If a situation is unusual, it may require action which has never before been undertaken and which requires a previously unplanned action. This can go all the way from making small changes in procedures to extensive improvisations, which may involve significant engineering.
CASE HISTORY 11.1 A Difficult Decision Which Succeeded [1]
A unit producing light and heavy fuel oil was shut down for a period. The heavy fuel oil froze in the export pipeline to a ship-loading pier, 600 metres long.
Heavy fuel oil is a bit like asphalt. Unless heated to about 60°C, it will not flow.
There was much discussion about how to bring the pipeline back into operation. The most extreme suggestion was to excavate a trench under it and burn oil in the trench. In the end the team assembled a few hundred welding transformers and three large diesel generators and heated the line electrically, by connecting power cables. The method worked.
Other less extreme examples of the need to make decisions and to plan are the following:
• The need to shut down piping which is leaking: Can the plant continue operating or does it need to be shut down?
• The decision on whether to shut down a plant where fluids are foaming and liquid is being transferred to a gas stream: Can operation continue, is it necessary to reduce the throughput or is a shutdown required?
• How do we remove a plug of plastic polymer which is stuck in a dump vessel?
• What do we do when all the product tanks are full and we no longer have storage capacity for the production?
In responding to situations like these, there is usually discussion about what the situation is, what the goal is and what should be done. Usually, this also involves some informal brainstorming.
Making the decision and selecting the approach requires knowledge. This includes knowledge about the plant, knowledge about the plant state, knowledge about engineering methods and knowledge about the underlying physics and chemistry of the plant processes. It can require knowledge of the physics of accidents.
112 Human Error in Process Plant Design and Operations
Errors in this process are typically as follows:
• A method which does not work is selected. This is not always a real error; sometimes you have to try before you really understand the problem.
• The necessary preconditions for the new plan are not understood, or not known. Insufficient attention is given to what could go wrong.
• The possible side effects or downstream effects of the plan are not known.
• A plan which has a high level of risk is created.
CASE HISTORY 11.2 A Decision That Failed
An example of insufficient attention to preconditions for safety is given in an incident documented by the U.S. Chemical Safety Board [2].
A pinhole leak was discovered in a crude unit on the inside of the top elbow of the naphtha piping, near where it was attached to the fractionator. The operators responded immediately, closing valves to isolate the line. Operation was continued. It proved difficult to isolate the line and drain it, a situation which indicated that some valves were ‘passing’, that is, leaking internally. The leak reoccurred, and the valves were tightened.
A plan was made to replace the line without shutting down the plant. A work permit was issued which allowed the maintenance team to drain and remove the pipe. The draining was unsuccessful. The supervisor directed workers to make two cuts in the piping by using a cold cutting method. The cuts immediately began leaking naphtha. As the line was being drained, naphtha was suddenly released from the open end of the piping. The naphtha ignited and quickly engulfed the tower structure and personnel. Four were killed.
It was later found that a valve at the discharge end of the pipe had been passing, and pressurised naphtha had leaked backwards into the pipe.
Apart from the frightening continuation of production, which involved a strong element of risk taking, possible hidden or latent hazards were overlooked.
The pipe could be back pressured; the possibility that downstream valves could pressurise the pipe was overlooked or ignored. The preconditions for safe operations were not checked.
CASE HISTORY 11.3 A Decision without Considering Distal Consequences
A company produced a silicate-based window sealant which included zinc powder in the mix. One batch was mixed wrongly and began to generate hydrogen. The supervisor told the employees to send the material to the chemical waste disposal plant but to leave off the lid until the last moment when the drum was placed on a railcar.
Errors in Decision Making and Planning 113
When the drum was received at the disposal plant, it was lifted onto a trolley by a labourer. The drum exploded, and the lid cut into the man’s chest. He survived but even after recovery was too disabled to work.
In this case, the supervisor did not think far enough about the effects of his plan.
CASE HISTORY 11.4 Improvisation without Analysis
Figure 11.1 shows a bent propane drainpipe. It was caused when a forklift truck was used to support a pushrod (wooden spar) used to clear stuck product from a vertical blowdown drum. The idea was not bad in itself; it meant at least that an operator did not have to stand underneath the discharge hole cover, pushing the rod himself and waiting for material to fall. The hazard of the rising truck fork interfering with the pipe was overlooked, however. The lift of the truck hit a propane pipe and bent it. Luckily the pipe only bent; the connections at the ends of the pipe could have broken, with a potential for a large fire.
RISK TAKING AND RISK BLINDNESS
Taking risks is a fundamental and necessary part of some aspects of process plant operation. The kind and the level of risk vary, but these need to be kept under control.
FIGURE 11.1 Pipe bent by a forklift truck during an improvised dump tank–emptying procedure. Improvisations of this kind sometimes have to be made. It is important, though, before trying something new or of doubtful safety, that the hazards are identified, the risks are assessed and precautions are taken.
CASE HISTORY 11.5 Risk Taking
Georgie was an experienced rigger, with long experience and a remarkable sense of balance. With help from his younger colleagues and a good crane operator/driver, he could manoeuvre a 50-ton pressure vessel into place through structural steel framing with as little as 1-inch clearance.
Georgie was sitting on a 6-inch wide beam at about 20 metres height as a new tank was hoisted into place! He could adjust the lift alignment with a minimum of effort, with just a slight push from his fingertips.
A slight wind moved the vessel an almost imperceptible distance. One of the vessel nozzles caught on the lower steel structure. The vessel tipped, cutting Georgie’s legs at the thigh. He was dead by the time he was brought down from the high steel.
Riggers are a race unto themselves. Many rigger teams do not mix with other construction workers. They are often quite fearless. They are always confident in their own abilities—the job would be impossible without this.
In a modern, well-run construction site, the procedure used for alignment in the case history above would probably be forbidden, but Georgie had carried out the same kind of operation perhaps a hundred times. His confidence in his own expertise and his experience made him blind to risks. The accident was not the result of his own actions except that of putting himself in danger. The direct cause of the accident was an external force, the wind and the ever-present risk of loads catching on surrounding steel.
I have tried to determine the cause of such hazardous behaviours in interviews.
One of the causes which becomes quite clear from these is lack of imagination coupled with lack of direct experience of accidents. Experienced operators, fitters and maintenance artisans, especially the most skilled, are susceptible to this. A typical comment in a session of job safety assessment is, ‘I have worked in this job for over 40 years and have never seen that happen, so I don’t think it is possible’.
A successful strategy I have found for avoiding problems of this kind involves the following:
1. To require job safety analyses to be carried out for potentially hazardous tasks
2. To use a large collection of accident photographs to illustrate the safety analysis; there is nothing like a good accident picture to convince a doubting operator
The form of risk blindness shown in the case histories can arise in explicit decision making during planning or in the instinctive performance of tasks which are routine.
The main problems with this type of risk blindness are the following:
• Inability to judge the level of risk
• Habituation, so that the hazards gradually become invisible
The ability to judge the level of risk, i.e. the probability of the risk, depends on experience of actual accidents and near misses. Accident reports posted on notice boards can help to widen experience. Even better are job safety reviews. These can well be the topic of toolbox talks.
RISK HABITUATION
Habituation involves performing a potentially hazardous task repeatedly with no adverse consequences until one day all goes wrong.
CASE HISTORY 11.6 Risk Habituation and Extreme Risk Taking
Opening filters in pipelines is often necessary in order to prevent blockage. The procedure involves closing the upstream and downstream valves, then opening the vent valve on the filter so that any pressure that can arise inside is released. Pressure can arise, especially if either the upstream or the downstream valve is leaking (passing) or simply because of the residual pressure of operation.
In the actual accident in a paint factory, the vent valve gradually became blocked by paint residue, and the filter remained pressurised. When the maintenance worker opened the filter (by unscrewing four screws), the filter cover was not immediately blown off, because the gasket stuck. When he tried to remove the gasket with a blow of a hammer, the cover blew off, breaking his jaw.
Really good operators become cautious with time; they expect trouble. ‘Never walk under a crane, never stand in line with a blind flange and never trust a ladder until checked’ becomes a mantra. For others, habituation is a truly dangerous phenomenon.
There are other forms of risk blindness. One is hazard blindness, in which the person simply does not know that something is dangerous.
CASE HISTORY 11.7 Hazard Blindness
Two fitters were asked to empty a tank of phosphoric acid and to remove deposits blocking the outlet nozzle. Emptying the tank would take a long time, and production would be halted during the entire job. They decided to loosen some of the bolts on the manhole cover to speed up the process (80 bolts in all, all difficult to free).
When about 30% of the bolts were loosened, the bolts, being overloaded, and the manhole flange ‘unzipped’. The manhole cover was blown off by the weight of the acid, and the 60°C warm acid flowed out. One fitter was killed; the other was very seriously injured.
Lack of knowledge of physics, along with insufficient experience to make physical judgements, is one of the main causes of the more serious accidents in process plants. A description of some of the more serious phenomena is given in Ref. [3].
One of the most prolific sources of data on risk blindness comes from the operation of machines. Numbers of cases and frequencies of incidents were collected and are presented in Ref. [4]. There are large numbers of cases of operators reaching into or climbing into machines without ensuring first that the machine is isolated and locked out.
DELIBERATE RISK TAKING
Some risk taking is an essential part of plant operations. Not all problem situations can be foreseen, and not all problem situations can be recovered without taking some risk.
In the bromination reactor incident described in Case History 15.11, operators and the supervisor knew that starting the agitator on a reactor in which a large quantity of bromine had accumulated was dangerous, with a possibility of reactor runaway.
Not knowing any other way to respond, they decided to start the agitator anyway.
CASE HISTORY 11.8 Considered Risk Taking
A blower providing air to a sulphur burner developed a heavy vibration, detected by all vibration sensors installed on it. The operators shut down the plant and stopped the blower and waited for the unit manager and operations engineers to arrive.
The unit managers were faced with two choices, that of restarting the blower to see whether the cause of the vibration had gone away and that of dismantling the blower and inspecting the impeller. Dismantling and inspection would take several days and probably require a specialist to be flown in from Europe.
Several days of production would be lost. It should be recorded that the blower was no small piece of equipment; the impeller was 2 1/2 metres in diameter and weighed over 400 kilogram and normally rotated at 3000 rotations/minute.
The managers decided to start the blower ‘carefully’, with the operator’s finger hovering over the shutdown button. Before reaching full speed, one of the impeller blades, weighing 65 kilogram, broke off, was ejected into the discharge ducting, and broke a hole when it hit the first ducting elbow. Sulphur dioxide flowing back from the sulphur burner poured out like a waterfall, creating a large plume of toxic gas.
The impeller continued to rotate, because of the momentum, even though the blower was shut down quickly. The now unbalanced impeller caused enormous force and vibration, ripping out eight 2 1/2-inch bolts from the shroud support concrete and ripping out or shearing 24 bolts from the main impeller bearing.
The friction of the axle rubbing on the damaged shroud ignited lubricating oil, starting a 12 metres diameter pool fire.
On the good side, the fire was put out within 10 minutes, and the system was rebuilt and restarted within 12 weeks. No one was injured. The investigation showed that the problem started at a small imperfection in the impeller metal, which developed into a fatigue crack. The blade tore off when the fatigue crack became large enough.
It is known from interviews that the plant managers never envisioned the extent of the damage which could be caused. They took a risk with limited knowledge (which is almost always the case in risk taking). The balance of risks was not in their favour.
Whether the actual restart can be called an error or not is moot. Operators and operations managers have to take risks sometimes, when unusual situations arise. If the gamble pays off, they are regarded for their expertise. If it does not, their action is condemned as error. The only true errors in this kind of situation are in not performing an adequate risk analysis, preferably before the fact, and in not seeking all possible information before going ahead.
RISK TAKING AND RISK BLINDNESS IN MAINTENANCE
There are cases in which safety regulations and rules are deliberately broken. The reasons are varied: laziness, desire to finish a job quickly, high spirits and exuberance and the conviction that safety regulations are unnecessary nonsense. Examples of deliberate risk taking are the following:
• Man riding on transport belts
• Reaching into machinery to clear blockages
• Opening equipment without going through proper isolating, inerting, and venting sequence
• Entering confined spaces without checking
• Not performing routine scheduled checks
Many people are to some extent guilty of negligent risk taking. Take, for example, exceeding the speed limit by a small amount or not using a car safety belt. It is correct to speak of guilt in this context, because the laws and regulations are clear. If an accident occurs, and the breach of laws or regulations is found to have contributed, punishment can be expected.
Negligent risk taking becomes particularly serious, firstly, when the consequence becomes severe; secondly, when the probability of accidents becomes high and thirdly, when the resulting injuries are to others. Operating a process plant beyond its safety limits and failing to test the safety system are typical serious forms of negligence in plant operation management. Completing fraudulent records, or claiming that tests have been carried out or procedures are followed, exacerbates the culpability and in many countries is a criminal act.
Reviewing a number of cases of deliberate risk taking, several features are apparent:
• There is considerable pressure to meet production targets or to meet a restart schedule. The pressure can be related to pressure from senior management or be just derived from professional pride in doing a job effectively.
• Those responsible do not believe that the risk is high. They underestimate either the consequences or the probability.
• A frequent factor is that persons are ignorant of the true status of safety systems. They assume that they are protected by ‘defence in depth’. For example, they may assume that operators will be able to stop accidents, even if alarm systems are out of action. They also rely on the conservatism built into safety assessments.
• There is no appreciation of just how wrong things could go.
• The person is unable to imagine the hazard.
• There is often ignorance of just what the safety regulations are.
Judging the probability of deliberate risk taking is difficult, because it varies so widely. Even in a well-run plant, with a management which is risk aware and which enforces safety regulations, sometimes there are individuals who take risks.
CASE HISTORY 11.9 Convenience and Efficiency before Safety
During a major maintenance turnround on an oil and gas plant, several people were found working inside a vessel which had not been gas tested. The reason (excuse) they gave was, ‘The gas testing technician was overloaded, and we could not afford to wait the 2 hours that it usually took for gas testing to be completed. In any case, full gas freeing and ventilation had been carried out’.
In the investigation it was found that bypassing of gas testing was becoming a standard practice.
It is common in some plants for those responsible for approving permits to work (PTWs) to do so without visiting the work site. This to a large extent invalidates the whole PTW process. In many cases it can be seen that the PTW system cannot work properly, because it is not adequately staffed. This is, from observation, the most frequent example of deliberate risk taking in otherwise well-run process plants.
Preventing deliberate risk taking is one of the main objectives of ‘safety culture’