Effective process safety management for preventing future incidents
Process unit startups and shutdowns are significantly more hazardous than normal oil refinery or chemical facility operations. A startup is a planned series of steps to take a process from an idle, at rest, state to normal operation. A shutdown is the reverse sequence.
The Center for Chemical Process Safety (CCPS), an industry-sponsored membership organization that identifies and addresses process safety needs within the chemical, pharmaceutical, and petroleum industries, determined that a majority of process safety incidents occur during a plant startup, even though it represents only a small portion of the operating life of a plant. Process safety incidents occur five times more often during startup than during normal operations, according to the CCPS.
Indeed, a 2010 study of incidents in the refining industry found 50% of process safety events occur during startups, shutdowns, and other cases that infrequently occur. This is because startup and shutdown periods involve many non-routine procedures, and these periods can result in unexpected and unusual situations.
To prevent these types of incidents from occurring, facilities should employ effective communication, provide workers with appropriate training, and have in place strong and up-to-date policies and procedures for hazardous operations such as startups and shutdowns.
The following released from the Chemical Safety Board (CSB) highlights three incidents that occurred during a startup or shutdown, and provides lessons learned in hopes of preventing future startup and shutdown incidents:
1. BP Amoco thermal decomposition incident that occurred March 13, 2001, in Augusta, GA, where three people died.
Workers were attempting to open a cover on a process vessel containing hot plastic when the cover unexpectedly blew off, expelling the hot plastic and killing three workers. A vapor cloud subsequently formed and ignited. The vessel, known as a polymer catch tank, was designed to receive partially reacted waste plastic that had been diverted from a chemical reactor when there were mechanical difficulties with other equipment during periods of startup and shutdowns.
The CSB investigation found 12 hours prior to the incident, an attempt was made to start up the production unit. During that time, workers experienced mechanical problems downstream of the reactor, and an unusually large amount of partially reacted material was sent to the polymer catch tank.
Decomposition reactions of this material produced gases, which caused the plastic in the vessel to foam and expand and travel to connecting pipes, where it then solidified and plugged the inlet to the vent line. This then prevented gases from escaping, and caused the polymer catch tank to become pressurized.
Among other things, the CSB found process hazards analyses concerning the polymer catch tank were inadequate, and process safety information inadequately described the design basis and operating principles for the tank.
2. First Chemical Corporation reactive explosion and fire occurred October 13, 2002 in Pascagoula, Miss., where three people suffered injuries.
At the First Chemical Corporation facility in Pascagoula, Mississippi, steam leaking through manual valves heated mononitrotoluene (MNT), a raw material used to produce dyes, rubber and agricultural chemicals, inside a 145-foot-tall chemical distillation column. The column had been shut down five weeks prior to the incident and was thought to be isolated and in standby mode.
During the shutdown, 1,200 gallons of MNT were left inside the tower and continued to be heated by leaking steam pipes.
During the days leading up to the explosion, the hot MNT began to decompose, forming unstable chemicals. This resulted in a runaway reaction and explosion that injured three workers, damaged plant equipment, and ignited several fires.
The CSB found the facility lacked an effective system for evaluating hazards and for sharing safety information between different facility operations.
3. Bayer CropScience pesticide chemical runaway reaction and pressure vessel explosion occurred August 28, 2008, where two people were killed.
At the Bayer CropScience facility in Institute, West Va., a runaway chemical reaction occurred inside a 4,500-gallon pressure vessel known as a residue treater, causing a vessel in the methomyl unit to explode. The methomyl unit used the highly toxic chemical, methyl isocyanate (MIC), in a series of complex chemical reactions to produce methomyl, a dry chemical used to make the pesticide Larvin. The incident occurred during the restart of the methomyl unit after an extended outage to upgrade the control system and replace the original residue treater vessel.
The CSB investigation found the standard Pre-Startup Safety Review (PSSR) and turnover practices were not applied to the methomyl control system redesign project. The CSB also found the equipment was not tested and calibrated before the unit was restarted. Finally, the CSB found operators were inadequately trained to operate the methomyl unit with the new distributed control system, or DCS.
Eleven best practices and principles
Lessons learned from the events include effective process safety management, which could have prevented these incidents. These 11 key principles should be followed at all times:
1. Implementing written operating procedures for startup following an emergency shutdown such as:
- Conducting and completing a thorough pre-startup safety review
- Following proper safe work practices for opening lines and equipment following a shutdown
- Conducting a management of change (MoC) analysis for equipment, processes and procedures that are not replacements in kind.
2. Written operating procedures need to have sufficient detail to avoid the likelihood of valve misalignments during startups and shutdowns. Written checklists and diagrams to verify proper valve positioning should be provided, if needed.
3. Operational variances were often made prior to these incidents during startup or shutdown where the impact of the change was not known. A review of the MoC policy should occur to ensure it adequately addresses changes due to operational variance. To maximize the effectiveness of MoC, the following activities should be included:
- Define safe limits for process conditions, variables, and activities—and train personnel to recognize significant changes. Combined with knowledge of established operating procedures, this additional training will enable personnel to activate the MoC system when appropriate.
- Apply multidisciplinary and specialized expertise when analyzing deviations.
- Use appropriate hazard analysis techniques
- Authorize changes at a level commensurate with risks and hazards
- Communicate the essential elements of new operating procedures in writing
- Communicate potential hazards and safe operating limits in writing
- Provide training in new procedures commensurate with their complexity
- Conduct periodic audits to determine if the program is effective.
4. Ensure the facility’s lockout/tagout (LOTO) program requires equipment is rendered safe prior to opening for inspection or maintenance. Equipment opening procedures should contain a stop work provision that requires higher levels of management review and approval when safe opening conditions, such as equipment depressurization, cannot be verified.
5. Ensure proper procedures are used to isolate equipment after a shutdown. Do not rely on a single block valve closure, which may leak. Instead, use a double block and bleed; insert a blind flange, or physically disconnect the piece of equipment to ensure it is properly isolated. For equipment placed in “standby mode” continue to monitor critical parameters, such as pressure and temperature, while the equipment is “offline” and ensure operating procedures address the conditions under which “standby” equipment should be deinventoried and shut down.
6. Computerized control systems should include a process overview and, as appropriate, material balance summaries to ensure full process oversight by operators.
7. In complex and critical process systems, multi-channel communication with feedback provides the best opportunity for operators to establish and maintain a mutual understanding of the process unit and its expected future state. During times of abnormal operating conditions, such as unit startup, the risk of operators having dissimilar or incompatible understandings of the state of the process unit is even greater, making effective communication vital and feedback essential.
8. Ensure operators are supervised and supported by experienced, technically trained personnel during unit startups and shutdowns and they are sufficiently trained on the control systems they will be operating. Consideration should be given to the use of simulators for training operators in abnormal situations during startups and shutdowns.
9. For high-hazard processes, establish a shift work policy to minimize the effects of fatigue. Individuals are poor self-assessors and are less likely to admit they are too fatigued to work safely. The shift work policy should aim to manage both normal shift patterns/rotations and temporary situations, such as turnarounds, by limiting the number of working hours per 24-hour period and the number of consecutive days at work.
10. Newly installed computer controls need to be calibrated and tested for functionality before being used in a unit startup.
11. Critical safety devices must not be bypassed during troubleshooting operations during unit startups and shutdowns.
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, email@example.com.