Process Isolation Practices: an industry wide view
15 December 2020
As an experienced risk engineering manager within the high hazard process industries, Dr Jason Shirley has had the privilege to have a view of the operating practices across multiple energy installations around the globe. During the work, process isolations are always of interest, and it has been an interesting exercise to collect thoughts into one place with a view of typical approaches to this process safety element.
Many hazards can exist across a facility or plant of any size, whether it be electrical, chemical, pneumatic, thermal, or other energy that can cause a serious incident. Due to the nature of the energy industry, the hazards associated with the stored energy will always remain. But the risk of being exposed to the hazard during maintenance activities can be prevented by safety procedures and training for an effective lockout/tagout (LOTO) system. The standard for LOTO is in compliance with OSHA 1910.147.
Isolation refers to the process of rendering a piece of equipment inoperable. Lockout uses locks (and probably chains) as part of the isolation process to hold a device in a de-energised state and prevent the re-energisation of the machine or equipment until the isolation is removed. Tags are also applied to inform the operatives of the use of the locks as part of an isolation.
Applying locks to valves as part of an effective isolation system was one of the key findings from the Piper Alpha disaster in the North Sea, UK, in 1988, in which 167 people lost their lives and which was the largest energy industry property damage loss of all time (loss value US$2,088m based on December 2019 values). During the Piper Alpha incident, it was found that there were shortcomings in permit to work (PtW), isolation, management of change, and shift handover systems. A large explosion and fire occurred on the offshore platform when a pressure safety valve was removed for routine maintenance. If effective LOTO had been applied to add an effective layer of protection for the removal of the safety valve, then this incident would not have occurred.
In terms of benchmarking isolation practices across the energy industry it is possible to make the following observations:
LOTO is nearly always applied for electrical isolations, whereas applying full LOTO for process isolations is surprisingly rare. The emphasis on electrical isolation is understood, as it is clear that if an electrical item of equipment is inadvertently energised whilst maintenance personnel are working on it, then the risk of a fatality is very real and hence good electrical isolations should be upheld at all times. This type of event may have an impact on one to two operatives with the electrical equipment itself failing to a safe state. On the other hand, defective process isolation fails to a potentially dangerous state and can adversely affect many dozens of people, such as in large process safety incidents like the Piper Alpha incident or the Phillips Petroleum Houston Chemical Complex disaster in 1989 (23 workers killed and a further 314 injured) in which isolation practices were leading causes.
There are many reasons presented as to why organisations cannot meet process LOTO requirements; popular permutations are:
• Operators know what they need to do as this activity has been done before
• We just follow the standard operating procedure
• It is physically not possible to lock or put a chain on a valve
An improvement on the above position that is seen with some frequency is that energy installations refer to their isolation procedure as LOTO, but the plant does not physically lock the valves with chains and locks. Instead, the site closes the valves and places “do not operate” tags on the isolation points to indicate that the equipment is undergoing servicing or maintenance and cannot be operated until the tag is removed. This approach is correctly referred to as tagout, which differs from LOTO, as the site cannot claim the full benefit of LOTO without locking the valves.
On the tags themselves, it is rare to see a cross reference to the PtW or isolation certificate reference numbers, although nearly always there is a designated space on the tag to record such information. While tagout is a valid method under OSHA regulations for the utility industry, facilities can better safeguard employees by implementing a lockout element.
A variation within the lockout element that has been seen is the use of a cable hasp lock. This is when the site has a common lock which is kept with the field operators and can be used to unlock all of the hasp locks. No padlocks are used in the hasp system. If there are multiple trades working on different PtWs then additional cable hasps are used. This method would be effective but could be made more robust with full LOTO.
For the few sites that do apply full LOTO, it is noted that the management of the keys for the locks could be improved. It has been seen that keys are kept in the PtW issuing offices in a file with the PtW documents which is not the most robust means of controlling them. Best practice is to keep the keys in a locked box which is under the supervision of the operation supervisors.
Documents; the paper barrier
Within large complex energy installations, it is typical to see a reasonable template for the isolation certificate that the company has probably purchased from a consultancy, i.e. not developed in house where the fullness of the requirements may have been better understood through its development. These isolation certificates are nearly always used for electrical isolations, but they are not frequently used for recording process isolations.
Where process isolation practices are supported by documentation the following summary is offered for the typical approaches taken.
It is not uncommon for the isolation procedure to state that sketches should be produced when devising the process isolations. The issue here is that a sketch is not a controlled document and this approach could cause defective isolations – i.e. a process feature such as a drain line or small-bore instrumentation line could be missed.
A variation on the above approach is for a “sketch” drawing (basically a simplistic drawing showing the main process lines) to be given in a standard operating procedure (SOP). This approach is taken as it is believed to simplify the process for the operator, i.e. they don’t have to refer to complicated process drawings (P&ID), and if this isolation is a frequent operation, then time is said to be saved as it eliminates the requirement to devise the isolation from scratch each time. The approach to simplify the tasks for the operators is understood from a human factors point of view. But the benefits of simplification may come at the cost of introducing a management of change (MoC) hazard. The site would need to have a very robust change management system to ensure any process changes are captured in the isolation SOPs.
Very occasionally the P&IDs are marked-up with the isolation points and then the P&IDs are appended to the PtW and the isolation certificate – which is best practice. In this case, the P&IDs must be a copy taken from the master “as built” set of P&IDs. It is noted that many energy installations struggle to maintain an as built master set and documentation management is regularly found as an area for improvement.
As with most management systems, there is a cultural element to the implementation of these procedures. There is a strong and underlying force that dictates the success of these procedures (or safety barriers). These documents are a critical layer of protection in which the safety of the job should be fully assessed and challenged. If these layers of protection are not reviewed correctly during the document approval stage, then they will not be correctly reviewed at all. An example of this is cross referencing the isolation certificate to the PtW form (a key finding from the Piper Alpha incident), which is intended to inform all operatives working under the isolations as to all of the work being performed and to be completed before the isolations are removed.
I know what I am doing!
This may well be the case and technical competency is not in question. But experience and professionalism would suggest that errors, lapses and violations do occur. Experience and particularly perceived experience based upon years served does not necessarily translate into technical competency. It has been stated in many incident investigations that complacency and over confidence were significant factors.
It is not uncommon to hear from operators who have said that they previously worked for an organisation that had a LOTO procedure, and do not understand why it is not implemented by their current employer. It is understood that operators would not necessarily be well placed to implement a change in operating practice, but a suggestion of improvement should be welcomed. This is why companies employ good, experienced, knowledgeable operators and this resource should not be overlooked.
What does good look like?
Implementing a best practice LOTO program is an ongoing process that requires routine training and a continuous commitment to safeguarding personnel and plant assets from the unexpected release of hazardous energy.
Best practice is to:
1. Use a safety lock to hold an energy isolation device in a de-energised state and prevent the re-energisation of the machine or equipment until removed. A lock should be used for each trade working under the isolation. The locks can be colour-coded to depict each trade.
2. The keys for the locks should be kept in a locked box under the supervision of the operations supervisor.
3. Tags should be used in the field to denote that a valve is being used for the purpose of isolation. The tags should be marked as “Do Not Operate” and the PtW number / isolation reference number should be recorded on the tags.
4. An isolation certificate should be used which is cross referenced to the PtW forms being used under the process isolation.
5. A copy of the master as built P&IDs should be marked-up with the location of the isolations which should be individually numbered (this number can also be added to the tags in the field). The marked-up P&IDs should be appended to the isolation certificate and the corresponding PtWs. Therefore, it is best practice to devise the isolation from scratch to ensure that the information used is up-to-date and nothing is missed.
6. To further ensure the accuracy of the information used for the preparation of the isolation, it is best practice to line walk the system and check the process features against the P&IDs. It is also best practice to deploy “Setting to work” (line walking the system with the issuing authorities and the personnel working under the PtW) prior to commencing the work. This has the added benefit that the final checks are made to the status of the isolations and the personnel working under the isolations are suitably informed of the locations of the isolations, so they can check themselves to look for change at the commencement of work each day as part of their tool box talks. The really important aspect of the setting to work initiative is that it is done as part of the site’s procedure.
Lock out, tag out and test
Even for companies with good operational procedures in highly regulated regions of the world, things can go wrong if the fullness of isolation best practice is not adhered to. A developing movement within field equipment isolation is to add a testing element to the procedure.
Valves do leak. In fact, they leak by design. The standards that cover seat leakage for control valves (ANSI/FCI/70-2 1976(R1982)) allow a 4 mL per minute leak rate for a 6” valve, for example. These leakage rates do not seem too extreme at first glance; however, for an isolation that could be in place for some time before work commences, a significant pressure force can build up. The tragic consequences for the energy industry include fires and explosions that can lead to fatalities and plant damage.
The test element of LOTO(T) can be a local pressure gauge or opening a drain line and bleeding off the accumulated pressure. Good practice when conducting the required maintenance is to loosen the bolts on the cap ends and crack the flanges open to prevent the cap end blowing off under the excessive pressure force that may have built up.
The observations and issues discussed here are all mitigated with zero capital cost. Yes, training and revising documentation has a cost, but this is not a large capital investment, and in terms of a cost to the business, “if you think safety is expensive, try having an accident” – Dr Trevor Kletz.
About the author:
Dr Jason Shirley is an experienced risk engineering manager within the high hazard process industries. He has had the privilege to view the operating practices across multiple energy installations throughout the Middle East and globally. Jason has 10 years of operations management experience within the energy industry. He has a strong background in sharing knowledge and best practice within the industry.