ERRORS IN PROCEDURE EXECUTION—WRONG PROCEDURE Operators may use the wrong procedure mostly for good reasons

If there is no standard procedure but it is necessary to get a job done, then a pro-cedure must be created. In the Texas City accident of 2005 [2], operators found the pressure in the distillation column rising. They opened a 3-inch blowdown valve, which had been noted as potentially dangerous due to the large blowdown rate. The reason was that the controlled depressurisation valve was not working.

There is nothing wrong with creativity in developing new procedures. This is necessary when situations which have not been foreseen by the design engineers arise. Such creativity is often needed in maintenance tasks, such as clearing blockages. However, no such tasks should be undertaken without at least a job safety analysis and where changing of valve lineups or process parameters is planned, a mini-hazard and operability study. Even in an emergency, this kind of analysis should be made, because it is too easy to make an incident into an accident.

FIGURE 5.4 Operator-paced sequential control that uses a very early model of program-mable logic controller. The correct button is backlit when the system is ready to proceed with the next production step.

Errors in Performing Standard Procedures 45

CASE HISTORY 5.2 Procedure Adaptation

A ‘drum shredder’ was used to deal with drums of solid waste. The drums were fed into a hopper, with rotating knives, where they were cut into pieces, and the solid waste reduced while waste solvent was added as necessary to produce a ‘paste’.

The mixture was then pushed by a high-pressure concrete pump to an incinerator.

A problem arose due to some barrels already containing liquid, hidden beneath solids. In this case the mixture would become too wet. Pumping the solid part of the waste was still possible, but the liquid would run back through the solid, until a large liquid content built up, which could dangerously spill into the incinerator.

It was suggested that the solution to the problem would be to simply add more drums of solid waste; on analysis this was determined to be hazardous as it could lead to mixing incompatible solids or overloading the shredder. Instead, a system was developed for adding dry sand to the mix, which was confirmed to be safer.

An insidious problem in executing procedures is ‘trapping’. If a situation looks like a standard one, then the standard procedural response is performed. The result can be catastrophic if the actual situation is not as expected.

CASE HISTORY 5.3 Procedural Trapping

Operators were transferring gasoline from a refinery to a remote storage termi-nal. The flow rate at the terminal fell. This was not unusual; changes in pump performance, temperature or product viscosity could cause this (although not to any great extent with gasoline, but the operators did not know that). They responded in the usual way by increasing pumping rate. Unfortunately, the rea-son for the low flow rate at the terminal was caused by a leak in the pipeline.

About 20,000 barrels of gasoline were lost. Fortunately, there was no ignition, despite the release occurring at a high traffic intersection, and most of the gaso-line could be pumped up.

Incidents like the above have occurred on a multiproduct pipeline transferring kerosene in Cubãtao, Brazil, in 1983 [3] (with hundreds of fatalities occurring when the kerosene flowed through a village and ignited), and at Ufa, Russia, in 1989 in a liquefied petroleum gas pipeline.

Traps such as these can be readily prevented by adding just a little more instru-mentation—a flowmeter at each end of the pipeline and a pressure indicator for the pump discharge, together with proper emergency recognition hazard awareness and response training.

A ‘perfect trap’ is one in which the situation appears innocuous to the operator, when in fact it is dangerous or at least harmful. Other examples are given in Chapter 15.

46 Human Error in Process Plant Design and Operations

CASE HISTORY 5.4 A Perfect Trap

One situation which occurred for me arose during commissioning of a distilla-tion plant. Methanol solvent, distilled from the product, was to be returned to a ground tank. The tank had been installed, a manhole cover fitted and the pipe from the unit to the tank put in place. When pumping started, methanol was sprayed in all directions. The pipe had been put in place, but no hole had been cut into the manhole cover, and the pipe did not enter the tank. The pipe fitting had been done so well that it was impossible to see the difference between properly installed pipe and an incomplete installation.

Mislearning or erroneous teaching is a cause of errors in selecting the appropriate procedure. Frequently, accident reports refer to inadequate training. (See Chapter 7.)

Mislearning can also occur when operators move from one plant to another, but when their experience is not so directly transferable.

CASE HISTORY 5.5 A Normal Procedure Is Dangerously Inadequate Repairs were to be made on an acid tank. The tank was drained down and washed, then ventilated. Before allowing entry to the tank, the atmosphere inside was tested for breathable oxygen and for flammable atmosphere, both at the entry manhole, and at the top vent. The tank was signed off for work. When welders started welding about 1 hour later, an explosion occurred. Hydrogen had collected under an internal box intended to prevent inflowing acid from disturb-ing settlement. Because the box was inverted, the light hydrogen was prevented from being swept out of the tank during ventilation. Because the box was inac-cessible, the gas inside could have been tested only after tank entry and with use of a ladder, which did not occur to the gas tester.

CASE HISTORY 5.6 Wrong Procedure Due to Instrument Failure Instrument failures are a relatively frequent cause of performing the wrong pro-cedure. At Three Mile Island in 1979 [4], a stuck level gauge caused operators to struggle to prevent overfilling of a pressurisation vessel, when in fact the prob-lem was low cooling water level in the reactor vessel. In addition, safety valves had opened consistent with a high level. Actually a safety valve was stuck open and was the main cause of the low level.

Errors in emphasis in training were a factor in this accident too. The dangers of overfilling a reactor so that it could become hydraulically full, and possibly rupture, had been emphasised to a much greater extent in training than the dan-gers of low liquid level and meltdown had been.

Errors in Performing Standard Procedures 47

CASE HISTORY 5.7 An Unfortunate Departure from Procedure A kettle-type reactor producing phenylacetyl chloride reacted benzoic acid with thi-onyl chloride, a very corrosive and toxic compound of sulphur, oxygen and chlorine.

The reactor was filled with phenylacetic acid in sacks. The acid was then heated to melting and stirred. Thionyl chloride was added slowly because, although the reaction is endothermic and cannot run away, the reaction produces hydrogen chloride and sulphur dioxide. Too rapid a reaction would overpressure the system and overload the acid gas scrubbers.

In the actual incident, the phenylacetic acid was heated until 80°C was shown on the temperature indicator. In fact, the temperature was not so high in the bulk of the material. Solid caked residue had gathered around the temperature probe and the sensor was reacting to heat conducted from the heating coils. Instead of reacting, the thionyl chloride gathered at the bottom of the reactor. When, eventually, the mixture was heated sufficiently to react, the amount of thionyl chloride was large and reacted quickly. The pressure blew out the burst disk and hydrogen chloride and sulphur dioxide were vented to atmosphere.

ERRORS IN PROCEDURE EXECUTION—TOO MUCH