Process Safety Hierarchy

When new chemical plants are designed or existing plants are modified, a safety hierarchy must be applied. A detailed hierarchy is shown in Table 1-21. The hierarchy—in order of preference—is to use (1) inherent safety (see Section 1-13), (2) passive, (3) active, and (4) procedural strategies.

The process safety strategies discussed in this chapter include (1) human factors, (2) managing safety using the CCPS 20 elements of risk-based process safety (RBPS), (3) incident investigations, and (4) root cause analysis.

Human Factors

Operators sometimes make mistakes, and the consequences of those errors may be serious. A critical task analysis is one method to identify problems and develop appropriate safeguards to minimize the risks.¹ When designing a system, human factors should also be considered.² A few issues related to human factors include the following:

• Ergonomics: Can the operator reach what needs to be reached to work safely?

• Operability: Is the workflow designed to minimize taking shortcuts?

• Procedures: Are the procedures clear and easy to follow, and do they clearly explain the consequences of deviations?

• Maintenance: Is there access and capability to maintain equipment?

• Simplify: Are the equipment designs, computer operating screens, operating procedures, safety instructions, safety requirements, and so forth, designed to facilitate comprehension and understanding to minimize hazards and risks?

¹Center for Chemical Process Safety. Guidelines for Engineering Design for Process Safety. (New York, NY: American Institute of Chemical Engineers, 2012), p. 104.

²SACHE Faculty Workshop, Dow Presentation, “Human Errors and Human Factors,” 2017.

Operators make fewer errors when they are appropriately trained, not under stress, not fatigued, and not overloaded with work; when they have enough time for the task; and when they receive active feedback. With active feedback, operators know when they are doing well, and when mistakes are made. Table 13-1 shows the frequency of operator errors as a function of the work environment. Clearly, without active feedback the mistake rate increases by a factor of 10.

Table 13-1 How Often Do Operators Make Mistakes?

Source: “Incident Investigation: Overview,” https://www.osha.gov/dcsp/products/topics/incidentinvestigation/index.html.

Managing Safety

The 20 elements of RBPS discussed in Section 1-12 provides a comprehensive management system for process safety.³ The 20 elements provide guidance on how to (1) design a process safety management system, (2) correct a deficient system, and (3) improve process safety management practices. This management system must include an understanding of the following factors:⁴

• The hazards and risk of the facilities and their operations

• The demand for, and resources used in, process safety activities

• How process safety activities are influenced by the process safety culture within the organization

³AICHE Center for Chemical Process Safety. Guidelines for Risk Based Process Safety (Hoboken, NJ: Wiley Interscience, 2007).

⁴AICHE Center for Chemical Process Safety. Guidelines for Risk Based Process Safety (Hoboken, NJ: Wiley Interscience, 2007).

The management system must also include effectiveness measures, such as methods to measure performance and efficiency, so that resources can be applied in a prioritized manner to a large number of process safety needs.

Incident Investigations

Incident investigation is one of the 20 elements of RBPS discussed in Section 1-12. It must include (1) a formal process for investigating incidents, including staffing, performing, documenting, and tracking investigations; and (2) a method to identify incidents that are recurring.⁵ This method also manages the resolution and documentation of recommendations resulting from the investigation.

⁵AICHE Center for Chemical Process Safety. Guidelines for Risk Based Process Safety (Hoboken, NJ: Wiley Interscience, 2007).

For any incident, experience has shown that many of the 20 elements of RBPS are involved. Incidents almost always stem from a failure of the management system. Thus, by improving the management system, incidents can be significantly reduced.

The objectives of incident investigations are to identify the causes of incidents, understand the interrelationship between causes, and develop actions to prevent the recurrence of similar incidents.⁶,⁷ Investigations should include “near misses” or “close calls” that do not result in an incident but could have if the circumstances had been slightly different.

⁶“Incident Investigation: Overview,” https://www.osha.gov/dcsp/products/topics/incidentinvestigation/index.html.

⁷“A Step-by-Step Guide: Incident Investigations,” https://www.osha.gov/dte/grant_materials/fy11/sh-22246-11/IncidentInvestigationGuide.pdf.

Root Cause Analysis⁸

⁸W. Wilson. “Root Cause Analysis,” http://www.bill-wilson.net/root-cause-analysis.

An important tool in incident investigation is root cause analysis (RCA). It is in the evaluation of root causes where the team discovers systemic changes that can help prevent future incidents.

A root cause is an underlying cause of an incident that is not itself caused by more important underlying causes. In the very early days of incident investigations, most accidents were attributed to a single root cause. Since then, experience has shown that most incidents have multiple root causes. More recently, some incident investigators have redefined root causes as immediate causes.

Understanding root causes is important because they have the following characteristics:

• Are frequently not directly observable

• Relate to origins and sources

• Are established and entrenched

• Can spread out further than expected

• Are difficult to find and remove

• May expand if not identified

• Are often dirty since they soil everything they touch, meaning they have a widespread effect

When RCA practitioners discuss root causes, they are essentially talking about causes that have all of these characteristics.

The term underlying cause is frequently used to provide more detail related to causes. An underlying cause is a less obvious system or organizational reasons for an incident. The differences between underlying and root causes are shown in Table 13-2.

Table 13-2 Differences between Underlying and Root Causes of an Incident

Understanding the reasons for failed RCAs can help teams conduct more effective RCAs. Reasons for failed root cause analysis are shown in Table 13-3. Tables 13-2 and 13-3 demonstrate that strong, substantive, comprehensive, and well-managed actions and corrective action plans are essential. Effective leadership is the difference between failure and success.

Table 13-3 Reasons for Failed Root Cause Analyses or Failed Leadership of a RCA

An RCA discovers the underlying or systemic causes of an event, rather than just its immediate causes. Correcting only a single root cause may eliminate a symptom of a problem, but not the problem itself. If all the root and underlying causes are not identified and corrected, then the incident is likely to recur. Thus, a successful RCA identifies all root and underlying causes.

The tools used to conduct an RCA include brainstorming, checklists, logic/event trees, Five Why technique, timelines, sequence diagrams, and underlying cause determination. For simple incidents, brainstorming and checklists are sufficient, but for more complex incidents, the other tools are preferred. These tools are used to answer four questions: What happened? How did it happen? Why did it happened? What needs to be corrected?

The Five Why technique is an iterative method to explore the cause-and-effect relationships underlying a incident. It involves asking a minimum of five “why” questions. No hard rules exist for forming these questions. For a chemical plant incident, the questions could include “Why did this occur?”, “Why did that occur?”, and so on. This procedure is continued until a root cause is clearly identified. A rule of thumb is that five iterations are required, but more or less may be possible.

Hot Work

Hot work permits minimize the chances of ignition of flammable or combustible materials in a work environment. Hot work operations include welding, grinding, torch cutting, soldering, and use of any other ignition-producing sources. Hot work permits are valid for only one shift at a time. The procedure includes the following steps:

1. Ensure equipment is cleared of hazardous materials and isolated from the running process.

2. Take the necessary precautions to protect combustible or flammable materials from ignition by removing them or covering them with fire blankets.

3. Check for flammable vapors within 35 feet (10.7 m) of work areas using a flammable gas detection meter.

4. If flammable vapors are present in the area, then a hot work permit is denied until the flammable vapors are removed.

5. Post a fire watch in the area.

6. Ensure that a fire extinguisher is available in the area, and check to ensure that smoke detection, sprinkler, and alarm systems are working.

7. Inform operations and everyone in the area.

8. Obtain the necessary approvals and signatures and post the signed permit.

At the completion of the hot work, the operations supervisor confirms that all hot work is stopped and it is safe to go back to normal operations, and then signs a formal approval.

Energy Isolation (Lock-Out/Tag-Out—LOTO; Lock, Tag, Try)

Energy isolation prevents injuries or damage due to the release of stored energy from equipment. The stored energy may take numerous forms—chemical, electrical, gravitational, mechanical, pressure, or thermal. This practice is intended to prevent equipment from unexpectedly being set into motion and endangering workers or releasing hazardous chemicals into the work area.

Typical activities that require this practice include hot work on process equipment, vessel entry, cleaning equipment, entering a dangerous environment (rotating equipment or a vessel with an agitator), repairing electrical circuits, maintaining machinery with moving parts, clearing jammed mechanisms, and removing guards or safety devices.

The energy isolation procedure includes the following steps:

1. De-energize the equipment by isolating the energy source(s), which may require installing blind flanges; closing valves; draining chemicals; disconnecting electrical connections; releasing pressured lines such as hydraulic fluid, air, steam, gas, and water; and releasing spring-loaded devices.

2. Lock the de-energized equipment or electrical device to prevent reactivation. A gang lock device may be used to allow the device to be locked out by several maintenance trades and operations personnel.

3. Tag the equipment or device to warn against re-energizing the equipment. Tags alone can be used only when the equipment cannot be physically locked out—for example, some valves.

4. Try to re-energize the equipment to verify that the locking process works.

At the completion of the work procedure requiring the energy isolation, the operations supervisor is the last one to remove their lock after making certain that the device or equipment is safe to re-energize. The supervisor then signs a formal approval.

Confined-Space Entry (Vessel Entry)

This practice is used to prevent injuries to someone who is working in a confined space. The confined space could be a vessel, a diked area, or even reaching into a large pipe opening. Potential injuries include being overcome by a gas (e.g., nitrogen, carbon monoxide), being entangled with moving equipment, or being engulfed by fluids or powder entering the space. The procedure includes the following steps:

1. The equipment is isolated following a defined energy isolation procedure.

2. Clean/decontaminate the equipment.

3. An attendant (entry watch) must be present in the area at the point of entry at all times to help with emergencies.

4. Ensure that proper emergency equipment is present in the area (e.g., a fire extinguisher, winches, harnesses).

5. Continuously monitor the oxygen concentration in the confined space to ensure that it is at least 19.5%.

6. Add ventilation to the confined space or vessel to ensure the concentration of oxygen is maintained and the temperature is not extreme.

7. Provide a light with ground-fault circuit interruption (GFCI) to assist the person’s visibility in the vessel.

8. Provide a two-way radio for the attendant to summon help if required.

9. Provide an attendant’s log with sign-in and sign-out required to ensure accountability of persons entering and leaving the confined space.

At the completion of the confined-space entry, the operations supervisor confirms that it is safe to go back to normal operations and then signs a formal approval.

Inherently Safer Designs

Inherent safety is discussed in Section 1-13. A simple design feature includes the mechanical configurations of vessels, pumps, and pipelines. A simple design versus a complex design is illustrated in Figure 13-1.

Controls: Emergency Isolation Valves

Emergency isolation valves, sometimes called block valves, are installed throughout plants to isolate and shut down a process during unusual circumstances. These valves can be manually operated or operated by a control system or field analyzer. Emergency isolation valves are typically (1) installed in lines in and out of vessels containing hazardous materials, and activated when a line or hose develops a leak; (2) installed in sewer lines to prevent major leaks from contaminating a treatment facility; and (3) installed using double block and bleed systems as described in the next subsection. In addition, they are sometimes installed in plants so that materials can be transferred from a hazardous environment to a safe one. For example, when a vessel is exposed to fire, a normally closed isolation valve would be opened to transfer the material to a safe location away from the fire.

Block valves are used in a process to isolate a system for maintenance. In contrast, emergency block valves are used to isolate a system or shut down the process in emergencies.

Controls: Double Block and Bleed

Double block and bleed systems are installed to provide assurance that materials cannot flow. These systems are frequently used in vessel entry procedures to ensure that flow of a hazardous material will not occur during employees’ entry into the vessel. They are also used to prevent unsafe situations. For example, a double block and bleed system is used in the monomer feed lines between the monomer storage vessel and the reactor depicted in Figure 13-2. This prevents the reactor contents, including catalysts, from inadvertently backing up into the monomer tank. The reaction normally requires pumping the monomer from a storage vessel at low pressure into a reactor operating at a much higher pressure. If the monomer pump fails, then the reactor contents with the catalyst will back up through the pump into the monomer storage vessel. This will result in a catalyzed reaction in the storage vessel, leading to a runaway reaction. The storage vessel is not equipped to handle this situation.

The problem is eliminated by installing a double block and bleed system in the monomer feed line, as shown in Figure 13-2. If the pump fails, the double block and bleed is activated, and it is physically impossible for reactor contents to flow back to the monomer storage tank. Notice that the monomer lines may also include check valves, but they are not as reliable—check valves may leak.

Controls: Safeguards and Redundancy

Safeguards are discussed in Section 1-11 and are classified as either preventive or mitigative. For example, a reactor that controls a rapid exothermic reaction should have a number of redundant safeguards to prevent a runaway reaction, as shown in Figure 13-3. Redundancy also increases the reliability of the control system; the quantitative effects of redundancy are computed using fault tree analysis, as discussed in Chapter 12.

Controls: Explosion Suppression

As illustrated in Figure 13-4, an explosion suppression system detects a flame or combustion at the incipient phase of an explosion or fire. This detection system operates quick-acting valves to inject a combustion-quenching substance into the burning volume. The explosion suppression system illustrated in Figure 13-4 would prevent the explosion of the spray dryer. Explosion suppression systems can be installed in (1) process equipment to prevent damage to the equipment and (2) pipelines to prevent the combustion from propagating through the pipe to another place in the process.

Flame Arrestors

Figure 13-5 shows flame arrestors placed inline and at the end of a line to quench a combustion, preventing the combustion from propagating down a pipe or duct containing flammable material. The two types of flame arrestors have different design characteristics. The end-of-line flame arrestor prevents a burning gas from propagating back to the vessel from an external fire. These two types of flame arrestors have different design characteristics. The inline arrestor prevents a fire or explosion from propagating through a pipe from one vessel to another vessel.

Containment

A relief system discharging a hazardous material should have a containment system, as shown in Figure 13-6. (Also see Section 9-7 on relief effluent handling.) The containment system collects the relief effluent and prevents discharge into the working areas and environment. It is also important that a management system is used to ensure the containment system is properly maintained and operational. The Bhopal, India, plant had a containment system similar to the one shown in Figure 13-6, but due to poor management, including poor mechanical integrity, the system did not work when it was required, with catastrophic results.

An alternative is to add safeguards and redundancy to the reactor to prevent a high-pressure release from the reactor, thereby ensuring that operation of the relief will not occur. In this case, the safeguard system would require an acceptable reliability, with the reliability being determined through a fault tree or other detailed analysis. Another alternative is to contain the hazard in the reactor vessel by increasing the MAWP of the reactor to the maximum pressure under all scenarios, including operating and incidental pressures.

Materials of Construction

Corrosion occurs due to incompatibilities between process equipment materials of construction and process fluids. Corrosion failures can occur without warning, resulting in large incidents. The risk of such failures is reduced by fully understanding the internal and external environment of the process, by specifying use of corrosion-resistant materials of construction, and by including a corrosion allowance.¹⁴ Corrosion rates are determined experimentally in laboratory tests. Companies must monitor construction to ensure that the correct materials are used and construction standards are followed.

¹⁴Center for Chemical Process Safety. Guidelines for Design Solutions for Process Equipment Failures (New York, NY: American Institute of Chemical Engineers, 1998).

In one notable incident that occurred in an oil refinery, an error in the welding process was to blame: The welder used a weld material that was less noble than the tower’s material of construction. The corrosion transferred the less noble weld material to the tower. The weld seam around the entire tower eventually failed, and the tower fell with major adverse consequences—17 fatalities and a $100 million loss.¹⁵

¹⁵“Union Oil Amine Absorber Tower Accident.” TWI Services Company. www.twi.co.uk/content/oilgas_casedown29.html.

Process Vessels

Process vessels must be designed to withstand the temperatures, pressures, and corrosion environments of the process. Normally, the thickness of the vessel is chosen to withstand the pressure, and the thickness is increased for a corrosion allowance.

All process vessels that are designed to withstand a pressure should also be designed for full vacuum. This vacuum requirement allows for vacuum purging and incidental process vacuums—for example, steam cleaning of a vessel that is entirely blocked (no vents).

Deflagrations. Deflagrations are combustion fronts that move at speeds less than the speed of sound. See Section 6-10. Deflagrations in pipes or vessels without pressure protection result in pipe tears with lengths no longer than a few pipe diameters. The resulting pressure in a vessel or pipe having a contained deflagration is estimated using the following equations:

P2P1≈8 for hydrocarbon−air mixtures(13-1)

P2P1≈16 for hydrocarbon−oxygen mixtures(13-2)

Detonations. Detonations are reactions fronts that move at the speed of sound or faster. See Section 6-10. Detonation failures usually occur in pipelines or vessels with large length-to-diameter ratios.

For a vessel with an internal detonation, the pressure increases significantly:¹⁶

¹⁶Lees. Loss Prevention in the Process Industry, 4th ed., pp. 509–617 (Elsevier, 2012).

P2P1≈20(13-3)

When a pipe network is involved, because of pressure piling, P₂ can increase by as much as another factor of 20.

Detonation failures in pipe networks always occur downstream from the ignition source—usually at pipe elbows or other pipe constrictions, such as valves. Blast pressures can shatter an elbow into many small fragments. A detonation in light-gauge ductwork can tear the duct along its seams and produce a large amount of structural distortion in the torn ducts.

In piping systems, explosions can begin as deflagrations. The flame front may then accelerate by pressure piling to detonation speeds.

Miscellaneous Designs for Preventing Fires and Explosions

Many other design features can be implemented to prevent deflagrations and detonations, as well as fires and explosions in general. CCPS has published many reference books that can help in selecting the most appropriate design for a plant and process.¹⁷²⁰

¹⁷Center for Chemical Process Safety. Guidelines for Chemical Reactivity Evaluation and Application to Process Design (New York, NY: American Institute of Chemical Engineers, 1995).

¹⁸Center for Chemical Process Safety. Guidelines for Facility Siting and Layout (New York, NY: American Institute of Chemical Engineers, 2003).

¹⁹Center for Chemical Process Safety. Guidelines for Performing Effective Pre-Startup Reviews (New York, NY: American Institute of Chemical Engineers, 2007).

²⁰Center for Chemical Process Safety. Guidelines for Safe and Reliable Instrumented Protective Systems (New York, NY: American Institute of Chemical Engineers, 2007).

Preventing Dust Explosions

Key design features that are used to prevent dust explosions include the following:²⁴

²⁴U.S. Chemical Safety and Hazard Investigation Board. “Combustible Dust Safety.” 2018. https://www.csb.gov/assets/1/6/csb_2018_factsheet_combustibledust_05.pdf.

1. Use containment, inerting and purging to remove oxygen (see Chapter 7).

2. Eliminate ignition sources due to tramp metal, mechanical failure, overheating, electrical sparks, and static electricity. The tramp metal problem can be solved by adding magnetic traps that collect metal contaminants. To address mechanical failure problems, add detectors to identify failures, activate alarms, and initiate safe shutdowns. Any overheating problems can be solved by monitoring the temperature of bearings and belts (e.g., belts slipping), and activating alarms and shutdowns. To eliminate electrical sparks, use all explosion-proof rated electrical fittings (Class III and appropriate division; see Chapter 7). To prevent buildup of static electricity charges, use grounding and bonding.

3. Prevent the accumulation of dusts. High dust concentrations in equipment and in equipment vents can be reduced by using pneumatic dust collection systems (sometimes called bag houses). In addition, high dust concentrations outside of equipment due to leaks from flanges or equivalent can be prevented by adding gaskets and tightening the gasket flanges.

4. Mitigate dust explosions using vent panels and explosion suppression as described in Chapter 7.