Incidents Continue to Happen
Incidents Continue to Happen
Following the 2005 Buncefield explosion and fire, the head of the U.K.’s HSE Hazardous Installations Directorate, Gordon MacDonald, challenged companies to answer these three questions[1]
- Do we understand what could go wrong?
- Do we know what our systems are to prevent this happening?
- Do we have information to assure us they are working effectively?
As the examples below demonstrate, when an incident occurs that has a cause factor related to bypassing of safeguards, the answer to at least one of these questions is generally “no”.
Formosa Plastics Vinyl Chloride Explosion (April 23, 2004)
https://www.csb.gov/formosa-plastics-vinyl-chloride-explosion/
Investigation:
The U.S. Chemical Safety and Hazard Investigation Board (CSB) determined that this incident occurred when an operator drained a full, heated, and pressurized PVC reactor. The CSB believes that the operator cleaning a nearby reactor likely opened the bottom valve on an operating reactor, releasing its highly flammable contents.
Opening the bottom valve on the operating reactor required bypassing a pressure interlock. The safeguards to prevent bypassing the interlock were insufficient for the high risk associated with this activity. Two similar incidents at FPC USA PVC manufacturing facilities highlight problems with safeguards designed to prevent inadvertent discharge of an operating reactor. “The design of a bypass must be highly reliable, effective, and secure. The Formosa-IL bypasses all lacked physical controls needed to make them secure, in that anyone could access and use the bypasses. In addition, failure to provide indication of the bypass condition meant that the condition could be undetected, compromising the effectiveness of the safety equipment.”
Recommendation:
Review the design and operation of FPC USA manufacturing facilities and implement policies and procedures to ensure that site-wide policies are implemented to address necessary steps and approval levels required to bypass safety interlocks and other critical safety systems.
Sterigenics Ethylene Oxide Explosion (August 19, 2004)
https://www.csb.gov/sterigenics-ethylene-oxide-explosion/
Investigation:
The CSB investigation report indicated: “Interlocks installed to prevent the inadvertent opening of a chamber door include nitrogen filled door gaskets and chamber pressure sensors. Employees, using a password supplied by managers, can override both interlocks.” In this event, supervisors and operators were not adequately trained on the hazards of the process, and therefore made a decision to bypass safeguards based on incorrect information.
Recommendation:
Ensure that all employees with passwords capable of modifying the sterilization cycle sequence have process experience and training that enables them to make safe process decisions. Training should emphasize flammability hazards and the need for gas washes when the chamber is empty of products to be sterilized.
Buncefield Oil Storage Depot Explosion and Fire (December 11, 2005)
https://www.hse.gov.uk/comah/buncefield/index.htm
Investigation:
The COMAH report "Buncefield: Why did it happen?" indicates the following causes of the vapor cloud explosion and fire that occurred when a storage tank was overfilled with gasoline:
Because those who installed and operated the [independent high-level] switch did not fully understand the way it worked, or the crucial role played by a padlock, the switch was left effectively inoperable after the test.
Failure of the [automatic tank gauging] system was the other immediate cause of the incident. The servo-gauge had stuck (causing the level gauge to ‘flatline’) – and not for the first time.
Recommendation:
Operators of Buncefield-type sites should, as a priority, review and amend as necessary their management systems for maintenance of equipment and systems to ensure their continuing integrity in operation. This should include, but not be limited to reviews of a) the arrangements and procedures for periodic proof testing of storage tank overfill prevention systems, b) the procedures for implementing changes to equipment and systems to ensure any such changes do not impair the effectiveness of equipment and systems[2].
[2] U.K. HSE final report: Safety and environmental standards for fuel storage sites
Caribbean Petroleum Refining Tank Explosion and Fire (October 23, 2009)
https://www.csb.gov/caribbean-petroleum-refining-tank-explosion-and-fire/
Investigation:
Similar to Buncefield, this incident occurred when a gasoline storage tank at the bulk petroleum storage tank terminal overflowed, resulting in a vapor cloud explosion and subsequent fire. According to the CSB report, “The automatic gauging system at CAPECO […] had a history of repeated failures and prolonged out-of-service periods. On the night of the incident, the float and tape device inside Tank 504 became stuck and the transmitters for Tanks 107 and 409 were not receiving data from the side gauge on Tank 409; therefore, data on the tank liquid level and a calculated fill rate into 409 were not available in real time on the computer.”
Operating with unreliable or failed instrumentation has the same potential consequences as bypassing a safeguard. Plants should have a written process for responding to failed instruments that meets the intent of this safe work practice.
Recommendation:
Automatic overfill prevention systems need to be engineered, operated, and maintained to achieve an appropriate safety integrity level.
Bayer CropScience Pesticide Waste Tank Explosion (August 28, 2008)
https://www.csb.gov/bayer-cropscience-pesticide-waste-tank-explosion/
Investigation:
In this incident, operators sometimes bypassed interlocks that should have kept a valve closed. Supervisors did not enforce the policy for control of bypassing safety interlocks, either, and “commonly left their passwords logged in to allow operators to bypass safety systems considered troublesome during startup”[3]. This resulted in a runaway reaction that caused a vessel to explode and an intense fire to burn for four hours.
Recommendation:
Validation of all PHA assumptions to ensure that risk analysis of each PHA scenario specifically examines the risk(s) of intentional bypassing or other nullifications of safeguards.
[3] U.S. CSB Investigation Report – Pesticide Chemical Runaway Reaction Pressure Vessel Explosion
A Sense of Vulnerability Is Healthy – Just because it has not happened yet (or here) does not mean it will not happen in the future!
- Is a sense of vulnerability a critical part of the mindset of every employee and contractor?
- Do you require consistency in practice from everyone in the organization?
- Do you have systems in place to determine if inconsistencies exist?
- Do people believe that “yes, it can happen here”?
- Do people believe that “yes, we have similar vulnerabilities”?
- Have you experienced similar incidents but without consequences (i.e., near misses)?
- Do you combat organizational overconfidence that can be stimulated by past good performance?
- Do discussions on potential vulnerabilities take place between operations and senior leadership?
Prevent Normalization of Deviation
“The gradual process through which unacceptable practice or standards become acceptable. As the deviant behavior is repeated without catastrophic results, it becomes the social norm for the organization."
–Sociologist Dr. Diane Vaughan (The Challenger Launch Decision, 1996)
“A gradual erosion of standards of performance as a result of increased tolerance of nonconformance"
–CCPS Glossary
Signs of Normalization of Deviations – Does this describe your organization?
- If a deviation is absolutely necessary, are there defined steps that must be taken (i.e., a written variance procedure)?
- Do these defined steps (or variance procedure) require a detailed risk assessment and approval from multiple levels within the organization?
- Are the expectations clear that no one individual alone is permitted to determine whether a deviation is permissible?
- Do you allow operations outside established safe operating limits without a detailed risk assessment?
- Are willful, conscious, violations of established procedures tolerated without investiga-tion or without consequences for the persons involved?
- Can employees be counted on to strictly adhere to safety policies and practices when supervision is not around to monitor compliance?
- Are you tolerating practices, or conditions that would have been deemed unacceptable a year or two ago? For example:
- Do you allow routine bypasses during plant start-up without additional means of managing risk?
- Are all employees empowered to stop work for any situation deemed unsafe?
Evaluate Your Program
To determine if your company or facility could improve its safeguard bypass program, consider the following.
Do you have the following items:
- A documented process for managing bypass procedures, bypass permits, or temporary MOCs?
- A list of safety critical equipment, including instruments?
- A defined maximum time a function is allowed to be in bypass?
- Roles and responsibilities of persons involved in bypass activities?
- Training and competency of persons involved in bypass activities?
- Compensating measures that should be in place before bypass activities are conducted?
- Job observations performed on bypass activities?
- Levels of authorization for process control changes?
Have you audited your bypass permits/temporary MOCs and discussed the results of the audits? Was there evidence that:
- Permits were not completely filled out (i.e., no verification of compensating measures)?
- Permits were not signed?
- Permits showed evidence that the compensating measures were not in place for the duration of the bypass?
- The personnel performing the bypass were not trained?
- The person approving the bypass was not trained?
- Permit conditions were not communicated within the subject work team?
- Work was not coordinated between work groups (permit writing group vs. group(s) that perform the work?
- Bypass extended beyond the authorized period of time?
- Certain technical provisions of the permit/temporary MOC were not followed?
Have you evaluated your bypass audit program?
- To ensure the quality of the audit process (i.e., protocols, sampling strategies, etc.)?
- To ensure the competency levels of the auditors?
- Does your Bypass procedure reflect the desired intent and is this intent adequately de-tailed in procedural instruction?
- Is the “goal” of your program to complete the permit or to use the permit as a tool to facilitate the execution of safe work?
- Does the execution of the procedure yield the intended results? Are you evaluating your program for:
- Procedural Compliance – are actions and tasks in compliance with procedural requirements? (Paper Control), and
- Program Health – is your system providing the intended results? (Actual Execution)
- Are operators trained on how to respond to failed instruments?
- Do you know of any site or company incidents related to bypassing?
- Have you discussed the results and causes within your organization?
- Do you know of any site or company near misses related to bypassing?
- Have you discussed the results and causes within your organization?
Continually Improve Your Program
Are you considering improvements to prevent future incidents? Here are some ideas you may want to consider:
• How frequently do you review CSB, Process Safety Beacon and other relevant incident communication having learning potential with all members of the organization?
• Do you track specific bypass-related metrics that can be used to determine program ef-fectiveness and improve performance?
• Have you benchmarked your program against other programs in your industry?
• How often do your senior managers visit the field to inspect bypass status?
• Do you have a requirement to periodically update your program?
• Do your workers (those closest to the work), have an easy method to suggest improvements to your program?