At the Buncefield Depot in the United Kingdom, evidence suggests that a high level switch that should have shut off the supply of gasoline to the tanks failed to operate.

In Part 1 of this brief series, I described three industrial incidents demonstrating the potential cascading effects that failing to consider the human factor and ensure equipment reliability can have. What can we learn from incidents such as these? I continue my series on hazards to people and plants.

The Buncefield Depot was the fifth largest oil-products storage depot in the United Kingdom, with a capacity of approximately 60 million Imperial gallons (273 million liters) of fuel. In all, it held some 5 percent of the United Kingdom's oil-storage capacity.

An inquiry, held jointly by the Health and Safety Executive (HSE) and the Environment Agency, was started. The board's aim was “to identify the immediate causes of the explosion, rather than consider who was to blame for any deficiencies, so as not to prejudice further legal proceedings.”

Legal proceedings? Blame? These words encourage concealment.

The open publication of accident reports, such as those for the three cases described in Part 1, and the NASA reporting system described below, let you turn hindsight into foresight.

NASA's Aviation Safety Reporting System

The Aviation Safety Reporting System (ASRS) provides for the receipt, analysis and de-identification of aviation safety reports. Periodic reports of findings obtained through the reporting program are published and distributed to the public, the aviation community and the FAA. Reporters' identities remain protected. Of the more than 715,000 reports received to date, no reporter's confidentiality has ever been compromised.

The exemplary record of aviation safety that the ASRS has achieved is one that could well be adopted in the process industries.

In March 2002, in collaboration with NASA, the Veterans Administration rolled out a new medical reporting system, called the Patient Safety Reporting System (PSRS), to most of its medical facilities nationwide.

All of you - from management, engineering, procurement, plant design and installation, process technology, maintenance, production or plant operations - have to feel free to report your concerns.

Controller alarms can be set for high, low or rate-of-change conditions with delay and latching options.
Courtesy of Eurotherm

Plant and Equipment

Among the steps to take to ensure safety in your facility, do the following:
  • Make sure that your instrumentation provides both an overview and a detailed understanding of the plant's operating condition.
  • Have access to layout and schematic drawings and descriptions of equipment, wiring and piping, with identification of plant items. Use these to evaluate the control and safety implications.
  • Recognize that control equipment can “fail to danger.” Typically, this means that the failure leaves heat, flow, level, etc., uncontrolled. Where this is a hazard, have in place a completely independent override to head off this risk.
  • Check that you have identification labels on indicators, controls, internal cabinet wiring, terminals, piping and components. These include such simple matters as which switch position is “off” and which way is “increase” on a manual control.
  • Put in place procedures and priority rankings to be observed when responding to plant alarms and off-normal events.
  • Have stickers on cabinets and plant equipment showing each manufacturer's or outside supplier's service phone numbers.
Temperature Sensor Location. Ensure that your thermocouples or RTDs are located where they can see the temperatures of interest to you, and that the wiring is sound. A misplaced or pulled-out-of-place sensor, or one whose wiring is shorted, can lead to overheating of the process.

Broken Temperature Sensor. In most processes, you want a broken or burnt-out (open-circuit) sensor to make your controller default to a high reading or “broken sensor” message and turn the heat off. (This is sometimes called “upscale burnout.”) If you don't specify otherwise, controllers normally come configured this way, being the usual safe default.

Some processes may require a broken sensor to default to full power or some predefined percentage of full power. (This is sometimes called “downscale burnout.”) For example, downscale burnout is used when trace-heating an outdoor pipe or vessel that must not be allowed to cool off. In situations where downscale burnout is required, ensure that the controller is configured this way and that this type is not mixed with upscale burnout controllers in the storage area. Mixing these two up at time of controller maintenance is imprudent and potentially dangerous.

Reversed Thermocouple. Often, thermocouple wires are crossed when a process is being rewired or commissioned. This would normally send the controller indication downscale and call for full heat, perhaps damaging your equipment or making scrap product.

Consider using controllers that can recognize this as an unrealistically low temperature and default either to power off, or to the level of power that you specify.
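The burnout and reversed-thermocouple behaviour described above, as an added illustration that is not code from the original article or from any controller vendor. The proportional band, the 30 percent downscale fallback and the -50 °C plausibility floor are assumed values; the -180 °C reading used in the test is a constructed stand-in for the off-scale indication a crossed thermocouple produces.

```python
from dataclasses import dataclass
from enum import Enum


class Burnout(Enum):
    UPSCALE = "upscale"      # open sensor reads high: heat off (the usual factory default)
    DOWNSCALE = "downscale"  # open sensor reads low: fall back to a preset power (e.g. trace heating)


@dataclass
class LoopConfig:
    setpoint_c: float
    prop_band_c: float = 20.0          # assumed: demand reaches 100% this far below the setpoint
    burnout: Burnout = Burnout.UPSCALE
    downscale_power_pct: float = 30.0  # assumed fallback, used only with DOWNSCALE burnout
    min_plausible_c: float = -50.0     # assumed floor; colder readings imply a reversed sensor
    reversed_power_pct: float = 0.0    # power applied when a reversed thermocouple is suspected
    detect_reversed: bool = True       # False models a controller with no reversed-sensor check


def heat_demand(cfg, reading_c):
    """Return (demand_pct, status) for one controller scan.

    reading_c is the temperature the controller derives from the sensor, or None
    when the input is open circuit (broken or burnt-out thermocouple).
    """
    if reading_c is None:
        if cfg.burnout is Burnout.UPSCALE:
            return 0.0, "broken sensor: upscale burnout, heat off"
        return cfg.downscale_power_pct, "broken sensor: downscale burnout, preset power"
    if cfg.detect_reversed and reading_c < cfg.min_plausible_c:
        return cfg.reversed_power_pct, "implausibly low reading: suspected reversed thermocouple"
    # Plain proportional action: demand rises linearly across the band below the setpoint.
    # Without the plausibility check above, a crossed thermocouple lands here and gets full heat.
    error_c = cfg.setpoint_c - reading_c
    demand = max(0.0, min(100.0, 100.0 * error_c / cfg.prop_band_c))
    return demand, "controlling"
```

Swapping `detect_reversed` to False reproduces the hazard the text describes: the off-scale-low reading is treated as a huge error and the controller calls for 100 percent power.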

Replacing Thermocouples. Some plants have a mixture of different sensors, and it is easy to take, say, a Type R thermocouple off the spares shelf and install it where a Type K came out. This would make the controller drive the temperature up to some three or four times the set value. So, identify and label spare thermocouples and controllers by thermocouple type.

Auxiliary Alarms on Controllers. Besides the control output, a controller can have extra relay or logic outputs that can be configured as high, low, deviation high, deviation low or deviation band alarms. Note that deviation is from the working setpoint. The usual convention is to have the relay or logic signal drop out in the alarm condition. This usually is defined as “fail-safe” because open-circuit relay contacts and broken wires would give a false alarm, reckoned to be preferable to an unrevealed alarm that the opposite logic would suffer.

However, before you depend - and act - on the term “fail safe,” you must thoroughly analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection. For serious overtemperature protection, remember that the controller could fail, so do not depend on the alarm circuit in the controller itself. You would be wise to provide an independent second opinion in the form of a separate alarm instrument or module on its own dedicated sensor.
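The alarm types, the delay and latching options from the Eurotherm figure caption, and the drop-out-in-alarm convention, as an added model that is not the article's or any vendor's code. The alarm kind names, the scan-count delay and the `annunciated` helper are assumptions; the independent second-opinion instrument the text recommends is deliberately outside this model, which shows only why the controller's own alarm circuit is called fail-safe and what the opposite logic hides.

```python
from dataclasses import dataclass


@dataclass
class AlarmConfig:
    kind: str               # "high", "low", "dev_high", "dev_low" or "dev_band"
    limit: float            # absolute value for high/low; distance from working setpoint for dev_*
    delay_scans: int = 0    # condition must persist this many extra scans before the alarm raises
    latching: bool = False  # once raised, stays raised until acknowledge() is called


class ControllerAlarm:
    def __init__(self, cfg):
        self.cfg = cfg
        self.persist = 0
        self.active = False

    def _condition(self, pv, working_sp):
        k, lim = self.cfg.kind, self.cfg.limit
        if k == "high":
            return pv > lim
        if k == "low":
            return pv < lim
        dev = pv - working_sp  # deviation alarms are measured from the working setpoint
        if k == "dev_high":
            return dev > lim
        if k == "dev_low":
            return dev < -lim
        if k == "dev_band":
            return abs(dev) > lim
        raise ValueError(f"unknown alarm kind {k!r}")

    def scan(self, pv, working_sp):
        """One controller scan. Returns True if the alarm is active after this scan."""
        if self._condition(pv, working_sp):
            self.persist += 1
        else:
            self.persist = 0
            if not self.cfg.latching:
                self.active = False
        if self.persist > self.cfg.delay_scans:
            self.active = True
        return self.active

    def acknowledge(self):
        """Clear a latched alarm; it re-raises on the next scan if the condition still holds."""
        self.active = False
        self.persist = 0


def annunciated(alarm_active, circuit_intact, convention="de_energise_to_alarm"):
    """What the annunciator sees. circuit_intact=False models a broken wire, dead coil or lost power."""
    if convention == "de_energise_to_alarm":
        contact_closed = circuit_intact and not alarm_active  # closed only while healthy
        return not contact_closed  # any circuit fault reads as a (false) alarm
    return circuit_intact and alarm_active  # energise-to-alarm: a fault hides a real alarm
```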

More on hazards next month.