Technical and physical solutions are only part of the larger equation since human operators can have a huge impact on operational safety.

Research from the British regulatory body Health and Safety Executive (HSE ) has identified what it considers to be the top-ten factors involving people, primarily the ones working in the control room. Some have a technological component, but here we are focused on the human element that goes wrong.  

Some of these can be solved with training, some are more technical in nature, and others are cultural. All of them should remind us that safety is more than hardware.

MORE

INCIDENT

Buncefield Layers of Protection

In a facility that generally runs with a high degree of stability, layers of protection that don’t get used can form holes, both figuratively and literally.

Examining the Buncefield fire in 2005 could be a textbook example of layers of protection and the “Swiss Cheese Effect.” It’s the illustration that if you take slices of Swiss cheese and lay them on top of each other, if there is a hole in the same position on every slice, now matter how many you stack up, that hole will go all the way through.  Buncefield had traditional layers of protection as part of its safety management system:

• Basic process control system (BPCS)
• Alarms
• Safety instrumented system (SIS)
• Physical containment

Each of these was a single point of failure with no redundancy. Each failed in its own way with disastrous results, so let’s look at them one by one.

MORE

On December 19, 2007. an exothermic reaction at T2 Laboratories, a Jacksonville, Florida-based chemical manufacturer, led to a runaway condition resulting in a massive explosion that killed four workers, injured 32 others and destroyed neighboring businesses.

That day, the workers were mixing a batch of methylcyclopentadienyl manganese tricarbonyl (MCMT), also known as the gasoline additive Ecotane. Although they had mixed and processed batches of Ecotane at least 100 times before (they started in 2004), they had persistently ignored some early warning signs that foretold the very real possibility of catastrophic failure. On the day of the disaster, a fire started and, within 10 short minutes, the process condition accelerated from a familiar problem they had faced before to a full-fledged disaster. The result was an explosion so powerful that a one-ton chunk of the steel reactor was flung into another building 400 feet away. 

A core element when implementing high plant safety standards is to closely analyze key processes so that imminent threats to safety can be identified and neutralized. An analysis of this infamous T2 Laboratories incident helps to reveal where mistakes were made and is helpful for safety engineers who a dealing with safety challenges at their own sites on an ongoing basis.

Incident analysis

Let’s analyze the T2 Laboratories timeline on the day of the disaster:

At 7:30 a.m. the day shift process operator began manufacturing “Batch 175” of the Ecotane from the control room adjacent to the process line. He engaged the automated process control system to load the reactor with the raw materials. An outside operator hand-loaded the reactor with blocks of sodium metal, and then sealed the reactor.

At 11 a.m., the process operator began heating the batch to melt the sodium and initiate the chemical reaction, while monitoring the temperature and pressure on the process control screen. Once the sodium melted, at 210°F, the process operator started the mixing process. In the process of mixing, as usual, the reaction created more heat. That heat continued rising in the reactor. At a temperature of 300°F, the process operator turned off the heating system as specified in the procedure, but as the mixture was exothermic, heat from the reaction continued to rise.

At a temperature of 360°F, the process operator initiated the cooling process. However, the cooling process never started. The control system cooling program called for water to inject into a jacket surrounding the reactor, but a malfunction occurred and the water never made it to the jacket. 

At 1:23 p.m., the plant operator reported the cooling problem to the owners and asked them to return to the site. Upon their return, one of the two owners went to the control room to assist. Fearing a fire, the owner rushed outside to tell workers near the reactor to evacuate as a precaution. The owner then went back into the control room.

At 1:33 p.m., the reactor burst and its contents exploded, killing the owner and the process operator who were in the control room and two outside operators who were exiting the reactor area.

According to the Chemical Safety Board (CSB) investigation, T2 Laboratories’ runaway exothermic reaction occurred during the first step of the MCMT mixing process. A loss of sufficient cooling likely resulted in the runaway reaction, leading to an uncontrollable pressure and temperature rise in the reactor. The pressure burst the reactor; the reactor’s contents ignited, creating an explosion equivalent to 1,400 pounds of TNT.

In hindsight, it might be easy to question why more water wasn’t added into the cooling system so that the rising pressure could be relieved earlier. While the answer to that question may appear simple now, in the heat of the moment, the disaster was caused by a lack of knowledge on the part of staff of the ongoing safety threats.

Lessons learned

At the time of the incident, no emergency instructions existed for addressing a loss of cooling situation. Standard procedures directed operators to fully open the water supply valve and the manual bypass valve in order to cool the reactor. A secondary (backup) source of water stored on site was not immediately available to the process operator in an emergency.

So, what was the root cause of the blast? T2 did not recognize the runaway reaction hazard associated with the MCMT it was producing. The chemical maker’s cooling system was susceptible to a single point of failure due to a lack of design redundancy. In addition, the company did not have the pressure relief capacity in place to safely vent an uncontrolled reaction. Chemists and chemical engineers involved in developing and operating the T2 MCMT process were also unaware of the need to perform runaway reaction testing, address emergency relief, and identify and evaluate previous process anomalies. 

The unexpected exothermic reactions were managed, on the fly, as they occurred, and the T2 employees were under the mistaken impression that the owner and chemical engineer could control any incidents.

This combination of lax safety standards, incomplete communication, human error and mechanical error can happen within any organization at any time. Preventing such events in the future depends on analyzing an existing process with an eye on safety gaps.  In the case of T2 Laboratories, if the possibility of a runaway reaction were modeled or analyzed, a conclusion would have been drawn for deploying a more comprehensive pressure release system and redundant cooling system.

A complete a hazard and operability study (HAZOP), could also have helped in identifying the need for testing to determine the thermodynamic and kinetic nature of the reaction. 

The learn more about steps to take for ensuring better plant and control systems process safety click here.

During the platform fire in 1988, virtually nothing went right, which allows us to draw lessons from a long list of events leading to the hazard.

In the aftermath of the huge fire on the Piper Alpha platform, July 6, 1988, it was clear that the fire started and escalated very quickly into a full-blown disaster due to a huge list of individual failures at every level of the process safety management systems. In many respects, virtually nothing in the safety process worked as it should have, and the result was 165 fatalities out of the 226 men on the platform, plus two more men on a rescue vessel. Property damage ultimately totaled several billion dollars.

Part of the problem of trying to examine this event is its complexity. The specific series of events that turned a process safety incident into a disaster began with a decision to change the mode of production on the platform. A mix of maintenance issues caused management to shift to an alternate mode that was rarely used and which put a higher level of stress (650 psi operating pressures rather than 250 psi normally used) on the platform’s equipment. Operators were also inexperienced with this production method. While this was the straw that broke the camel’s back, many other safety risk elements were punching holes in the layers of protection in place and waiting to help escalate the problem. The most basic process safety management concepts did not exist on the platform. The platform was poorly designed from a safety management standpoint. The match probably could have been struck in many places and times with similar results.

Consider what happened after the first explosion:

• Loss of electric power was almost immediate, and along with it public address, general alarms, emergency lighting, emergency shutdown capability, and fire protection systems.
• The offshore installation manager panicked and did not order evacuation soon enough, although evacuation paths were already largely blocked due to the layout of the living quarters and the lifeboats were inaccessible.
• The layout of the platform combined with inadequate blast panels and firewalls allowed the fire to escalate rapidly. The second explosion occurred within about two minutes of the first.

Reviewing a detailed sequence of events (well worth doing) provides insight into the process safety indicators. Many factors combined to create multiple holes through every layer of protection creating a process safety incident:

• Management driving production beyond safe levels
• Operators insufficiently trained
• Lack of experienced supervisors on the platform
• Poor maintenance practices
• Little use of redundancy for critical systems
• Loss of power caused safety systems to shut down
• Critical systems not physically protected
• Inaccessibility of safety and escape equipment for personnel, and
• Dangerous materials located near crew quarters.

This is the beginning of the list and in subsequent posts we will examine some of the human factors and maintenance issues in greater detail. For now, let’s look at some of the organizational elements.

The decision to change the platform to the alternate production method (Phase 1 rather than the normal Phase 2) with its higher pressures was one of expedience. Gas driers that were normally used were shut down for maintenance, and this shift allowed the platform to continue producing. The platforms in the group (Piper Alpha, Tartan, Claymore and MCP-01) were interconnected physically but management was not necessarily well coordinated.

Increasing the operating pressure by 250+ percent undoubtedly caused noticeable changes on the platform, particularly one with some of the maintenance issues cited on Piper Alpha. Small leaks increased, piping would probably vibrate and rattle, and there was apparently a report that at least one of the flares was roaring and was much larger. Nonetheless, whether anyone on the platform had sufficient experience to realize the implications was not clear. The evidence suggests there wasn’t. It is also unclear exactly which gas detectors were operating, if any, and reporting gas emissions.

Ultimately a process disturbance caused one of the two condensate pumps to trip (the other was shut down for maintenance), which caused a leak at the point where a safety valve had been removed and a blind flange put in its place but not fully tightened. The leaking condensate vapors filled that portion of the platform and eventually ignited. Within minutes, fires from new sources were beginning to engulf the platform causing all manner of safety systems to fail. Once it started, each new development brought in a fresh fuel source and nothing could be done.

From an operational standpoint, we could ask if the manager that called for the platform to shift to higher-pressure operation was aware of the maintenance condition of the equipment. Did any safety management questions enter his thinking?  The point that only one condensate pump was operating indicated there was no redundancy for that critical piece of equipment. Should that have changed the operating directive? Should the local operators and supervisors have made that point? Would it have mattered?

AREA OF ANALYSIS

Pressure sensors to warn of an impending reactor rupture, temperature sensors to trigger an alarm that a reaction is out of control. In some process units, there are more safety-related sensors than those for process control.

Instrumentation certified for use in safety applications is thoroughly studied and characterized to get that rating. In most cases, its reliability is as high as any electro-mechanical device can be, but any device can fail given the right conditions or simply wear out.

That’s why periodic proof testing is so critical to ensure the different elements of the Safety instrumented systems are ready to act upon the appearance of the hazardous conditions in the process.

MORE

All manufacturing operations require a safety plan. However, risks can only be minimized when that safety plan is studied, understood and faithfully enacted by the critical stakeholders. These considerations need to involve the human element.

 Consider how the human element affected the disaster that occurred at the Sayano–Shushenskaya hydroelectric power station in Khakassia, Russia, on August 17, 2009. First there was a loud bang from one of the operating turbines (Turbine 2). Then the turbine’s cover shot up through the ceiling and a 920-metric ton rotor was violently dislodged from its seat. Soon afterward, tons of water spouted from the cavity of the turbine and into the machinery hall. 

 At that moment, chaos ensued.

 The machinery hall and rooms below its level flooded. At the same time, the power station’s main control panel received the alarm, and power output fell to zero, resulting in a blackout. The safety system, which was dependent upon power to operate, was now rendered useless.

 The steel gates to the water intake pipes of the turbines, weighing 150 metric tons each, had to be manually closed. This was performed by opening the valves with hydraulic jacks and keeping them open from 8:35 to 9:20. The operation took 25 minutes, which is near the highest speed that such an operation allows. 

 The emergency diesel generator was started at 11:32. At 11:50, the opening of 11 dam spillway gates was initiated and completed at 13:07. 

When Turbine 2 broke apart violently, 75 people were killed and more than 40 injured. Both the turbine hall and engine rooms were flooded, and a collapsed ceiling contributed to 9 of the 10 turbines at the site being damaged or destroyed. 

Humans played major role

Human factors played a major role in the build up to the disaster and also, as the disaster unfolded, they worked to save lives. 

After the initial rupture, the water level rose, and employees raced toward the main entrance. Among the fleeing workers were supervisors in charge of safety and emergency response. On the fourth floor, operators telephoned their supervisors and their supervisors’ managers seeking guidance on a contingency plan. No answer.

The official report, released on October 3, identified poor management and technical flaws as the main causes of the accident.

The cascading nature of an unfolding disaster

Safety incidents rarely occur as the result of a singular independent occurrence, but rather result from a series of events and/or bad decisions that lead up to the accident. Over time, when small, overlooked detailed issues are addressed and/or fixed, accidents further down the road are averted.

For example, when Turbine 2 was placed under maintenance during the period extending from January to March 2009, after the repairs were completed, the turbine wheel was not properly rebalanced. This might have contributed to excessive turbine vibration between April and July which led to the turbine’s shut down (prior to the August 16 “emergency” restart). That was the day when Turbine 2 was hastily pushed back into operation by the Siberian Unified Dispatching Control Centre (UDCC) due to the Bratsk power plant fire some 500 miles away.

When recommended performance band limits are exceeded, the turbines will begin to vibrate due to the force of water flow. This, in turn, leads to degradation of the turbine over time, due to excessive vibrations and shocks. The problem was observed many times and yet the load on Turbine 2 was not reduced. During the morning of the accident, the plant general director, Nikolai Nevolko, was celebrating his 17th work anniversary. While he was away early in the morning to greet arriving guests, the levels of vibrations were very high because Turbine 2 was operating in the “not recommended” zone to meet grid demands.

Accountability has to be communicated clearly

None of the 50 staff present around Turbine 2 had authority to make any decisions about taking further actions to cope with the increasing vibrations. They had become accustomed to those high levels of vibration and chose to ignore them.  

The report of the accident listed former state-controlled utility chief Anatoly Chubais who was said to have approved an order to allow the plant to continue operating despite known problems and what the report described as “lack of an adequate evaluation of its current safety conditions.”

Clearly, human factors play a major role when it comes to safety and accident prevention.  

To better understand how some of the various mistakes that occurred over time should have been addressed and prevented, click here. To learn more about steps to take for ensuring better plant and control systems process safety click here.

INCIDENT

History has shown that industrial disasters are rarely the result of some single failure in a plant environment that is otherwise carefully operated and scrupulously maintained. In most situations, an incident, large or small, is the logical and inevitable result of a long series of compromises allowing deterioration of people and equipment.

The question, “Why did this happen?” could be replaced with “Why didn’t this happen sooner?” Such was the case at Bayer Crop Science’s plant at Institute, West Virginia, August 28, 2008.

While the actual events were different, the 2008 incident carried many echoes of the 1984 disaster in Bhopal, India, when MIC (methylisocyanate) gas was released from a Union Carbide pesticide plant, resulting in about 3000 immediate fatalities with thousands more suffering permanent and partial disabilities.

MORE

Operator and supervisor errors escalated a process safety incident into a disaster. Could people better trained in oil and gas safety procedures have prevented it, or stopped the process safety incident once the fire stated?

On the night of July 6, 1988, five operators were in the control room on Piper Alpha. That was the minimum compliment needed to operate the platform. Investigations after the disaster discovered that they had all been promoted one level above their normal position and were considered less experienced than the longer-term men that normally ran the platform. This was not a company that was known for a strong process safety culture. Meetings and briefings on the platform did not begin with a safety minute. Maintaining production was driven harder than maintaining a safe working environment.

Investigators examining the disaster after the fact wondered if, prior to the first fire breaking out at 21:58, the operators were aware of the larger-than-normal flare on the southwest side and what might be causing it. It was also unclear if anyone was paying attention to the gas detectors and what they might be revealing. On Piper Alpha safety instrumented systems were not well designed or deployed. As a case in point, the condensate pump B trip was likely caused by a sensor that was not configured to operate at the higher pressures necessary when working in Phase 1. Indications are that gas alarms were received in the control room, but the way the signals were displayed did not indicate immediately which detectors were sending alarms. Moreover, the gas detection system had a reputation for issuing false alerts so they might have been ignored as a matter of course anyway.

After the first explosion, operators had a very short window of time in which to respond and prevent further escalation because power was lost almost immediately. With no power, the fire suppression pumps couldn’t work, but that system was also prone to clogging.

Had trained operators been on duty, they might have been able to foresee what was likely to happen, and used the process control system to slow the escalation. Of course that assumes they had a clear understanding of what was happening and in which parts of the platform, which might not have been the case. The way things went, it was only a matter of minutes before the control room was lost due to its location next to the production modules

The OIM (offshore installation manager) has been singled out as contributing to the safety incident because reports say he panicked. Falling into a state of shock, he was unable to issue evacuation orders, the lack of which likely increased the number of fatalities, in whose number he was counted. Whether that was a matter of poor training or a problem with his temperament, the result was a human factor contribution to the hazard. As a result, as fireboats arrived, there was no one to give orders to begin fighting the fire until the master of one of the boats assumed a role as OSC (on-scene commander) and guided the efforts. By that time it was largely too late.

The combined losses of the control room as a means to facilitate countermeasures and a commander to guide the effort meant there was little that could stem the loss of the systems that could help extinguish the fires. Someone that knew the platform well enough to call for alternate evacuation routes that were still usable before the PA system failed might have saved some lives. He could have also directed the fireboats and perhaps brought them into action sooner. The fireboats probably wouldn’t have been able to extinguish the blaze, but they might have bought precious minutes to allow more people to escape. Some men had to jump from the 175-foot helideck level or the 68-foot level while others managed to climb down to the 20-foot level before jumping. Some of the evacuation craft were located where they were cut off by the fire and could not be reached soon enough.

On balance, all the human factors involved in the Piper Alpha disaster caused more problems than they solved, but they were not the only issue by any means. Process safety management and safety training failures were arguably the most critical. Inadequate safety systems should have driven an awareness of how important it was for people to work safely and be aware of the role everyone played in maintaining life on the platform.

Related Content

Russian Dam Disaster: Assessing the Cost of Failed Safety Practices

When disasters like the Sayano–Shushenskaya hydroelectric power station collapse in Khakassia, Russia, occur, it is difficult to…

Overcome the Element of Tragedy-Slide

The only way to draw positives from such an incident is to learn from the experience so that the same mistakes never happen agai…

Analyzing the Human Element of the Russia Dam Disaster

Having a safety plan in place is not enough to guarantee safety of manufacturing automation operations. In order for risks to b…

Learn more about our global Safety Systems operations

INCIDENT

The Williams Olefins Incident- The Day Multiple Safety Errors Led to a Major Chemical Plant Blast

Part 1: How the disaster happened 

The explosion, which occurred on June 13, 2013, took place when heat levels began to rise in an offline “reboiler”. This increase in heat created an intense amount of pressure due to liquid thermal expansion. The reboiler shell catastrophically ruptured, triggering a boiling liquid expanding vapor explosion (BLEVE) and fire. 

All it took was three minutes.  The Williams Olefins chemical plant in Geismar, Louisiana, which was routinely executing everyday operations, was instantly transformed into a scene of destruction, panic and mayhem. 

MORE