management to really achieve top class process safety performance. I feel that an organization would be better off if it sits back and takes a good look at its performance in process safety periodically.

February 26, 2010

Natural Gas Blowing of pipelines causes accident

The CSB has released a statement that mentions that the explosion at the Kleen energy plant in the US occurred during the blowing of new pipelines with natural gas to clear them of debris. There were a number of possible ignition sources.It appears that this is a "common" practice in power plants. I wonder if people are forgetting the basics: flammable gas + air + ignition source = Fire or explosion!
It is very dangerous to assume that ignition sources will not be present!

February 24, 2010

Monitor your Pressure Safety valves for fugitive emissions

An incident in the US highlights the need to ensure that operational checks are conducted to detect any fugitive emissions from PSV’s. It was reported that about 1.5 tonne of a toxic chemical had leaked from the PSV over a period of two weeks. The leak was finally detected when mass balances did not match. If you have PSV’s discharging to the atmosphere that are mounted on top of vessels tanks and other equipment, ensure that you implement a fugitive emission monitoring program to detect any leak from the safety valve. Many large atmospheric ammonia storage tanks have their PSV’s located on the tank top and any leakage from these valves cannot be detected from the ground level. With more and more habitation coming up near maximum accident hazard units, it becomes imperative that you implement a proactive monitoring PSV leak monitoring program.

Process safety - Do not forget the human being in your design!

Some experts predict that in the future, there will not be any control rooms, but operators and managers individually wearing hi tech equipment like personalized visual displays and control units that will be networked and will be used to control plants. Whatever the future, one thing is sure - the human is going to be around! And continue to commit the same mistakes!! Some examples of design "googlies" are given below:
1. If you install an orifice plate to restrict flow as part of your design, be sure one day it will be removed.
2. If you install an instrument on top of a vessel or equipment and expect the operator to note down the reading, be sure that the reading one day will be noted without the operator going to the top.
3. If you design a tank for full pressure and not for vacuum, when there is a chance of vacuum formation, be sure that the tank will collapse one day due to vacuum.

If you forget to think like an operator, be sure your design will fail one day!!
This also raises another point. In the future is it possible to operate a plant that does not depend on human beings? Ultimately, there will have to be a human being who is looking after that technology and he can also make mistakes!

February 23, 2010

Advanced instrumentation at Refinery

Please read this article

The Worlds Largest Foundation Fieldbus Project
Reliance Petroleum Limited Needed Foundation Fieldbus to Manage the Most Complex Refinery in the World

A picture of the control room is also given in the article.The article also mentions that over 200 of the commissioning staff were given troubleshooting training.

February 20, 2010

Jaipur oil depot fire - Sharing of Incident Report

Kudos to the Oil Industry Safety Directorate for posting the independent investigation committee report on the Jaipur oil depot fire. (Click MB Lall report in their website).As far as I know this is a first in India for sharing incident reports and this is a very positive change for process safety in India.
On reading the report, the following points come out:(I am quoting from the report)
1."Uncontrolled Loss of Primary Containment in the form of a jet of gasoline:Policy issues - Safety not given adequate priority".
2."It was observed that safety shut down system envisaging closure of all Motor Operated Valves (MOV) at the inlet and outlet, immediate to the tanks was provided in design and installation but had been decommissioned, a few years ago, probably after 2003, due to some operational issues. The exact timing of the above is not known to the current operating officers".
3."No External Safety Audit for last 6 years.Internal Safety Audit inadequate as it could not point out any deficiency in design or procedures & practices".
4. "The certifications such as ISO, NSC awards, Greentech awards, Ministry of Labour awards etc., are all based on documentation submitted by the organizations and not on field verifications and safety practices. The awards/recognitions mesmerize the higher management besides giving wrong signals about safety management systems leading to complacencies. It is, therefore, recommended that time and efforts be directed towards annual safety audits by involving non-company experts so as to have unbiased reports. The companies should be cautioned to be circumspect about utilizing agencies and organizations who claim to be providing expert safety advice and assessment"
Update 3.7.10:
A reader called Atul has sent me this query"But how can this be a case of individual fault ? My Brother in law was attending his fathers funeral at the time of accident and could do nothing about it.
In depot fires across the globe, its the Corporation which are at fault and fined. People are given compensation. In India, the employees are put into Jail! Is this a JUSTICE system which you are proud of?"
I request Atul to read my latest post on the subject in this link

February 19, 2010

Process Safety and Asset Integrity

Maintaining asset integrity is one of the key areas of process safety. As I observe more and more competition in the Indian Chemical Industry,I am beginning to observe a lack of long term focus towards maintaining asset integrity. With current high attrition rates in the chemical industry, it is only natural that a plant manager tends to "adjust" his focus on maintaining asset integrity to ensure that nothing happens during his tenure.This is also mentioned in the investigation report of the BP Texas refinery incident.Many organizations are implementing process safety management systems without a long term approach. Such systems will bring in more complacency than doing good.Another worrying factor is the lack of competency to manage asset integrity programs. I have observed many "in house" asset integrity teams influenced by their organizational culture in such a way that they get blinded to reality.Top management feels everything is hunky dory when suddenly something fails and everybody wakes up!The UK HSE chair has said "Never allow short-term business pressures to blind you to the real and potentially devastating human and business consequences of neglecting process safety and asset integrity"
I will end with a joke - I was chairing a HAZOP study for a Bio Ethanol Plant coming up in South Africa when one of the participants jokingly asked me "Does'nt all your negative thinking affect you?". Well, Process Safety is not about negativity, but about worrying about things that are so obvious to you but not obvious to others!

February 17, 2010

"Non observance of safety norms caused Jaipur oil depot fire"- investigation report

The investigation committee into the Jaipur oil depot fire has pointed out the lack of written operating procedures, absence of leak stopping devices and lack of understanding of hazards and risks as root causes of the incident. See this report for further details.
The committee also has recommended improving operating discipline. This requires a lot of commitment from top management. Operating discipline is easy to bypass in times of cost pressures. I have observed many times that incidents are caused when operating discipline is set aside even though management knows that it is being bypassed. Process Safety Audit reports should be given due weightage by management. The observations pointed out in the audit report are indicators that something is wrong and unless they are attended and root causes are found out, a big incident could occur. How many times can we be lucky?
See other opinions in this link

February 15, 2010

Hazards of natural gas - explosion in an US Power plant

On 7th February, an explosion was reported in a US power plant. The mayor of that place put it very nicely when he said "Something happened that should not have happened and something did not happen which should have happened".
The explosion involved natural gas. Many facilities use natural gas for power generation, heating and in furnaces. Natural gas is also a raw material for the manufacture of ammonia. Natural gas is like electricity - a bad master but a good servant. For it to be a good servant, your operators must know the hazards of inadequate purging (removal of oxygen from pipelines/vessels) before admitting natural gas.In fact the US Chemical safety Boards had just three days before the incident issued a warning about the hazards involved in natural gas purging - see this safety bulletin
See this link for a video posted on youtube about the incident.
My book details the various methods of purging of equipment and pipelines.

Separate your shutdown system from control systems

Today,for cutting costs,many plant owners are trying to incorporate shutdown actions using the control system itself. For example, if there is a control valve that has to close when a predetermined shutdown point is reached, the instrument air to this valve is cut off using a solenoid valve and the valve is designed to "fail close".You must always keep your shutdown system independent from the control system. This is important from an emergency safe shutdown point of view. There is an interesting case study presented in this link where the shutdown system was designed to be independent from the control system. The control system valve did not close during an emergency due to a failure of a solenoid valve but the separate shutdown system acted safely.
I have investigated many process incidents where the shutdown system was connected through the control system and it failed to operate. In fact in one of the Ammonia plants in Europe a friend told me that every critical shutdown valve is provided with redundant solenoids for greater reliability. Have a relook at all your critical shutdown systems. Its better to be safe than to be sorry!

February 13, 2010

Reacting in an emergency - Lessons from the Hudson River Landing

On 15th January, 2009, an airbus flight suffered bird hits on both engines after take off. The pilots had to react quickly and they landed the plane safely on the Hudson river thus saving lives. Split second decisions had to be taken and they took the right decisions. A beautiful simulation of the incident is given in this youtube link.
In a chemical plant emergency, all the years of training and experience will come into play. A wrong decision taken during the emergency could lead to an unsafe condition. Of course, if you have your shutdown systems working well, they will automatically shutdown the plant safely. But there are many other things the DCS operator has to do after a shutdown. This is where his training comes in. How are you training your plant operators to handle emergencies? Is experience from actual emergencies shared and lessons learnt? In India, many of us do not take mock drills seriously. Your lives may depend on it!
Plant operators and shift engineers are the first line of defense against a catastrophe and are you investing in their training?

Runaway Reactions - Run away if you do not have data!

A runaway reaction is an uncontrolled reaction that does not stop. It can cause catastrophic consequences like rupture of reactors and release of toxic gases. The understanding of reactive chemistry plays a big role in avoiding runaway reactions. Avoid the mistake of scaling up from R & D to plant production without understanding all the details of the reactions and its side reactions. The effect of change in operating parameters and batch recipe or quantity must also be understood. Recently a speaker at a seminar mentioned that many batch processes in India are being operated without complete knowledge of the reaction chemistry. I have also investigated number of incidents involving runaway reactions where operators were operating the batch without proper information on reaction kinetics.There are various scientific tools available to determine these data. Accelerating rate calorimeters, differential scanning calorimetry etc are some of them. Just because you have not experienced a runaway reaction incident, do not be complacent. The only hope of survival in a runaway reaction incident is to run away!
Watch this excellent CSB safety video on the hazards of reactions.

February 12, 2010

Don't Alarm your operator!

I have been following the subject of alarm management in a DCS (Distributed control system) with great interest. In many process incidents that I investigate (batch and continuous processes), I observe that the flood of alarms that appeared during the emergency effectively negates the usefulness of the alarm. The irony is that we bring in the DCS with its enormous capability and then realize that alarm management in the DCS is a big issue. The root cause of the problem is the misuse of the enormous capability of the DCS. When installing the DCS it is human tendency to assign all probable alarms, thinking that we are using the capability of the DCS! Now the International Society of Automation has brought out a standard called ISA 18.2 - management of alarms in process industries on June 23rd,2009. The definition of alarm as stated in the standard is "an audible and/or visible means of indicating to the operator and equipment malfunction,process deviation or abnormal condition requiring a response". How did we manage to forget this definition?

I was part of a team of process engineers and process operators in a World Scale methanol plant, where we sat down identifying whether each alarm that was provided was really necessary or not. To our surprise, at the end of the exercise, we had reduced the alarms by over 50%!. Today, there are alarm suppression software sold by various vendors, but I feel the solution is simple - DO NOT COMPLICATE THINGS AT THE BEGINNING ITSELF BY PROVIDING TOO MANY ALARMS!
To achieve the goal process Safety I am of the opinion that things must be kept simple. In other words, KEEP IT SIMPLE & SAFE (KISS!)

While on the topic of alarm management, I have also observed the other extreme in few cases - there weren't enough alarms provided. Such issues crop up not in process plants but in storage and transfer facilities where enough thought was not applied in identifying the alarms required.

February 11, 2010

Cars can be recalled but Chemical Plants cannot!

The papers are full of news stories about the car recalls for certain models by Toyota and Honda due to design glitches. In one incident, it was reported that a boy was killed when a fire occurred due to water entering a power window motor. In chemical plants, do we have the luxury of recalls? A design mistake may show up in a devastating way, killing many people. In todays plants, modifications are carried out for capacity increase, energy saving etc. But how sure are you that these modifications do not have design glitches? Cutting costs at the design stage has serious repercussions for process safety. Investment in good design costs money, but cutting costs in design may cost lives. Cars can be recalled but plants cannot. Does your organization have the capability for designing changes or modifications? Are you keeping yourself abreast about the latest design codes and standards? Think about it!

Avoid making your operators into procedural robots

I was reading an incident report of a ammonia pipeline rupture in the USA. The pipeline ruptured and released a large amount of ammonia. The case study report available in NTSB website indicates that even though the operator was receiving a large amount of alarms indicating a pipeline rupture, he attributed the drop in line pressure to less supply and more delivery. This skewed his troubleshooting abilities. How many of you are ensuring that your plant operators are trained to analyze data from DCS and troubleshoot the problem? There is no better defense than a trained and informed operator and your plant training programs should ensure this. During an emergency an operator cannot refer to procedures and all his training and knowledge will come to the forefront in troubleshooting the problem correctly.

February 9, 2010

The dangers of decommissioned equipment

Today's Times of India carries a news article mentioning that 7 workers were injured in a boiler blast when they were removing an abandoned boiler from the premises of an Industrial Explosive factory. It is reported that chemical residues on the floor caught fire and exploded when the workers were attempting to cut the pedestal of the boiler using hot work. How many of your plants, especially old ones, have decommissioned equipment that are not yet removed from service, while the rest of the plant is in operation? Decommissioned equipment that are left in situ pose dangers if they are not properly isolated by blinds. The best option is to remove the decommissioned equipment safely. Many incidents have also been reported in dead legs (piping that have stagnant liquid in them that corrode and leak after some time) after decommissioned equipment have been removed. These dead legs must be removed at the next available opportunity.
Study your complete plant to identify decommissioned equipment and develop a plan to safely remove them from service.

February 1, 2010

1 out of 1 or 2 out of 3?

Today many organisations are going in for two out of three redundant logic systems for trips. I often wonder how I managed to operate an ammonia plant 25 years ago, fitted with standalone pneumatic instrumentation and no DCS! With modern day electronics, isn't it expected that the reliability of an electronic transmitter will be better? Do not go in for two out of three transmitters just because it is more "reliable". Have you obtained data on mean time between failures of electronic transmitters? When you do a LOPA analysis do not go overboard. The risk criteria used in LOPA should reflect your organizations past incidents also. I have seen many overkills of LOPA studies done by consultants who just recommend two out of three systems at the drop of a hat!