February 19, 2010

Process Safety and Asset Integrity

Maintaining asset integrity is one of the key areas of process safety. As I observe more and more competition in the Indian Chemical Industry, I am beginning to observe a lack of long term focus towards maintaining asset integrity. With current high attrition rates in the chemical industry, it is only natural that a plant manager tends to "adjust" his focus on maintaining asset integrity to ensure that nothing happens during his tenure. This is also mentioned in the investigation report of the BP Texas refinery incident. Many organizations are implementing process safety management systems without a long term approach. Such systems will bring in more complacency than doing good. Another worrying factor is the lack of competency to manage asset integrity programs. I have observed many "in house" asset integrity teams influenced by their organizational culture in such a way that they get blinded to reality. Top management feels everything is hunky dory when suddenly something fails and everybody wakes up! The UK HSE chair has said "Never allow short-term business pressures to blind you to the real and potentially devastating human and business consequences of neglecting process safety and asset integrity".
I will end with a joke - I was chairing a HAZOP study for a Bio Ethanol Plant coming up in South Africa when one of the participants jokingly asked me "Doesn't all your negative thinking affect you?". Well, Process Safety is not about negativity, but about worrying about things that are so obvious to you but not obvious to others!

February 17, 2010

"Non observance of safety norms caused Jaipur oil depot fire"- investigation report

The investigation committee into the Jaipur oil depot fire has pointed out the lack of written operating procedures, absence of leak stopping devices and lack of understanding of hazards and risks as root causes of the incident. See this report for further details.
The committee also has recommended improving operating discipline. This requires a lot of commitment from top management. Operating discipline is easy to bypass in times of cost pressures. I have observed many times that incidents are caused when operating discipline is set aside even though management knows that it is being bypassed. Process Safety Audit reports should be given due weightage by management. The observations pointed out in the audit report are indicators that something is wrong and unless they are attended to and root causes are found out, a big incident could occur. How many times can we be lucky?
See other opinions in this link.

February 15, 2010

Hazards of natural gas - explosion in a US power plant

On 7th February, an explosion was reported in a US power plant. The mayor of that place put it very nicely when he said "Something happened that should not have happened and something did not happen which should have happened".
The explosion involved natural gas. Many facilities use natural gas for power generation, heating and in furnaces. Natural gas is also a raw material for the manufacture of ammonia. Natural gas is like electricity - a bad master but a good servant. For it to be a good servant, your operators must know the hazards of inadequate purging (removal of oxygen from pipelines/vessels) before admitting natural gas. In fact, the US Chemical Safety Board had, just three days before the incident, issued a warning about the hazards involved in natural gas purging - see this safety bulletin.
See this link for a video posted on youtube about the incident.
My book details the various methods of purging of equipment and pipelines.

Separate your shutdown system from control systems

Today, for cutting costs, many plant owners are trying to incorporate shutdown actions using the control system itself. For example, if there is a control valve that has to close when a predetermined shutdown point is reached, the instrument air to this valve is cut off using a solenoid valve and the valve is designed to "fail close". You must always keep your shutdown system independent from the control system. This is important from an emergency safe shutdown point of view. There is an interesting case study presented in this link where the shutdown system was designed to be independent from the control system. The control system valve did not close during an emergency due to a failure of a solenoid valve but the separate shutdown system acted safely.
I have investigated many process incidents where the shutdown system was connected through the control system and it failed to operate. In fact in one of the Ammonia plants in Europe a friend told me that every critical shutdown valve is provided with redundant solenoids for greater reliability. Have a relook at all your critical shutdown systems. It's better to be safe than to be sorry!

February 13, 2010

Reacting in an emergency - Lessons from the Hudson River Landing

On 15th January, 2009, an Airbus flight suffered bird hits on both engines after take off. The pilots had to react quickly and they landed the plane safely on the Hudson river thus saving lives. Split second decisions had to be taken and they took the right decisions. A beautiful simulation of the incident is given in this youtube link.
In a chemical plant emergency, all the years of training and experience will come into play. A wrong decision taken during the emergency could lead to an unsafe condition. Of course, if you have your shutdown systems working well, they will automatically shut down the plant safely. But there are many other things the DCS operator has to do after a shutdown. This is where his training comes in. How are you training your plant operators to handle emergencies? Is experience from actual emergencies shared and lessons learnt? In India, many of us do not take mock drills seriously. Your lives may depend on it!
Plant operators and shift engineers are the first line of defense against a catastrophe and are you investing in their training?

Runaway Reactions - Run away if you do not have data!

A runaway reaction is an uncontrolled reaction that does not stop. It can cause catastrophic consequences like rupture of reactors and release of toxic gases. The understanding of reactive chemistry plays a big role in avoiding runaway reactions. Avoid the mistake of scaling up from R & D to plant production without understanding all the details of the reaction and its side reactions. The effect of change in operating parameters and batch recipe or quantity must also be understood. Recently a speaker at a seminar mentioned that many batch processes in India are being operated without complete knowledge of the reaction chemistry. I have also investigated a number of incidents involving runaway reactions where operators were operating the batch without proper information on reaction kinetics. There are various scientific tools available to determine these data. Accelerating rate calorimeters, differential scanning calorimetry, etc. are some of them. Just because you have not experienced a runaway reaction incident, do not be complacent. The only hope of survival in a runaway reaction incident is to run away!
Watch this excellent CSB safety video on the hazards of reactions.

February 12, 2010

Don't Alarm your operator!

I have been following the subject of alarm management in a DCS (Distributed control system) with great interest. In many process incidents that I investigate (batch and continuous processes), I observe that the flood of alarms that appeared during the emergency effectively negates the usefulness of the alarm. The irony is that we bring in the DCS with its enormous capability and then realize that alarm management in the DCS is a big issue. The root cause of the problem is the misuse of the enormous capability of the DCS. When installing the DCS it is human tendency to assign all probable alarms, thinking that we are using the capability of the DCS! Now the International Society of Automation has brought out a standard called ISA 18.2 - management of alarms in process industries on June 23rd, 2009. The definition of alarm as stated in the standard is "an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation or abnormal condition requiring a response". How did we manage to forget this definition?

I was part of a team of process engineers and process operators in a World Scale methanol plant, where we sat down identifying whether each alarm that was provided was really necessary or not. To our surprise, at the end of the exercise, we had reduced the alarms by over 50%! Today, there is alarm suppression software sold by various vendors, but I feel the solution is simple - DO NOT COMPLICATE THINGS AT THE BEGINNING ITSELF BY PROVIDING TOO MANY ALARMS!
To achieve the goal of process safety, I am of the opinion that things must be kept simple. In other words, KEEP IT SIMPLE & SAFE (KISS!)

While on the topic of alarm management, I have also observed the other extreme in a few cases - there weren't enough alarms provided. Such issues crop up not in process plants but in storage and transfer facilities where enough thought was not applied in identifying the alarms required.

February 11, 2010

Cars can be recalled but Chemical Plants cannot!

The papers are full of news stories about the car recalls for certain models by Toyota and Honda due to design glitches. In one incident, it was reported that a boy was killed when a fire occurred due to water entering a power window motor. In chemical plants, do we have the luxury of recalls? A design mistake may show up in a devastating way, killing many people. In today's plants, modifications are carried out for capacity increase, energy saving etc. But how sure are you that these modifications do not have design glitches? Cutting costs at the design stage has serious repercussions for process safety. Investment in good design costs money, but cutting costs in design may cost lives. Cars can be recalled but plants cannot. Does your organization have the capability for designing changes or modifications? Are you keeping yourself abreast of the latest design codes and standards? Think about it!

Avoid making your operators into procedural robots

I was reading an incident report of an ammonia pipeline rupture in the USA. The pipeline ruptured and released a large amount of ammonia. The case study report available on the NTSB website indicates that even though the operator was receiving a large number of alarms indicating a pipeline rupture, he attributed the drop in line pressure to less supply and more delivery. This skewed his troubleshooting abilities. How many of you are ensuring that your plant operators are trained to analyze data from DCS and troubleshoot the problem? There is no better defense than a trained and informed operator and your plant training programs should ensure this. During an emergency an operator cannot refer to procedures and all his training and knowledge will come to the forefront in troubleshooting the problem correctly.

February 9, 2010

The dangers of decommissioned equipment

Today's Times of India carries a news article mentioning that 7 workers were injured in a boiler blast when they were removing an abandoned boiler from the premises of an Industrial Explosive factory. It is reported that chemical residues on the floor caught fire and exploded when the workers were attempting to cut the pedestal of the boiler using hot work. How many of your plants, especially old ones, have decommissioned equipment that is not yet removed from service, while the rest of the plant is in operation? Decommissioned equipment that is left in situ poses dangers if it is not properly isolated by blinds. The best option is to remove the decommissioned equipment safely. Many incidents have also been reported in dead legs (piping with stagnant liquid in it that corrodes and leaks after some time) after decommissioned equipment has been removed. These dead legs must be removed at the next available opportunity.
Study your complete plant to identify decommissioned equipment and develop a plan to safely remove it from service.

February 1, 2010

1 out of 1 or 2 out of 3?

Today many organisations are going in for two out of three redundant logic systems for trips. I often wonder how I managed to operate an ammonia plant 25 years ago, fitted with standalone pneumatic instrumentation and no DCS! With modern day electronics, isn't it expected that the reliability of an electronic transmitter will be better? Do not go in for two out of three transmitters just because it is more "reliable". Have you obtained data on mean time between failures of electronic transmitters? When you do a LOPA analysis do not go overboard. The risk criteria used in LOPA should reflect your organization's past incidents also. I have seen many overkills of LOPA studies done by consultants who just recommend two out of three systems at the drop of a hat!
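One way to put numbers behind the MTBF question, as an added example that is not part of the original post: it applies the widely used simplified low-demand approximations for average probability of failure on demand (PFD) and spurious trip rate to 1oo1 and 2oo3 voting. The MTBF figures, dangerous-failure fraction, common-cause factor `beta`, repair time and all function names are constructed assumptions, not plant or vendor data.

```python
"""1oo1 vs 2oo3 transmitter voting from MTBF data, using simplified
low-demand approximations. Added illustration; every number here is
constructed, not vendor or plant data."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Transmitter:
    mtbf_years: float          # mean time between failures, all failure modes
    dangerous_fraction: float  # share of failures that are dangerous and undetected
    mttr_hours: float = 24.0   # time to repair a unit that has failed safe

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected failure rate, per hour."""
        return self.dangerous_fraction / (self.mtbf_years * HOURS_PER_YEAR)

    @property
    def lambda_s(self) -> float:
        """Safe (spurious) failure rate, per hour. Assumes every failure
        that is not dangerous undetected causes a trip signal."""
        return (1.0 - self.dangerous_fraction) / (self.mtbf_years * HOURS_PER_YEAR)


def pfd_avg(tx, arch, test_interval_years=1.0, beta=0.05):
    """Average PFD between proof tests; beta is the common-cause fraction."""
    x = tx.lambda_du * test_interval_years * HOURS_PER_YEAR
    if arch == "1oo1":
        return x / 2.0
    if arch == "2oo3":
        # independent double failure plus the common-cause contribution
        return ((1.0 - beta) * x) ** 2 + beta * x / 2.0
    raise ValueError(f"unsupported architecture: {arch}")


def spurious_trips_per_year(tx, arch, beta=0.05):
    """Expected false trips per year caused by the transmitters alone."""
    if arch == "1oo1":
        rate = tx.lambda_s
    elif arch == "2oo3":
        # a second safe failure must occur while the first is under repair
        rate = 6.0 * ((1.0 - beta) * tx.lambda_s) ** 2 * tx.mttr_hours + beta * tx.lambda_s
    else:
        raise ValueError(f"unsupported architecture: {arch}")
    return rate * HOURS_PER_YEAR


def simplest_architecture(tx, target_pfd, test_interval_years=1.0, beta=0.05):
    """Return the least complex voting scheme meeting the LOPA target, or None."""
    for arch in ("1oo1", "2oo3"):
        if pfd_avg(tx, arch, test_interval_years, beta) <= target_pfd:
            return arch
    return None


if __name__ == "__main__":
    for mtbf in (10.0, 100.0):  # constructed MTBF values, in years
        tx = Transmitter(mtbf_years=mtbf, dangerous_fraction=0.5)
        for arch in ("1oo1", "2oo3"):
            print(f"MTBF {mtbf:>5.0f} y  {arch}  PFDavg={pfd_avg(tx, arch):.2e}  "
                  f"spurious/yr={spurious_trips_per_year(tx, arch):.2e}")
        print("  simplest meeting PFD <= 1e-2:", simplest_architecture(tx, 1e-2))
```

With these constructed inputs, a 100-year MTBF transmitter meets a 1e-2 target as 1oo1, while a 10-year MTBF unit needs 2oo3; the common-cause term sets a floor that voting alone cannot remove.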

January 31, 2010

Sharing of process incidents in India

I really lament the lack of sharing of information and investigations of process incidents in India. The US Chemical Safety Board is doing excellent work by posting videos of incidents for the whole world to see! I can get more information about the BP Texas incident from the internet than I can get about the reasons for the Jaipur Oil depot fire! I was browsing around for details about incident reporting system in India and I chanced upon this website www.cairs.nic.in
I hope the site is kept updated and the information shared.
I am in the process of collecting incidents from friends and colleagues to share with all, without mentioning the organization's name. Unless we learn from past mistakes, the same incident will keep repeating. If any one of you feels like sharing some process incidents without mentioning the name of your organization, please send the details to me. I will put it up on the blog.

Off site chemical disaster management in India

My opinion about off site disaster management in India for chemical disasters is that a lot needs to be done. When I worked in Saudi Arabia, I volunteered to be part of the on site emergency team. The training I underwent for 5 years for just being a member of the on site emergency team was stupendous! We had not only to undergo 4 hours of practical training every month, but weekly refresher trainings also. I was also sent to a 5 day course on advanced emergency response for hazardous materials and rescue where we learnt to deal with actual emergencies with live fires, gas leaks and personnel rescue techniques from top of distillation columns!!
In India, the off site response to a chemical accident is governed by the Chemical Accidents (emergency planning, preparedness and response) rules 1996.
However, I have seen videos of off site mock drills conducted in India and there is a lot of scope for improvement. I hope the NDMA (National Disaster Management Authority) will soon improve the situation.

MSDS availability and harmonisation

Today in the process safety seminar, a participant asked about the plethora of MSDS available on the net and which one to follow. There is work going on to standardize the MSDS internationally. Please visit this link for further details.

There is also an ISO standard ISO 11014:2009 available for MSDS.
But how many of your personnel know how to interpret the MSDS terms from a view of process safety? My book deals with such practical issues.

January 29, 2010

Learnings from Process Safety Seminar

Today I attended the Process Safety Seminar conducted by ICC at Chennai, where I had presented a paper on "Management of Change". The learnings from the seminar are as follows:
1. In an incident involving a blast wave, a magnetic hatch on the top of an ethylene tank flew open due to the blast wave as the hatch cover was facing the blast wave and the hinge was on the other side. This allowed ethylene to come out and add to the fire. One of the lessons learnt is - during a HAZOP study look at these issues. It may be a simple issue but an important one.
2. In another incident, a fired heater was supported on fireproofed support legs. During an incident of a coil rupture and a fire, the fire proofed support legs withstood the fire but the vertical metallic stack which was about 20 m in height could not and toppled on other equipment.
3. In a runaway reaction incident where the reactor exploded, the investigator was trying to determine the thermo chemistry of the reaction in an experimental set up. Unfortunately, the reaction temperature increased so rapidly that it destroyed the equipment in the lab! Luckily no one was injured.
4. IS14489:98 (Bureau of Indian Standards - Code of practice on Occupational health and safety audit)- this focuses mainly on OHS issues. However, a committee has updated it with process safety elements also, but the updated code of practice is yet to be released.
5. There was also talk about behaviour based safety, but I am not a fan of BBS. There is a good article from a union's perspective. See the pdf file "the steelworker perspective on behavioral safety" in this link.

January 26, 2010

Hoses and Process Safety

The US Chemical Safety Board has reported an accident at a DuPont facility at Belle, West Virginia on Saturday. Apparently a braided hose connected to a one tonne phosgene tank ruptured. An operator who was exposed to the gas died the next day. For details see http://www.csb.gov/newsroom/detail.aspx?nid=302.
I am always wary of hoses in a chemical plant. They are silent killers. They may look good on the outside but may have been damaged inside. A facility that wants to ensure process safety must make a list of such hoses, their service and plan a program for replacement. Visual inspection of hoses may offer tell tale signs of hose damage. However, it is best that these hoses are replaced at a certain frequency even if they do not leak. Another option is to consider getting rid of the hoses altogether by replacing with properly designed piping.
I have witnessed a large fire due to an oil hose rupture in a gas compressor which happened in my shift about 25 years ago! The consequences were terrible. The whiplash effect of the ruptured hose sprayed oil over a wide area, contributing to the spread of the fire.

January 23, 2010

Pilot Error and Process Safety Management - The human connection

Today's paper indicates that pilot error caused the helicopter carrying Chief Minister Y.S.R to crash. The investigation report indicates "The cockpit voice recorder showed that there was poor crew resource management among them at any given stage of flying". They noticed a snag in transmission pressure on the instrument displays but failed to correlate it with other indications associated with the snag. Both of them were busy trying to find out the cause of the snag, with the result that they were not aware that they were veering off course. Crew Resource Management (CRM) is a big issue in the cockpit of a plane or a helicopter. In simple terms, it is how jobs are shared during an emergency.
CRM is very relevant in chemical plant control rooms also. I have witnessed incidents due to wrong actions taken by control room personnel as there was no clear direction who would do what. Having said that, it becomes very difficult to compartmentalize actions during an emergency in a chemical plant. The practical solution to this is to have a senior control room operator monitoring the actions of the DCS operators and guiding them. The senior control room operator's job is like a conductor in an orchestra. Control Room Resource Management is one area where plant simulators can be used to train the personnel.
Another point which is in my mind is the provision of a voice recorder similar to that of a cockpit voice recorder and a CCTV camera in the control room monitoring the actions of the personnel during an emergency. Now I know this is going to get a lot of brickbats thrown at me but the purpose is not to spy on them. It is to make improvements in Control Room Resource Management after emergencies.

Emergency response to terror threats

Terrorism has brought about an added dimension to Process Safety Management. Recently an article mentioned that terrorists may target Indian refineries. Is your organization prepared to handle terror threats? The starting point for determining weak links in your security is by conducting a security vulnerability assessment. Do not assume your current security framework can take care of such threats. Also, prepare an emergency response plan in case the worst takes place. How are you maintaining your emergency isolation valves to shut off feed to the plant and to isolate affected sections? How well are your flare and venting systems protected against collapse during a major fire? How quickly can you safely shut off your plant and evacuate personnel? These are some of the questions that need to be answered.

January 17, 2010

Are you thinking about implementing PSM?

Twelve years ago, when I was a Dy. General Manager (PSM) in a large organization in India implementing PSM, there were hardly a few industries in India that had heard about PSM. Later, when I became a PSM consultant to the Industry in 2001, I had to struggle a lot to create awareness about PSM. Today the awareness about PSM has tremendously increased. But I am afraid that if organizations are not careful, PSM also will go the way of ISO 14001 and OHSAS 18001. In my opinion, the quality of certification audits for ISO 14001 and OHSAS 18001 has drastically reduced. PSM also should not go that way. To begin with, organizations must be careful when they get into PSM, because they need to know what they are getting into. Wherever I implement PSM, I first check whether the organization is ready - both from a cultural perspective and adequacy of technical competency for PSM. If these are lacking, the organization first needs to attack these issues. PSM is a never ending journey - the scope for continual improvement is immense. Technical competency is a big issue in PSM. Today I see some organizations that are operating hazardous plants who do not have the basic knowledge of chemical engineering principles and reaction chemistry! So, if you are thinking about implementing PSM in your organization, know what you are getting into!

January 16, 2010

Are your back up systems available?

On Thursday 14th January, it was reported that the entire radar systems at the Air Traffic Control (ATC) at the Indira Gandhi International airport at Delhi failed in the evening for about an hour. It was also reported that no takeoffs or landings could take place for more than two hours following the systems crash. The back up system also failed. The ATC system was finally restored at around 2030 hrs after reloading the system, with the entire procedure taking about three hours. The radar system collapse led to massive delays.
The above incident raises the importance of keeping back up systems always ready. A back up system is just that – it must back up when needed. Obviously something went wrong with the back up also. The only silver lining is that there must have been procedures for manual operation which were obviously put into place as there was no safety of flight issue. How good are your back ups for power supply for the DCS system? How often do you check them? Do not think that it will not happen. I had the personal experience of all 7 DCS screens of a methanol plant operating at full capacity, going blank all of a sudden! Develop procedures and train personnel for handling such situations.