Thursday, July 29, 2010

Is CSB on the right track?

On July 21st the CSB annonced the publication of report on 2009 Explosion at Veolia ES Technicla Solutions, L.L.C. Hazardous Waste Facility. Your can find details under Instigations on the web-page Veolia Environmental Services Flammable Vapor Explosion and Fire including a pdf-file of the report, which the CSB calls a case study.

The facts of the incident on the surface appears rather simple: A flammeable substance was accidentally released to the environment and the vapours found a nearby ignition source resulting in several explosions and a fire plus injuries to a number of workers and damage to nearby residences and businesses. On the surface this sound very much like what happened on March 23rd 2005 at the BP Texas City Refinery. Only difference appear to be that at West Carrollton in Ohio no one was killed, and damage was significantly less than at Texas City.

So what did CSB find? They found that the vent devices (I assume they mean on the feed and product tanks) were not designed to contain or control hazardous and/or toxic vapor. They also found that the ignition source was most likely some gas-fired boilers in an electrically not classified building less than 10 meters south of the process area. Finally the found, that no record of a process hazard analysis (PHA) of building siting was found.

And what does CSB recommend? They recommend that non-essential personal don't have offices in buildings close to process areas, and that a closed relief system be installed at the facility, and a PHA of the facility is conducted. I have absolutely no problem with these recommendations, although I would have put the PHA first, the relief system second, and the occupancy third. Why? I used to work a the operations room at Imperials Oils Sarnia Polyethylene Plant. This one-story building was not much more than 10 meters from the process area and about 30 meters (on the other side) from a benzene extraction unit. I newer felt unsafe in that building. The doors were 20 cm thick steel doors, and the surroundings were landscaped to help a pressure wave pass over this concrete building containing both control room, unit laboratory, offices for engineers and others associated with the unit including secretarial staff. The building was designed for the occupants to survive the worst possible event, e.g explosion of the benzene extraction unit. So buildings can be designed to be safe for the occupants! This is nice if your relief design for some reason fails, as it did at the BP Refiney in Texas City in 2005, or is insufficient, as it was at the Veolia site.

However the CSB does not stop with these 3 recommendations. They also recommend revisions to NFPA 30, revised control room siting guidelines, development of occupancy standards specific to hazardous waste treatment facilities, and development of standardized guidance for hazardous waste processing facilities. The last two recommendation are aimed at Environmental Technology Council, which here in the middle of 2010 have not reacted on two recommendations following a 2006 fire at another hazardous waste facility. All in all this explosion and fire resulted in 7 recommendations from the CSB to 4 different organisations. I wonder what the change is of this leading to safer processes?

Were is the teeth in this? What is going to make all the other operators of hazardous waste processing facilities stop up, do their facility PHA and act on it? Because I do assume, that there are other waste processing facilities without a site PHA. I am also concerned, because in my own country, Denmark, I see tank farms as closely spaced at the ones at Veolia, but with neighboring tanks having different owners.

As an added bonus I learned from reading this case study, that the National Fire Protection Association is an international non-profit organisation. This was confirmed by going to the NFPA web-site and selecting the "About NFPA" bottom. Recently another American organisation went international. ISA formerly known as "Instrument Society of America" after much discussion became "International Society of Automation". I wonder if the NFPA will become the IFPA, and develop standards following ISO instead of ANSI?

Monday, July 12, 2010

Why can safety systems be switched off?

On May 5th, 2010 Jim Montague's editorial column at ControlGlobal.com ended with a call for safety rules and laws with teeth, and calling the present US enforcement a joke.

On the way to that call Jim stated that "safety measures and guards are still shut off, disabled and circumvented all the time" to meet demands "from all us consumers", and that is "why refineries, chemical plants and coal mines keep blowing up".

This statement made me think: Why is it that we engieers and managers continue to ask people to use machines, which can be run without guards in place? To create a safe workplace we should properly stop doing that right now! I hear argument against this: The machines has the safety features required by law, and it would be costly to retrofit them, so they cannot run without the safe guards. Yes, it will cost money to modify the old machines, and these cost are all carried by the company using the machine. Unfortunately, that is not the case with the cost associated with injuries because the safe guard was not in place while the machine was running. The cost of such injuries are shared among the company, the worker and society.

Why is safe to run a process facility without a safety valve while it is being checked in the workshop? There has for more than 10 years been available dual head safety valve, which allows online switching between two parallel safety valves, so one can be taken to the workshop for testing and calibration of set point etc. Now the safety valve is just one example. One could ask the same question about any safety system, such as an interlock or an emergency shut down system. Such system are added to the process to provide protection against specific undesired events. Then why do we allow them to be designed to be switched off while the events they are to protect against can still occur?

I think it about time we take process operations integrity one step further, and ask engineers to design process facilities with integrated safety, that cannot be disabled while the events they are protecting against can occur. Such an approach would properly require a few extra planned shut downs. However, the price of those would be small compared to the unplanned shut downs of events such as the explosion and fire on the Deepwater Horizon, which occured on the day Jim wrote his editorial column. The cost of that accident is already above 3 billion £, and the value of BP shares has been halfed.

Monday, July 05, 2010

What process safety goals makes sense?

In the past week there has been a dynamic exchange of views on what the goal of process safety and occupational safety should be in two different groups on LinkedIn: EHS Professionals and People, Safety and Culture.

I all started by Rob Stewart stating "Zero injuries goal - leading edge safety or root cause of catastrophe?", and asking whether this goal is a realistic goal. Since I believe the purpose of process safety is to prevent accidents and the purpose of occupational safety is to prevent injuries, I see zero accidents and injuries as the only goal, which makes sense from a business perspective.

Why is this the case? Any accident with anything more than negligible consequences lead to an investigation. An investigation take time and cost money. That time is taken away from other task, such as optimizing plant performance or training co-workers. The cost take away from company profits, and hence is definitely not in the interest of shareholders. The same holds for injuries, although depending on the type of injuries the cost of investigation could be less.

If you set a non-zero goal for either injuries or process safety accidents, then you could be unlucky enough to achieve the goal you set. Usually achieving a goal is celebrated. However, how proud would you by celebrating the achievement of a goal of 0.2 fatalites/year and/or 5 reportable injuries per year? I don't believe any manager would feel good about celebrating a fatality. Setting a non-zero goal and achieving it really just mean, that you made a lucky prediction.

Now, if you are currently experiencing X reportable injuries per year and Y fatalities per year, would be realistic to achieve zero the following year? I don't thing so. Getting into the heads of the CEO and every other employee that the aim is zero injuries and zero accidents, is a major safety culture change in most companies. So why the aim should be zero you should be realistic about how to achieve this over time.

This is very similar to how countries budget for wars. No politician is going to stand up, and say the goal for the next year is Z dead soldiers. The goal naturally is to win the war, and have everyone return home safely. Nonetheless the people in the budget office have to set aside money for cost associated with soldiers dying at war.

I have always admired the attitude towards safety at Dupont. When I worked in the petrochemical industry in Sarnia's Chemical Valley in the mid eighties, the most talked about effort in most of the companies was quality. This was partly started by Ford's "Quality is No.1" campaign. So most plant managers in the valley those years talked first about quality, and then about other issues facing their company. At Dupont is was different. The local Dupont manager - as usual - first talked about safety, and then about other issues.

So if you want to set business related aims for process safety accidents and occupational safety injuries, then you need to keep your eye on the ball, no matter what changes is happening in the world around you. Let's do it!