Loss Prevention Bulletin

Improving process safety by sharing experience

Revisiting the Tacoa

Issue 290, April 2023

Power Plant
boilover

Are all critical safety

systems created
equal?
Four good practices
from PSM audits
Ageing plants –
Corrosion is the real
enemy (Part 2)
Implementing inherent
safety in design
Accidents of the
future – Part 10

LPBcover290.indd 1 30/03/2023 14:25:36

 TRAINING
LIVE ONLINE ON-DEMAND FACE-TO-FACE IN-COMPANY

Learn with IChemE

IChemE is a market leader in process industry training with an extensive range of courses to help
you develop your chemical engineering and process safety knowledge. Courses are delivered both
online and face-to-face.

Upcoming courses
LIVE ONLINE

■ Advanced Process Safety Considerations for ■ HAZOP Study for Team Leaders and Team Members
Hydrogen Projects
■ Layer of Protection Analysis (LOPA)
■ Bowtie Analysis and Barrier-Based Risk Management
■ Managing Human Factors
■ Fundamentals of Process Safety
■ Pressure Systems
■ Hazard Identification Techniques
■ What Engineers Need to Know About Hydrogen Safety
■ HAZOP Leadership and Management

FACE-TO-FACE

■ Bowtie Analysis and Barrier-Based Risk Management ■ HAZOP Leadership and Management
■ Fundamentals of Process Safety ■ Layer of Protection Analysis (LOPA)
■ HAZOP Study for Team Leaders and Team Members ■ Managing Human Factors

LIVE ONLINE

All our courses can be delivered in-company, on-site or online.

LPB 290

Bowtie Analysis and Barrier-Based

Risk Management
10 May, Manchester, UK
From 23 May, 10:00 BST, Online
Learn about the bowtie risk assessment methodology and how to
apply it effectively to facilitate risk-based decision making.

www.icheme.org/training

LPB 290 Courses FP AD.indd 1 30/03/2023 16:28:43

 Loss Prevention Bulletin 290 April 2023 | 1

Contents
2 Case study — Revisiting 15 Ageing plants – Corrosion
Loss Prevention Bulletin the Tacoa Power Plant is the real enemy but
boilover 40 years on there are other problems
Articles and case studies
Ewan Stewart recounts the story (Part 2)
from around the world of Venezuela’s deadliest industrial Corrosion is one of the most
Issue 290, April 2023 disaster where an explosion in a potentially damaging losses to
fuel oil tank at the Tacoa Power any industrial property. In the
Editor: Tracey Donaldson Plant resulted in 150 people losing second part of his paper, Robert
Publications Director: their lives. Canaway describes common types
Claudia Flavell-While of corrosion which are found in
Subscriptions: Hannah Rourke 7 Are all critical safety industrial plants and highlights four
Designer: Alex Revell systems created equal? corrosion-related case studies.
David Black discusses the
Copyright: The Institution of Chemical
importance of maintaining 22 Proven techniques for
Engineers 2023. A Registered Charity in
England and Wales and a charity registered engineering documentation for effective implementation
in Scotland (SCO39661) fire protection systems and other of inherent safety in
emergency response assets to
ISSN 0260-9576/23 ensure those critical safety systems
design
are available when needed and Rajender Dahiya explains the
The information included in lpb is given in important role leadership plays
good faith but without any liability on the
function as intended.
in implementing ISD concepts
part of IChemE
11 Four conduct of and provides insight into how
Photocopying incremental success can help
operations best practices establish a culture that
lpb and the individual articles are protected
by copyright. Users are permitted to —lessons learned from embraces ISD.
make single photocopies of single articles PSM audits
for personal use as allowed by national Adam Musthafa discusses four 27 Accidents of the future –
copyright laws. For all other photocopying
permission must be obtained and a fee
positive conduct of operation part 10
paid. Permissions may be sought directly observations from process safety The tenth instalment of this series
from the Institution of Chemical Engineers, audits relating to shift handover; predicts that a mis-used fulcrum
or users may clear permissions and make disciplined operational surveillance and lever system will result in a
payments through their local Reproduction and logging; defining clear serious injury and a trip will fail to
Rights Organisation. In the UK apply roles and responsibilities; and operate which will result in a major
to the Copyright Licensing agency implementing a proactive process accident hazard.
Rapid Clearance Service (CLARCS), 90 safety observation programme.
Tottenham Court Road, London, W1P
0LP (Phone: 020 7631 5500). In the USA
apply to the Copyright Clearance Center
(CCC), 222 Rosewood Drive, Danvers, MA
01923 (Phone: (978) 7508400, Fax: (978)
7504744).

Multiple copying of the contents of

this publication without permission is
always illegal.

Institution of Chemical Engineers

Davis Building, Railway Terrace,
Rugby, Warks, CV21 3HQ, UK

Tel: +44 (0) 1788 578214

Fax: +44 (0) 1788 560833

Email: tdonaldson@icheme.org
or journals@icheme.org
www.icheme.org

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290contents.indd 2 30/03/2023 14:23:49

 2 | Loss Prevention Bulletin 290 April 2023

Incident

Case study — Revisiting the Tacoa Power Plant

boilover 40 years on
Ewan Stewart, Senior Process Engineer at Wood & Queensland Joint
Chemical Engineering Committee Chair
investigations were undertaken on behalf of the Venezuelan
Summary government, these were never made public. Fortunately, as
Venezuela’s deadliest industrial disaster occurred on the years have passed, information has been leaked via court
19 December 1982. An explosion in a fuel oil tank at proceedings, articles in the local broadsheet, El Nacional, and
the Tacoa Power Plant, then operated by Electricidad de first-hand accounts of those that were there and survived. In
Caracas, had already claimed the lives of two operators. this write-up, I hope to build on earlier publications, and to fill
However, as the resulting fire continued to burn, emergency some gaps of not just what occurred, but how and why.
personnel, onlookers, and media gathered in the vicinity
— all unaware of the ominous heat wave creeping to the La Planta Termoeléctrica Tacoa
bottom of the tank. Suddenly, a heel of undrained water Officially part of the Ricardo Zuloaga Generator Complex, the
was vaporised, ejecting the tank’s contents in a violent facility was named Tacoa after the seaside village in which it is
eruption which gushed burning oil down the steep hillside. situated. The original Tacoa thermo-electric power station was
Caracas suffered severe blackouts as the grim news built on reclaimed land next to its sister Arrecifes plant in the
emerged. 40,000 people were evacuated. 500 were injured 1950s, and this was supplemented with the Tacoa expansion
and more than 150 lost their lives.
plant in the late 1970s. The overall complex supplied 1700
Keywords: Fuel oil, tank, fire MW of power to the greater Caracas area.
The site is instantly recognisable for its picturesque
surroundings and for the three gigantic red and white chimney
Prólogo stacks of the expansion plant. These soar high above the
I can remember when I first learned of this incident. I had been facility, which is sandwiched between the cerulean blue
reading Incidents that Define Process Safety when I found Caribbean Sea and tropical green hills. When the 1970s
the double-page dedicated to the Tacoa tragedy. Shocked expansion was made, the only area to install two heavy fuel oil
at the magnitude of destruction from a single tank, my initial
curiosity was stalled by the Spanish-English language barrier.
For years the incident remained inaccessible, although I have 1200 MW Tacoa 170MW Arrecifes
often wondered exactly what happened that day. Last year, as expansion power plant
the 40-year anniversary approached, I decided to give things
another go. This time I had the help of unlocked archives, a
vastly improved google-translate, and several experts who
were able to direct me towards reliable source material.
Avid LPB readers will know that as of January 2021, the Loss
Prevention Bulletin has been fully accessible for all IChemE
members, and a search of the records revealed that the Tacoa
tragedy was covered in issue 57 of this publication (https://
www.icheme.org/media/5781/lpb_issue057p026.pdf).
Few might be aware that the (USA) National Fire Protection
Association also has a freely searchable archive. After some
sleuthing, I discovered that the NFPA had been invited to the
scene to provide advice in the wake of the incident. A three- 340MW original
Tacoa power plant
page account of their findings in Fire Service Today appears
to be the source for much of the information that is currently
available in English. However, this stops short of detailing the
Figure 1 – The Ricardo Zuloaga Generator Complex. Tanks 8
failings that led to the incident’s escalation.
and 9 were located at the site of the modern-day demineralised
Frustratingly, I have learned that many aspects of the Tacoa water tank (visible behind the tip of the expansion plant’s
tragedy are to this day, still up for debate. Although official middle stack)

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Stewart.indd 2 30/03/2023 14:50:55

 Loss Prevention Bulletin 290 April 2023 | 3

tanks (no. 8 and 9) was high on the hillside. This topography steam coil, leaving a single coil in operation. Although this was
would play a role in the tragedy to come. enough to clear the feed line temperature alarm, conditions
within tank no. 8 remained far from normal.
Ignición de un fuel oil pesado One might be curious as to how a heavy fuel oil is able
produce a flammable atmosphere. The answer is a combination
A key mystery in this incident is the behaviour of the process
of blending and inappropriate temperature. Firstly, the
fluid, number 6 fuel oil. Also known as residual fuel oil or
specification for number 6 fuel oil allows for lighter ends
bunker C, this is primarily produced from the bottom cut of
to be combined with the residual oil to achieve a reduced
a refinery’s distillation column. Known for being tar-like and
viscosity, provided that flash point limitations are met. Varying
sluggish, number 6 fuel oil cannot be pumped without first
degrees of blending can produce fuel oils with wide-ranging
heating it. Each of the Tacoa expansion plant’s fuel oil storage
characteristics far removed from the original residual oil. The
tanks were equipped with six internal steam coils for this
purpose. Late on 18 December, night shift operators recorded evidence suggests that the alarms and trips at the Tacoa power
abnormally high temperatures in the feed line from the storage plant were configured for a different blend to that which was in
tanks to the fuel oil burners. Consequently, staff isolated one the tanks at the time of the incident. Despite the flash point of
the fuel oil being 71°C, the high temperature alarms were set
at 80°C, with the boiler feed observed as high as 88°C. The
lighter components of the blended fuel oil were being boiled-
off within the tank.
Shortly before dawn the next morning, a three-man crew
drove up the steep and narrow road to check the level on
tank no. 8. This was necessary to facilitate offloading from a
docked tanker. Whilst one operator remained in the vehicle,
the other two climbed the access stairway to the roof of the
55m diameter 17m tall tank. As the men opened the gauging
hatch, hot hydrocarbon vapour interspersed with the air
creating an explosive mixture. The source of the subsequent
ignition is much contested and will likely never be known. The
most widely accepted theory is that there was an attempt to
illuminate the dip tube for reading either with a match, lighter
or a non-intrinsically safe lamp.
What followed was a massive explosion that ripped off

knowledge and
competence
the tank’s conical roof. The two operators on the roof were
launched into the air and killed. The third crew member was
narrowly able to escape as severed oil lines fed a growing fire
in the tank’s containment dike. By the time he reached the
safety of the control room, a gigantic black plume loomed over

engineering
and design
the facility from menacing flames high on the hillside.

Proteccion contra incendios inadecuada

It soon became clear that Electricidad de Caracas had no
contingency plans for a fire in their fuel oil storage tanks. The

systems and
procedures
company lacked a fire-brigade, and their staff had no training
or instruction. Three water storage tanks located higher on
the hillside held a dedicated firewater reserve, and this was
supplemented as required by seawater pumps. Despite this,
there does not appear to have been any coordination of the
electricity company employees to obtain water from these
sources.
The emergency response was delayed by more than 20
minutes as the first fire engines navigated tortuous roads to
reach the remote site. Worse still, the track leading to the
burning tank was dangerously exposed to a sharp drop on
one side. It was too steep and narrow for anything other than
an off-road vehicle. Firefighting apparatus arrived from across
the region over the next few hours, with engines parked in the
Figure 2 – (Top to bottom) streets below, unable to access the elevated fire.
1. Fuel oil overheated above its flashpoint. Carrying what equipment they could, responders made
2. Opening of gauging hatch allows air to intersperse with their way up to the burning tank on foot. It was then that the
hydrocarbon gas. Ignition source unknown. neglected condition of the fire response systems became
3. Explosion expels tank roof. Two operators killed. apparent. Of three firewater pumps, only two units were

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Stewart.indd 3 30/03/2023 14:50:56

 4 | Loss Prevention Bulletin 290 April 2023

operational. As a result, there was insufficient pressure for

any hydrant or cooling line to reach the inside of tank no. 8.
Further, a dedicated 2,000-gallon foam concentrate tank was
found to be completely empty. Under any circumstances,
extinguishing an open tank fire of this size would be extremely
difficult; the lack of water and foam made this task impossible.
The order was given to let the tank burn itself out. However,
given the intensity of the fire, action was still required to
prevent spread to the neighbouring dikes.
Despite the challenging access, the fire department were
eventually able to position a small pumper truck on the hill
overlooking tank no. 8 and had also managed to procure
several barrels of foam concentrate. However, the necessary
plant water to combine with the concentrate could not be
sourced; the available connection, a coarse thread NPT
(National Pipe Thread), was incompatible with the fine thread
NH (National Hose) utilised by the fire department. Desperate
for any means to access the water, responders decided on a
risky improvision. As the fire raged on close behind them, they
set to work fabricating a connection with open flame cutting /
welding torches.
Whilst the responders scrambled on the hillside, a crowd
had started to gather around them. The press had quickly
arrived and were broadcasting live on-scene coverage.
Locals and holidaymakers were drawn to the spectacle, some
congregating on the beach, and others on the streets below
the tank’s steep dike walls. Many ascended the hill to get as
close as possible to the action. The ensuing fiesta atmosphere
betrayed the severity of the situation. Something very
unsettling was beginning to take place within the tank…

Ingredientes de la ebullición
What happened next was a situation that no-one was prepared
for. In fact, it was unprecedented. Both the NFPA and the
American Petroleum Institute (API) had long held the position
that no. 6 fuel oil, a refined product, was not subject to boilover.
This stance was substantiated by loss history and experimental
efforts to induce such an occurrence. Despite this, it is evident
that a boilover did occur that day.
With the loss of the tank roof in the initial blast, the resulting
Figure 3 – (Top to bottom)
open-top tank fire satisfied the last of three requirements for a
4. Loss of tank roof results in open-top tank fire.
boilover to occur. The other two ingredients; the presence of
5. Heat gradient starts to develop within tank as hot residues
water, and an oil with wide ranging boiling characteristics, had
sink.
been present all along.
6. Heat wave reaches water heel resulting in rapid expansion
There are many means through which water can accumulate
into steam. A violent boilover occurs expelling the tank
in fuel oil storage, for example via leakage of a steam coil, or
contents.
rain ingress through non watertight components. Although
there were some attempts to shift blame on the fire department
for applying water to the tank, these accusations were later hydrocarbon components, including both light ends and viscous
rebuked. The consensus appears to be that small concentrations residues, for a heat wave to be generated within the tank. In
of water in the fuel oil supply were expected as part of the an open tank fire of this nature, it is predominantly the lighter
marine bunkering. Over time, the water would separate into a components that are consumed at the surface. The unburned
layer that would be periodically drained; this operation had not heavier components, heated intensely by the fire, form a layer
been carried out for an extended period prior to the incident. which is heavier than the surrounding oil. Gradually, this hot
It is unclear why the water was not drained during the fire. dense layer sinks and grows within the tank. At around midday,
Perhaps the necessary valves were engulfed by the dike fire, or six hours after the initial outbreak, the heat wave had reached
maybe the precaution was not deemed necessary as a boilover the tank’s water heel at a temperature between 150 and 315
could not have been anticipated. degrees Celsius.
Contrary to what was believed at the time, it is apparent Initially, the water would have superheated beyond 100
that the heavy fuel oil fire in tank 8 had a sufficient range of degrees Celsius due to the hydrostatic head of oil above it.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Stewart.indd 4 30/03/2023 14:50:57

 Loss Prevention Bulletin 290 April 2023 | 5

And then, suddenly, the water would have flashed into steam,
expanding by as much as 2000 times, ejecting the contents of Tacoa expansion plant LEGEND
Power plant
the tank in a vicious eruption.
Original Exhaust stack
Tacoa plant Fuel oil tanks 8 & 9
Volcán hecho por el hombre
Water storage tanks
Those on the ground observed a gigantic fireball rise out Road
of the tank and into the sky. The intense radiant heat was Path of boilover
accompanied by a storm of searing rain. Burning oil spilled Arrecifes Elevation Contours
over the dike, pouring over settlements and through the power (20m intervals)
streets underneath the steep dike wall. Molten asphalt from plant Beach
the roads mingled with the oil creating a noxious mixture which SCALE
250m
continued to flow downhill, destroying everything in its path;
cars, fire trucks, helicopters. A small beach, some 300m from
the tank 8 was consumed in flames as those that could jumped
into the sea.
There are many harrowing accounts of the boilover; stories
of heroism, trauma, and great personal loss. The exact death
toll is unknown; however, estimates are in the region of 150. Of Figure 4 – Map of the Tacoa Power Plant and surrounds
these were 40 uniformed firefighters, dozens of civil defence recreated by author from google-earth, photos, and videos.
workers, 17 plant employees, 10 media workers, and scores Indicative only.
of civilians. The tragic events at Tacoa accounted for one
of the highest single incident losses of firefighters until this similar size and construction. After several hours of exposure,
unfortunate record was settled by the collapse of the World the roof of tank 9 lifted, but did not fully detach. Much of the
Trade Centre towers on 11 September 2001. extraordinary helicopter footage available online of the Tacoa
Whilst secondary to the human cost, the damage to property tragedy shows tank 9 on fire, whilst tank 8 lies blackened
was enormous at an estimated $50M USD ($150M in 2023 and crumpled on the hillside above. As a precaution against
terms). This included the destruction of 60 vehicles and most another boilover occurring in tank 9, the army evacuated
of the fire apparatus on scene, as well as fire damage to 70
40,000 people from the area. The second boilover never came
occupied dwellings. Miraculously, the power plants remained
and the fire in tank 9 burnt out two to three days later.
relatively unscathed due to their concrete perimeter walls.
The fire in tank 8 was extinguished by the sudden inrush
of air during the boilover. However, as the burning oil flowed
Mejoras en seguridad
over into the downhill containment dike, this resulted in a The events of 19 December 1982 left a permanent scar in the
sustained fire around tank 9, another heavy fuel oil tank of psyche of thousands of Venezuelans. The public demanded

Figure 5 – Image extracted from “Incidents that Define Process Safety” shows the aftermath. Both tank 8 (foreground) and tank 9
(background) appear blackened and crumpled. Notice the steep drop-off of the dike walls and settlements underneath.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Stewart.indd 5 30/03/2023 14:51:00

 6 | Loss Prevention Bulletin 290 April 2023

answers, however, these were not forthcoming. The official part of this shift, the facilities were renamed as the Josefa
report of the investigative commission was known to consist of Joaquina Sánchez Bastidas Generator Complex. In the years
six volumes, however only a superficial 12-page summary was that followed, Venezuela has suffered from a prolonged
released due to ongoing litigation around the incident. socioeconomic crisis, which persists to this day. With a lack of
Electricidad de Caracas made widespread changes to the government funds to maintain public infrastructure, it appears
plant following the tragedy. Aided by the completion of a that the generator complex has fallen into disrepair and is no
supply pipeline to the generator complex, the company shifted longer operational. In recent years, return of power generation
its dual-fuel turbines to run predominantly on natural gas. capability to Tacoa has become highly politicised against the
Tanks 8 and 9 were removed, and in their place was installed backdrop of a national generation deficiency and frequent
a huge, demineralised water reservoir to feed the boilers. The mega-blackouts. However, rumours persist that the plants are
fire protection systems on all other fuel oil storage tanks were being permanently dismantled.
upgraded to include a dedicated ring main and anti-spark The enduring legacy of the Tacoa tragedy is that the NFPA
systems. As further measures to eliminate potential ignition and API updated their guidance to recognise the potential for
sources, a hot work permit system was enforced, and smoking boilover in fuel oil storage tanks. This change has influenced
was prohibited throughout the plant. the safe design, operation, and emergency response of
The electricity provider also made improvements to the plants around the world. Whilst this is clearly a positive, it is
operation of its fuel oil import and storage facilities. Procedures disappointing that many of the other contributing factors from
were introduced to put more scrutiny on incoming marine this incident were never disclosed. By not sharing freely our
tankers; each cargo would be tested prior to offloading and if lessons learned, we do an injustice to those affected. Worse
the flash point was found to exceed a minimum limit, the load than that, we condemn others to a similar fate. Forty years on,
would be rejected. Similarly, systems were put in place to limit it is surely time for the official investigations to be made public,
the temperature generated in the storage tanks; at all times this and for Tacoa’s full story to be known.
was limited to at least 3 degrees Celsius below the minimum This article would have been much shorter had it not been
accepted flashpoint. This ensured that flammable vapours for the help of Rixio E Medina. I would like to dedicate it to the
could no longer be generated in the tanks. memory of his dear friend, boss, and mentor, Ibrahim Alfonzo
The company took extensive precautions to prevent the Ferrer. Ibrahim was the Corporate Manager of Industrial
escalation of future incidents. Emergency response plans Protection at Lagoven (formerly Exxon in Venezuela) and
were written up, regularly reviewed, and updated. Working was one of the many that perished in the Tacoa tragedy. I
groups were formed with local fire departments, bringing all also extend my gratitude to Miro Popić, Maikel Popić, and
parties together for the discussion of safety and training issues. Eric Omaña for the reference material they have generously
Additionally, a dedicated emergency brigade was established provided.
onsite. This was equipped with tankers, rapid intervention
trucks, and all other apparatus necessary to guard vigil over the
facility. Editor’s note
Ramin Abhari’s latest graphic
El capitulo final
novel depicts the events that
So, what has now become of the Tacoa power plant, 40 years took place at the Tacoa Power
on? The vital infrastructure of the Ricardo Zuloaga Generator Plant 40 years ago and can be
Complex went on to provide reliable electricity to millions of accessed at
Venezuelans for years after the incident. During this era, the https://www.icheme.org/
country’s generation and power grid was described as “the knowledge/loss-prevention-
envy of Latin America”. bulletin/free-downloads/
In 2007, Electricidad de Caracas was nationalised, bringing cartoons/lpb-cartoons/
its assets under the control of state-owned, Corpoelec. As

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Stewart.indd 6 30/03/2023 14:51:01

 Loss Prevention Bulletin 290 April 2023 | 7

Safety practice

Are all critical safety systems created equal?

David Black, Baker Engineering and Risk Consultants, Inc., USA
Background
Summary
Our company is engaged with helping operating companies
Industrial facilities generally embrace good practices related in the oil, gas, chemical, petrochemical, and related industries
to maintaining comprehensive Process Safety Information be at optimum readiness to respond to emergencies. Various
(PSI) and making sure that Management of Change policies approaches are used, but the effort often includes activities
include proper documentation updates. However, those such as protection system design reviews, fire hazard analyses,
practices are not necessarily applied uniformly to fire protective system inspections and testing, and policy/procedure
protection and emergency response assets and systems. development.
This can lead to significant problems when attempting
When clients are asked if they consider fire protection systems
to use fire and emergency assets or when conducting
to be safety-critical assets, the answer is almost without fail, “Yes,
inspections, testing, maintenance, or repairs (ITMR) of
of course.” The question typically asked next: “Do you maintain
these assets. This article will discuss the importance of
and document those systems with the same rigour as process
maintaining engineering documentation for fire protection
safety critical systems?” often receives very different answers.
systems and other emergency response assets by applying
If the answer is anything less than an enthusiastic “Yes!”
the same discipline and attention given to other PSI to
then there is likely an opportunity to make improvements in
ensure those critical safety systems are available when
the management and documentation of fire protection and
needed and function as intended.
emergency response systems.
Keywords: Fire protection, emergency response
Fire Protection Systems – typical documentation
findings
Introduction
All too often we identify major discrepancies in documentation
Global safety practices have evolved over the past 30
related to a facility’s fire protection and emergency response
years to include a strong awareness of the importance of systems. Typical discrepancies often include:
maintaining proper documentation. The best practices
ensure that unit design data, such as Process Flow • inaccurate, incomplete, or outdated firewater plot plans;

engineering
and design
Diagrams (PFDs), Piping and Instrumentation Diagrams • missing engineering documentation on firewater delivery
(P&IDs), operating procedures, etc., are rigorously systems such as water spray, deluge, gaseous suppression,
maintained and updated throughout the lifespan of a etc.;
facility, and that changes to critical documents are managed • multiple versions of critical documents, with significant
carefully through good Management of Change policies. conflicting information between versions;

systems and
procedures
Where there is regulatory oversight of process safety, • inspection, test, and maintenance records that lack needed
the maintenance of Process Safety Information (PSI) information or that are outdated.
documentation is a pillar of that regulatory structure.
The level of attention paid to a facility’s PSI may vary, but Firewater plot plans
most operating companies incorporate at least the following One of the most encountered discrepancies listed above is
basic tenants for their PSI: outdated or inaccurate firewater plot plans.
• Documentation is kept in an accessible location known Typically, a basic firewater plot plan should show, at a
to all stakeholders; minimum, a precise, accurate, and to-scale layout of the firewater
piping below ground; the precise locations of isolation valves,
• Documentation is strictly controlled to allow access to
hydrants/manifolds, and system risers; and the locations of fire
the information as needed, but ensures that no changes pump installations.
can be made without proper review and approval; In most cases, we have found that client firewater plot plans
• PSI document changes and updates are included in meet the basic needs as described above, but often omit other
the tasking associated with Management of Change important details.
(MOC) policies and an MOC task cannot be considered Better quality plot plans include additional details such
closed-out until the PSI documentation is fully updated as notations indicating the diameters and compositions of
to reflect the physical or procedural changes in the underground firewater piping, water spray and deluge system
operation. designed flow rates and pressures, fire pump designed flow rates

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Black.indd 7 30/03/2023 14:17:14

 8 | Loss Prevention Bulletin 290 April 2023

Figure 1– Firewater flooding at site

and pressures, firewater source details, types of isolation valves riser in the form of a placard or adhesive label. These details
(post-indicating, butterfly, etc.), and so on. are also provided on engineering drawings and specifications
Most often missing from the documents are adequate details that are usually delivered to the client when those systems are
regarding multiple isolation or control valves in close proximity commissioned.
to each other. This is especially problematic if the valves are not In the case of design drawings and specification packages,
properly labelled in the field, or if field labelling does not match experience has shown that these packages are often misplaced,
the labelling on the plot. This can lead to delays in isolating lines discarded, or simply “disappear” sometime after the system is
for critical repairs, as well as mistakes in closing a critical line installed. Attempts to locate system design data may take hours
during an emergency event. or days, if they are found at all.
In many cases, plot plans do not reflect all significant changes To help ensure that the most important data is readily available,
that have been made to the site’s firewater system after it was most professional fire protection installers will provide a rigid
originally installed. Piping additions, upgrades, or changes made metal placard with the design details stamped into it, then affix
to these systems are often not captured on the plot plan. In some the placard to the riser with a wire or other robust fastener.
cases, a single plot plan paper copy may have been updated In some jurisdictions, providing such labelling is required
(red-lined) to reflect changes, but other copies maintained in by applicable building or fire codes. This helps ensure that
the files or distributed throughout the facility do not show those important data remain on display at the point where testing and
changes. inspection parties are likely to need it most.
Other methods to post the design data on the riser usually
Delivery system documentation
involve an adhesive label applied to the riser pipe, with pressure
A plant’s fire sprinkler systems, water spray systems, or deluge and flow requirement data handwritten on the label in permanent
systems are usually designed to address specific needs of the ink. These forms of display are not as sturdy as metal placards,
equipment or area being protected. Systems are expected to but as long as the riser and sticker are kept clean, dry, and out
deliver a minimum density of firewater over a covered area of exposure to direct sunlight, the data can remain available and
based on the specifications used for the design. For example, readable for many years.
vessels containing Liquefied Petroleum Gases (LPGs) are often Unfortunately, hydraulic data placards can become detached
protected with an automatic water spray system designed to over time. Wires or other fasteners used to secure them to the
deliver1 0.25 gpm/sq. ft (10.2 lpm/m2). The required total flow risers can corrode or break, allowing the placards to detach and
rates and operating pressures for these systems are dependent fall to the floor in a riser room, potentially getting lost or thrown
on the sizes of the piping and nozzles used, the length of piping away.
throughout the application area, and other factors. The pressure Adhesive labels can wear out, or the adhesive can degrade
and flow requirements are often displayed on the system’s to the point where the labels detach, and they then often get
discarded as trash. Even if labels remain attached to the riser,
1
API-2030, “Application of Fixed Water Spray Systems for Fire Protection the ink can fade due to environmental exposure, smudge from
in the Petroleum and Petrochemical Industries”, 4th edition, American moisture or condensation (if a non-permanent marker or ink was
Petroleum Institute, Sept. 2014 used), or otherwise become unreadable over time.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Black.indd 8 30/03/2023 14:17:16

 Loss Prevention Bulletin 290 April 2023 | 9

Ultimately the system design data needs to remain available in Other types of system documentation
its original forms, thus the original engineering data package for
each system should be kept on file and updated as needed. While there are many other types of systems and categories
of documentation that are important to maintain, the above
Fire pump and water source documentation examples are amongst the most critical in a facility. The
discrepancies discussed above are amongst the most common
The heart of any water-based fire protection system is the fire types encountered during fire protection studies at operating
pump or pumps used to supply the necessary pressure and facilities.
flow to the delivery points. These pumps are among the most
Other types of systems that rely on important design, ITMR,
critical protective equipment in a facility, and their design
and related documentation include gaseous suppression
documentation, piping diagrams, ITMR records, etc., are
systems, mobile apparatus (fire trucks, trailers, etc.), fixed and
critical to keeping them operating as intended.
semi-fixed foam delivery systems, fire and gas detection, and
Fire pumps are designed and built to ensure that they
alarm systems, just to name a few.
perform in adverse conditions. The pumps and their
Vendors and contractors that provide and/or install these
prime movers (most commonly either an electric motor
systems are usually required to provide a full engineering
or diesel engine) are designed to specifications based on
package along with all operating and maintenance documents,
the requirements of the firewater application systems they
procedures, and cautionary / advisory documents related to
support. Fire pumps must be able to deliver the maximum
that system. Responsible parties in an operating facility should
expected firewater demand flow and pressure to ensure a fire
not only understand the documentation needed to care for
can be controlled with minimal escalation and damage. Failure
all the different protective systems employed in their facility,
of a fire pump or pumps during an emergency can mean the
but also ensure that documentation remains available and is
difference between success or failure of the response effort.
properly maintained.
Firewater demands can change anytime a new unit or
storage facility is built. Fire pump design details should be
reviewed any time a site undergoes a significant change to
Why documentation matters
ensure that the pump(s) and related components can handle Fire protection systems documentation plays an important role
changes to the firewater demand. in emergency response, system ITMR activities, training, and
Fire pump operational and performance testing also rely when planning site changes or expansions.
on the availability of accurate and up-to-date documentation.
Performance testing relies on knowing a fire pump’s design Emergency response
ratings for flow and pressure, since that is used as the Identifying and addressing gaps in documentation for fire
benchmark to determine if a pump is performing as intended. protection systems may not seem like critical priorities – that
The records of previous tests are very important to establish is, until you realise that you need that information urgently.
trends over time and to note any changes to the system that Emergency response situations always require urgent access to
may explain or help diagnose problems if they arise during the right information.
testing. During a fire there is rarely time to track down needed
In many cases, test records are maintained, but noted documents such as emergency response plans, fire pre-plans,
discrepancies recorded on those documents do not result in a firewater plot plans, etc. In the case of emergency response
work order or other action to remedy the noted discrepancy. plans and fire pre-plans, those documents help ensure that
critical tactical information is in the hands of responders and
incident commanders during the firefight, and it must be
available and accessible without delay.
In the case of firewater plot plans, the urgency may not be
as evident, but consider the case where a facility experiences a
significant explosion followed by a fire. Even a relatively minor
explosion can do significant damage to above-ground firewater
piping in the vicinity of the blast. Ruptured firewater piping is
like a cut in a major artery – the firewater can “bleed out” from
a ruptured segment and deprive intact portions of the system
of flow and pressure where it is needed to combat the fire.
To limit that impact, responders must quickly isolate ruptured
segments of the system and divert flows to surviving hydrants,
firewater monitors, and fixed systems.
Emergency responders must rely on accurate and detailed
firewater plot plans to find and operate the valves that will
“stop the bleeding” in the ruptured segments of the firewater
network. Without that documentation, isolation will be delayed
while they attempt to locate and identify the needed valves.
In a rapidly developing fire situation, this delay can turn an
otherwise manageable situation into a catastrophe.
Figure 2 – Firewater flow measurement Even during a less urgent situation, prompt isolations may be

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Black.indd 9 30/03/2023 14:17:17

 10 | Loss Prevention Bulletin 290 April 2023

necessary when there are unexpected leaks or breaches in a Expressly adding or including fire protection and similar
firewater system. In some cases, isolations may be preventive systems to your corporate or site policies governing PSI
– sections need to be isolated before damage can occur. For documentation will help ensure that your systems and
instance, during a sudden freezing weather event, segments documentation are maintained with equal rigour and
subject to freeze damage may need to be isolated and drained discipline.
to prevent freeze-related ruptures, and to keep other areas • Include fire protection, detection, and emergency
operational. Finding and operating isolation valves in this case response assets in your company MOC policy
may not be as time-critical as in a fire emergency, but without Ensure change management applies to protection systems,
access to a detailed and updated firewater plot plan, staff could just as it does for process equipment. This must include
spend unnecessary hours trying to locate, identify, and operate managing changes to documentation, just as is done for
the proper valves. P&IDs and operating procedures.
• Conduct periodic audits of protection systems’
ITMR activities documentation
Inspection activities require appropriate documentation Even well-intended facilities can let their attention to
to locate equipment quickly and accurately when needed protection systems lapse. The duties and responsibilities of
observations or measurements must be taken. Isolation valves staff cover so many details that not everything can always
need weekly or monthly inspection and exercising. Sprinkler or be an area of focus and diligence. Structuring periodic,
deluge risers need to be checked for valve alignments, proper focused audits of the policies and practices that govern
pressure readings, etc. fire protection and emergency response assets will help
Documentation becomes more critical during system identify areas for increased attention and improve the
tests. Plot plans and other forms of documentation help execution and outcome of policies.
testing parties better understand the kinds of results they
should expect from their tests and to aid in the diagnosis of Conclusions
unexpected test results. Maintaining good documentation and managing change
Maintenance and repair activities also rely on proper properly is just as important for fire protection and emergency
documentation to help plan repairs, stage activities, and ensure response assets as it is for process equipment and related
that the maintenance/repair activities don’t cause unnecessary safety systems. Unfortunately, fixed fire protection systems are
impairments to other areas of the facility. too often the “forgotten” assets in a site’s emergency response
toolkit. They are easy to take for granted.
How to maintain proper documentation and Instead of allowing fire protection systems to languish,
manage changes competing with process safety systems for budget and
attention, sites should align the two types of safety systems,
The following first steps will help establish the needed
managing them with identical sound policies and resources.
practices to keep fire protection and emergency response
This includes maintaining the appropriate documentation.
systems, and their attendant documentation, available and
To do otherwise leaves a site relying on the “tribal
updated.
knowledge” of emergency response departments to know
• Include fire protection, detection, and emergency where to find things, how they behave, what they’re meant to
response assets in your company PSI policy do, and how to take care of them.
Recognise that non-process safety systems and Tribal knowledge is always a useful thing but relying on it to
connected process safety systems have equal importance. keep your site ready for an emergency is an unnecessary risk.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Black.indd 10 30/03/2023 14:17:17

 Loss Prevention Bulletin 290 April 2023 | 11

Safety practice

Four conduct of operations best practices —

lessons learned from PSM audits
Adam M Musthafa, Indonesia
first at the drum before being pumped back to the production
Summary separator which in turn reduced H2S content in the crude oil
export.
Conduct of operations is the performance of operational
and management tasks in a deliberate and structured This practice was not communicated to the day shift.
manner1. The aim is to have predictable and consistent One day, the night shift operator kept the drain valve to the
personnel actions, capable and stable processes, and knockout drum open at the end of the shift. Liquid from the
reliable equipment and plant operations2. During process compressor scrubber slowly but continuously flowed to the
safety audits, we discussed with the frontline workers and knockout drum until it was almost full. Fortunately, the operator
observed workplace conditions and process equipment noticed it on time before the liquid overflowed to the flare
to understand how the organisation formalises the stack. He started both knockout drum pumps to normalise the
communication process, control equipment status and level and stop the flow from the scrubber.
process parameters and how operations activities are While this near miss involved some design issues, we
carried out. This paper discusses four positive conduct will focus on the handover process in this paper. Upon
of operations observations from process safety audits in investigation, one of the root causes was found to be that
various major hazard facilities. the handover did not include this specific event of manual
Keywords: Conduct of operations, shift handover, draining. Blaming the worker for not having the required
surveillance, logging conversation adds no value to the management system.
It is vital to dig deeper to understand why handovers are
sometimes ineffective.
During audits, workers were asked why some of these
Complete and high-quality shift/crew handover handover processes are not conducted properly. Usually, the
Shift/crew handover unfortunately is one of the processes frontline worker says that they are not given enough time to do
that is prone to become a tick-the-box activity. Over time, so. Personnel leaving their station to go off-duty will be always
shift changes can become incomplete, informal, or completely eager to leave, so there is time pressure not only at a personal
skipped3. Some audits have found that the shift handover level but also from peers, and especially so if the site worker
form is signed without discussion between the party utilises a common transport means like buses or transport
leaving the workplace and the one who will take over the vessels (offshore). Their concern is that if they spent too much
responsibility. In a major hazard facility, even a small mistake time discussing for handover, they will cause their colleagues
and miscommunication can lead to major consequences. That to have to wait for them at the transport.

systems and
procedures
is why safety critical communication like shift/crew handover
should not only include the exchange of information through Handover Meeting Shift Start Meeting
a standardised format, but also feedback and confirmation
that the receiver fully understood the information being Shift A to Shift B Within Shift/Crew +
communicated. Figure 1 shows the overall flow of information Crew A to Crew B Mandatory Reading
assurance

within a shift operation with the handover meeting being the

first critical meeting.
In an oil gas plant, there was a high potential near miss of
having high level at a flare knockout drum. The high-level Daily Coordination Meeting
alarm and trip function at the knockout drum was bypassed at
the time awaiting spare parts to repair the sensor. The night Production – Maintenance – HSE –
shift had a habit of draining the compressor scrubber manually Other Support Function
(remote opening of the actuated valve from the control
room) to the knockout drum to avoid the sour liquid taking
its normal route to the production separator. This was done
to reduce the consumption of the H2S scavenger and avoid
culture

Start the Day

out-of-specification export as the condensed liquid from the
compressor scrubber contained a significant amount of H2S.
By routing this to the knock-out drum, the H2S was flashed Figure 1 – Critical flow of information in operations

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Musthafa.indd 11 30/03/2023 14:44:51

 12 | Loss Prevention Bulletin 290 April 2023

Handover checklist Shift logs and structure round sheets

Guide the discussion to be structured and avoid missing topics: Facilitate discussion with actual data and time of occurrence on:
Any safety or asset integrity issues (incidents, near misses, and • Process parameters and identified anomalies (including
any unwanted events) critical alarms)
• Special activities conducted during the shift/crew • Specific equipment issues
operations • Structured round data collection missed/ not completed
• Ongoing, suspended, and terminated work permits • Specific events/ activities
(including lockout & tag out and change of locked valve
position)
• High-risk works precautions and specific instructions
• Bypasses of safety systems
• Discussion on the shift log and structured round sheets
(see next column)

Table 1 – Checklist and shift logs and structure round sheets function in handover discussion

Crew handover is more critical as the incoming personnel A handover is a form of safety-critical communication. The
may not be able to contact the outgoing crew if they leave organisation should consciously provide adequate time for this
the platform using a helicopter or transportation vessel. In process to be completed properly.
one of the upstream oil and gas plants, the time for handover
is formally set for a minimum of forty-five minutes. The Disciplined operational surveillance and
superintendent would formally declare that it is time for logging
handover when the incoming crew arrive, and everyone will
start the discussion together. Personnel will leave and go to In addition to monitoring the information available in the
the transport together once all personnel have completed their control room, operators should physically inspect their
handover properly. equipment on regular tours or rounds1. Operations surveillance
Checklists, structured round sheets, and shift logs are used or structured rounds is a means of early identification of any
to guide the discussion (see Table 1). The handover checklist abnormalities, deviation from the normal operating condition,
will guide the discussion to be structured and avoid missing and potential equipment degradation. Operator round sheets
information, while the shift logs and structured round sheets typically document the status/condition of field equipment
will provide additional information related to the time of every few hours2. During the surveillance or structured
occurrence of specific events, activities or parameter reading. round, the operator usually also conducts field data collection
For operators, this handover not only includes the parameters (especially those not nodes at control room/ DCS), performs
and activities conducted during the shift but also the anomalies basic equipment care, and conducts a visual inspection of the
they faced and what action had and had not been taken. The equipment for any signs of degradation.
handover form will also be submitted to the supervisors not The commonly identified weakness is not having a structured
only to verify that the process had been completed but also and formal expectation, procedure, and form to conduct
to allow the supervisor to give additional feedback and or the surveillance and logging. Some operations let each unit
information in case something is missing. develop their own format of logging form with different levels
In cases where outgoing or incoming personnel are not and scopes of surveillance. Other operations do not specify
able to conduct the handover in person, the personnel shall the frequency of surveillance or structured round, and in this
inform the outgoing production supervisor. The handover form situation, it is generally found that the practice degrades over
should still be used, and later the supervisor will hand over time. In the worst scenario, the operator just writes the same
the information to the relevant personnel accordingly using parameter with the morning reading without reading the
the same form. When there is complex work or a situation that gauge/ indicator again at the site.
requires the personnel to be at the site together to discuss, In one upstream oil and gas site, the structured round is fully
they will inform the supervisor or superintendent to provide defined with the recommended route, checklist of equipment
more time for them to go and discuss at the specific location. to be visually inspected, what to inspect, the frequency

System/ Acceptance
Action Frequency Response to deviation Observation
Equipment criteria
Gas generator Record gas 3 / shift Normal operating Report to the supervisor
(GM-101) exhaust range is 700-
temperature 850oC Initiate investigation

Inform the instrument technician

to confirm instrument accuracy

Table 2 – Example of structured round checklist

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Musthafa.indd 12 30/03/2023 14:44:51

 Loss Prevention Bulletin 290 April 2023 | 13

at which each piece of equipment needs to be inspected, for people to depend on each other and assume it is “someone
acceptance criteria for the visual inspection/checks, and else’s” responsibility2. This resulted in “nobody” assuming any
response required in case deviations are identified (see Table 2). responsibility in case any anomaly needed to be attended to.
By having the acceptance criteria and action to be taken In another organisation, the responsibility to maintain and
written, the operator gets “why” the structured round is coordinate process hazard analysis (PHA) was given to process
required and important. When people understand the “why”, engineers (three of them available with one manager). While
they take the task more seriously. The acceptance criteria given the manager was accountable, they did not have the time to
also shifted some level of decision-making and analysis to the be the administrator of the system, and ultimately there was
frontline level, increasing their engagement level and helping no systematic implementation as nobody was specifically
the organisation to identify signs of weaknesses early. maintaining the system. Each engineer waited for the manager
The implementation of the structured round is also measured to instruct them to do a specific task on maintaining the PHA
and verified periodically. The number of deviations to planned system. During the audit, no approved PHA facilitator list had
round frequency and the number of deviations identified been developed. No refresher training for the PHA system
during the round are measured as leading indicators. The was conducted. There was no risk communication conducted
indicators are reviewed by management periodically and once the PHA for a particular plant was conducted to
intervention is given whenever there are signs of weakening relevant personnel. Only tracking of HAZOP action items was
implementation discipline. Not only have the surveillance and conducted as part of PHA system administration.
logging become consistent, but they also become a reliable In an organisation with clear roles and responsibilities, each
system. equipment group was assigned an equipment owner. The
list of owners was posted and everyone in the organisation
Clear roles and responsibilities knew to whom they should discuss if they had concerns,
questions, or needed to modify something. The same thing
Workers should clearly understand their authority,
was implemented for systems or business processes. These
responsibility, and required interfaces with other work groups2.
owners and delegates not only had personal ownership and
Everyone must understand clearly and acknowledge their
accountability of the system but also become the subject
responsibility. All equipment and system/business processes
matter expert on each equipment and/or system. Overlapping
should be “owned” by a competent person who is responsible
responsibilities are identified and eliminated. A simple
for monitoring and verifying the equipment or system’s health,
tabulated list approved by senior management can be very
managing any changes and modifications, and maintaining the
effective to set and communicate this accountability (Table 3).
equipment’s integrity and system effectiveness. The ownership
should be as specific as possible. This should not be a group
of people, for example, “process engineers”, or the ownership
Proactive process safety observation program
will degrade. Unsafe condition and unsafe act reporting where personnel
In one of the audits in a utility plant that has multiple conduct a walk or observe a task being conducted and identify
systems, three panel operators were working together. Upon positive and doubtful/ unsafe items has been a best practice
being asked who has the final responsibility to attend to any of in industry for more than 30 years. However, one aspect that
the boilers, gas turbines, nitrogen generators, waste treatment, most organisations are still struggling with is how to implement
and firewater system, the operators responded that all three a similar program in process safety.
shared the same responsibility. No one was assigned to There is no doubt that process safety and asset integrity
particularly take responsibility for any specific unit. would benefit from the same observation program. However,
For a major hazard facility, such arrangement should be the challenge here is not that people do not care about
avoided. Even when the work can be shared in day-to-day their equipment, but that they do not know what to report.
operations, each operator should be given a specific unit that Some personnel may struggle to identify what constitutes
has their “ownership”. When the ownership is distributed and an equipment integrity issue. Others who are trained and
everyone needs to look after everything, it is quite common experienced may have seen the same condition for years

Integrity owner Manager

Equipment group
Name (position) Name (position)
… … …
… … …
… … …

Process safety management System coordinator System coordinator

system elements Name (position) Name (position)
… … …
… … …
… … …

Table 3 – Example of equipment integrity owner and PSM element coordinator/owner list

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Musthafa.indd 13 30/03/2023 14:44:51

 14 | Loss Prevention Bulletin 290 April 2023

that they no longer have the sensitivity to such issues. Some observations that were process safety-related were monitored
may even be reluctant to see or admit to degrading critical to understand personnel awareness and the imperative of
equipment as an issue (status quo bias). process safety.
In one of the audits, one chemical plant published a booklet
to help people identify asset integrity issues during site visits Conclusions
and safety walks. This booklet not only helped newer workers
Conduct of operations is about how to make daily operations
to identify issues with asset integrity at an earlier stage but
and operations management tasks structured and systematic.
also refreshed more experienced workers on what good
This paper discussed some best practices from various major
equipment working conditions should look like. Some of the
hazard facilities. Firstly, the organisation should invest time
examples shown in the booklet included:
and resources (to develop proper tools) to enable complete
• proper drain and vent or piping with end cap/blind and high-quality shift/crew handover to happen. Secondly,
• picture comparison between acceptable vs non-acceptable disciplined operational surveillance and logging requires
corrosion levels on the valve, piping, and other equipment properly designed sheets with adequate information such as
acceptance criteria and action in response to any deviation.
• drain valve with splash guard for hazardous service
Thirdly, clear roles and responsibilities should be established in
• picture comparison between cracked fireproofing or safety-critical activities, including maintaining barrier integrity.
damaged insulation vs fireproofing and insulation in good Finally, to allow the organisation to implement a proactive
condition process safety observation program, the collective competency
• picture comparison between proper bolting vs long and/ of the organisation should be enhanced by providing the
or short bolting on joints and other relevant equipment right tools and information to allow them to contribute to the
• picture comparison between properly supported program.

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
instrument/equipment vs long non-supported instrument/
equipment Reference
HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
• picture of how junction boxes and the electrical enclosure
should look like (complete bolting, proper sealing, etc.)
1. Center for Chemical Process Safety. (2007). Guideline for

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
Risk Based Process Safety. Hoboken, New Jersey: John
• lifting gear with proper colour coding Wiley & Sons, Inc.

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
• correct position of valves (inlet and outlet block valves of 2. Center for Chemical Process Safety. (2011). Conduct of
PSV should be locked open) Operations and Operational Discipline. Hoboken, New

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
• fire extinguisher pressure is acceptable based on the Jersey: John Wiley & Sons, Inc.
green-coloured area or other visual cues on the pressure 3. Center for Chemical Process Safety. (2018). Essential

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
gauge. Practices for Creating, Strengthening, and Sustaining
Process Safety Culture. Hoboken, New Jersey: John Wiley

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
Leaders should encourage the reporting of bad news3. By
having more people engaged in observing and raising process & Sons, Inc.
4. Center for Chemical Process Safety. (2007). Risk Based

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
safety and asset integrity issues, anomalies and equipment
degradation can be identified earlier. In this organisation, Process Safety. Hoboken, New Jersey: John Wiley & Sons, Inc.

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD

Hazards33
HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
co

C nt a y
nt
al c

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
e M
l f lo
19

or se

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
7–9 November 2023, Birmingham, UK
s

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
Join the major hazards community at Hazards 33 to:

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
connect with your peers build networks share good process safety practice

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
Hazards 33 will promote sharing and learning in process safety via:

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
technical presentations█ facilitated discussion/Q&A
█ exhibition stands █

plenary speakers █ workshops █ networking/social time

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
█

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
IChem

Find out more and register online.

E
Safe

www.icheme.org/hazards33
HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
ISC
LPB 290

e
ty

t
Cen

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD © Institution of Chemical Engineers

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
0260-9576/23/$17.63 + 0.00

HAZARDS33HAZARDS33HAZARDS33HAZARDS33HAZARD
290Musthafa.indd 14 30/03/2023 14:44:56
 Loss Prevention Bulletin 290 April 2023 | 15

Safety practice

Ageing plants — corrosion is the real enemy

but there are other problems (Part 2)
Robert Canaway, Suregrove Limited, UK
refinery was shattered into 4000 pieces (17 August 1999 – 7.6
Summary magnitude).
Much has been written about the ageing of plants and Passive fireproofing
concerns have been raised about the useful lifespan of
industrial plants. This has arisen because most companies This decays with time due to moisture ingress (particularly
have had to prolong the deployment of their facilities where freezing conditions occur during winter). The ice
beyond their intended life due to: formed expands and lifts the passive fireproofing away from
the structure – the trapped water causes structural corrosion.
• worldwide growth increasing demand for products There is some progress in using different materials such
• prohibitive costs for new replacement plants as mastics in place of the concrete, but the compound has
• state employment requirements to be non-flammable, must not melt under severe ambient
• sales (often complete plants) to buyers conditions or heat generation, and be cost effective.

The main concerns are corrosion, erosion, wear and tear and Obsoleteness
obsoleteness. This has accelerated with advances in electronic systems. A
Corrosion is the real enemy costing owners millions per good DCS system will often last less than ten years even when
annum in every country. It is one of the most potentially upgrades are applied.
damaging losses to any commercial, private, or industrial

engineering
Some in-line instrumentation cannot be rectified unless

and design
property. An estimated one-sixth of all new worldwide steel the plant is shut down (with extended periods between
production is used to replace corroded metal — corrosion turnarounds this has become a concern).
problems are increasing in frequency and severity, not It is interesting to note that some older systems still in use
decreasing. The reasons for this are declining material today have, in fact, a higher reliability than some of their
quality (cheaper, less sustainable products are demanded modern counterparts as they were ‘built to last’.
for plants under design/construction) and inadequate
corrosion control engineering combined. Poor material selection
Keywords: Corrosion, ageing plant Cheap materials used for corrosive services (e.g., sour water
strippers processing water containing acetic acid are often
constructed from carbon steel). Where the acid condenses
Critical aspects which can lead to failures and will eventually lead to vessel failure.
remedial measures (continued from Part 1) Poor quality steels with high impurities represent an
opportunity for corrosion to progress. Change of process
Firewater systems conditions which cause accelerated deterioration (more
Systems in older sites may have been designed with poor severe temperature, pressure, acidity, alkalinity). High sulphur,
deluge coverage (e.g., sphere or bullet wettage). There are acidic or salty feedstocks require material upgrades to avoid
guidelines in NFPA for the water rates in litres/m2/min and rapid deterioration.
the items to be deluged. Firewater systems often leak though The use of material selection process/utility diagrams or
corrosion as the headers are buried underground. Modern corrosion identification PFDs/UFDs is highly recommended.
sites tend to use non-metallic firemains but these are of low In most mature plants the corrosion areas are known by the
strength. One aspect which should be evaluated is subsidence operator/owner.
and collapse of ground through instability particularly from Figure 1 a is a typical flowsheet marked up to indicate
an earthquake event. For example, the firemain at Izmit expected high corrosion areas.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 15 30/03/2023 14:21:03

 16 | Loss Prevention Bulletin 290 April 2023

Naphthenic H2S/
Acid Recycle H2 Sulphidation Difficult areas to inspect –
Naphtha unfortunately these areas
Flash Gas
may experience the highest
1st Stage HP Amine
VGO
Reactor Absorber corrosion rates

Kerosene

Reactor Effluent Air Hot HP Cold LP Main

Cooler (REAC) Separator Separator Fractionator
Ammonium
Bisulphide Distillate

2nd Stage
Reactor
Tower

Unconverted Oil

Figure 1 – High corrosion areas identified on PFDs Figure 2 – Tower top

Difficult plant areas so a section can be removed and replaced.

Some operators use patch welded repairs which is not
Difficult plant areas e.g., vertical pipework for overhead lines
recommended for pressurised services – even for water services.
which can corrode but cannot be easily inspected due to the
Patch welds will corrode at the welded edge and are not
elevation and compactness against the vessel top section.
completely reliable.
A dead leg register for a site might contain 15000 items
which should be eliminated.
Control rooms and substations
Pipelines Upgrading existing facilities requires a thorough study to
ascertain the following:
Pipelines are particularly vulnerable when they are subject to:
• The true blast resistance of the building in bar which may
• inadequate cathodic protection (none fitted or failure to
vary from 0-0.7. Explosion prediction models can then
operate)
be used to generate pressure contours (allowing for an
• a change of soil conditions along the route accidental gas release, cloud drift and delayed ignition). If
• stray electrical currents close-by the predicted overpressure is larger than the building design
• biological effects parameters, then the building will not withstand the explosion
• water crossings, beach approaches forces. Re-constructing the building may be impractical
• stressing (cost prohibitive) so the options will be relocation to a less
hazardous area or construction of an annex which will be able
• blockage from hydrates, wax
to survive a blast situation. If DCS is replacing an old control
• low points allow water accumulation on the bottom system, the space required is often considerably less and this
segment may be a suitable option (control room personnel safety and
• gas lines may be subject to ‘slug-flow’ which occurs after systems protection).
cooling of the gas and formation of liquid. • Control rooms, substations and plant buildings with poorly
Also, in mature sites there may be buried lines and accidents sealed non-gas-tight doors and cable transits expose ignition
have occurred when excavating ‘live lines’. sources and create hazardous enclosures. These deficiencies
Repairs using clamps and wrapping which vary enormously. are often found on ageing plants and should be corrected.
A simple G-clamp used to squeeze the pipe to prevent Positive pressurisation inside each building will prevent toxic
leaks, sealing compound and wraps are used in low pressure and/or flammable gas ingress.
services. Welded sleeves can be used where the repair can • Poorly designed HVAC systems encourage gas ingress and do
take the maximum allowable working pressure, but these not remove heat generation from electrical devices causing
are expensive (a 48-inch line 100 bar pressure rated welded them to overheat. Often the design did not cater for heat
sleeve might cost USD 500000). dissipation and the high ambient temperatures experienced
All piggable pipelines should be checked by an intelligent at various locations in the world. Buildings should have clean
device every five years. The device travels along the route to air intakes facing away from the process and also dampers
find wall thinning and once this is ascertained to be a risk to activated by in-line gas detectors. If the building is under
the design pressure the pipeline should be re-rated and/or closed air condition, then the heat rise should be calculated to
repaired. Pipelines are often constructed using 23 m lengths find out whether the equipment can still function properly.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 16 30/03/2023 14:21:04

 Loss Prevention Bulletin 290 April 2023 | 17

Damper in
ducting Gas Detector
Block valves (locked open) often corrode (liquid
accumulates at the valve), and they need to be repositioned
(or rotated) to eliminate pockets (refer to API codes).
Plant AHU Fresh Air Relief devices including pressure relief, bursting discs can
also fail due to worn out parts or fouling, it is useful to run a
pre-pop test on all valves and produce a schedule of failure
Could install a metal
box escape facility with Old numbers. This should be lower than 1% but if it is up to 10%,
own BA air supply and control
provisions for 50 people increased frequency of testing is required (i.e., shorter time
building
intervals between inspections). Testing should always be
carried out on the ‘as found condition’ not after cleaning up.
Figure 3 – Control building requirements Some older sites have process areas, spheres or bullets
which are not connected to a flare relief system. It is a safer
• Use of polyurethane sealers for cable entries is to be option to connect to a flare system for relief cases and
avoided – this type of sealant is flammable and porous environmentally better. There is often no or limited duplicity
(with age). in older sites. The reason for this is that turnarounds were
more frequent, and these were then serviced every two years.
Boilers/furnaces7 In modern units some plants run in excess of three years
between turnarounds. It is not recommended to allow any
Boiler/furnace condition deterioration begins with loss of
PSV to remain in place over 36 months between tests.
firebox integrity, and this can cause hazardous situations as
Relief caseloads should be re-examined to ensure the relief
air ingress results in the formation of explosive gas mixtures
valves are of sufficient capacity versus the latest codes.
(start-up) and obviously tube condition – pin-hole leaks, stress
corrosion at hairpin bends, cracking of tube walls caused by Blowdown (depressurisation systems) are usually designed
over-firing. There is a useful life standard; 20,000-60,000 to API 521 where the pressure should be reduced to 50%
hours before replacement is typical. operating in 15 minutes or 7 barg. The blowdown loads
are split into fire zones (segments) so that a phased plant
Cross connected flue gas ducting is often found which can
shutdown will not overload the flare system.
lead to operational problems for the stack and furnace and
also increased lining corrosion.
Operators should make sure that there is enough dilution
Drains/Sewers9
steam capacity to lower temperatures and prevent damage. Problems occur with sludge or blocked gullies. In one case in
Sometimes older plants are found with primitive burner South America the owner decided to excavate their sewers
management systems which have poor interlocking of safety after 60 years’ operations – there was over 600 tonnes of
devices. All fuel lines should have double isolation (not using hydrocarbon sludge/soil in the sewer.
the control valve as one blocking valve). Rainwater drainage on mature sites should be checked
when pooling occurs as this indicates the laterals are blocked
Heat exchangers with silt. If the plant does not drain the water will create a
humid atmosphere and enhance external corrosion of the
Shell and tube exchangers can be subject to fouling, and this
plant and damage to the passive fireproofing.
creates an environment for plugged tubes, corrosion and/or
erosion. Besides foliage growing in drainage gullies other debris can
accumulate such as gloves, plastic, solid product and so on. A
Condition of stab reboilers (flanged mounted on column) is
flow test (using firewater) will determine blockage points.
also a concern as the tubes often develop unnoticed failures
and the design cost saving is not warranted.
Plate exchangers are often noted to develop leaks with
Offshore facilities/jetties
ageing. They offer a neat space saving solution in some Marine facilities require special attention – due to the
services but are not as robust as shell & tube designs. high risk of corrosion from chlorides and water interfaces.
Air coolers have poor mechanical strength and may not be Uninterrupted painting coats are required, neoprene sleeving
robust enough for any significant changes in temperature or for jacket legs extending 3 metres above the sea level and
pressure (when revamping the plant). below can be used.
Marine growth (barnacles) which form a thick layer will
Flare/vent/blowdown increase the drag around the structure. Unfortunately, due to
river and ocean pollution many facilities can suffer blockages
Older plants often do not have any spare capacity in their relief
including the firewater pump caissons. Seawater/river water
systems so connecting more or increased relief loads requires
for cooling must be equipped with filtering systems which are
expansion of the collection system. There is some benefit in
capable of removing trash.
using balanced pressure safety devices to cater for higher
back pressures.
These systems are also subject to slow corrosion caused
Water systems11
by sulphur/chloride deposits condensing in the pipework. Any metallic system which handles, processes or stores water
Often material selection needs to be upgraded in plants with in any form will corrode. The main concern is that these areas
acid gases. Turning to Incoloy for flare headers is extremely are usually left until there are flooding issues because water is
expensive. not deemed a hazardous substance. By the time rectification is

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 17 30/03/2023 14:21:05

 18 | Loss Prevention Bulletin 290 April 2023

applied the system can often be beyond repair. Refrigerated tanks often are double wall with insulation
Many operators are deploying polyethylene or between. The insulation deteriorates with time and needs to
polypropylene piping: be replaced or supplemented. This can often be seen by ice
formation on the outside wall in areas where the insulation is
underperforming. Double or triple walled tanks should not be
Mechanism Failure cause Repair action de-commissioned unless they have exceeded their approved
lifespan or problems have been detected. Warming up and
Internal corrosion – Acidic or alkaline Low pressure systems
re-cooling stresses the tank welds and may contribute to
resulting in deep pitting conditions, free water can be replaced with
promotes corrosion, PE or PP failures. Normally these tanks are in clean/dry service so the
oxygen ingress, light inner tank should not corrode.
rust congregating in
Cup tanks (which have an outer bund for spillage retention)
dead legs, low points
should always have annulus drains for removal of rainwater.
External corrosion – Weathering (rain, Low pressure systems
bare surface pitting snow), humidity or can be replaced with Inspection of tanks is a difficult task requiring careful
water spray causes wet PE or PP scanning of all areas. The use of polymer-based coatings for
conditions, change of the bottom 2-3m is often helpful in controlling water-based
soil line conditions for
buried lines
corrosion.

Pressurised storage
The advantage of substitution to polymer material is the Spheres and bullets are more resilient to corrosion. This is
elimination of corrosion (non-acid services, moderate because they are usually handling water-free clean products
temperatures and pressures) but these materials do not have and the product vapour pressure maintains an oxygen
high strength and can be damaged by vehicles being used
free environment. The main concern is when these items
on-site (cranes and maintenance vehicles).
are insulated, and the storage temperature is lower than
ambient. Water condenses under the insulation resulting in
Leak detection on pipelines pit corrosion.
Basic material balance devices cannot pick up small leaks Particular attention needs to be paid to the condition of the
due to accuracy limitations. Significant leakage is detected shell welds (completeness and any corroded areas), the leg
by pressure loss or gas detection. There are guidelines for joints (where they are attached to the shell) – a deflector plate
re-pressure testing. Attempts to counteract loss of pressure by can be installed. Inspection should check for corrosion under
increasing flow is the wrong selection (reference Ufa LPG leak the fireproofing coating to avoid collapse (some spheres
4 June 1989 where trains ignited an LPG leak in a valley). develop longitudinal cracks in the legs due to corrosion
caused by trapped water). Elimination of flanged connections
Fire/gas detectors and small fittings below the liquid level should be considered.
Mounded bullets (buried in soil) are often deployed to
These should be regularly tested and replaced as the detector
avoid the risk of Boiling Liquid Expanding Vapour Explosion
often becomes poisoned by atmospheric pollution. Many
(BLEVE); however, inspection is difficult to find corroded
older sites have ‘common fault’ fire and gas alarms which
areas.
indicate a malfunction but do not identify the precise location
(detector number). It is interesting to note that newer designs BLEVE (Boiling Liquid Expanding Vapour Explosion) risk
often have twice as many detectors in the field than older can be eliminated by drainage away from underneath the
designs. sphere or bullet shadow and routing spillage to an open
impounding pit.
Atmospheric storage tank floor plates
Steel structures8, 9, 10
corrosion
All steel structures will eventually corrode normally at high
Atmospheric tanks corrode at slow rates – usually from water
stress points, welds, bolted connections and at ground
being present over the floor plates and this causes pitting
interfaces. These should have been adequately painted
(see case study 2). This is accelerated by floor plates being
during construction and also regularly repaired. When
in contact with the underlying soil and moisture (absence of
revamping a mature site, the weight loading may increase,
insulating barrier). API recommends that an internal inspection
and additional supports are required.
should be carried out on a ten-year cycle unless inspection
Most warehouses are built using a structural frame and it is
data dictates otherwise.
the roof which is likely to suffer weathering and/or corrosion.
Roof corrosion occurs on unpainted surfaces and underside
Many occupied buildings are built of reinforced concrete and
where condensation deposits chemicals such as sulphur. Tank
have a long lifespan.
shells are more resilient but there can be corrosion at the
circumferential weld between the shell and floor plates.
Scanning of the floor and annular welds should reveal
Caverns/underground facilities
anomalies but even this is not 100% reliable. Leaks for Caverns and undersea voids are suitable for storage of
products are often detected by site personnel (smell or hydrocarbons, waste gases. However, they have a finite
observation). lifespan before leakage occurs.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 18 30/03/2023 14:21:05

 Loss Prevention Bulletin 290 April 2023 | 19

Dust accumulation platforms which are subject to aggressive sea conditions

and topsides exposed to increased sea wave height.
Many processes generate dust and in confined locations
this may become airborne and be ignited to cause severe The key decision will be whether to continue operation or to
explosions (see case study 4). Dust accumulation particularly retire the facility.
in confined areas such as buildings is always a risk and a health
Retirement is usually based on:
hazard.
• declining demand for the products from the plant
Concluding remarks • the costs to continue and the net profit
This paper illustrates some of the key aspects in assessing the Decommissioning can be expensive (removal of offshore
condition and corrective measures for ageing plants. structures) and demolishing and removal of existing plant is
Areas which require particular attention are: often demanded by authorities.
• Condition of the facilities in particular the remaining Key identifiers
thickness of all pipework, vessels, towers, drums, internals,
and the expected lifespan. Inspection data is essential to • Change of feedstock and its impact on the existing plant,
assess the plant status. e.g., switching from a sweet crude feed to one which has
• Any record of thermal cycling — too many startups / high sulphur or contains naphthenic acids.
shutdowns – a new ethylene cracker which experiences • Change of processing conditions – higher pressure,
20 SUs or SDs in its first year will have aged ten years. temperature, concentration, e.g., increasing the partial
• Exposure to abnormal process conditions (severe pressure pressure of hydrogen bearing streams, solids such as sand
or temperature and/or change of composition or flow rate entering the plant.
of processed fluids). This may alter the erosion/corrosion • Inadequate inspection data. Some sites have little or
rates significantly. no data on the condition of lines, pipelines and the
• Weathering – particularly on coastal plants (jetties and equipment; vessel nozzles may be in poor condition.
structures which enter the sea; or are exposed to saliferous Three sets of thickness measurements are needed to be
environments and high ambient temperatures). able to trend the corrosion rate.
• Submerged structures (such as support jackets which • Poor testing regimes for valves, infrequently operated
corrode or can collect marine growth causing drag systems.
effects). • Inadequate ‘mothballing’ activities to protect unused plant
• Flooded jacket steel structures members in offshore from corrosion and deterioration.
• Poor storage of delicate spare parts, e.g., failure to store
rotors for compressors in accordance with manufacturers’
instructions.
Figure 6 – Retirement point • Incorrect gaskets, blind plates which do not meet the
pressure rating of the line.
Net Profit v Maintenance • Mismatch of materials particularly bolted connections.
Note: the wrong bolt sizes are often found, short bolting
40
Retirement Point?
and high stress levels caused by incorrect torquing
35
30
procedures.
Millions of USD

25 • Operation of systems, items way beyond their intended

20 working life, e.g., bolted aluminium reboilers where
15 connections have deteriorated due to the softness of the
10 material should have been replaced every 15 years but
5 are found to have been in place for 30 years plus.
0 • Obsoleteness – non-availability of plant components –
0 10 20 30 40 50 60
leads to failure to replace instruments which are defective
Lifespan Years (or using inferior replacements).

Once the maintenance costs including any ongoing

Case studies
repairs approaches the net profit it is usually time to retire About 70% of losses occurring in industry can be traced back
the plant. Any reduction in profit (for example a declining to corrosion and most of these are concerning pipework
oil reservoir with higher water production) may lower the failures releasing flammable materials which ignite and
net profit) but unfortunately maintenance costs do not go cause serious fires/explosion. Corrosion can be prevented
down with age. but this requires investment in comprehensive inspection
Some plants may be energy inefficient indicating a and corrective maintenance. There are other problems such
revamp is required to recover more of the waste heat or as retention of obsolete designs which should have been
more modern equipment which uses less energy. replaced, and inadequate control /monitoring systems or
allowing dust accumulation.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 19 30/03/2023 14:21:05

 20 | Loss Prevention Bulletin 290 April 2023

Case Study No.1

On 22 November 2016, an isobutane release and fire
seriously injured four workers in the sulphuric acid
alkylation unit at a refinery in Baton Rouge, Louisiana.
During removal of an inoperable gearbox on a plug valve, Holes Pits
the operator performing this activity removed critical
bolts securing the pressure-retaining component of the
valve known as the top-cap (see illustration). When the
operator then attempted to open the plug valve with a
pipe wrench, the valve came apart and released isobutane
into the unit, forming a flammable vapour cloud. The
isobutane reached an ignition source within 30 seconds
of the release, causing a fire and severely burning four
workers. Pits

Handwheel Gearbox Holes

The tank inspection was inadequate for ageing tanks

and the advanced pit corrosion was not identified. This
Support Valve Stem eventually made two holes in the bottom plate allowing a
Bracket toxic chemical to be released into the environment.

Case Study No.3

Top-Cap
On 23 October 2009, a large explosion occurred at
the CAPECO facility in Bayamón, Puerto Rico, during
offloading of gasoline from a ship. A 5-million gallon
aboveground storage tank overflowed into a secondary
containment dike. The gasoline spray formed an aerosol,
resulting in a large vapour cloud that ignited after
This type of valve should have been replaced or clear reaching an ignition source in the wastewater treatment
working instructions should have been given to the area of the facility. The blast and fire from multiple
maintenance crew. secondary explosions resulted in significant damage to 17
Warning signs are useful to indicate direct connections of the 48 petroleum storage tanks and other equipment
to the internal process for this type of configuration, but onsite and in neighborhoods and businesses offsite. The
the best risk reduction measure is replacement. fires burned for almost 60 hours. Petroleum products
leaked into the soil, nearby wetlands and navigable
waterways in the surrounding area.

Case Study No.2

A chemical storage terminal tank leaked in Charleston, a) Manual tank gauging
West Virginia on 05 November 2017 and contaminated
the local water supply leaving thousands of residents
without clean drinking water. The 20-foot-diameter Float
tanks were most likely constructed in the late 1930s. and Tape
The cylindrical shell and cone roof were of an obsolete,
single lap-riveted construction. The tanks contained a
0.25 inch lap-welded bottom that inspectors estimated
to be a replacement for the original lap-riveted bottom. b) Automatic Tank
Gauge (ATG)
The bottom interior of tank 396 was found to have deep,
isolated pits or crevices near the shell (side) of the tank
in addition to two holes on the tank floor, approximately Side Gauge
0.75 inches and 0.4 inches in diameter, which were the
source of the leak.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 20 30/03/2023 14:21:08

 Loss Prevention Bulletin 290 April 2023 | 21

Purchasing aged facilities

Multiple physical causes contributed to Tank 409 overfill:
Before acquiring assets from an owner, due diligence should
• Malfunctioning of the tank side gauge or the float be undertaken. In particular, examination of all inspection
and tape apparatus during filling operations led to records and the plant availability data, review of the
recording of inaccurate tank levels. maintenance budget over the past five years, the loss record
• Normal variations in the gasoline flow rate and including near miss register and actual losses both in terms of
pressure from the ship without the facility’s ability physical damage and business interruption.
to identify and incorporate the flow rate change in
real time into tank fill time calculations may have References
contributed to the overfill.
1. Plant Ageing, Management of equipment containing
• Potential failure of the tank’s internal floating roof due
hazardous fluids or pressure, HSE Research Report
to turbulence and other factors may have contributed
RR509, HSE Books, 2006
to the overfill.
2. Plant Ageing Study – Phase 1 Report, ESR/
No independent D0010909/003/Issue 2, A Report prepared for the Health
separate overfill
maintenance programme

and Safety Executive, 27th February 2009

Lack of formal discharge

prevention
measurement prone
Float and tape level

No high level alarm

safeguards
Computer system
card unreliability

3. Energy Institute Document “Guidance for Corrosion

Hourly readings

and transmitter

No preventative
of tank level by

Management in Oil and Gas Production and Processing”

procedure
to failure
operator

4. NACE Corrosion Engineer’s Reference Book, 3rd Edition

Overfill of Tank 409

5. API 571, Damage Mechanisms Affecting Fixed Equipment

Initiating
event in the Refining Industry
6. HSE Research Report 076, “Machinery and Rotating
Inadequate level control
and monitoring system Equipment Integrity Inspection Guidance Notes”
No No automatic 7. API Recommended Practice 573, “Inspection of Fired
independent overfill Boilers and Heaters”
high level prevention
alarm system 8. Concrete Repair According to the New European
Standard EN 1504, Prof Dr Ing M Raupach, RWTH
Aachen,
9. EN 1504, “Products and systems for the protection and
Case Study No.4
repair of concrete structures”
On 12 September 2010 in Cumberland, West Virginia 10. BS EN 12696:2000, “Cathodic Protection of Steel in
an explosion in the production building was caused by Concrete”
combustible titanium and zirconium dusts that were
11. ISO 14692-4:2000, “Petroleum and natural gas industries
processed at the facility. The explosion originated in a
-- Glass-reinforced plastics (GRP) piping - Part 4:
blender containing milled zirconium particulates and
Fabrication, installation and operation”
was ignited by frictional heating or spark ignition of the
zirconium arising from defective blender equipment. 12. BS EN 61508:2002 Functional safety of electrical/
The hydrogen gas produced by the reaction of molten electronic/programmable electronic safety-related
titanium or zirconium metal and water, possibly from systems
wash-down or the water deluge system, may have also 13. IEC 61511 Functional safety – Safety instrumented
contributed to the explosion. A dust collection system systems in the UK process industries
was not installed (refer the practices recommended 14. E/C&I Plant Ageing: A Technical Guide for Specialists
in NFPA 484 for controlling combustible metal dust managing Ageing E/C&I Plant
hazards). 15. AEA Technology, Developments in electrification systems
– Life expectancy of electrical equipment, AEATR-
EE-2005-030, June 2005
Press Blade 16. HSE CRR 428(2002), Principles for proof testing of safety
Damage instrumented systems in the chemical industry
17. EEMUA 191:2007 Alarm systems - a guide to design,
management and procurement

Most solid organic materials (and many metals and some

nonmetallic inorganic materials) will burn or explode if
finely divided and dispersed in sufficient concentrations.
Even seemingly small quantities of accumulated dust can
cause catastrophic damage.
Suspended dust burns rapidly, and confinement
enables pressure build-up.

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Canaway.indd 21 30/03/2023 14:21:09

 22 | Loss Prevention Bulletin 290 April 2023

Safety practice

Proven techniques for effective implementation

of inherent safety in design
Rajender Dahiya, AIG PC Global Services, Inc., USA
protecting lives from an incident that never happened.
Summary Yet today, ISD remains a hidden gem in the process
Inherently safer design (ISD) is a concept that intersects industries. While it is not always possible to eliminate hazards,
science and art, challenging the status quo to eliminate ISD should be the first approach to risk management rather
or reduce risk. Some companies within the process than accepting the process hazards and immediately focusing
industry have successfully used ISD as an effective risk on hazard management by controls. There are various
management tool to help them achieve world class narratives and theories being put forward as to why there
performance. has been low adoption. Misperception from value conflicts,
This paper explains the important role leadership plays engineering biases and implementation missteps have surfaced
in implementing ISD concepts and provides insight into as leading contributors.
how incremental success can help establish a culture that This paper focuses on how to bring down confusion, and
embraces ISD. Scenarios where project teams experienced successfully implement ISD.
a challenge in surfacing new solutions through ISD reviews
were identified as the author conducted risk assessments Context
with project managers at complex high-hazard processing Hazard identification and risk assessment (HIRA) studies are
plants. The author observed that for some organisations the key activities in any design process and start at an early
the ISD review, once completed, checked the box and
stage of the project. Hierarchy of process risk management
provided an inherently safer design regardless of whether
strategies also called hierarchy of design solutions or hierarchy
new ideas were brought forward. In others, a robust set of
of controls are applied while performing these studies. Figure
best practices started to emerge, many emphasising ways
1 shows a typical hierarchy of process risk management
that project teams can overcome the status quo, essential
flowchart.
for safer operations.
As shown in Figure 1, an inherently safer solution strategy
The paper concludes with a list of “dos and don’ts”
to consider as guideposts for implementing ISD into takes priority over the use of passive, active and procedural
major projects and operating facilities within high hazard controls (also called safeguards, barriers, or protection layers).
industries. However, HIRA studies such as Hazard Identification (HAZID),
Process Hazard Analysis (PHA), Layers of Protection Analysis
Keywords: inherent safety, safer design, hazard (LOPA), Quantitative Risk Assessment (QRA) are standard
elimination
requirements in any project. HIRA studies are ingrained
into today’s engineering design package. They are proven,
generally well communicated, well understood, and supported
Introduction using experienced facilitators. Robust and ever evolving tools
In 1977, Trevor Kletz suggested that the most effective and techniques perpetuate the use of these familiar studies.
approach to process risk management was to focus on the
elimination of hazards where feasible, rather than relying
on safety systems and procedures to manage risk — loss Elimination/Substitution
avoidance as opposed to loss prevention, i.e. the loss cannot Inherent Moderation/Simplification
happen if the hazard is removed from the source1.
This philosophy, now thought of as Inherent Safety in
Design, is an iterative process that can reduce the potential Passive
Engineering Controls
for harm by eliminating or reducing hazards through • Physical Barriers
four principles — elimination/minimisation, substitution, Active • Instrumented Systems
moderation, and simplification. While it is best applied
early in a project’s design phase, the concept can drive risk
Administrative
improvement throughout the lifetime of a facility. Case studies Procedural Procedures, Training
have proven that the benefits can be far reaching. They range
from saving on the costs of maintaining the add-on safety
features and safety protocols needed for a layered approach to Figure 1 – Hierarchy of Process Risk Management Strategies

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Dahiya.indd 22 30/03/2023 14:32:14

 Loss Prevention Bulletin 290 April 2023 | 23

Implementing an inherently safer solution strategy Project teams were given an ISD philosophy that had to be met
successfully takes courage, tenacity, and a different set of for a project to progress past each gate. There were detailed
tools that can help an organisation overcome the status quo procedures covering all four ISD principles – elimination/
of focusing solely on engineering and procedural controls minimisation, substitution, moderation, and simplification that
as priority strategies. It takes an acknowledgement and were to be applied from concept through construction and
understanding of the intent of ISD. installation stages, and some of the teams were even trained
face-to-face.
Rolling out ISD baseline Yet the outcome of the first ISD review showed no real
For this discussion, it is assumed that companies implementing change in the levels of risk and engineering controls being
ISD have a solid foundation for project safety in place and recommended as solutions. The review was not meeting the
that projects are managed using the stage-gate process. For intent of the process. For this to be occurring at such an early
each stage, an independent gatekeeper or subject matter design stage of the project pointed to insufficient training
expert (SME) is assigned to support the implementation. as a potential contributing factor to a low level ISD concept
Experienced project teams, robust in-house engineering and understanding.
design standards and specifications, and leading engineering, An effective ISD review can be demonstrated using the
procurement, and construction (EPC) companies play a role bowtie. The bowtie is a simple graphical demonstration of
in the success and safety of projects. It is also assumed that hazard management. The more hazards, the bigger is the
traditional design reviews and HIRA studies are performed bowtie with multiple safeguards as shown in Figure 2. The
efficiently, and that management wants to take advantage of intent of the ISD review is to reduce the size of the bowtie, and
the possibilities that a formal ISD review can offer. the only way to minimise the size of the bowtie is to eliminate
the hazards at the source. Figure 3 illustrates where several
Ensuring roll-out success, pitfalls hazards were eliminated or minimised and the remaining
The intent of an ISD review is to only focus on inherently safer residual hazards were managed by controls. A resulting
design opportunities. When ISD review is a new concept smaller bow tie is only possible when the ISD review is well
for the user, it is an activity that is done in addition to the understood and implemented.
traditional design process and requires extra efforts beyond
checking a box. Role of an ISD champion in the design phase
Management’s failure to fully understand the significance In this situation where the bow tie size remained unchanged,
of the change required by the project teams and some of an ISD champion was brought in to help. An ISD champion
the pitfalls of implementation can be the root cause of ISD can be instrumental in the successful adoption of ISD. The ISD

knowledge and
implementation mishaps.

competence
champion’s role is to be a subject matter expert, establish a
In one case study, an ISD review was added to the stage-gate baseline of understanding, and identify potential reasons why
requirements, the team believed that everything was going ISD was not being used as intended.
well, and that the ISD review was well executed per the plan. To establish the baseline, the ISD champion may look for
pitfalls such as:
The Bow Tie Effect (Before ISD)

engineering
and design
• Delivery: Is the philosophy and procedures delivered
effectively with emphasis needed to ensure adoption of a
Hazards
Hazards Controls
Hazards
Hazards
Hazards Hazards
Hazards
new concept?
• Ownership: Is there that one “owner” who would be
Top Event
accountable for the outcomes of the ISD review?
Preventative Response
• Communication: Are expectations communicated with
Barriers Barriers the clarity and specificity needed to ensure the ISD review
was completed to the point where risk elimination and risk
reduction ideas were brought forward?
Figure 2 – Hazards Managed by Controls only • Training: Is training being delivered by someone
experienced in ISD and the organisation’s processes?
• Training materials: Do they go beyond the basics? Is there
The Bow Tie Effect (After ISD) any unintended bias towards old ways by emphasising on
controls?
Hazards
Hazards Controls
Hazards • Mythology: How are the ISD reviews being conducted?
Are they conducted like a traditional HAZOP study in
Top Event which the design is accepted “as is” and then controls are
identified to help reduce the likelihood of an incident?
PB RB • Morale: Are there instances where people on the team are
resisting the ISD review altogether? Was there discussion
culture

prior to implementation about the trade-offs and benefits

versus the potential for added time to the project timeline?
Figure 3 – Hazards Managed by ISD & Controls • Excellence: How is the ISD review positioned within the

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Dahiya.indd 23 30/03/2023 14:32:14

 24 | Loss Prevention Bulletin 290 April 2023

stage-gate requirements? Is there more than a check-the-box Strategies, methods and techniques to address
line item in the gate checklist?
the gaps
• Approvals: Is there any indication that ISD reviews are
being approved with traditional control applications The following new strategies, methods and techniques were
without demonstrating inherently safer design ideas or new adjusted to address the gaps and implement the process
techniques and solutions to eliminate/minimise the hazards effectively.
presented? The objective was to use an ISD to identify new ways to
eliminate or reduce risk, leading to a safer process.
Any one of these pitfalls can cause an ISD review to go off course.
• Strategies
What was wrong and why? – show how the current implementation was not meeting the
There are four categories of pitfalls that can contribute to an ISD intent of ISD
review falling short. The case study above was used to dig deeper – set clear expectations and communicate them
into the root causes challenging the successful implementation of – influence the project management teams on how ISD
ISD. It is essential to understand the pitfalls before best practices makes sense
can be identified. – provide effective training for facilitators and engineers
• Management program shortcomings – demonstrate by relevant examples that ISD does work
and can work in this situation with the same people and
– inconsistent standards and procedures
resources by transforming the organisation’s mindset and
– not fully vetted and communicated expectations implementation methods.
– unavailable technical support
• Methods and techniques
• Ownership and accountability gaps
To meet the objectives of the ISD process, the following
– no ISD program owner methods and techniques were applied to educate the project
– no requirement that reviewers and gatekeepers avoid management and instil the message of value, now and for the
just “checking the box” lifecycle of the facility. Seven steps were used to facilitate the
– no method to ensure checking the box does not happen necessary change.
– no guidelines and examples that define what an
1. Rejecting reports
acceptable report should look like
– rejecting the ISD report, results in a failed stage gate
– no quality check and continuous improvement cycle
– delivering an acceptable ISD report becomes the priority
• Training and competency for a project manager to pass the stage gate
– ensure ISD understanding across all levels of the project – conducting an independent ISD review
management, especially if ISD is new for everyone on
2. Set expectations and objectives
the team
Expectations need to be clear and succinct. Incorporate the
– the benefits need to be prominent and illustrate
expectations in the design package, stage-gate process and
relevancy to their immediate situation
kick off meeting agenda.
• Culture, mindset, and communication
With any change, there is conflict and a tendency to stay
The objective of ISD is to understand the hazards and
with the status quo. Special emphasis was required to
eliminate / minimise hazards at the source instead of
influence project management and train engineers to “sell”
controlling them by complex and expensive safeguards.
this novel idea.
Once applied, the facilities are expected to be safer,
– An ISD culture had not evolved — project managers simpler, and cheaper which are easier to design, build,
were stuck with old techniques and old ways of thinking operate, and maintain for their lifecycle
because they had no evidence that ISD offered enough
benefit to overcome their requirements to keep the
projects running smoothly on time and within budget. 3. Influence management to embrace the change
– Since everyone on the project team was experienced Specific presentations and detailed training for
in traditional hazard identification and risk assessment management including project directors, project managers,
methods, they naturally were using controls instead of and gatekeepers need to be developed and delivered. This
challenging the norm through the ISD review. This line training should use real-life, examples and benefits that
of thinking caused the process to derail. would resonate with their corporate agendas.
– One of the key gaps in communication took place during 4. Train end users to understand and be effective
the hand-off of the design standards and processes to In-house and EPC engineers and designers should also
the project managers. With no communication that be trained using new detailed training materials that are
the ISD review was a pre-requisite to other reviews to consistent across the standards and procedures and again,
determine engineering controls, the project teams fit use project specific relevant examples. In this case study,
the review into the regular design standards that had several hundred engineers and designers went through this
been used for years. training.
Senior leadership was informed that ISD was implemented and 5. Best use of resources
that designs were expected to be inherently safer. – high risk sections of the process should be the focus

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Dahiya.indd 24 30/03/2023 14:32:14

 Loss Prevention Bulletin 290 April 2023 | 25

to get maximum benefit from investing minimum time – review was completed in seven hours.
and resources Overwhelming outcomes from a one-day review were
– a small team of 4-6 engineers should be used compared recognised by the team. It was not expected in a seven-hour
to 15-20 engineers in a typical HIRA study session after a detailed HAZOP that the results would include
– each review should take a maximum of one day elimination of more than 70 leak points including piping,
valves/flanges, sight glasses, instrumentations, etc.
6. No compromise on quality
The review and the reports were of high quality. No The project manager was influenced with the outcomes
normalisation of deviation accepted. No check-the-box and shared the real-life example with other project teams
type of reports existed. and thereafter independent ISD reviews were successfully
performed with great results.
7. Proved success
The ISD champion facilitated the first review following Inherent safety in operating phase
the change in approach to ISD implementation. There were
incredible, positive, and unanticipated outcomes. The best time to apply ISD is in the early stages of a project.
However, there are still opportunities in the operating phase
• Implementation method 1 – combined review of the facility, although, typically with less impact. Taking
After the training, project teams liked the concept but still were advantage of the latest reliable technology, errors and mistakes
not seeing the value for conducting independent reviews. can be reduced by making the operating practices safer, simpler
They insisted on adding the ISD reviews to the traditional and user friendlier.
design review process e.g., plant layout review, Piping & The most common improvement opportunities to apply
Instrumentation Diagram (P&ID) review, PHA, etc. Inherently Safer Techniques (IST) in an operating facility are:
It was agreed to conduct equipment simplification review with Modification of hardware/software – management
regular P&ID review. This was a controlled setting where the of change (MOC)
project manager could experience failure early in the process.
Take advantage of the latest technology which is more robust
The combined review did not work for two primary reasons: and reliable during any modification or change.
– P&ID review is a matured established process in a specific
mindset. That did not allow the review engineers to think • First round of hazard management should focus on ISD
outside the box when they were questioned using the ISD without discussing the controls at all. Then depending on
checklist. the complexity and risks associated with the change, HIRA
– ISD questions were completely different to those of a may be performed.
traditional review process. The questions turned into a • Add ISD application to the hazard checklist in the MOC
burden that annoyed the review team and interrupted their program as a trigger, for example, “Is ISD option evaluated
usual P&ID review method. before adding controls to manage the risk?”
The review was scheduled for two weeks. However, after two Operating and maintenance procedures
days, review team decided that the ISD questions interfered
with the P&ID review and brought no value. A standard format that follows regulations and industry
standards and fit for purpose simpler procedures are most
This failure helped to strengthen the case for independent effective and can minimise the chances of errors and mistakes.
reviews.
• Current procedures should be made easily available and
• Implementation method 2 – independent review
accessible either in electronic or physical form.
This review was done at the end of the detailed design which
• Standard operating procedures (SOPs) and emergency
had already completed the final Hazard and Operability Study
operating procedures (EOPs) should be documented
(HAZOP). Engineers then wondered what could realistically
separately. Emergency procedures should not be buried
be changed at this stage. The design and risk management
deep and mixed with standard procedures.
were already taken care of, and the project was ready for
construction. • A shortcut on the desktop with a logical folder and path
should take the user to the latest procedure in the shortest
The focus of this review was leak minimisation and process time.
simplification. Checklist and guidewords were used to inspire
• Emergency procedures should be in simple steps with
the team to challenge their own design. The independent
a checkbox for each step. A hard copy backup of the
review involved:
emergency procedures is highly recommended for easy
– a team of engineers from owner and EPC
access during emergency.
– a session kicked off with a one-hour training refresher on
process simplification Data collection and use
– focus on high hazard processes based on flammable
inventory, temperature, and pressure On one hand, digital technology has made life easier, and at the
– the use of plot plans and about 20 P&IDs selected in same time complexity is added due to the availability of infinite
advance which were already HAZOPed information and data.
– session facilitation using the ISD checklist and guidewords • Identify and define what data is useful and collect only that
– no controls were discussed in this review data. Avoid the cases where tons of information and data

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Dahiya.indd 25 30/03/2023 14:32:14

 26 | Loss Prevention Bulletin 290 April 2023

is piled up, but only minimal useful information is available Primary steps to implement ISD
buried in the larger pile.
• Write philosophy, a standard and detailed procedure
• Diligently design or buy the data collection and analysis tools
exclusively for ISD review and not to mix with other risk
which are fit for purpose and user friendly.
management processes.
Training and competency • Write key performance indicators and set goals.
• Ensure an owner with authority is in place and supported by
Computer based training is quite common and frequently used.
upper management.
However, in many cases it is not consistent with the procedures.
Refresher training is commonly just a repeat of the same training. • Communicate expectations and check for understanding.
• Use a competent facilitator to lead the reviews.
• A needs-based training is more effective than repeating the
• Review each step of the ISD program for effective
same training as refresher training cycle.
implementation.
• Appropriate and fit for purpose training techniques deliver
• Focus on the high-risk processes to demonstrate the largest
better outcomes.
benefits in the shortest amount of time.
Software and tools • Conduct independent review first and then incorporate in
the HIRA processes.
There are excellent and ever evolving software and tools in
the market. These tools are used and misused in many ways. Conclusion
There are many cases where an expensive software is bought
and implemented, but employees keep using their private Eliminating or minimising the hazard at the source by applying
spreadsheet and word documents. Those are not user friendly inherently safer design is the first element of hierarchy of process
and do not deliver the end results. These software/tools include risk management. Whenever there are opportunities for a new
but are not limited to incident investigation, action tracking, and project or modifications to existing facilities, ISD must be the top
management of change. priority before jumping to potentially expensive and complex
safeguards that will require maintenance for their lifetime and
• Before developing or buying any tool(s), define the have probability of failure on demand. The benefits can be
requirements and expectations then use this as the surprising and long lasting.
purchasing guide — i.e., no advanced features which are not The ISD process will only deliver the greatest impact if the
required. intent and concept is well understood, and it is implemented
• More complex and sophisticated tools are not necessarily with management commitment and employee involvement.
better. A simple spreadsheet sometimes can be much better Improving the company culture and elevating the morale of
than a million-dollar software package. the employees are the cornerstones for success when using
ISD. Well written robust management programs, a well-trained
Summary workforce and a strong corporate culture are important for best
results.
Impactful training and only one day of dedicated effort with a
While there are more opportunities to benefit from ISD in
message from one influential manager changed the mindset
situations where engineering controls are used to reduce risk,
of an entire project management team. Educating the project
it should be noted that it is not always practicable to eliminate
management teams and demonstrating results can be the key to
or minimise all hazards to an accepted level using ISD. Residual
success for effective implementation.
risks are then managed by passive, active, procedural, or a
Key learning combination of these controls.

• An effective training program, with demonstration of References

benefits, changed the mindset of engineers who were stuck
with their established “comfortable” practices. The engineers 1. Inherently Safer Design: The Fundamentals by Dennis C.
started thinking “outside-the-box” and taking advantage of Hendershot, Center for Chemical Process Safety. https://
new technologies. www.aiche.org/cep January 2012.
• Each step of the process is important for effective 2. Inherently Safer Chemical Process: A Life Cycle Approach.
implementation. A disconnect in any step can adversely Center for Chemical Process Safety, American Institute of
affect the overall purpose of the process. There were Chemical Engineers, New York, NY, 2nd Edition, December
multiple disconnects in this case that were resolved. 2008.
• The project resources were used to perform all activities 3. Center for Chemical Process Safety, “Inherently Safer
including training and conducting the ISD reviews, but the Chemical Processes: A Life Cycle Approach,” CCPS, AIChE,
outcome was worthless diluting the whole ISD purpose when New York, 1996
it was not well understood, and benefits were not tangible. 4. Hendershot, Dennis C., “Process Minimization: Making
• In addition to the independent reviews, ISD principles were Plants Safer,” Chemical Engineering Progress, pp.35-40
applied in regular design reviews as an extension of the (January 2000).
formal review. As mindsets changed and engineers started 5. Achieving World Class Performance in Oil and Gas Industry
thinking differently, a new tendency was generated to Using Inherently Safer Design www.cetjournal.it https://
challenge the status quo at each step. www.aidic.it/cet/19/77/129.pdf

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290Dahiya.indd 26 30/03/2023 14:32:15

 Loss Prevention Bulletin 290 April 2023 | 27

We invite read
ers to send thei
accidents they r views on whi

Accidents of the future – part 10

expect to see ch
years, why thes over the next
e keep happen few
we failed to le ing, and what
arn. have
Please visit ht
tps:
A selection of predictions from our readers knowledge/lo //www.icheme.org/
ss-prevention-
submit-mater bu
ial/ if you wou lletin/
share your id ld like to
eas.

accident
se d ful cru m an d lev er sys tem will result in a serious an operator
A mis-u d ca uses a heavy force to strike
of the lev er ‘sli ps ’ an
because one end
Tony Fishwick
happened before? with less serious consequen
ces. The
When has a similar accident sib ly ma ny tim es since, though fortunately
, and pos
In the late 1970s – see below l, accident.
ed a serious, potentially fata
operator in this case suffer
?
Why does it keep happening t.
car e tak en in mo vin g or dislodging heavy weigh
Insufficient
rn? – for example, ad hoc
What have we failed to lea or dis lod gin g hea vy we ights is potentially hazardous
methods of lifting
Use of ad hoc, improvised
fulcrums and levers .
to prevent repetition? per slings, etc.
What steps could we take lied for ce; for klif t trucks; hooks and eyes; pro
ern ally app
Use proper lifting gear – ext

ce of that
Moment of madness end of the lever and distan
of mo me nts and its dep endence on mass at each m tha t poi nt. ”
t knows the principle mass fro
Every young physics studen “mass” X “distance of the
int of bal anc e). Thu s, mo ment about a point equals sol idif ied pro duct had stuck to the inside
mass from the fulcrum (po bet we en rea ctio ns. A large lump of many years was
flui dis ed bed rea cto r was being cleane d out
dia gra m. The me thod that had been used for
A bat ch has to be said – see the open manhole
the rea cto r – not an uncommon occurrence, it the rea cto r and sw ing it back and forth through
wa ll of ss members of of the reactor. The
m from one of the inner cro pieces and fell to the bottom
to suspend a wooden bea eventually bro ke up into sm alle r
the reactor until the lump
to strike the inside wall of . ilst he did this, a huge
lower edge of the manhole
acted as a fulc rum
on the low er edge of the manhole. Wh
for a few moments and pla
ced the bea m ctor, knocking that end of
The operator stood at rest fell ont o the wooden beam inside the rea ck
ly as much as 50 kg – dislod
ged itse lf, beam shot upwards and stru
weight of the lump – possib ver y con sid era ble for ce. The protruding end of the his tee th. He wa s very
the beam down with and dislodged several of
jaw and eye soc ket
fractured his
the operator in the face. It and he did, eventually, make a
full recovery.
n not kill ed from the inside
REACTOR fortunate not to hav e bee
the exi stin g method of removing lumps
The investigation into the
accide nt ban ned the manhole. Instead, a
pro per ly be seen or accessed easily via
wall of the reactors, where
the y cou ld not ight was positioned so
FILTER CHAMBER e the rea cto r was implemented. The we
system of suspending a lea
d we igh t out sid s adhered to the wall on the
the out sid e exactly where the lump wa us
that it would strike the rea
cto r wa ll on ch safer. There are numero
bit as we ll as the sus pen ded beam and was very mu live s. A few
CROSS MEMBER inside. It worked every ers in industry, commerce
and our everyday
BEAM END
exa mp les of the use of fulcrums and lev
STRIKES
OPERATOR examples are: and a low brick wall as
of pow der or liqu id out of a stack using an iron bar
LUMP SIDE • Levering a full drum
MANHOLE
the fulcrum let from underneath
full , or par tial ly full pal let in order to get an empty pal
FALLS • Levering up a a sack truck
cabinet so as to move it on
• Levering up a full filing
ONTO
its wheels
of a truck to change one of
BEAM
• Levering up the back end y be no way
sim ilar to the one des crib ed herein because there ma
in an accident erneath the item
WOODEN Any of these could result t tha t wo uld be rele ase d if the end of the lever und
, the weigh
BEAM
of knowing, or estimating safe way in such cases is to
nta lly, and suddenly, freed. The only t
to be moved wa s acc ide (if they are present), forklif
to be mo ved by suc h means as hooks and eyes
lift the item
trucks, slings etc
FLOOR LEVEL

© Institution of Chemical Engineers

0260-9576/23/$17.63 + 0.00

290futureaccidents.indd 27 30/03/2023 14:37:57

 28 | Loss Prevention Bulletin 290 April 2023

Loss Prevention Bulletin 288 December 2022 | 21

established some relevant principles ch ajor acci5dent hazard

will result in a mMethane
ate whie.g.
4

p will fail to oper

A• triEmployers ought to know about risks available at During the late 1970s in the UK a tunnel was constructed to
Rogerthe Catime Consultant
sey, which may involve keeping abreast re ? of the transfer water from the River Lune over the Pennine Hills to
r acincid t haof
theencase ppaen ed befo
s a similaand
When haliterature large organisation
tio n, LP
lfunc it may involve B0 with
93 the headwaters of the river Wyre in order to optimise water
its own research es low andlev el trip ma
medical branches
• Wrong valve caus dia /6 099/ lpb _is su e0 93 p0 23 f)
.pdrequirements of the region. To minimise environmental impact
13.pdf)
a duty
ww of
w.the
ich em e.o
executive rg/me to get information from these the valve 9/ lpb
house sue0
_iswas 89p0
built underground. Tunnelling
(https ://
departments and act upon (ht
it. tps :// ww w. ich eme.org/media /6 04
2/ 247_pg02.pdby
lpbsupplemented f) was based
er ac cid en t, LP B0 89 on geological e.o maps
rg/ me dia
100 /2 11
years old minimal
• Hydrocrack w.ichem
g an d do ub le fai lur e, LPB 247 (https://ww bore drilling. Traces of
-re natural
po rt. pd f)
gas were detected once
• rag e tank ovoferf
Suppliers illin
materials for use in a manufacturing uncefield/buncefi eld
• Sto .hse.gov.uk/comah/b tunnelling commenced but engineers considered the tunnel to
process, : W sohy did
far as it ha
they pp areen ? (www
aware of the process, owe
• Buncefield be ‘gas free.’ g,
as high a duty ofpp care
en as the
ing ? employer in assessing and uce the lik23 hood1984,
eliMay of the event occurrin
es it
Why doeliminating ke ep ha wo rk. All trip s do is red
On Wednesday a group of 44 people
risks. e trips and interlocks wi ll
um
Too often, people ass can fail for many reaso
ns: gathered in the valve house at the outfall end of the Lune/
ic so lver
• If t
the eli mi na
materials te it.
are A trip
too dangerous to be used, they Wyre Transfer be or a gas at
Scheme tector, the log
deAbbeystead. The aim was to
they do no e.g. a tem pe rat ure pro
should stop supplying onentsthem. of the trip. The sensor allay. an
visitors’
actuaanxieties .
ted valveabout the effects of the installation
• Failure of the comp rdw ire d un it) or the fin al element on e.g
the winter flooding of the lower Wyre Valley. As part of
proce sso r or ha
g. microthe
(e.explains
This responsibilitiestin ofglarge companies . and of this presentation, water was to be pumped over the weir
plete tes of the trip
Inadequinate
• suppliers or incom
avoiding hidden dangers. aft er tes tin g or rep
regulating the .
airflow of water into the Wyre. Shortly after
ed pro pe rly
idden or not re-instat
• The trip being overr pumping commenced there was an intense flash, followed
Case Th histories
e setpoint has been ch
anged. immediately by an explosion causing severe damage to the
• , in the
lea rn ? valve house. Sixteen ociatpeople
ed withwere them. For no
killed; examoneple
from
Some of the foregoing
ve we faisalient
led to points are highlighted by e pro ba bil ity ass nd
What ha
accidents previously reported as trip
in s, rel
LPB which , etc. have to
vicesconsidered
ief dewere
a fai lurvalve house escaped
as having without
a probabil ity of failure on ma
injury. de
All saf ety de vic es su ch tem is oft en tak en ma y be
as pro cess coby ol sys
ntrthe The explosion was caused thebycothe nseq uences
ignition of a mixture of
contain an element
ris
of hidden on
k analysis a trip based
a basic
danger, indicated
ee n
small 0.001
0.0 1 to methane which depending on
OD of be tw and air which had accumulated in the valve house.
selection in Table 2. loop has a PF
(PFOD) of 0.1. A SIL2 ma y sti ll be
ols from the LPB archive, req uir ed. The methane had been displaced from a void, which had
Hidden causes ional contralso
of four explosions,
insufficient and addit tit ion ? formed in the end of the Wyresdale tunnel during a period
ety
pe saf
we tak to prevent re
are briefly summarised below; theereader is advised to consult k forno layers of
fail and loo
steps co
What papers
the original forulda more detailed explanation ve to theume any pro
of ass oftec
17tiv
days erlockthe
e intbefore canexplosion
es
when
or oth er
water was
engineered
pumped
ass es sm en ts, etc . ha through the system.
oc ks, rel ief de vic
background,
Hazard plant s, risk the accident and its causes,
studielayout, ofplus
addittheional different interl
nario, compromising No source of ignition for the explosion was positively
lessons any major hazard sce
in learned. rformed by
identified although ignition s mu st be pe
sources considered included:
controls. ch as EN 61 51 1. SIL assessment calculation
ati on al sta nd ard s su
Adherence to intern
LPB Reference Hazard Risk Group
• Electrical equipment that was not intrinsically safe, flame-
pe rso nn el.
co mp ete nt Systems, proof LPB044 or pressurised. (Subsequent inspection, however,
sig n an d M ain ten an ce of Instrument Trip suggested
f) this to be highly unlikely)
See also DeHidden health and fire dia/5683/lpb_issue044p001 .pd
ww w. ich em e.o rg/ me • Smoking. Since the likelihood of a flammable atmosphere
(https
2001(158), 12
:// dangers associated with
Employers, Contractors
working in confined developing had not been envisaged smoking was not
spaces prohibited. Indeed, just prior to the explosion one visitor
had been seen smoking, and ‘smoking equipment’ had
2005(183), 12 20 |chemical
Toxic Loss Prevention
leachate BulletinCrops288 December 2022
and livestock been recovered during the investigation.
• Static electricity from clothing.
2009(209), 3
Utilities Operators, Contractors
Several years after the explosion, negligence actions were
Correction
Loss Prevention

risk of exposure. Those responsible must ensure these controls

Bulletin 288 December

Knowledge
2022 | 19
Safety practice

Hidden dangers
Microbial
are suitably
Phillip Carson
spoilage
designed installed, understood, used, maintained, brought by survivors and relatives of the deceased against
Known Unknown
‘The ability to foresee

2010(216), 15 ofand monitored

chocolate to ensure the
during risk is preferably eliminated or atthose responsible for the
Consumers
Jean-Jacques Rousseathat some things cannot be foreseen

Summary
u 1712-1778 is a very necessar
y quality’

time because it design, construction and operation

least reduced to acceptable levels using reasonably practicable
The meaning of is not visible (e.g.
‘hidden danger’ or the signals are underground utilities),

processing
Responsibilities is explored. inadequate, or
are discussed. etc. Thus, if in because of data
Avoidance measures a burning building, overload,

of the works. Initially it was held that the consulting engineers,

briefly mentioned.

Loss Prevention Bulletin 288,

Case histories are are smoke/fumes may precautions against
used as illustrations be toxic
Keywords: Hidden . can kill and believing ignored if you fail to realise that
they
dangers flames. Alternative you are safe by simply avoiding
ly, the
be unclear whether on approaching a closed door,

means. The control procedures must also ensure the danger is

Introduction it is safe on the it may
will expose you other side or on
to an inferno. In opening
Accidents are sometimes hazardous properties of substances process safety
even when

the contractor, and theIntroduce

description is often attributed to ‘hidden the risks may be are well-establi

operator were to blame 55%, 15% and

used by various dangers’. This hidden unless shed
things, which begs people to mean are effectively the hazards and
such questions different brought to the attention precautions
become exposed
hidden danger,
what is hidden,
as to what is meant
by by means of Safety of those that may

highlighted and not hidden.Employees, Contractors,

what and why, hidden labels, etc supplemen Data Sheets, warning
and who is responsible from whom, hidden by ted with manageme
training, supervision

December 2022
to first clarify some ? As a result, it nt systems such
,
common terms is useful permits, inspections standard operating procedures as

control measures
in Table 1. , work
, audits, etc to
Discussion are adequate, functioning ensure the risk
controls
exposure to the , and sustainable

30%, respectively. But on appeal the Court considered the

What is hidden? contents of a well-labelle . The danger of
chemical may be d drum of hazardous
Known

clear unlike the

Even when hazards are known and understood some

To add to the confusion pipe which may, opening of an unlabelled
or may not, contain
knowledge and
competence

conversely not hazards can elevated temperatur hazardous substances

all risks necessarily be quantified and all situations as
e and pressure.
Operators should at
assessments. In are, for example, if the system is

2015(246), 2
treat

Corrosion
reality, any of the in

Local residents’
foregoing elements risk they can obtain in its worst-case

Publicise
‘hidden’ may lead more information condition until
to if
they are unknown accidents They may be ‘hidden’ .

Conduct research on
There are some
(see below), or because things we know; others

commentators believe it is inevitable that certain risks are notduties of care owed by each of the defendants for the design,
they have not been because don’t know and we know we
adequately communica although known things
occupational hazards we don’t know we don’t know.
not obvious to ted, or they
those who may are well-known Most
exposure, due suffer the consequen are broadly classified and
to lack of training, ces of as physical, mechanical understood and are
or they cannot ergonomic and , chemical, biological,
see it at the psychosocial. If
those exposed, these
then controls must pose serious danger to

Environment hazards and risks

be introduced

Monitor compliance/
to reduce the
Term

foreseeable (i.e. are hidden) because of the complex matrix

systems and
procedures

Figure 1 on page 20 of the print construction and operation of the tunnel and held that:
Hazard is any object,
situation, or behaviour
injury, ill-health, that has the potential Example
or damage to property to cause
or the environment. A loose brick on
the top of a 10m
Danger Circumstance probability, nor wall (This is qualitative,
s or surroundings the consequence since neither the
Awareness

existence of a person that compromise are quantified)

effectiveness
or thing the security or A loose brick on
the top of a 10

of possible interactions of events or conditions associated

hat) being within m wall, and a person
Hidden Danger impact range. This (without a hard
A source of potential consequence (fatality is semi-quantit
detected by a person danger that “could or injury) being ative with only

version of Issue 288, Decemberthat2022

not be easily ‘quantified’ the
of average intelligence
an area.” while they casually A loose brick on
inspected the top of a 10m
vegetation etc wall that is obscured
by a nearby sign,
Risk is a function and a person (without
of the likelihood a hard hat) being
of exposure to

• At the design stage, the consultant engineer is expected

severity of the within impact range.

concept of risks
with high technology1. The Employees, are not fully
harm that results. the hazard and The product of
Essentially, risk the the probability

Contractors
chances of harm is an estimation that the loose brick
resulting from of the fact fall, while the on the 10m wall
a given hazard. person below is will in
damage caused in the impact zone,
by the brick hitting multiplied with
the person (This the

had an isincorrect
introduced heading. 2 The correct
Table 1 – Terms is injury or fatality is quantitative,
with examples per time unit) the unit

© Institution of
0260-9576/2
Corrosion
understood
Chemical Engineers
under inLocal
a paper on reducing unknown risks to exercise the skill of a reasonably competent engineer
2015(246), 18
2/$17.63 +

residents’
0.00

andversion
insulation
it proposes ofthat
themost
figure
risksis
in opposite.
the chemical industry fall in to Obligations to seek
Environment
the category of ‘partly unknown’, suggesting even foreseeable
specialising in the knownparticular
informationfield of construction. In
risks may contain a not foreseeable element. the circumstances,
Conducta safety
reasonably
studies competent engineer
Table 2 on page 21Radioactive
of the print version ofLocal
Issue 288,
unknown any risk assessment specialising in theeg design of water systems ought to have
Sense of vulnerability
Unknown

2021(278), 3 When hazardsiodine are known to beresidents HAZOPs

December 2022 omitted would be the following
flawed reference:
and the situation must be avoided completely detected a riskConstant of methane being
attention to present in the aqueduct.
Creativity
2021(280), 13 Buried
until thechemical
hazards waste
have beenLocal residents
established primarily by discussion The explosion safety was therefore
performance reasonably Proactive
foreseeable.
with suppliers, trade associations, consultants, et al and by
The first defendants were
Follow upnegligent in failing to take into
literature searches. If this confirms the hazards
Employers, are unknown to
contractors, eg near misses,
2022(286),7 Propane
mankindrelease
they should be determined
environmentby, for example, in-house, account the possibility that methane may be present when
health complaints
supplier or other third party contract laboratory studies or by designing the aqueduct.
academic research prior to any industrial exploitation with • The second defendants, the tunnelling contractors, did
potential for exposure.
Table 2 – Examples of previous LPB papers on hidden dangers notFigure
owe the1 – Knowledge/Awareness/Action Matrix for avoidance
claimants a duty of care since their duty was
When we are unaware that unknown hazards exist it is of a range of accidents under various scenarios After 2
essential to become proactive on gaining new insights and in
controlling risks from the new hazard, and even question what © Institution of Chemical Engineers
Who is responsible?
© Institution of Chemicalelse must be done. When materials such as asbestos, silica, lead,
Engineers 0260-9576/23/$17.63 + 0.00
0260-9576/22/$17.63etc + were
0.00 first used on an industrial scale the health dangers of Responsibility for ensuring hazards are known and the risk is
exposure to particulate matter were not fully appreciated. Once controlled usually rests with the employer but, dependent on
the respiratory hazards became very apparent it still took many circumstances, responsibility can extend to others including
years for parts of industry to adopt sufficiently robust protective designers, constructors, contractors, suppliers, employees,
290futureaccidents.indd 28 measures. History suggests that on publication of emerging new 30/03/2023 14:38:01
regulators, et al. In some situations, it may be necessary to
 Information for authors and readers
Loss Prevention Bulletin 2023 Subscription rates
Panel members Complete online collection
Mr Ramin Abhari
Helping us to help others
£564 + VAT
Chevron Renewable Energy Group, US • The Loss Prevention Bulletin (LPB)
aims to improve safety through Print and complete online collection
Dr Andy Brazier
the sharing of information. In this £630 + VAT (UK)
AB Risk Ltd, UK
respect, it shares many of the Print and complete online collection
Mr Roger Casey
Roger Casey & Associates, Ireland
same objectives as the Responsible £654 + VAT (ROW)
Care programme particularly in its
Dr Tom Craig The complete collection online provides
openness to communication on
Consultant, UK access to over 40 years of articles, back
safety issues
Dr Bruno Fabiano to 1975. Multi-user site licences are also
University of Genoa, Italy • To achieve our aims, we rely on available. For further details,
contributions providing details of contact sales@icheme.org
Mr Geoff Gill
safety incidents. This information
Consultant, UK
can be published without naming an Coming up in future issues
Dr Zsuzsanna Gyenes affiliated author, and details of the
European Commission’s JRC, Italy plant and location can be anonymised
of lpb
Mr Mark Hailwood if wished, since we believe it is We are especially interested in
LUBW, Germany important that lessons can be learned publishing case studies of incidents
Dr Andrea Longley and shared without embarrassment related to:
Scott Bader Company Ltd, UK or recrimination.
• Organisation structure &
Ms Fiona Macleod • Articles published in LPB are process safety
Consultant, UK essentially practical relating to all
• Emergency planning & response
Dr Ken Patterson aspects of safety and loss
Consultant, UK prevention. We particularly • Ageing plant
Dr Christina Phang encourage case studies that • Lessons from other industries
Environmental Resources Management, describe incidents and the lessons • Management of Change
Malaysia that can be drawn from them.
• Hazardous waste
Mr John Riddick, • Articles are usually up to 2500
• Hidden hazards
Caldbeck Process Safety Inc., Canada words in length. However we are
also interested in accepting accident • Transfer of hazardous materials
Mr Doug Scott
Charles Taylor Adjusting, UK reports to be written up into articles • Electrostatic hazards
Dr Hans Schwarz by members of the Editorial Panel. • Energy
ProsafeX, Germany Drawing and photographs are
welcome. Drawings should be clear, If you can help on these or any other
Mr Roger Stokes
but are usually re-drawn before topic, or you would like to discuss your
BakerRisk, UK
printing. Any material provided can ideas further, please contact the editor
Mr Sam Summerfield Tracey Donaldson on the number above.
be returned if requested.
Health & Safety Executive, UK
For further information, see
Ms Zoha Tariq https://www.icheme.org/
University of Strathclyde, UK knowledge/loss-prevention-bulletin/
Dr Ivan Vince submit-material/
ASK Consultants, UK • Correspondence on issues raised
Ms Heather Walker by LPB articles is particularly
OMV, New Zealand welcome, and should be addressed
to the editor at:
Loss Prevention Bulletin
Institution of Chemical Engineers
165 - 189 Railway Terrace
Rugby, Warwickshire
CV21 3HQ, UK
Tel: +44 (0)1788 578214
Fax: +44 (0)1788 560833
Email: tdonaldson@icheme.org

© Institution of Chemical Engineers

0260-9576/22/$17.63 + 0.00

290infopage.indd 37 30/03/2023 14:39:04

 Sustainable Nuclear Energy Conference

Call for papers

12–14 April 2016, Nottingham UK

casestudiesFP.indd 2 31/03/2023 16:11:46