
LPB 296

The Loss Prevention Bulletin Issue 296 discusses various aspects of process safety, including managing stored energy risks, learning from historical accidents like Three Mile Island, and the importance of thorough hazard analysis. It emphasizes the need for effective safety procedures and communication to prevent incidents, illustrated by a case study of a serious accident at a power station. Additionally, the bulletin offers training resources and highlights common hazards often overlooked in process safety assessments.

Uploaded by

Vikas Dadhich

Loss Prevention Bulletin

Improving process safety by sharing experience

Issue 296, April 2024

A toolkit for successful process safety leadership site visits
Managing the risks of stored energy
Updated history of a solvent recovery plant site after an explosion and fire
Three Mile Island – Can we learn from a nuclear accident that occurred 45 years ago?
Book Review: Flixborough ‘I Was There’
Five commonly missed hazards in Process Hazard Analysis or Hazard Identification and Risk Analysis



Loss Prevention Bulletin

Articles and case studies from around the world

Issue 296, April 2024

Editors: Tracey Donaldson & Charlotte Wessels
Publications Director: Claudia Flavell-While
Subscriptions: Hannah Rourke
Designer: Alex Revell

Copyright: The Institution of Chemical Engineers 2024. A Registered Charity in England and Wales and a charity registered in Scotland (SCO39661)
ISSN 0260-9576/24

The information included in lpb is given in good faith but without any liability on the part of IChemE

Photocopying
lpb and the individual articles are protected by copyright. Users are permitted to make single photocopies of single articles for personal use as allowed by national copyright laws. For all other photocopying permission must be obtained and a fee paid. Permissions may be sought directly from the Institution of Chemical Engineers, or users may clear permissions and make payments through their local Reproduction Rights Organisation. In the UK apply to the Copyright Licensing agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London, W1P 0LP (Phone: 020 7631 5500). In the USA apply to the Copyright Clearance Center (CCC), 222 Rosewood Drive, Danvers, MA 01923 (Phone: (978) 7508400, Fax: (978) 7504744).
Multiple copying of the contents of this publication without permission is always illegal.

Institution of Chemical Engineers
Davis Building, Railway Terrace, Rugby, Warks, CV21 3HQ, UK
Tel: +44 (0) 1788 578214
Fax: +44 (0) 1788 560833
Email: tdonaldson@icheme.org or journals@icheme.org
www.icheme.org

Contents

Managing the risks of stored energy – always expect the unexpected.
This article highlights the importance of managing the risks associated with stored energy. It discusses common accidents that can occur due to releases of stored energy and provides good practices for ensuring safety. The article also presents a case study of an accident at a power station, emphasizing the consequences and investigation findings. The article emphasizes the need for proper procedures and communication to effectively manage the hazards of stored energy.

Updated history of a solvent recovery plant site after an explosion and fire
This article provides an updated history of a solvent recovery plant site in Cheshire, UK, after an explosion and fire in 1981. The site was initially considered suitable for housing development, but subsequent sampling and analysis revealed extensive contamination. The contamination posed health hazards to animals, leading to the remediation and landscaping of the site to form a country park. The article highlights the hazardous nature of the plant’s design and operation and the failures to address safety concerns.

A toolkit for successful process safety leadership site visits
This article presents a toolkit for leaders to conduct impactful process safety themed site visits. It emphasizes the importance of process safety leadership in setting the culture of an organization and reducing the risk of major accidents. The toolkit includes eight activities that leaders can choose from, such as small group discussions, incident reviews, and process plant task audits. These activities aim to engage with staff, identify process safety risks, and demonstrate the leader’s commitment to safety.

Three Mile Island – Can we learn from a nuclear accident that occurred 45 years ago?
This article highlights the main events leading to the accident and the lessons that can still be applied today. It discusses failures in design, control room layout, alarms, operator skills, and the normalization of deviance. The aim is to emphasize the importance of learning from past accidents to improve safety in all industries.

Book Review: Flixborough ‘I Was There’: The story of the 1974 Flixborough disaster
Rick Loudon’s book, marking 50 years since the Flixborough disaster, intertwines personal stories with the event’s impact on chemical safety. Highlighting survivor accounts and emergency responses, it stresses the importance of prevention and ongoing safety lessons.

Five commonly missed hazards in Process Hazard Analysis or Hazard Identification and Risk Analysis
This article discusses often missed hazards that are not picked up during PHAs and HIRAs. It emphasizes the importance of diversifying analysis methods, conducting site visits, and challenging existing practices to avoid overlooking these hazards.

© Institution of Chemical Engineers


0260-9576/24/$17.63 + 0.00


Incident

Managing the risks of stored energy – always expect the unexpected.

Andy Brazier, UK

Summary

Stored energy has a habit of catching us out. We instinctively perceive operating equipment as hazardous and stopped equipment as safe. We direct our attention to handling flammable or toxic substances and view inert substances as harmless.

Three people were injured, two seriously, when hot water condensate was released whilst preparing a non-return valve for maintenance. The method used to verify the system’s safety created a strong-but-wrong indication that there was no stored energy in the system, erroneously suggesting it was safe to break containment.

Keywords: Stored energy

Hazards of stored energy

We may encounter potentially hazardous stored energy in many places. Spinning flywheels and springs or cables under tension can be a source of mechanical energy. Batteries and capacitors may hold hazardous electrical charge. Hot water and steam, and non-hazardous gases including air and nitrogen under high pressure can be very hazardous. Hydraulic systems can be held at very high pressures (several hundred bar) and hydraulic injection injuries can be horrific (images on Google of these injuries are blurred out by default as potentially explicit).

Common accidents

Some accidents occur fairly frequently due to releases of stored energy whilst performing routine tasks.

Hose whip injuries when disconnecting a flexible hose can be fatal. Well designed connection rigs with a depressurisation facility and reliable gauges should be a requirement, with whip checks as an additional control.

Releases of pressure when removing blank flanges can lead to technicians being sprayed with chemicals or hot fluids. Valves only need to pass a very small amount to allow full plant pressure to be built up between the blank flange and the closed valves. Bleed valves and/or vented blank flanges can be used to confirm there is no pressure before the joint is broken.

Even a small release of energy can be hazardous if it is unexpected and startles the technician, especially if they are working at height.

Good practices

Lock-Out Tag-Out Try-Out (LOTOTO) is a safety procedure for ensuring that hazardous equipment has been properly shut down and made safe before work can take place. Locks and tags are used to prevent hazards being reintroduced after preparation is complete and the Try-Out stage is verification that preparation has been successful. However, the case study below will illustrate how this can fail if the steps required to prepare equipment are not all completed, and in the correct sequence.

A ‘First Break’ procedure should be followed when breaking containment on any system that handles hazardous substances and/or conditions. It should ensure only people essential to the task are in the vicinity and that they are protected against the potential hazard (including the use of appropriate Personal Protective Equipment). Wherever possible, the break of integrity should be carried out in a way that can be recovered if a hazard is discovered (e.g. partial unbolting that can be reversed) and ensuring people are not in the ‘line of fire’. Someone from the operating team should physically inspect the equipment immediately before containment is to be broken to ensure all preparations have been completed correctly.

Case study

Rye House power station uses combined cycle gas turbine technology to generate megawatts of electrical power. On 23 January 2009 three people were badly burned by a release of hot steam condensate when a valve was being prepared for maintenance. One casualty suffered life-threatening injuries.

This accident summary is based on details presented in a video created by ScottishPower and widely circulated to employees, contractors and industry colleagues.

Timeline

The power station was being shut down for maintenance on the gas supply pipeline. The opportunity was used to progress maintenance in other areas, including repairs to a non-return valve on the discharge side of a high-pressure condensate recirculating pump. This required the system to be isolated and drained. Access to the valve was by scaffolding erected at a height of approximately 3 m.

• 9:42 p.m. (22 January — night before the accident): Station shuts down and preparations begin for the following day’s maintenance. A team was tasked with isolating and draining the system to make it safe for the planned maintenance. Information was provided to them in shift instructions and a detailed drainage schedule.

• 2:30 a.m.: It became clear that the pressure was not decaying quickly enough for preparation work to be completed by the end of the night shift. Consequently, the system would be handed over in a partially isolated and drained state.

• 6:00 a.m.: The day shift arrives to receive a handover. At this time the system pressure was 3 barg.

The drainage schedule was referred to during the handover. It had been marked up with a highlighter pen and some handwritten notes. Two sets of valves remained to be opened. The first was the group of drainage valves that the night shift had been unable to operate. The second was a pair of ‘tell-tale’ valves that would provide visual confirmation that the system had been fully drained. The shift instruction stated that these could be opened when the boiler pressure had fallen to 2 barg.

• 7:10 a.m.: The pressure had fallen below 2 barg. This was taken as a cue to open the tell-tale valves.

When the tell-tale valves were opened a small amount of steam was observed to flow to drain, which quickly stopped. This created a strong-but-wrong indication that the whole system had been drained and depressured successfully. However, this was not the case because the group of drainage valves were still closed, which meant the tell-tales were isolated from the main system.

The day shift team leader visited the site and inspected the tell-tale valves. Seeing no steam or water he assumed that the system was in a safe state for maintenance to commence.

• 9:40 a.m.: A permit for work was issued to the maintenance team member for the valve repairs.

• 3:40 p.m.: Two contractors, working from the scaffold, started to break the pressure seal on the non-return valve. Suddenly hot condensate escaped from the seal and engulfed both men.

Consequences

One man was able to escape from the scaffold, but his colleague was not. Another contractor from the same company witnessed the incident and went to rescue his trapped colleague.

First aiders rushed to the scene and emergency services were called. A paramedic was on site within 20 minutes followed by the first ambulance a few minutes later.

The more seriously injured man had to be rescued from the scaffold using a mobile elevated working platform. All three men were taken to hospital. The man who had been trapped on the scaffold received 60% burns and spent several days in a critical condition on a high dependency ward. Thankfully he pulled through, but he spent six weeks in hospital. His colleague who had been working with him on the scaffold received 26% burns and was hospitalised for two weeks. The third man who went to the rescue of his colleague was allowed home after treatment that night.

Investigation

An internal inquiry found the cause of the incident was a failure to drain the discharge side of the high-pressure recirculating pump where the non-return valve was situated. This occurred due to communication errors from night to day shift that meant the status of the system’s drain valves was misunderstood. Whilst the status was indicated on the drainage schedule, use of a highlighter pen and hand-written notes may have contributed to the error.

Inexperience of the maintenance personnel also contributed. They interpreted the small steam flow from the tell-tale valves as a positive sign that the stored energy in the system (hot condensate) had been removed. However, they should have first seen a quite significant flow that subsided as the residual 2 barg pressure decayed.

Conclusions

The hazards of stored energy can easily be overlooked. Even when recognised, the indications used to verify system safety can be unreliable or prone to misinterpretation. It is always inherently much safer to work on systems after eliminating all potential hazards, including stored energy. If this is not considered at the design phase it may be difficult to achieve or confirm reliably.

Good procedures for removal of energy and personnel who understand the hazards and how they are controlled are essential for managing residual risks. Communication errors can significantly contribute to these risks, as commonplace administrative controls such as permit to work and lock-out tag-out may inadvertently reinforce errors due to the high regard in which people hold them, making individuals less inclined to question or challenge their effectiveness.


Incident

Updated history of a solvent recovery plant site after an explosion and fire

Tom Craig, UK

Summary

This paper outlines and updates the history surrounding a hexane vapour cloud explosion in 1981 that wrecked a solvent distillation plant (Chemstar Ltd) in Cheshire and killed one man. After the wreckage was cleared the site was considered appropriate for housing development. Two years after the fire the site was found to be unsuitable for that use when sampling and analysis showed it to be extensively contaminated. The contamination was such that earth removed from the site would be classified as special waste as defined in the Control of Pollution Act (1974) [16] and its disposal carried out accordingly. Twelve years after the explosion and fire a second campaign of site sampling showed that the contamination was still present and evidently causing health hazards to animals. The land was then remediated and landscaped to form part of a country park.

Keywords: Hexane, explosion, distillation, remediation

This paper draws on the Health and Safety Executive report [1] of the explosion and fire, and on subsequent work [2,3,4] that describes the environmental and social aftermath of the incident. The latter work includes information from former plant employees and from people living near the plant site. The site reclamation by the local authority is an example of a comprehensive contaminant investigation and remediation programme applied to a toxic industrial legacy.

The operation of the distillation process practised on the site and described below was self-evidently and avoidably hazardous. The requirements of UK health and safety law that the explosion and fire risks associated with the distillation process system should be reduced to levels as low as reasonably practicable were not applied during the life of the plant.

To prevent chemical processing operations being resumed after the explosion the local authority bought the site and planned to use it for housing development. Those plans were abandoned when a soil survey proposed by local residents and conducted two years after the fire showed that the site was widely contaminated to depths of 4 m by 400 different chemicals at concentrations up to 5000 ppm. The site was mapped using an 8 m² grid and samples were taken from boreholes and trial pits. The pattern of the soil sample analytical data showed that the contamination formed a plume pointed across the site towards nearby houses.

The site owners (the local authority) assumed that the contaminants found by the survey would eventually be reduced to negligible levels by natural degradation processes. This assumption guided the site history for a further seven-year period during which it was left derelict. After heavy rainfall surface water carrying an oily film ran off the site to an adjacent road. Odours arising from the derelict site in warm weather were regarded by local residents as a tolerable feature of their environment; the odour intensities were much lower than those generated by the plant operations.

Eventually some local residents became concerned by their observations of birth defects, deaths and ill-health among animals at the derelict site. The residents suspected that these health effects were associated with the site contamination. They carried out controlled trials that involved keeping groups of guinea pigs on site soil [5]. The groups of guinea pigs kept on site soil developed severe weight loss and died while the remotely kept groups thrived. These replicable findings indicated that dioxins might be present in the site soil. Further extensive analysis of site soil, using the internationally agreed GC-MS procedures for determining dioxins, found high levels of these were present on the site. These specialised analyses had not been done in the earlier site investigation. The dioxins are extremely toxic materials [6,7]. Quantitative data on the site contamination by these chemicals has been recorded elsewhere [2,3,4]. The levels of dioxins found were orders of magnitude greater than the published UK background concentrations.

Subsequent lobbying actions by residents motivated by these findings led the local authority (Tameside Metropolitan Borough Council) to obtain a further derelict land grant from the UK government. This grant, the second of two, funded remediation of the site for public use as a country park [8].

The history summarised in this paper took place in Carrbrook, a village near Stalybridge in Cheshire. The village was built in the 19th century beside a textile printing and bleaching works [9] and is a conservation area. Part of the textile works closed in 1970, and in 1975 was occupied by Chemstar Ltd. This company was created to recover solvents from contaminated highly flammable liquids by distillation. It used four batch stills and wiped film evaporation equipment. Much of the equipment was second hand (Figure 1). Chemstar’s stated intention was to recover solvents from difficult wastes which would otherwise be landfilled or incinerated as end-of-life materials [10]. Planning permission for the solvent recovery operations was not needed since under planning law, the Chemstar business fell within the same class of use as the textile printing and bleaching processes carried out earlier on the site.


works director who wrote instructions in a log book and also


acted as a supervisor. Laboratory analysis of contaminated and
processed materials was carried out by the works chemist.
Nightshift working, usually involving two employees, began
in 1979. If problems arose that these workers could not solve
they telephoned the works director for advice.
On the evening of 6 September 1981 an operating batch
still that had been charged with 6000 litres of contaminated
hexane lost the cooling water flow to its condenser. At the time
the cooling water supply to the site was being pumped from
behind a weir in the Carr Brook via a diesel-engined pump and
temporary piping while the normally used reservoir source had
been drained for repair. This temporary supply of water to the
site had proved unreliable and it was not backed up by any
other supply.
Figure 1 – Distillation pots on left
A process operator and a lorry driver visiting to load his
truck were the only persons present on the site. They tried
In the first year of its operation, 1976, the company unsuccessfully to re-establish the cooling water flow to the
reportedly handled a weekly workload of 10,000 litres1. still condenser. While they were still troubleshooting, hexane
This grew to 100,000 litres by 197810. By 1981, prior to the vapour from the condenser vent was flowing into the process
explosion the site held 700,000 litres of contaminated and building for about thirty minutes. The accumulated hexane
recovered solvents in 200-litre drums, and another 145,000 vapour was then ignited by the burner of a steam boiler
litres in bulk tanks1. Some of the bulk tanks were previously located close to the batch still. The resulting explosion and fire
used road tanker barrels. These were placed beside the destroyed most of the plant. The lorry driver was killed. The
process building and had no bunds (Figure 2). operator suffered burns but managed to run from the site and
Still bottoms were taken off-site for disposal and were call the fire brigade from a nearby house. The arrangement of
sometimes mixed with waste materials that the company process equipment that produced the hexane vapour cloud is
accepted from outside sources. shown in Figure 3.
The distillation process condensers were cooled by raw Village residents were evacuated while 37 fire appliances
water piped from a nearby reservoir that had previously fed fought the blaze15. During the fire, several steel 200-litre drums
the textile printworks operations. The outlet water from the holding flammable liquids flew from the fire and landed on
condensers flowed into a stream (the Carr Brook) that ran adjacent property.
across the site and then through Carrbrook village. There were no flow indicators or alarms in the condenser
In 1981, at the time of the hexane vapour explosion, there cooling water system. Water flow rate to the condenser was
were 15 employees, including process operators, a fitter, assumed to be constantly adequate to condense all vapour
drivers and office and laboratory staff. There were two generated by boiling in the still pot. Steam supply to the still

engineering
and design
company owner/directors; one of these was a chemist and one was adjusted manually so that the rate of vapour generation
an electrical engineer. There was also a works director who was did not exceed the condenser cooling capability. Control thus
an industrial chemist. All three had worked previously in the relied totally on the process operator observing by sight and/or
chemical industry. smell that distillate vapour was emerging from the condenser
There were no manuals describing the plant operation. and then reducing the steam supply to the still. He did this
Operators were trained by verbal instruction from one of the by regulating a manual valve in the steam supply line until the
directors. Day-to-day operations were decided usually by the distillate vapour emission stopped. To enable this practice a
vapour vent pipe from the condenser outlet end was located
alongside the batch stills at about 1.5 m above floor level
where the operator could easily see vapour being emitted from
it. This primitive control method obviously required operator
vigilance to avoid distillate vapour emissions. It was similar in
principle to that used in the 19th century for batch nitration of
glycerine where the operator controlled the hazardous process
while sitting on a one-legged stool to ensure his constant
attention11.
It has been suggested that locating the condenser vent
inside the building (Figure 3) was a process design feature
intended to prevent distillate vapour emission to the external
environment and consequent air pollution12. This suggestion
is incorrect and should not be read as a justification for the
hazardous process control practice. The reality is that having
the condenser vent location inside the building and thus
Figure 2 – Chemstar site readily visible was the essential feature of the process that

© Institution of Chemical Engineers


0260-9576/24/$17.63 + 0.00

296 Craig.indd 5 02/04/2024 16:50:17


6 | Loss Prevention Bulletin 296 April 2024

Figure 3 – Flow diagram of plant

enabled the operator to control the distillation. Glass had been of steel drums filled with flammable liquids prompted a study13
removed from the windows in the ground floor close to the by the Health and Safety Executive Laboratories in which 200
stills and replaced by wire mesh panels to allow vapours to litre closed steel drums of acetone were exposed to a shallow
disperse outside the building (Figure 4). Each of these three pool fire. They flew vertically up to 130 m and their contents
mesh panels was 2 m high and 1 m wide. formed a fireball in the drum trajectory. Images captured from
After the later (1988-89) analysis of around 500 samples film of this behaviour are shown in reference 14 along with a
of site soil, and discussion of the results with local residents comprehensive discussion of the mechanisms that can produce
in relation to health risks, a site remediation scheme was missiles when steel drums of flammable liquids are exposed
agreed between the local council and the Department of the to fire.
Environment. A grant of £1.3 million was given to the local The Chemstar solvent recovery operation is an example of
council to enable the site to be modified for use as a park. an economically beneficial recycling activity that avoidably
This scheme involved extensive civil engineering work. Land
where benzene concentration exceeded 5 mg/kg or where
total solvent concentration exceeded 500 mg/kg would be
removed. This required excavation and then burial in an
appropriately licensed landfill of 10,000 m3 of soil. 80 m3 of
soil contaminated by polychlorinated biphenyls (PCBs) and
dioxins was to be excavated, drummed and incinerated in
an appropriate high-temperature facility. To intercept water
leaching from the site towards the houses, a vertical barrier of
bentonite (600 mm thick and 2000 mm deep) and polyethylene
was to be installed in the ground along a 21 m stretch of the
land where the site bordered the village. These planned
actions would be followed by the importation of clean soil,
landscaping and tree planting.
During the fire at Chemstar several 200 litre steel drums of
flammable liquids became missiles as a result of fire exposure,
causing their contents to produce boiling liquid expanding
vapour explosions (BLEVEs). Some of the drums flew up to
300 m beyond the site boundaries. This hazardous behaviour
created an environmental and social disaster. The hazards and
risks of fire and explosion associated with the plant’s clearly
sub-optimal design and operation were not identified and
appropriately addressed in the context of duties set out by UK
health and safety laws.

Figure 4: Former Chemstar Site (Drum stacks in areas A, B, C)

Following its failures to foresee the persistent and hazardous nature of the site contamination after the fire, the local authority eventually acted commendably in obtaining derelict land grants to remediate the Chemstar site and landscape it to form part of the adjacent country park.

Notes and references
1. The explosion and fire at Chemstar Limited 6 September 1981. Health and Safety Executive 1982. This report contains an aerial photograph of the site immediately after the fire.
2. Tom Craig and Roman Grzonka. A case study of land contamination by solvents, polychlorinated biphenyls and dioxins. Land Contamination and Reclamation 2 no 1 (1994) 19-25
3. T.O. Craig and R.B. Grzonka. Persistent land contamination from the operation and subsequent fire destruction of a solvent recovery plant. Environmental Protection Bulletin 018 (IChemE 1992) 12-18
4. B.J. Alloway and D.C. Ayres. Chemical Principles of Environmental Pollution. (Second Edition) 371-2 Blackie 1997
5. R.D. Kimbrough et al. Health implications of 2,3,7,8-tetrachlorodibenzodioxin contamination of residential soil. J. Toxicology and Environmental Health 14 47-93 (1984). This paper by workers at the US Environmental Protection Agency mentions the use of guinea pigs as sentinel animals on contaminated sites to indicate the possible presence of dioxin and its bioavailability. Guinea pigs kept on soils contaminated with dioxin develop a characteristic wasting disorder and have an abnormally short lifespan. They are more sensitive than other animal species to dioxin poisoning.
6. S.A. Skene et al. Polychlorinated dibenzo-p-dioxins and polychlorinated dibenzofurans: the risks to human health. A review. Human Toxicology (1989) 8 173-203
7. Ronald A. Hites. Dioxin: an overview and history. Environmental Science and Technology (2011) 45 1 16-20
8. The first derelict land grant (£500,000) had been obtained in 1983 (after the first soil analysis results). It was used solely to remove asbestos from fire-damaged buildings near the site, and to reinforce a dam. The grant recipients (the local council) assumed that the chemical contamination identified by the first survey of the site would dissipate naturally.
9. Dr. M. Nevell et al. Carrbrook: A textile village and its valley. A study in the industrialisation of the Pennine uplands. University of Manchester Archaeological Unit and Tameside MBC (2006). This book contains an aerial photograph showing the Chemstar site lying derelict in 1981 after the wrecked plant and buildings had been removed. The book’s authors wrongly attribute the Chemstar explosion to a runaway reaction.
10. David Kilpatrick. The Sunday Times, June 11 1978. “Where there’s chemical muck…”.
11. Alfred Nobel batch process for nitroglycerine manufacture. A process description and illustration showing the reactor operator in position on a one-legged stool to ensure his attention to temperature control of a batch nitration reactor are at http://lateralscience.blogspot.com
12. T.A. Kletz. What went wrong? Case histories of process plant disasters and how they could have been avoided. Elsevier 1985. The invalid explanation in this book that Chemstar located the condenser vent inside the process building to avoid air pollution remains uncorrected in subsequent editions published through 2009.
13. Dr. Graham Atkinson. Private communication to the author (1993).
14. Dr Tom Craig. Storing steel drums of flammable liquids – regulations and reality. Loss Prevention Bulletin 252 December 2016 7-12.
15. Greater Manchester Fire Service: Chemstar Fire Report FP//F/44/11 (1981). Photographs taken at the Chemstar site at the end of the firefighting operation are at www.facebook.com/manchesterfire
16. The Control of Pollution Act (1974) defined special waste as waste which is dangerous to life. The legal definition of this property according to the act is that a single dose of not more than 5 cm³ would be likely to cause death or serious damage to human tissue if ingested by a child of 20 kg body weight, or if up to fifteen minutes exposure would be likely to cause serious damage to human tissue by inhalation, skin or eye contact.

Safety Practice

A toolkit for successful process safety leadership site visits
Ashley Hynds, DNV, UK
Summary
In recent years, the phrase ‘process safety leadership’ has been used to describe the actions and behaviours of leaders which set the culture of an organisation, and which can have an impact on the risk of major accident hazards being realised. Successive major accidents, including those at Piper Alpha, Texas City, Macondo, and Buncefield have graphically demonstrated the catastrophic consequences that can occur when senior leaders fail to set the right culture within their organisations, and are not sufficiently connected with activities at the front line.

In 2009, the ‘Process Safety Leadership Group’ identified eight key principles and associated organisational measures and resources that leaders needed to adopt to create a positive process safety culture. Amongst others these include requirements for board level involvement, visibility, and promotion of process safety management; and engaging and involving the workforce in managing safety. Site visits are a key means by which leaders can be effective at engaging the workforce and understanding the risks that their teams are facing.

This paper presents a ‘toolkit’ of eight activities which can support leaders in conducting impactful process safety themed site visits. As well as providing general advice on implementation of a site leadership visit plan, and the conduct of site visits, each activity is described with its purpose, methodology, and suggested follow-up actions.

The toolkit may benefit all companies with major accident hazard risks and will be suitable for use by leaders at all levels, including directors, production managers, technical experts, supervisors, and safety representatives.

Keywords: Process safety leadership, site visit, toolkit

Process Safety Leadership

Introduction
In recent years, ‘process safety leadership’ has been used to describe those actions and behaviours of leaders which set the culture of an organisation, and which can have an impact on the risk of major accident hazards being realised. Successive major accidents, including those at Piper Alpha, Texas City, Macondo, and Buncefield have graphically demonstrated the catastrophic consequences that can occur when senior leaders fail to set the right culture within their organisations, and are not sufficiently connected with activities at the front line.

Leadership factors
The impact that leadership has on safety culture and outcomes has been extensively researched and reported, with many alternative (and sometimes competing) theories and recommended approaches. Much of this is focussed on occupational health and safety rather than process safety. Whilst there are actions that leaders can take to improve an organisation’s process safety performance and culture which are specific to major accident hazards, there are likely to be many leadership traits which have a common and positive impact on both process and occupational safety.

Cooper¹ identifies the importance of achieving a balance of caring and controlling behaviours for leaders. The former is exemplified by concern for topics such as people’s well-being, establishing a good rapport with subordinates and being generally available. The latter refers to the setting of standards; clarifying people’s job roles, expectations, and responsibilities; motivating people to follow rules and procedures; and so on.

Within the field of process safety, Kerin identified six personality traits (‘who we are’) that are important to delivering effective leadership, namely: be inspirational, have vision, be trustworthy, serve others, be empathetic, and be humble. Eight actions are also identified which help deliver effective leadership (‘what we do’), namely: set direction, be yourself, be consistent, speak up, look after people, have fun, seek information, and reflect².

Aspects of these behaviours, traits and actions are reflected in the ‘Process Safety Leadership Principles’.

Process Safety Leadership Principles (PSLPs)
Within the UK, sector trade associations, regulators, trade unions and employee representatives have agreed common sets of principles for process safety leadership. These have included the Process Safety Leadership Group (PSLG)³, and Offshore Energies UK (OEUK)⁴ for onshore and offshore major hazard industries respectively. Both have set out similar principles for senior industry figures to follow, as well as recommended arrangements for organisation and resources, to deliver effective process safety leadership. These include requirements for board level involvement, visibility, competence and promotion of process safety management; putting process safety leadership at the core of business policies and ways of working to ensure that operational risks are properly managed; engaging and involving the workforce in managing safety; robust and regular auditing of safety management systems; publication of process safety performance indicators; and sharing of good practice and learning of lessons from across industry sectors.

Leadership site visits & supporting tools
In support of adherence to the PSLPs, and the requirements for board level visibility, promotion of process safety management, and engaging and involving the workforce in managing safety, a variety of practices have been adopted. Many organisations encourage regular visits to their sites by senior leaders to meet staff and see the facilities first hand⁵.

In recognising that some leaders may not have the competence or confidence to address process safety topics, and with a view to standardising and improving the approach taken, several companies have developed leadership engagement visit tools and guidance for senior staff, based around key process safety management themes. The frequency of visits to each site by each leader may also be mandated.

The tools typically require leaders to look at site conditions and work practices first-hand, often in conjunction with a local leader who is familiar with the area. They encourage leaders to discuss their observations with a cross section of staff at the site, and to solicit their opinions on how well work is organised, and where the process safety risks lie. They also provide a good opportunity for leaders to share their expectations and values. Importantly they typically require leaders to provide feedback to the site and wider organisation on what they have seen, and any actions they intend to progress as a result.

Senior leader site visit toolkit

Scope and purpose
This paper presents a ‘toolkit’ (or set) of activities that leaders can choose from to support them in conducting site visits which have a positive impact on an organisation’s process safety culture. Each activity is described in terms of its purpose, methodology, expected benefits and outcomes, time and necessary resources to deliver it, target audience, and appropriate suggested follow-up actions.

The toolkit is based upon the author’s own observations of senior leader site visits and associated visit protocols made whilst working in major hazard sectors as a site manager, regulatory inspector and safety engineering consultant.

Target audience
The toolkit will potentially be of benefit to all companies with major accident hazard risks. It is designed to be suitable for use by leaders at all levels and in all functions, including board members, directors, middle management and supervisors, and those in HR, finance, procurement, logistics and others as well as engineering and operations roles (such as production managers, technical experts, HSE managers, and safety representatives). Many of the activities will however require a baseline level of understanding of operations and major hazards, and so are likely to be of greater use to those in such functions.

Site leadership visit plan
Leadership visits are critically important, in terms of the positive impact that they can have on the process safety culture of a site, and the enhanced awareness of a site risk profile that they can bring to leaders. It is important to recognise however that they can also be disruptive to day-to-day operations.

Site managers will typically want to present their site in the best possible light during leadership visits, and this may lead to intensive efforts to make improvements in the days/weeks prior to them such as housekeeping tours and clean-ups, updating of records, and organising presentations. From the leaders’ perspective, an effective visit will also require planning and discussions with site management to get the best out of it. To this end, it makes sense to ensure that an appropriate programme of visits and activities is scheduled in advance, such that the site is not inundated with short term or multiple requests for visits, and the engagements are planned. The plan should capture:
• all planned leadership visits over the course of the coming year.
• the planned content and timing of each visit.
• the ground rules and expectations for the visits in terms of duration, who will be engaged with, expected behaviours and outcomes.

Conduct of leadership site visits
Hopkins’ analysis of a trip to the Deepwater Horizon rig by BP & Transocean executives, immediately prior to the blowout in 2010, is particularly helpful in terms of identifying the key factors necessary to deliver an effective leadership site visit⁶. He concludes that the visit was particularly ineffective because it:
• had an exclusive focus on personal rather than process safety;
• targeted assessment of conditions (e.g. housekeeping) rather than individuals’ behaviours (actions and decisions) such as adherence to procedures;
• avoided spending time in areas where there was intense activity, to avoid interference or disruption;
• avoided directly engaging with staff at more junior levels, out of a concern not to undermine site leadership or be seen as challenging individuals’ competence.

Hopkins suggests several actions that could have been taken to make the visit more effective including:
• being aware of the major accident events that could occur on the installation, prior to attendance;
• understanding the controls that should be in place to prevent such events, with a view to verifying that they are in place and working as intended whilst on site;
• being aware of any recent significant process safety incidents that have occurred on other sites which may have relevance to the current site;
• dedicating time to check processes which may be of fundamental importance to process safety;
• being aware of any current operations at the site which might present an opportunity for closer attention, and potentially relate to the higher risk issues identified above.

Further guidance that can help senior leaders prepare for and deliver effective site visits⁷ includes the following suggestions:
• Finding out when key regular operational meetings occur and deciding which ones to attend. Discussion with local management to agree the role the leader will play in these meetings.
• Preparing a list of topics or questions to ask when meeting
with individuals or work groups. For example, asking people what the key risks are in their work, what dangers they face and how these are controlled. What activities make the team feel uneasy? What key health and safety issues are not being addressed? What safety-related equipment is not operational – and why? How can safety critical activities be improved?
• Being visible to the workforce – speak to as many individuals and shake as many hands as possible. Do not be restricted just to meetings with site management.

Notification of the visit
In advance of the visit, it can be helpful for the visiting leaders to explain to site teams who they are in terms of their current role and professional background, why they are coming, and what their expectations are. This may typically be achieved via an email to all site staff, and possibly in online meetings with site management who can cascade the messages. Done well, a short video message (vlog) can also be particularly effective in reaching a wider audience and increasing engagement. This upfront messaging sets the scene for the visit, gives the leader an opportunity to demonstrate their commitment to safety and the wellbeing of their staff, and ideally shows their willingness to listen, learn, and support the team. In so doing, any barriers to starting meaningful safety conversations on site should hopefully be lowered.

Prioritisation of visit time on safety matters
Once on site, it is essential that a key focus of the visit is on safety, with other topics playing only a minor role in terms of the time spent on them. To do otherwise risks site staff having the perception that safety is of lesser interest to the leader.

Listening and challenging
In accordance with the positive leadership traits of being trustworthy, serving others, being empathetic, and being humble, it is important that leaders ask open questions of site staff, and actively listen and acknowledge the thoughts and concerns that they express. Site staff will know far more about the risks of the activities that they perform than many visiting leaders will, and it is important for leaders to show their interest, competence, and curiosity in such matters. The latter is particularly important for those leaders who do not have a background in operations or high hazard risk management.

Similarly, it is important for leaders to take any opportunities that present themselves to set a vision for the standards that they expect, and to sensitively challenge any expressed behaviours or actions which do not meet the requirements. This may require explanation or reinforcement of such standards and the reasons for them.

Engagement with safety representatives
Engagement with safety representatives and committees can be a powerful mechanism for influencing behaviour at a site and obtaining a ‘warts and all’ perspective on how process safety is really being managed.

Scheduling a meeting with safety representatives at an early point within the visit agenda will clearly demonstrate to the representatives and others that their status and opinions are valued. It is important also that any feedback from the visit is shared with safety representatives at the end of the engagement.

Follow-up of issues arising
It is important that the leader provides feedback to the site on any observations that they make (both positive/negative). Ideally this should be in the form of an immediate debrief before they leave the site, and then some more considered written feedback once they have been able to consult with colleagues and have been able to agree any appropriate follow-up actions. It is particularly powerful for the leader to be seen to be acting on any process safety issues that they identify, and they should follow these through with personal interest until they are successfully completed.

Walk the talk
It is important for leaders to be consistent in their approach and to lead by example, modelling the behaviours that they expect of their teams. If a leader does not adhere to the rules, then trust and engagement will be reduced.

In the field of personal safety, leaders should take extra effort to ensure that they follow all site safety policies, including wearing of PPE, following designated pathways, holding handrails, etc. It can be helpful for leaders to ask for support/reminders to do so, and to explain that they would welcome challenge from people on site, as this can help demonstrate humility and respect for the rules.

In terms of process safety, they should similarly be seen to follow site safety policies, but this can be extended to include other desirable traits, such as demonstrating to staff the following attributes and behaviours:

| Desirable process safety leadership attributes | Leadership actions to support their demonstration |
|---|---|
| A high level of awareness of process hazards and their potential consequences at the site. | Prepare in advance of the visit by reading about site major accident hazards (e.g. from COMAH or Offshore Safety Report). Be briefed by a process safety engineer with knowledge of the site/installation. |
| Support for a high level of vigilance and curiosity for indications of system weaknesses that might allow such hazards to manifest themselves, and the need to report these. | Ask questions about what might go wrong, how would someone be able to tell, and what they can do about it? Review recent site incident and near miss investigation reports. Ask staff to talk about any recent process safety related incidents and near misses they are aware of. Praise those who have reported near misses. Ask staff to talk about any plant equipment that isn’t working as it should, or procedures that are difficult to adhere to. Ask staff to explain any temporary procedures or operational risk assessments for deviations/degradations in safety critical controls. |
| Unwillingness to be complacent about performance that could result from past success. | Celebrate positive leading (rather than lagging) process safety performance indicators (PSPIs) and safety improvement initiatives. Express concern at negative leading PSPIs. Explain that just because a site has not had a major release, it does not necessarily mean that its process safety risks are well managed. |
| Unwillingness to assume that good personal safety performance means that process safety is similarly well managed. | Be prepared to explain the difference between personal and process safety. |
| Respect for technical expertise, and a need to defer to this in matters of decision making related to process safety. | Ask teams who their ‘go-to’ expert is for process safety matters (e.g. when they have a concern, or are unsure). Ask if they get enough time with them. Encourage teams to make use of them and share their experiences and observations, particularly when something new or unusual occurs. |

Table 1 – Process safety leadership attributes

Visit activities
The table below describes the eight activities, along with an anticipated duration, and a suggested required level of process safety competence for them to be delivered effectively. Competence levels are as described by the IChemE Safety Centre⁸.

| | Activity | Required process safety competence | Duration/minutes |
|---|---|---|---|
| 1 | Small group discussion | Awareness | 60 |
| 2 | Incident review – what can we learn? | Awareness | 30 |
| 3 | A-day-in-the-life | Awareness | 180 |
| 4 | Improvement planning assessment | Basic | 60 |
| 5 | Control room visit | Basic | 60 |
| 6 | Degraded major accident barrier assessment | Basic | 90 |
| 7 | Process plant task audit | Skilled | 90 |
| 8 | Safety system audit | Skilled | 90 |

Table 2 – Visit activities

It is important that leaders choose activities that they are confident in delivering, have sufficient time to complete fully, and are likely to align well with the current risk profile and challenges that the site is experiencing. A poorly delivered activity may have a negative impact on the perception of a senior leader’s commitment to process safety by site staff, and/or miss an opportunity to identify and challenge poor behaviours or practices, both of which ultimately could increase the risk of a major accident occurring in the future.

Small group discussion

Activity
Lead a discussion with a small group (4-6) of site staff from a variety of different roles/backgrounds, to elicit opinions on a range of process safety topics, and how well these are managed within the company. Individuals can either volunteer to take part or be nominated by site management. It can be helpful if the persons involved are seen to be influential and/or representative of the site workforce, to increase the impact of the interaction. The activity will likely take up to 60 minutes.

Purpose
• To obtain an independent and/or alternative view on what is really going on at the site, and any issues of concern relating to process safety.
• To demonstrate to staff the importance that the leadership place on process safety management.

Methodology
• A key part of the session is to establish trust and engagement with the leader, such that the conversation can be open and honest. If the leader is not well known to the group, they should spend the first few minutes describing their background, before then asking for everyone else to do the same.
• The leader should:
– Explain the purpose of the session, give an overview of what process safety is, and how they are keen to hear honest opinions of how well process safety is managed within the work area, such that they can provide any necessary support.
– Describe why they feel process safety is important to them, with use of any personal experiences to support this wherever possible.
– Share details of any occasions where they feel they may have made a poor decision or error of judgement as a leader, which may have impacted on safety. It can be helpful to share these to demonstrate humility and willingness to learn.
– Share a copy of any dashboard or PSPI report or similar that the leader receives and explain that this is a key means by which they obtain feedback on the site’s performance, but they are keen to obtain a fuller picture.
• Ask questions of the group. Examples which may be effective include:
– If there was going to be a major incident at this site in the coming years, what would it be and why?
– What improvements in process safety have there been at the site in recent years?
– What is on the improvement plan for process safety this year?
– Are any of you involved in any process safety improvement projects?
– What would have the biggest impact in terms of reducing the risk of a major incident?
– If you had (say) £50k, £500k, or £5M to improve process safety at the site, what would you spend it on?
– What frustrates you about your job, and getting work done?
– What aspects of your role impact on process safety?
– Have you ever reported a near miss relating to process safety? What was it and what was done about it?
– Have you ever taken part in an audit of a safety system, or an investigation of an incident?
– If you had a new task or procedure to follow, and you were not sure what to do, what would you do?
– If the plant was running unusually, and the team were unsure what to do, and you couldn’t get any external help or advice, what would you do?
– Have you seen process safety managed better elsewhere?

Overall, it is important that the group feels that the leader is in ‘listening mode’. If appropriate, it can be helpful for the leader to explain that any feedback will be anonymous and aggregated with that from the rest of the visit.

Follow-up activity
Thank those taking part for their insights and candour. This should be in person, but also ideally publicly in front of any local management/peers, and potentially with a follow-up email. Make a note of any observations, concerns or suggestions made arising from the discussion, and discuss these with local management/appropriate technical experts to validate them. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Incident review – what can we learn?

Activity
Lead a discussion centred on a major safety incident, where there is potentially transferable learning. The incident can be from within the leader’s current organisation, their previous experience, or from information available in the public domain. It is best if there is clear process safety content, but often incidents from within different sectors and with different risks can be valuable where they relate to organisational failings (e.g. RAF Nimrod, Herald of Free Enterprise etc). The activity can engage a room full of people and will likely take up to 30 minutes.

Purpose
• To raise awareness of key process safety principles, hazards and controls.
• To encourage participants to reflect on operations at their own site and to look for parallels/transferable learning.
• To demonstrate to staff the importance that the leadership place on process safety management.

This activity can be particularly effective if the leader talks about an incident they have first-hand knowledge of, as audiences will typically be more engaged.

Methodology
• Identify a safety incident to base the discussion around, and research what happened and why. Good sources of incident investigation reports include the US Chemical Safety Board⁹, Health & Safety Executive¹⁰ and the Energy Institute¹¹.
• Introduce the incident:
– Give a brief description of the site, company, and history leading up to the incident;
– Show pictures of the site before the incident;
– Ask the audience to guess what happened next;
– Show pictures of the site after the incident, and describe what took place, the scale of the release, who/what was harmed, and the consequences.
• Invite the audience to suggest possible causes of the incident. These can be captured on a flipchart, word-cloud app or similar. Explore with contributors what they mean by the stated causes and encourage them to explain further/dig deeper, for the benefit of the whole audience. Summarise any key themes arising.
• Display a pre-prepared slide of the key themes and causes of the incident from the ‘official’ incident investigation report. Add to this with any insights from the previous audience discussion.
• Invite the audience to think individually for two minutes, and to identify any parallels that they can see with current operations at their site. They might recognise similar hazards, weaknesses, gaps in control, or other specific concerns. Then invite the audience to share these with the group, and again capture these on a flipchart, word-cloud app or similar. If appropriate, the feedback can also be given anonymously via a piece of paper.
• Discuss the issues as a group and look for any consensus/common themes or agreement. Explore any issues where there is a strong feeling.
• Thank the group for their participation and insights and explain that you will reflect on what you have heard. If there is any obvious follow-up activity required, acknowledge what you will do next to address it.

Follow-up activity
Review the observations made at the session with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

A day-in-the-life

Activity
Spend a work period (e.g. morning/afternoon) shadowing a person in a front-line management role with a direct impact on process safety, learning about the tasks that they perform, interactions they have with others, and challenges they face. This activity will likely take 2-3 hours.

Purpose
The activity provides an opportunity for the leader to better understand the challenges and decisions that front-line staff are required to manage on a day-to-day basis, and the impact that decisions made at a senior level are having. By carefully observing and listening and asking questions, leaders will also demonstrate the issues that they care about.

Methodology
• In conjunction with local site management, identify a job role and individual to work shadow. Ideal roles include shift team supervisors, maintenance team leaders, plant managers etc.
• Contact the individual in advance of the session to explain the purpose of the visit, establish any ground rules, and allay any concerns that they may have. As with the ‘Leadership-led small group discussion’, a key initial task for the leader is to introduce themselves and establish trust. It is also important to stress to the individual that it is the role and systems that are being observed, and not the person. An individual’s performance should be seen as likely to
reflect the local culture and norms, rather than just the individual.
• The purpose of the session is to observe the individual go about their normal role, so a specific agenda or activities need not be planned. The individual should be asked to share their expected itinerary for the session (including people to see, meetings to attend, tasks to perform etc), and where possible to explain what they are doing as they do it (or in advance if possible). With consent, the leader should tag along to all activities. Topics for the leader to consider are shown in Table 3.

| Topic | Considerations |
|---|---|
| Priorities | How much time is spent by the individual; performing administrative tasks; on plant vs in office; coaching staff; managing safety systems (e.g. permit to work, task risk assessments). Is the balance appropriate? Are they accessible to their team? Are they ‘seen’ as a safety leader? |
| Standards | Are high standards expected by the individual of their team members? Does the leader role model good standards themselves? Does the individual feel they have clear direction from above? |
| Risk management | Does the individual focus their time/attention on the highest risk areas (e.g. due to nature of a task, competence of team members etc)? Does the individual have a good understanding of the local hazards and controls? How do they know that they are in good health? Does the individual feel they have sufficient access to support and advice from technical experts and their line management? |
| Safety authority | Does the individual feel they have the authority to stop a job or task, without reference to others first, if safety is threatened? |
| Barriers to success | What are the blockers to the individual delivering effective process safety management? |

Table 3 – Work shadowing topics to consider

Follow-up activity

Thank the individual for taking time to explain the work that they do and for performing the activities diligently and with care (where appropriate). This should be in person, but also ideally publicly in front of any local management/peers, and potentially with a follow-up email. Make a note of any observations, concerns or suggestions made arising from the visit, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Improvement planning assessment

Activity

Carry out a review of the suitability of the site’s process safety improvement plans and initiatives, through discussion with the site manager, discipline engineers, and worker safety representatives. The activity will likely take up to 60 minutes.

Purpose

To assess whether the site has a good understanding of its current process safety challenges and has sufficient resources and capability to deliver any necessary improvements.

To demonstrate to staff the importance that the leadership place on continuous improvement of process safety management.

Methodology

• In advance of the visit, obtain a copy of the site’s most recent annual performance review and improvement plan.
• Review the content of the performance review and assess whether it adequately takes into account relevant sources of intelligence on the current level of process safety risk, such as:
– Near miss and incident reports and investigations.
– Safety Management System audit reports and recommendations.
– Process Hazard Analysis (revalidation/reHAZOP studies).
– Degraded equipment or safety systems (e.g. referenced by temporary operating procedures, operating risk assessments).
– Current asset condition reports and progress with improvement initiatives.
– Staff training and competency assurance systems, and any organisational changes.
– Progress with current process safety improvement plans.
– Recent enforcement action by health and safety regulator.
– Changing legislation and emergent good practice.
– Views of staff and safety representatives.
• Review the content of the improvement plan and assess whether it adequately addresses the challenges identified by the performance review above:
– Are the improvement plans SMART (specific, measurable, achievable, relevant, time-bound)?
– Are the improvement areas prioritised appropriately?
– Is there sufficient resource locally to implement the improvements?
– Is there appropriate resource from outside of the site (within the company or external) to support the plans?
– How is progress being measured, and how visible are the plans to all?
• Discuss the above with staff to obtain their perspective on the matters. Are plans credible? Are the significant threats being addressed? Where should resources and attention be focussed?

Follow-up activity

Make a note of any observations, concerns or suggestions made arising from the discussion, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Control room visit

Activity

Spend time in the control room in discussion with operators, reviewing paperwork records, and inspecting equipment and systems. The activity should be limited to a maximum of 60 minutes and be sensitive to the needs of their role.


Purpose

To assess the facilities, support systems, level of activity and operating team situational awareness.

Methodology

Before entering the control room, it is important to determine how busy the team currently are, and whether it is a good time or not to hold a conversation. An introduction via the team’s supervisor is likely to be the best approach.

As with the ‘Leadership-led small group discussion’, a key initial task for the leader is to introduce themselves and establish trust.

Throughout any discussion, the leader should recognise that there may be a need to pause or abandon the conversation altogether, should the operator need to attend to a process upset or emergency. As part of their introductions, the leader should state that they understand this, and do not wish to be an unnecessary distraction. The leader should also be careful to limit the time they spend in total (an hour is a sensible maximum, but less may be appropriate depending on prevailing conditions/operations).

Once the ‘ground rules’ for the discussion have been established, the leader should pick a few topics from the list below to explore with a control room operator. A sample of opening questions is provided in Table 4, but this can be developed further depending on the background/competence of the leader, and in consultation with a relevant expert.

| Topic | Opening questions | What to look for |
|---|---|---|
| Shift handover effectiveness | What kind of handover do you have at the start/end of a shift? | A written record of the status of plant equipment and operations, and any key actions that have taken place/need to take place for every job role for the systems they are responsible for. Cross checking of handover content between roles and as a team. Longer, more detailed handovers if there has been an extended absence. |
| | What training have you received in holding effective handovers? | As well as covering handover content, training should address communication skills such as active listening, summarising, and detailed recording. |
| | How do you manage rest breaks within the team? | Operators can take frequent short breaks as well as longer breaks to maintain focus. Competent persons should be available to cover the role. In-shift handovers should ensure current plant status/activity is understood by person covering. |
| Alarm management | How many alarms have there been in the last 24 hours? | A system that shows alarm history, which are still ‘live’ and which have been acknowledged. Count the number that have occurred over a recent period. Over 12/operator/hour is likely to be a significant distraction, although might be acceptable for a short time if there has been a process upset. If the rate is high, a team should be actively working on reducing the number. |
| | How many are still in alarm condition? | Ideally there should be no ‘standing alarms’ in place. Good control is demonstrated if the daily average is less than 5. |
| | Which are the alarms that you need to worry about? Is there an instruction which tells you what to do if that occurs? | Alarms should have a designated priority for attention. The highest priority alarms should be very infrequent, and any operator response should be clearly defined, well known, and effective to bring the plant back to a safe state. |
| Live inhibits and overrides and control of keys | Are there any (ESD) shutdown systems currently inhibited or in override? If so, why? Is there a system to manage these? Who can apply inhibits/overrides? | Ideally there should be no inhibits/overrides in place, but where they exist they all need to have been technically risk assessed and approved. A copy of the assessment and authorisation should be available. A register should be maintained of any live inhibits. There should be robust control over their implementation (e.g. password protection known only to supervisor, panel inhibit key issued by supervisor, and keys not left freely available in panel). |
| Ergonomics, comfort and distractions | Is this a comfortable place to work? Are there many distractions? What would improve the control room environment? | Well lit, but without glare on screens (natural light where possible). Comfortable temperature and fresh air. Suitable desks and seating. Well-designed display screens. The room should ideally not be used for meetings, permit to work issue, or as a thoroughfare/space to congregate. |
| Access to support | If you have a plant problem, how do you get help when you need it? | Supervisors and technical staff are readily contactable. Operating manuals and drawings are available and up-to-date. |
| Major accident hazard awareness and emergency response plans | What emergency situations could occur? Do you have written emergency response plans and do you practice them? | A good understanding of credible scenarios (small to big) from the installation safety case/report. Written plans which are readily accessible and clearly tell the team what they need to do. Regular exercises (desktop discussions and simulated drills) to refresh understanding and test effectiveness of response. |

Table 4 – Control room topics

Follow-up activity

Thank the control room team for taking time to explain the work that they do. This should be in person, but also ideally publicly in front of any local management/peers, and potentially with a follow-up email. Make a note of any observations, concerns or suggestions made arising from the visit, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Degraded major accident barriers assessment

Activity

Assess how effectively the risks from any currently degraded barriers are being managed by reviewing a sample of records, discussions with engineering and operations staff, and visits to the equipment location. The task should involve the leader, a production supervisor, an engineering authority, and a process safety engineer. The activity will likely take up to 90 minutes.

Purpose

• To understand how well emergent process safety risks are being managed.
• To demonstrate to staff the importance that the leadership place on process safety management.


Methodology

• Ask site management to identify the types of degraded barrier and undesirable situations that they currently manage, and the systems they use to do so. These might for example include:
– Small leaks/seeps of hazardous chemicals, oil, gas, utilities etc from pipework and equipment.
– Overdue inspections, maintenance or proof testing of pressurised equipment and protective systems.
– Overdue actions arising from audits and incident investigations.
– Actions arising from process hazard assessments which identify high risk scenarios.
– Inhibits and overrides of safety systems.
– Temporary operating instructions and ‘management of change (MoC)’ assessments.
– Operational risk assessments (e.g. for degraded equipment or systems).
• Choose one or two of the above systems to be checked as is appropriate for the site.
• In advance of the visit, obtain a copy of the company/site procedure for the system being looked at, and with the help of a relevant expert identify the key elements of control that need to be in place, questions to ask, and evidence to look for.
• Look at the records (paper or electronic) which relate to the system being checked. With the help of a local contact/user of the system, pick out one or two examples for further scrutiny which appear likely to be a combination of:
– current (active i.e. the risk is present and controls are in place).
– higher inherent risk (i.e. relate to systems containing high pressure, high or low temperature, flammable or toxic materials).
– more unusual or less frequent.
• Review the assessment of risk and the controls that are in place through reviewing the records, discussion with site staff, and visiting the equipment.

Topics for the leader to consider are listed in Table 5:

| Topic | Considerations |
|---|---|
| Identification of degraded barriers | Have all degraded situations been recognised, and has an assessment of the risk been made? Are there any degraded systems seen on site or discussed which are not assessed within a management system? |
| Is the assessment suitable and sufficient? | Has the assessment involved the right people with the relevant technical expertise? Has the risk been escalated to an appropriate level within the organisation? |
| Approval and communication | Has the assessment been recorded in writing, authorised by an appropriate person, and communicated to those who need to know? |
| Duration | Has an appropriate duration been set for rectification of the fault? If the date has been exceeded, has it had appropriate re-assessment and re-authorisation? |
| Mitigation actions | Are any mitigation actions identified by the assessment likely to be effective, and are they actually happening? Is there evidence to support this? |
| Residual risk | Is the residual risk acceptable? Do local leaders feel comfortable that they are managing their degraded barriers? Are cumulative risks arising from multiple coincident degraded barriers taken account of effectively? |

Table 5 – Degraded barrier considerations

Follow-up activity

Make a note of any observations, concerns or suggestions made arising from the discussion, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Process plant task audit

Activity

Carry out a walkaround of a system or section of process plant with a production technician to assess how well safety risks are being managed. Ideally the system should be one that requires operator interaction (e.g. operating valves in a sequence, taking a process sample, checking plant readings etc.) which can be witnessed during the activity. The task should involve the leader, an operating technician, and potentially an engineer (process or process safety). The activity will likely take up to 90 minutes.

Purpose

The activity provides an opportunity for the operator to explain how they do their work, and aspects of it that they consider are important to process safety. The leader can ask questions, share experiences, and potentially challenge when issues do not appear to be well managed. Overall, the activity should demonstrate that the leader cares about the safety of members of their team by being interested in their work and looking to identify opportunities to make it safer. They will also gain a greater awareness and understanding of the challenges that front-line workers face, and any additional support they may need. A fresh pair of eyes on a system can often spot concerns or ask questions about issues that those who work on a system day-in day-out have become blind to.

Methodology

• Select a process system and task to be observed, through discussion with the operations team. Good examples include pig launcher/receiver operations, start-up of a pump, taking a process sample, swapping over of dual stream systems (e.g. filters, pressure safety valves), bunkering operations, transferring material between tanks, start-up of a well, etc.
• Obtain a copy of the procedure for the task and ask the operator to explain it to you:
– Why is the task performed?


– Please give an overview of the task and the key steps.
– What could go wrong, and what are the important systems or controls that make it safe?
– Have there been any near misses or incidents on this system in the past? Has anything changed since then to deal with the problem? Do you have any concerns with the operation or task?
• Walk around the equipment with the operator and get them to explain what each item is and note its condition.
• Witness the task being performed (ask operator to describe each step and the purpose before they do it).
• Ask questions:
– Why is this step important? What could go wrong?
– How would you know if there was a problem? How would you deal with each problem?

Look out for the following sorts of deficiencies listed in Table 6:

| Deficiencies | Examples |
|---|---|
| Plant equipment defects | Pressure gauge not working, interlock system defeated, leaks, drips, spills, valves stiff or missing handles, loose bolting, open ends on pipework (not capped or blanked). |
| Workplace conditions issues | Poor housekeeping, inadequate labelling or signage, defective or insufficient lighting, difficult access, escape routes blocked, safety equipment not accessible, means of communication with control room not functioning well, noisy environment, extremes of temperature. |
| Operating procedure non-compliance | Procedural steps not followed or omitted, steps followed in a different sequence from procedure, procedure does not reflect installed equipment or task to be performed. |
| Operator competence and supervision | Operator demonstrates lack of understanding of task/procedure, operator does not have necessary skills or experience to perform task successfully, operator does not have sufficient support or involvement from supervision or colleagues. |

Table 6 – Process plant task deficiencies

If the leader is not confident in being able to identify deficiencies by themselves, it can be helpful to ask the operator to identify them directly through questioning. For example, the leader can ask questions such as, ‘is there any of this equipment which is broken?’ or ‘are there any steps in this procedure which don’t make sense?’ In addition, or alternatively, the leader can ask a technical person to join the walkaround. It is ideal however if that person is independent of the site, such that they do not risk influencing the behaviour of the operator in the way that they perform the task, or report on any issues.

Follow-up activity

Thank the technician for supporting the audit, taking time to explain the work that they do, and performing the activity diligently and with care (where appropriate). This should be in person, but also ideally publicly in front of any local management/peers, and potentially with a follow-up email. Make a note of any observations, concerns or suggestions made arising from the visit, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

Safety system audit

Activity

Carry out a check on the health of a procedural safety system by reviewing a sample of records, discussions with users of the system, and visits to worksites. It is ideal if the system is actively in use at the site, with multiple records available for checking, and where a failure to adhere to it could lead to a risk of a major incident. The activity will likely take up to 90 minutes.

Purpose

• To obtain an independent and/or alternative view on what is really going on at the site, and any issues of concern relating to process safety.
• To demonstrate to staff the importance that the leadership place on process safety management.

This activity can be particularly effective if it is targeted at a risk control system with known weaknesses.

Methodology

• Choose a safety system to be checked. Good examples include energy isolations, permit to work, inhibits/overrides of instrumented protective systems, Operational Risk Assessments (ORAs), asset integrity management, etc.
• In advance of the visit, obtain a copy of the company/site procedure relating to the system being looked at, and with a relevant expert identify the key controls that need to be in place, questions to ask, and evidence to look for.
• Look at the records (paper or electronic) which relate to the system being checked. With the help of a local contact/user of the system, pick out three examples for further scrutiny which appear likely to be a combination of:
– current (active i.e. the risk is present and controls are in place).
– higher inherent risk (i.e. relate to systems containing high pressure, high or low temperature, flammable or toxic materials).
– more unusual or less frequent.
• Carry out a check of the records against the requirements of the procedure and the identified key elements of control.
• Visit the worksite (where appropriate) to check that the controls or systems are in place as expected.
• Discuss with the users of the system how well they feel the system is working locally and ask them to suggest any potential improvements.

An example of the key principles that should be in place, questions to ask, and evidence to look for is shown in Tables 7 and 8 for the topic of asset integrity management of pressurised equipment.

Asset integrity management – pressurised equipment
• There must be an up-to-date register of all pressurised equipment at the site (pressure vessels, pressure relief devices etc).
• All pressure containing equipment must be risk assessed to identify probable degradation threats and hazards. Written schemes of examination (WSE) and maintenance plans must be defined in accordance with the assessments.
• Inspection and testing of pressure containing equipment must be performed in accordance with the WSE and maintenance schedule.
• Leadership must be informed (and have sight) of missed, failed and overdue inspection, testing, maintenance and remedial repairs to pressurised equipment.
• Equipment should not be operated outside of its safe operating conditions envelope, or if it has not been inspected and maintained in accordance with the WSE and maintenance schedule, unless this has been risk assessed as safe to do so by a suitably competent person.

Table 7 – Pressure equipment key requirements for safety


| Question | What to look for? | Who to ask |
|---|---|---|
| Is there an asset register which lists all pressure containing equipment at the site? Who is responsible for asset integrity? | A register of pressure equipment should be in place, owned by an engineering technical authority. The register should be reviewed and updated as required on a regular basis. All equipment must be uniquely tagged. | Engineering authority/responsible person |
| How are equipment degradation risks identified and managed? | A written assessment must have been completed, led by a competent engineer, and with input from relevant functions (materials engineering, operations etc). | Engineering authority/responsible person |
| How are equipment inspection requirements identified? Who carries out inspections, and who reviews the results? | Inspection programme which is based on the equipment degradation assessment (risk-based inspection – RBI). Competent inspector undertakes the inspections, and competent engineer reviews the findings. | Engineering authority/responsible person |
| How do you know that pressure containing equipment is in a safe condition? | Inspections and maintenance activities are being completed in line with schedule requirements. Remedial actions identified through inspection are being completed in a timely manner. | Engineering authority/responsible person |
| What do you do if you find a problem with pressure containing equipment, or it has operated outside of its safe limits? | Take plant to a safe state. Stabilise operations and shut down if unsure if required. Inform operations leadership. | Engineering authority/responsible person/operations team |

Table 8 – Pressure equipment audit questions

Follow-up activity

Make a note of any observations, concerns or suggestions made arising from the discussion, and discuss these with local management/appropriate technical experts. Agree a set of improvement actions to be taken (some may include/require action at a senior level).

References

1. Cooper, D., Improving Safety Culture – a practical guide, John Wiley & Sons Ltd, London, 1998.
2. Kerin, T., The importance of (process safety) leadership, Journal of Loss Prevention in the Process Industries, Vol 66, 104220, July 2020.
3. Process Safety Leadership Group, PSLG Principles of Process Safety Leadership, 2009 accessed at http://www.p-s-f2.org.uk/wp-content/uploads/PSLG-Principles.pdf on 8/9/2023.
4. Offshore Energies UK, Principles of Process Safety Leadership for the offshore UKCS Energy Industry, accessed at https://oeuk.org.uk/wp-content/uploads/2023/03/Principles-of-Process-Safety-Leadership-1.pdf on 8/9/2023.
5. Hynds, A., Chambers, C., & Prout, K., Leadership matters - examples of process safety leadership good practice, IChemE, Hazards 31: Symposium Series No. 168, 46, 2021.
6. Hopkins, A., Management Walk-arounds: Lessons from the Gulf of Mexico oil well blowout, Safety Science, Vol 49, 1421-1425, 2011.
7. Anderson, M., Leadership Site Visits, accessed at https://humanfactors101.com/topics/safety-leadership/ on 8/9/2023.
8. IChemE, ISC Process Safety Competency Guidance, 2019, accessed at https://www.icheme.org/media/12909/isc-competency-document-december-2019.pdf on 8/9/2023
9. US Chemicals Safety Board, Completed Investigations, 2023 accessed at https://www.csb.gov/investigations/completed-investigations/ on 8/9/2023.
10. Health & Safety Executive, Investigation Reports, accessed at https://www.hse.gov.uk/comah/investigation-reports.htm on 8/9/2023.
11. Energy Institute, Toolbox, https://toolbox.energyinst.org/home on 8/9/2023.


Incident

Three Mile Island – Can we learn from a nuclear accident that occurred 45 years ago?
Zsuzsanna Gyenes

Summary
This article is written on the 45th anniversary of the Three
Mile Island accident of March 28, 1979. It was the most
serious accident in U.S. commercial nuclear power plant
operating history, although its small radioactive release
had no detectable health effects on plant workers or the
public. Its aftermath brought about extensive changes
involving emergency response planning, reactor operator
training, human factors engineering, radiation protection,
and many other areas of nuclear power plant operations.
It also caused the U.S. Nuclear Regulatory Regime
(NRC) to strengthen its regulatory oversight. This paper
highlights the main events leading to the accident and
the learnings that could still be valid almost half a century
later. The paper does not intend to cover all failures and
findings from the event, but it highlights tragic events
from other industries which have common features with
this nuclear accident.
Keywords: Nuclear, design, control room, alarms,
normalisation of deviance, operator skills, learning from
past events
Figure 1 – The INES scale (Source: NRC.gov)

Introduction

The official investigation report1 on the Three Mile Island Unit 2 (TMI-2) reactor partial meltdown reads like a well-written novel. The three-part document provides a clear description of what happened, starting early in the morning on 28th March 1979, in a way that almost feels like the screenplay of a movie. And I am not talking about the film “China Syndrome” which was being introduced in theatres all over the country just before the TMI-2 event. The plot of the movie involved an accident at a fictional nuclear power plant with impressive technical details based on past nuclear events. Despite the proud statement made by the plant management of Three Mile Island that such an event could never occur, a real-life nuclear reactor partial meltdown accident happened just twelve days later.

What happened in the plant?

The Three Mile Island accident was a partial nuclear meltdown of the Unit 2 reactor (TMI-2) of the Three Mile Island Nuclear Generating Station on the Susquehanna River in Londonderry Township, near the city of Harrisburg, Pennsylvania. The reactor accident began at 4:00 a.m. on March 28, 1979, and released radioactive gases and radioactive iodine into the environment. On the seven-point logarithmic International Nuclear Event Scale (INES), the TMI-2 reactor accident was rated Level 5, which means an “Accident with Wider Consequences” (Figure 1).

The accident started with failures in the non-nuclear secondary system followed by a stuck-open pilot-operated relief valve (PORV) in the primary system that allowed large amounts of water to escape from the pressurized isolated coolant loop. Plant operators failed to recognize the situation as a loss-of-coolant accident (LOCA). Loss of cooling capacity in a nuclear power generation plant is one of the worst-case scenarios. In the chemical industry, a similar but much smaller-scale accident would be losing the cooling capacity in an exothermic chemical reaction and being unable to stop the reaction before it reaches the point of an exothermic runaway reaction and explosion.

TMI training and operating procedures left operators and management ill-prepared for the deteriorating situation resulting from the loss of coolant. Poor control design, the use of multiple, similar alarms, and a failure of the equipment to clearly indicate either the coolant-inventory level or the position of the stuck-open PORV all led to a worsening LOCA. Let’s take a look at these failures by investigating the sequence of events.


Sequence of events

Figure 2 shows a schematic diagram of the plant to explain the series of events on 28 March 1979.

The event started with either a mechanical or electrical failure in the secondary, non-nuclear system of the plant. According to the investigation report, a resin plug probably prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant’s turbine-generator and then the reactor itself to automatically shut down, immediately causing the pressure in the primary system to increase. To control that pressure, the PORV opened. It was located at the top of the pressuriser. The valve should have closed when the pressure fell to normal levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the operators were unaware that cooling water in the form of steam was pouring out of the stuck-open valve. As alarms rang and warning lights flashed, the operators did not realise that the plant was already experiencing a LOCA.

Other instruments available to plant staff provided inadequate or misleading information. During normal operations, the large pressure vessel that held the reactor core was always filled to the top with water. According to the design at the time, “there was no need for a water-level instrument to show whether water in the vessel covered the core”. Consequently, operators assumed that if instruments showed that the pressuriser water level was high enough, it meant that the core was properly covered with water, but that was not the case.

Unaware of the stuck-open relief valve and unable to tell if the core was covered with cooling water, the staff took a series of actions that made the situation worse. The stuck valve reduced the pressure in the primary system to a level where the reactor coolant pumps started to vibrate and were turned off. The emergency cooling water being pumped into the primary system threatened to fill up the pressurizer completely, an undesirable condition. To prevent this, operators decided to override the automatic system and cut back on the flow of water. Without the reactor coolant pumps circulating water and with the primary system lacking emergency cooling water, the water level in the pressure vessel dropped and the core overheated. As the primary coolant drained away, the residual decay heat in the reactor core was not removed. The core suffered severe damage as a result.

Health effects

Given the nature of the plant, this nuclear accident caused concerns about the possibility of radiation-induced health effects, principally cancer, in the area surrounding the plant. Therefore, the Pennsylvania Department of Health maintained a registry for 18 years monitoring more than 30,000 people who lived within five miles of Three Mile Island at the time of the accident. The state’s registry was finished in mid 1997, without any evidence of unusual health trends in the area. In addition, a number of independent health studies of the event showed no evidence of any abnormal number of cancers around TMI years after the accident. The only detectable effect was psychological stress during and shortly after the accident, not helped by the China Syndrome movie or the fact that residents around the plant had never been informed of potential accident scenarios or health effects before the accident. The media has an accelerating effect in the case of tragic or frightening events. People perceive nuclear power energy

Figure 2 – Schematic diagram of the plant2. Labelled areas: reactor building, turbine building, cooling tower. Labelled components: pressuriser, PORV (relief valve), block valve, safety valve, pressurised relief tank, control rods, reactor core, steam generator, reactor coolant pump, turbine, generator, transformer, condenser, condensate pump, main feedwater pump, circulating water pump. The primary and secondary (non-nuclear) circuits are marked.


production and nuclear waste disposal as high-risk activities because the worst case consequences of a loss of control could have such catastrophic long term consequences.

Underlying factors

Before analysing the contributing factors to this event, it is worth mentioning the underlying conditions of Unit-2. This unit was started up one year before the accident and had experienced a series of minor but troublesome mishaps. The unit went into commercial operation on 30 December 1978 (3 months before the accident) and, as stated in the investigation report, it “had been running reasonably well since”.

Some of the major failures and learning points are discussed, without presenting all failures that caused the accident. These points are useful findings when compared with more recent industrial accidents.

PORV

The PORV was a safety-critical piece of equipment for controlling the pressure. Operators in the control room failed to recognise that the PORV on the reactor pressurizer had not automatically closed, as it was designed to do, during recovery from a reactor trip. How could this happen? The failure to notice the open PORV can be traced to a misleading instrument that indicated the valve’s position via a single red PORV status indicator light. This light was on when an electrical signal was sent to open the PORV, and it was off when the signal was terminated. However, the light did not indicate the actual position of the valve. As a result, when the PORV indicator light went out, the operators believed the valve had closed when, in fact, it had stuck open. The investigation report noted that a valve indicator system that can directly sense the open and closed positions of the valve, i.e., a microswitch installed on the relief valve stem, would have shown the operators if the valve was open or closed.

A similar situation arose in the flooding and capsize of the ro-ro passenger ferry Herald of Free Enterprise with the loss of 193 lives, when the lack of indicator lights meant that the crew didn’t know if the bow doors were open or closed.

Design issues

There were design issues relating to the PORV, as originally the TMI-2 control room design contained no indicator light. The investigation found several other design issues that the investigators believed to have contributed to the accident. For example, the inadequate control room design included illogical panel layout, confusing use of indicator colour coding (Christmas tree effect), meters that were difficult for operators to read, and obscured displays (vertical panels behind the benchboard contained about 1900 displays, including indicator lights). Labelling on back panels was difficult or impossible to read from main operating positions. Together with poor lighting, these combined to make even routine work difficult, not to mention the extreme difficulty during a nuclear emergency situation. Communication was hampered by the so-called “paging system” which had the tonal quality of a “bad bronchial cough”, making communication very challenging.

Alarms

The control room contained more than 750 alarms which were not prioritised, and many were difficult to read from normal operator positions. In fact, during the first few minutes, over 100 alarms went off. The alarms were received so rapidly that the implications of each alarm could not be analysed in detail.

Issues reported by operators before the accident

Problems with the poorly designed alarm systems were reported by an operator. On 23 April, 1978 an operator documented problems experienced during a reactor trip; he wrote a letter to his supervisor, expressing concerns about mechanical failures, poor system designs and an improperly prepared control system, coupled with improper operator training and inadequate emergency procedures.

These underlying factors mirror those in a number of past accidents, such as the Milford Haven explosion in 1994, the Longford accident in 1998, Piper Alpha in 1988 and the Texas City explosion in 2005.

Normalisation of deviance

Operators seemed to be conditioned to expect problems in the secondary (non-nuclear) circuit rather than the primary system. Water discharged from the pressuriser via the PORV was collected in the reactor coolant drain tank. That means that when the PORV got stuck open, the water level in the tank rose. One of the valves, possibly the PORV, had been leaking into the drain tank since autumn of 1978 and had been scheduled for maintenance during the next reactor shutdown. The leak was known to operators, and an elevated level of water, high temperature and pressure in the drain tank were not an unusual observation to them. In fact, about once every shift, operators had been forced to pump the accumulated water from the drain tank. In addition, the instrumentation only gave instantaneous information about the level of water in the tank without recording the parameters. Alarms associated with the tank were behind the control panel and difficult to observe.

Other accidents where normalisation of deviance (“the gradual process through which unacceptable practice or standards become acceptable”) was a key contributor to the event include the Challenger disaster in 1986, the Space Shuttle Columbia tragedy in 2003, the gas plant explosion at Longford in 1998, the capsizing of the Italian cruise ship Costa Concordia in 2012, and the Royal Air Force Nimrod crash in 2006.

Skills of operators

In the case of TMI, many operators were recruited from the Navy, and these veterans were accustomed to nuclear submarines, which were significantly smaller than any commercial nuclear power plant. The significant differences between Navy nuclear propulsion plants and civilian nuclear power plants suggested that personnel who may be highly qualified to operate Navy plants may not be the most qualified to operate large, complex commercial civilian nuclear plants. As the investigation revealed, “there was a significant effort to simplify system design to give confidence in the ability of operators to operate the plant properly”. In fact, designers of commercial


nuclear plants assumed that the operators were only a backup to the automatic control.

Lack of learning from past events

As the investigation revealed, there were a lot of so-called “precursor events” that would have served as learning points but were not considered by the management of the TMI plant. For example, one of the most significant events similar to the TMI-2 accident occurred on 24 September, 1977 at the Davis-Besse nuclear power station in Ohio, where the relief valve for the reactor pressurizer failed to close when the reactor, running at only 9% power, shut down because of a disruption in the feedwater system.

The failure to learn lessons from previous accidents leads to repeat disasters, for example ammonium-nitrate fertiliser explosions starting with Oppau in 1921, then the Texas City disaster in 1947, the Toulouse accident in 2001, the West Texas explosion in 2013 and the Tianjin explosion in 2015, until the most recent accident in Beirut in 2020.

This paper discusses only a few learning points from the TMI-2 accident without detailing all the failures revealed by the investigation. The aim of this paper is to highlight the fact that most findings from a nuclear accident that occurred 45 years ago are still valid today and the investigation report is worth revisiting for experts not only from the nuclear but all other industries, too. The examples of past accidents which showed similarities in one way or another serve as a reminder of how important it is to keep the memory of past accidents alive and think beyond the fence of our own operations to learn and improve.

References

1. “Three Mile Island; A Report to the Commissioners and to the Public,” by Mitchell Rogovin and George T. Frampton, NUREG/CR-1250, 1980 (Vol. I, Vol. II Pt. 1, Vol. II Pt. 2, Vol. II Pt. 3)
2. Three Mile Island Accident, accessed at https://world-nuclear.org/information-library/safety-and-security/safety-of-plants/three-mile-island-accident.aspx
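The indicator problem described in the PORV section of the article above, as an added example that is not part of the original article or the investigation report: a lamp driven by the open signal is compared with an indicator driven by stem position switches, plus a discrepancy alarm. The two limit switches, the 5-second travel time and the timeline are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class ValveState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    TRAVELLING = "travelling"   # neither limit switch made
    FAULT = "sensor fault"      # both limit switches made at once


@dataclass(frozen=True)
class Sample:
    t: float            # seconds on a constructed timeline
    open_signal: bool   # True while the electrical "open" signal is sent to the valve
    sw_open: bool       # hypothetical stem switch, made when the valve is fully open
    sw_closed: bool     # hypothetical stem switch, made when the valve is on its seat


def command_light(s):
    """Lamp wired to the signal, as the article describes: on only while 'open' is sent."""
    return s.open_signal


def sensed_state(s):
    """Indicator driven by what the stem switches actually report."""
    if s.sw_open and s.sw_closed:
        return ValveState.FAULT
    if s.sw_open:
        return ValveState.OPEN
    if s.sw_closed:
        return ValveState.CLOSED
    return ValveState.TRAVELLING


def discrepancy_alarms(samples, travel_time_s=5.0):
    """Return (time, message) for each disagreement between command and sensed position.

    A disagreement is tolerated for travel_time_s (assumed stroke time) after it
    starts; contradictory switches alarm immediately. One alarm per disagreement.
    """
    alarms = []
    mismatch_since = None
    last_command = None
    latched = False
    for s in samples:
        if s.open_signal != last_command:       # a new command restarts the timer
            mismatch_since, latched, last_command = None, False, s.open_signal
        state = sensed_state(s)
        expected = ValveState.OPEN if s.open_signal else ValveState.CLOSED
        if state is expected:
            mismatch_since, latched = None, False
            continue
        if mismatch_since is None:
            mismatch_since = s.t
        overdue = s.t - mismatch_since >= travel_time_s
        if (state is ValveState.FAULT or overdue) and not latched:
            alarms.append((s.t, f"commanded {expected.value}, sensed {state.value}"))
            latched = True
    return alarms


def constructed_trip_timeline():
    """Constructed data: open signal sent from t=3 s to t=13 s, valve then sticks open."""
    samples = []
    for t in range(21):
        open_signal = 3 <= t < 13
        if t < 4:
            sw_open, sw_closed = False, True     # still on its seat
        elif t == 4:
            sw_open, sw_closed = False, False    # in travel
        else:
            sw_open, sw_closed = True, False     # fully open and never reseats
        samples.append(Sample(float(t), open_signal, sw_open, sw_closed))
    return samples


if __name__ == "__main__":
    timeline = constructed_trip_timeline()
    last = timeline[-1]
    print("command lamp lit:", command_light(last))
    print("sensed position :", sensed_state(last).value)
    print("alarms          :", discrepancy_alarms(timeline))
```

At the end of the constructed timeline the command lamp is out while the sensed position is still open, which is the disagreement the discrepancy alarm reports.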

Hazards34

5–7 November 2024, Manchester, UK

IChemE’s Hazards conference is one of the world’s leading process safety conferences. Following a successful event in 2023, Hazards 34 will continue its tradition of sharing knowledge across every major aspect of process safety.

Share your insight and experience

Our call for content is open, inviting contributions to the technical programme. We welcome submissions from anyone with process safety knowledge, insight and experience to share that others can learn from and transfer to their own operations.

Sponsorship and exhibition opportunities

Sponsoring or exhibiting at Hazards 34 is an excellent opportunity to raise your profile within the international process safety community before and during the event. We have packages to suit all budgets, allowing you to showcase your products and services, engage with attendees, and generate new leads.

Find out more: www.icheme.org/hazards34

Book review

Flixborough ‘I Was There’: The Story of the 1974 Flixborough Disaster

Rick Loudon author and publisher (Nov. 2023) ISBN: 9781399963671, Hardcover: 366 pages, Dimensions 210 x 297 mm, £25.00

Where were you on 1 June 1974? For many readers this was before they were born or whilst they were still at school. Fifty years is a long time ago. This date was a turning point in the history of chemical process safety in the UK. The explosion of the Nypro Works in Flixborough changed the way many thought about the potential for things to go wrong, and the education and training of chemical engineering students and professionals alike was furnished with an event which was to provide many hours of lectures, discussions, modelling and debate.

However, there is another side to this major accident which is rarely discussed. The explosion was not just a pivotal point for chemical engineering. It turned the lives of many individuals and families on their head. In the aftermath of a major chemical accident, reports are rarely produced which look at the impact on individuals and the neighbouring communities in detail. But what about the people who lived close by in the towns and villages of Lincolnshire? What about those of the workforce who survived the disaster, but lost close friends and colleagues? What about the emergency responders, called out to address an incident beyond anyone’s immediate experience?

This book by Rick Loudon comes fifty years after the event and is the first to compile personal accounts and photographs as well as to record the personal experiences entwined with the Flixborough disaster – the human element. Experiences and memories are interspersed with photographs of firefighters, vehicles, devastated plant and damaged buildings. In appendices to the main text there is a log-book account of the emergency response by the fire brigades and the response of the Mines Rescue Teams. There were numerous challenges on-site, from extinguishing those fires still burning as a result of the initial explosions, ranging from cooling tanks to dealing with leaking tanks and pipe-work containing hydrocarbons, to coping with a nitric acid leak and a release of ammonia. The explosions had left much of the site in an unstable condition and totally destroyed the control room. The recovery of casualties from the collapsed building was the task of the Mines Rescue teams, which worked in dark, cramped and dangerous conditions to retrieve the bodies. It was not until 20 June that the final casualty was located and recovered, and the rescue personnel were stood down.

This is not an engineering book; however, it is an important contribution to the literature of chemical process safety. The Flixborough Disaster is more than a discussion of deficient management of change, failures of 8”- and 20” lines or the effects of a vapour cloud explosion. Being aware of and understanding the impacts of a major chemical accident on the community and the emergency responders underlines why it is important to invest in prevention and prepare for the possibility that a major accident may occur. The fact that a number of the issues described in the accounts included in this book are similar to the experiences of those affected by other major accidents shows that there are still lessons to be learned.

Mark Hailwood


Safety practice

Five commonly missed hazards in Process Hazard Analysis or Hazard Identification and Risk Analysis

Adam M Musthafa, Indonesia

Summary

The main intention of Process Hazard Identification is to ensure that risks from process plants to the employees, the public, or the environment are consistently controlled within the organisation’s risk tolerance1. To allow risk to be controlled, organisations first need to identify the risks. Unfortunately, there is no guarantee that hazards that introduce the risks from the plant can all be identified in a single PHA or HIRA session no matter how good the facilitator and the team are. The following paper describes five commonly missed hazards in Process Hazard Analysis (PHA) or Hazard Identification and Risk Analysis (HIRA). These are: primary grade sources of release; dissolved toxic gas in the liquid phase; human factor issues (error traps and error-inducing situations); the hazard of pyrophoric material; and nitrogen.

Keywords: Process Hazard Analysis, Hazard Identification and Risk Analysis, Risk Management

Primary grade sources of release

A primary grade source of release is a source of release that is likely to occur periodically or occasionally in normal operations2. In other words, these sources release flammable vapour or gas during normal operations, where the release is anticipated during the execution of normal operating procedures. Examples are sampling points and drains, process vents, pressure relief valve tailpipes (terminating to atmosphere), tank vents, breather valves, oily water sewers and sumps, pump seals, and pig barrel doors.

If the sampling point is frequently used and located in an area with adequate ventilation, the source of release will result in Zone 1 (an area in which an explosive gas atmosphere is likely to occur in normal operation) in the hazardous area classification drawing. Most of the time, when designed correctly, there will be no major concern from these sources. However, during periodic plant Hazard Identification and Risk Analysis (HIRA), we found specific hazards are missed when the organisation focuses only on conducting HAZOPs, without site visits and without strengthening the Process Hazard Analysis (PHA) with another method like HAZID (Hazard Identification).

Firstly, in many facilities’ risk assessment site visits, we found that manual sampling points are located in congested areas. Most of the time this happens when the sampling point is added during the operations phase, meaning it was not part of the initial design. The area is sometimes congested and located in dead-ends or areas where escape is difficult. This is against the best practice of locating primary grade sources of release. To avoid the accumulation of leaks, the sampling point for a flammable liquid or gas should be in a relatively open area. With the higher probability of flammable material releases, escape from the area should also be easy and unobstructed. Sampling points should also be located so that personnel can stand upwind, based on the prevailing wind pattern.

Atmospheric tanks and process vents terminating unsafely to the atmosphere are also commonly missed hazards. Sometimes, these vents are pointed to an access way or working platform. This hazard will not be identifiable in the P&ID. The P&ID will only indicate that the vent is terminated to a safe location. The hazard can only be identified in a PHA if the PHA team conduct a site visit as part of the workshop.

Vents terminating in congested areas are also dangerous. On 7 February 2010, six workers were killed, and fifty others were injured by a natural gas explosion during the construction of a power plant. At the time of the incident, fuel gas was being vented between two large structures of heat recovery steam generators (HRSGs). The location, while outdoors, was congested by the surrounding power generation equipment. This arrangement affected the safe dispersion of the gas and resulted in an accumulation. The gas then found an ignition source, resulting in a vapor cloud explosion3.

Pump seals are another primary grade source of release with unique hazards. Single or dual pump seals without barrier fluid or interspace leak detection are typically considered primary grade sources of release2. A packed gland pump seal which requires lubrication from the process media will also be a primary grade source of release. Unfortunately, it is not uncommon for process pumps to be located inside a pit, below grade level, to provide Net Positive Suction Head (NPSH) at the pump inlet. In one of the PHAs for an onshore gas receiving facility, a flare knock out vessel also served as the closed drain vessel. As a drain vessel, it should be located at the lowest point of the facility.

The vessel and the pump used to pump back separated liquid to the process were then designed to be located inside the closed drain vessel pit area. The vessel was located approximately 2 m from grade on top of a platform inside the pit. The pump was located at the bottom of the pit (about 4.5 m from the grade). Figure 1 (closed drain drum and pump inside a pit) shows a simple illustration of the system.

The gas received was initially sweet, which indicates that no hydrogen sulphide (H2S) is present. However, as production


Figure 1 – Closed drain drum and pump inside a pit. Labels: flare KO drum/closed drain drum, closed drain pump (centrifugal), closed drain header, flare header, to flare, back to process, KO drum pit, pit ~4.5 m from grade.

matured, the reservoir became sour and H2S was observed. Personnel started to smell the rotten-egg-like odour indicating the presence of an H2S leak. The team suspected that this came from the pump seal. During the PHA, it was known that liquid inside the vessel (mainly water) contained 5-10 ppm by weight of H2S. As will be discussed in the second part of this paper, this concentration may still lead to a high H2S concentration if flashed to atmospheric conditions. A recommendation was raised to study the feasibility of relocating the system, providing better ventilation, or treating the H2S with chemicals to avoid toxic vapour accumulation inside the pit.

It is always better to avoid locating a pump with flammable or toxic service inside a pit or any shelter with inadequate ventilation in the first place. The hazardous gas or vapour will accumulate inside the pit without being effectively dispersed, creating significant risk to personnel. If for any technical reason (e.g. noise, weather, etc.) the pump needs to be sheltered, toxic/flammable gas detection and means to provide adequate ventilation need to be considered in the design.

Dissolved toxic gas

Some toxic gases like H2S can dissolve in water, liquid hydrocarbons, and even liquid sulphur. When these liquids are routed to equipment open to the atmosphere, H2S will be released. It is well known that H2S is slightly heavier than air; therefore released H2S may accumulate in low-lying areas, increasing the risk in case of a leak.

Another hazard that is commonly missed during PHA is dissolved H2S in waste streams such as produced water treatment equipment. Produced water is water that comes out from the well with the crude oil during crude oil production. After the treatment to separate the oil from the water, it is common for produced water to be routed to atmospheric tanks, before being re-injected into the reservoir.

Figure 2 – Produced water skimmer vessel containing H2S. Labels: water from high pressure separator, produced water skimmer (10 ppmw H2S in water, 3000 ppmv H2S in vapour space), to flare header, crude oil return pump (back to HP separator), produced water booster pump, produced water filter, to produced water injection surge tank.
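As a cross-check on the two concentrations shown in Figure 2, this added example (not from the article, and a Henry's law equilibrium estimate rather than the isenthalpic flash simulation the article describes) converts a dissolved H2S concentration into a vapour-space concentration. The Henry constant, its temperature coefficient and the pKa are approximate literature values for H2S in pure water, and the 60 °C and pH 7 cases are assumed for illustration.

```python
import math

M_H2S = 34.08        # g/mol
KH_25C = 0.10        # mol/(L*atm): approximate Henry solubility of H2S in water at 25 C
KH_TEMP_K = 2100.0   # K: approximate van 't Hoff coefficient for that solubility
PKA1_25C = 7.0       # approximate first dissociation constant (H2S <-> HS- + H+)
IDLH_PPMV = 100.0    # IDLH figure quoted in the article


def henry_solubility(temp_c):
    """Henry solubility in mol/(L*atm); it falls as the water gets warmer."""
    t_k = temp_c + 273.15
    return KH_25C * math.exp(KH_TEMP_K * (1.0 / t_k - 1.0 / 298.15))


def molecular_fraction(ph):
    """Share of total dissolved sulphide present as volatile molecular H2S."""
    return 1.0 / (1.0 + 10.0 ** (ph - PKA1_25C))


def vapour_space_ppmv(ppmw, temp_c=25.0, ph=None, pressure_atm=1.0):
    """Equilibrium H2S mole fraction (ppmv) in the gas above water holding ppmw H2S.

    ph=None treats all of the dissolved H2S as molecular, which is the worst case.
    Assumes dilute solution and water density of about 1 kg/L.
    """
    if ppmw < 0 or pressure_atm <= 0:
        raise ValueError("concentration must be >= 0 and pressure > 0")
    mol_per_l = ppmw * 1e-3 / M_H2S            # mg/kg -> g/L -> mol/L
    if ph is not None:
        mol_per_l *= molecular_fraction(ph)
    partial_atm = mol_per_l / henry_solubility(temp_c)
    return min(partial_atm / pressure_atm, 1.0) * 1e6


def screen(streams):
    """Return (name, vapour ppmv, multiple of IDLH) for each stream."""
    rows = []
    for name, ppmw, temp_c, ph in streams:
        ppmv = vapour_space_ppmv(ppmw, temp_c, ph)
        rows.append((name, round(ppmv), round(ppmv / IDLH_PPMV, 1)))
    return rows


# Constructed cases built from the liquid concentrations quoted in the article.
CASES = [
    ("skimmer, 10 ppmw, 25 C", 10.0, 25.0, None),
    ("drain vessel, 5 ppmw, 25 C", 5.0, 25.0, None),
    ("skimmer, 10 ppmw, 60 C (assumed temperature)", 10.0, 60.0, None),
    ("skimmer, 10 ppmw, 25 C, pH 7 (assumed pH)", 10.0, 25.0, 7.0),
]

if __name__ == "__main__":
    for row in screen(CASES):
        print(row)
```

At 25 °C the estimate for 10 ppmw lands close to the 3000 ppmv order of magnitude shown in the figure, far above the 100 ppm IDLH even though the liquid figure looks small.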


Figure 3 – Two parallel reactors with the same tag number of steam heater actuated valve. The reactors are side by side both at location and at display. Labels for each of Reactor A and Reactor B: reactants/feed, to vapour recovery, relief header, N2 sparger, steam heating, water, condensate, liquid product. Both are fed from the steam header through an actuated valve with the same tag number.

The vapour space between the produced water surface and the top of the tank may be rich in H2S, with a concentration much higher than the liquid itself. For example, in one HAZOP, the process engineer noted that in one produced water skimmer the H2S concentration is around 10 ppm (weight based) (Figure 2).

The skimmer experienced accelerated thinning due to corrosion. Initially the team concluded that the risk was low as the concentration of H2S was below its IDLH (Immediately Dangerous to Life and Health) of 100 ppm. However, we suggested the team conduct an isenthalpic flash simulation of produced water from the pressure of the vessel upstream of the skimmer to the skimmer pressure (near atmospheric). This was to understand better the vapour space concentration in case of a skimmer vessel leak. The process engineer did a quick simulation and came out with the result of an H2S concentration of more than 3000 ppm (mole based). This was much higher than the IDLH and could have resulted in a fatality following a very short exposure to personnel in case of a leak. The simulation calibrated the risk perception of the team, and the risk of produced water skimmer vessel leak became a high-priority risk to be mitigated.

We should never assume that risk is low if the concentration of H2S in the liquid phase is low. The vapour space may, and most of the time will, still represent a serious hazard to personnel. This is true not only for produced water but also for other liquids like crude, condensate (or other hydrocarbon liquids), and liquid sulphur. On 26 October 2019, a release of H2S led to the death of one worker and one member of the public in Odessa, Texas. This happened inside a pump house of the produced water waterflooding (injection) facilities. The pump inside the pump house had a broken plunger from which the water containing H2S was released. A worker attending an alarm was fatally injured from the exposure to released H2S. Subsequently, the spouse of the injured person gained access to the station and searched for her husband before being exposed to the H2S and succumbing to her injuries4.

Error-inducing situation

With the maturity of plant designs and management system implementation, the industry has now shifted a significant portion of its focus to implementing best practices in human factors. Eliminating error-inducing situations is one of the key focus areas because even the most skilful and experienced personnel can make errors and mistakes due to error traps.

In one of the HAZOPs of a batch plant, two parallel reactors (Reactor A & B) were heated by steam coils. During the HAZOP, the team identified that one of the overpressure scenarios would happen if the vent valve of the reactor was accidentally closed while heating continued (due to accumulation of pressure from evaporation). The operator was required to close the actuated valve for the steam coil using a soft button at the control panel (not automatic) in case of high pressure in the reactor. The recommendation was raised to automatically close the actuated valve. When formulating the recommendation, the facilitator found that the tag number of the actuated valve on Reactor A was the same as that on Reactor B. The reactors were located side by side on the panel display and at the actual site. Figure 3 gives a simple illustration of the setup.

Although no incident had happened so far, the team considered how significant the potential for error was. In the case of a high-pressure alarm, where the operator would be required to take quick action, there are two valves with the same tag number and the correct one needs to be quickly closed. The recommendation was raised with higher priority to close this gap.

In another HAZOP, an old Sulfamic Acid plant was constructed in a three-storey manufacturing building. A significant error-inducing situation was identified when the PHA team conducted the site visit. The facilitator noticed a field operator rushing up the stairs (unsafely) from the second floor to the third. At the end of the site visit, the facilitator asked the operator why he was rushing on the stairs. The operator explained that he was trying to close the inlet feed valve to a tank where a high-level alarm was annunciated. The feed came from a neutralisation vessel on


Figure 4 – Centralised foam system for six flammable fluid tanks. Labels: concentrate pumps, expansion dome, from firewater pump, proportioner, solution header, fire detection, Tanks 1 to 6. Annotation: responder needs to open the correct valve going to the tank on fire.

the third floor, where sulfamic acid is gravity-fed to the product atmospheric tank on the second floor. Again, a similar issue was identified. In the case of an alarm, the operator needed to quickly close the correct valve. However, the valve was on a different floor. The operator needed to rush to climb the stairs, identify the correct valve and then close it. A recommendation to provide an overflow line was raised to have more passive and inherently safer overflow protection.

In the final example, storage tank facilities were protected by a centralised foam system. In case of fire, the concentrate pump would push the correct amount of foam to the proportioner where water was also pumped by the firewater pump. The solution produced was then routed to the solution header where the responder needed to open one of six valves going to the tank on fire. There were six tanks containing flammable fluid that depended on the solution of the system in case of a surface tank fire (Figure 4). During the site visit, the PHA facilitator noticed that there were no labels or schematics available on-site to guide the responder to open the correct valve. As can be seen in the photo, the operator could not see to which tank each of the valves would route the solution.

The foam system was designed to handle a single worst-case surface tank fire. If the wrong valve was opened in case of emergency, there wouldn’t be adequate foam concentrate left to mitigate the fire. A recommendation was raised to provide adequate labelling and a schematic visible at the solution header to guide the responder in opening the correct valve. Another recommendation was to study the feasibility of modifying the system so that fire detection would open an actuated valve to the correct tank.

The three examples above show how important it is to fight status quo bias in a PHA when eliminating risk from error traps and error-inducing situations. The three situations were not raised to management before the PHA, as the plant team had grown accustomed to the situation. Only when a more independent facilitator came and pointed out the significance of the risk was the recommendation raised. In these cases, PHA site visits also helped the independent team to gain a better understanding of the facility and its concerns.

Pyrophoric hazard

Pyrophoric materials are those that can spontaneously ignite in


the air. They are unique because they do not need an ignition source to start burning. Some pyrophoric materials also react violently with water or high humidity. Under some conditions, pyrophoric materials deposited inside equipment will smolder for days before spontaneous combustion occurs during equipment maintenance or inspection. Pyrophoric ignition is unpredictable and thus requires special care.

Iron sulphide (FeS) is the most common pyrophoric material found in refining and upstream facilities. As its ignition requires oxygen, there is a higher potential for pyrophoric fires during shutdowns when equipment and piping are opened to atmosphere for inspection or maintenance.

At an onshore gas plant, due to reservoir souring, H2S started to be observed with a 1-5 ppm concentration in gas. As the concentration was low, the team considered that no modification was required to the existing process and procedure. During the PHA, the facilitator raised the concern that, based on experience, FeS could form even at very low H2S concentrations (below 1 ppm) provided that the partial pressure of H2S exceeded the partial pressure of oxygen in the environment. A recommendation was raised to review existing maintenance pigging and equipment maintenance procedures. One attendee from the pipeline maintenance team supported the recommendation and stated that they recently found the deposit that was cleaned during pigging was smoldering with minor smoke generated on the pig tray after pigging operations. This was an indication that some FeS had formed inside the pipeline.

In a similar case at an onshore gas receiving facility, a flash fire occurred during vessel gas testing for a confined space entry procedure. During turnaround a horizontal separator needed to be cleaned. Two gas tests were conducted after depressurization and purging. However, the flammable gas reading after purging was still high. The team decided to proceed with filling the vessel with water. The configuration of the nozzles of the vessel prevented the vessel from being filled with water as the team decided to pump the water from the side inlet nozzle instead of the top. Some portions of the top of the vessel remained unwetted. When the vessel was emptied and a third gas test was conducted, a minor flash fire occurred, injuring the hand of the gas tester (minor burn injury).

Upon investigation, it was concluded that after the water filling or third purging, some of the sludge layers on top of FeS deposits were scraped, exposing them to oxygen. As the vessel was opened again for the third gas test, FeS ignited upon exposure to oxygen, and residual vapour at the top portion of the vessel was also ignited. The investigation team also found that the hazard of pyrophoric FeS was never identified in the facility’s PHA, as the team assumed that the gas was sweet and free of H2S. However, as the reservoir matured some traces of H2S were produced and this assumption became invalid at the time of the incident.

Special handling and precautions are required to avoid pyrophoric material hazards. Handling and precautions are based on (as a minimum) four strategies explained herewith. First, reduce the concentration of pyrophoric material by periodic cleaning of internal surfaces. Second, maintain the separation of air (oxygen) from pyrophoric material by effective wetting of any deposited solid or material as well as inert gas purging (maintaining a continuous barrier of liquid or inert gas between the air and the pyrophoric material). Third, as much as possible, reduce the temperature of pyrophoric material (keep solid deposits submerged under the water surface during temporary storage). Lastly, avoid the accumulation of pyrophoric material and immediately remove any solid material removed during cleaning from the site. Contaminated waste, such as filter elements and waste from fouled equipment cleaning (separation tower packing, reboilers, etc.) should be assumed to contain pyrophoric material, unless positively confirmed otherwise. Special care should be given to locating temporary storage of the waste from cleaning operations before authorized hazardous waste handlers remove them from the site.

The two examples above show how important it is not to assume that solid deposits or waste from internal process equipment cleaning are free from pyrophoric material if the fluid contains H2S. FeS can still form under very low H2S concentrations. PHA revalidation should evaluate changes in operating and fluid conditions, including reservoir souring for upstream facilities.

Hazards during activities such as maintenance are rarely discussed in periodic plant PHA. A PHA team typically assumes that a comprehensive Job Hazard Analysis will be done before the maintenance activities. However, as can be seen in the two examples, it is beneficial if the PHA team identifies the hazard and the need to revisit maintenance procedures during periodic PHA upon noticing the change in fluid composition, because during a PHA, a more complete and independent team is working together to identify and assess the risks.

Oxygen depletion

The last hazard that is commonly missed during PHA is the use of nitrogen (N2) gas in an inadequately ventilated area. In one upstream facility PHA, the safety function of the wells was managed by wellhead control panels (WHCP). The WHCP monitored the downhole safety valves, surface safety valves (SSV), and other wellhead safety valves for the safety of the well and flowlines. The WHCP mainly used pneumatic control because the well location is remote from the processing facilities. In this example, the WHCP pneumatic control used nitrogen supplied by several 140 barg N2 cylinders connected by hose and tubing to the WHCP. To protect it from the weather and animals, the WHCP was located inside a house along with the N2 cylinder (see Figure 5). Periodically, the operations and maintenance team would enter the housing to conduct well surveillance, maintenance, and inspection of the equipment inside.

The system was protected against overpressure from the N2 cylinder by a relief valve discharging directly to atmosphere, inside the housing. The facilitator guided the discussion on what would happen if the relief valve popped or a leak occurred on the fitting of the N2 cylinders. To the team’s surprise, the hazard of oxygen depletion was not identified in any of the previous PHAs. The WHCP is shown only as a simplified schematic on the P&ID and the fact that it was housed couldn’t be seen in the P&ID. A recommendation was raised to relocate the cylinders, most of the valve and fittings, and to relieve the valve outside the housing.

As per one publication, looking into incidents related to N2 asphyxiation between 1992-2002, failure to detect an oxygen-deficient atmosphere (due to N2 accumulation) was a significant factor that needed to be considered. In the data evaluated in the study, 78% of incidents involved circumstances where personnel were in or around a confined area where the gas was
accumulating, and personnel failed to detect the increased level of N2 inside the space [5]. If a hard-piped fixed N2 system is used inside an enclosed building and this cannot be avoided, the building should be properly ventilated, and an oxygen-meter should be installed with an alarm to notify personnel in the case of an N2 leak. Upon oxygen depletion, a visual indication should also be provided outside the building or space to warn personnel not to enter.

Figure 5 – WHCP inside housing. [Schematic: the wellhead control panel housing contains the wellhead control panel and the nitrogen bottles. Labelled elements: push button, PSHH flowlines, PSLL flowlines, ESD signals from others, pressure relief valves, gauge, upper master valves, downhole safety valves, wing valves. Annotations: N2 releases inside the house in case of relief valve opening; N2 releases inside the house in case of leaks from valve and fittings.]

Auxiliaries and supporting equipment such as WHCP, analyzer system with its housing, and other similar equipment are often missed during plant PHA. The team often focuses only on the main process equipment and thus these pieces of equipment are often overlooked. But as shown in this example the risk of oxygen depletion inside the WHCP housing is significant as N2 will not be dispersed inside the building. Personnel entering the building may collapse under oxygen depletion resulting in serious injury or even fatality. Storing bottles of compressed N2, or any other gas, in confined or unventilated areas should always be avoided. The use of compressed air instead of N2 gas in a confined space is inherently safer.

Conclusions

This paper discusses five (among many) commonly missed hazards in PHA/HIRA. This includes unsafe designs of primary grade sources of releases, dissolved toxic gas in the liquid, human factor issues (error-inducing situations), the hazards of pyrophoric material, and nitrogen. The paper shows that there are at least three best practices that we can implement to avoid overlooking similar hazards. First, typically, it is advisable to diversify the method as each method has unique strengths and weaknesses. If only one method is used to analyze a complex system, some risks may be underestimated or overlooked [1]. A combination of HAZOP and HAZID (e.g., What-If, etc.) is advisable. The second best practice is that the PHA should also be strengthened by team site visits, not only to gain an understanding of the process and facilities but also to allow intentional hazard inspection of the area by a competent team. The third best practice is that the PHA team should act as an independent “hazard hunter” by paying attention to fighting status quo bias during the session. Often, a hazard is overlooked when the team grows accustomed to the site condition, is weak in process and design, and refuses to challenge existing questionable practices and situations.

References

1. Center for Chemical Process Safety. Guideline for Risk Based Process Safety. Hoboken, New Jersey: John Wiley & Sons, Inc, 2007.
2. Energy Institute. EI15 Model Code of Safe Practice - Area Classification Code for Installations. 2015.
3. Chemical Safety and Hazard Investigation Board. Kleen Energy Natural Gas Explosion. [Online] U.S. Chemical Safety Board, June 28, 2010. [Cited: December 27, 2023.] https://www.csb.gov/kleen-energy-natural-gas-explosion/.
4. U.S. Chemical Safety and Hazard Investigation Board. Hydrogen Sulfide Release at Aghorn Operating Waterflood Station. Washington DC: U.S. Chemical Safety and Hazard Investigation Board, 2021. 2020-01-I-TX.
5. HAZARDS OF NITROGEN ASPHYXIATION. Washington, DC: U.S. Chemical Safety and Hazard Investigation Board, 2003. No. 2003-10-B.