What Went Wrong? -  Trevor Kletz

What Went Wrong? (eBook)

Case Histories of Process Plant Disasters and How They Could Have Been Avoided

(Author)

eBook Download: PDF | EPUB
2009 | 5th edition
640 pages
Elsevier Science (publisher)
978-0-08-094969-7 (ISBN)
73,95 incl. VAT
What Went Wrong? has revolutionized the way industry views safety.

The new edition continues and extends the wisdom, innovations and strategies of previous editions, by introducing new material on recent incidents, and adding an extensive new section that shows how many accidents occur through simple miscommunications within the organization, and how straightforward changes in design can often remove or reduce opportunities for human errors.

Kletz' approach to learning as deeply as possible from previous experiences is made yet more valuable in this new edition, which for the first time brings together the approaches and cases of What Went Wrong with the managerially focussed material previously published in Still Going Wrong. Updated and supplemented with new cases and analysis, this fifth edition is the ultimate resource of experience-based analysis and guidance for safety and loss prevention professionals.





* A million dollar bestseller, this trusted book is updated with new material, including the Texas City and Buncefield incidents, and supplemented by material from Trevor Kletz's 'Still Going Wrong'
* Now presents a complete analysis of the design, operational and, for the first time, managerial causes of process plant accidents and disasters, plus their aftermaths
* Case histories illustrate what went wrong, why it went wrong, and then guide readers in how to avoid similar tragedies: learn from the mistakes of others

Front Cover 1
What Went Wrong? 4
Copyright Page 5
Dedication 6
Contents 8
Acknowledgments 18
Preface 20
Units and Nomenclature 28
A. What Went Wrong? 34
1 Preparation for Maintenance 36
1.1 ISOLATION 36
1.1.1 Failure to Isolate 36
1.1.2 Isolations Removed Too Soon 40
1.1.3 Inadequate Isolation 40
1.1.4 Isolation of Service Lines 41
1.1.5 Isolations Not Removed 42
1.1.6 Some Miscellaneous Incidents Involving Isolation for Maintenance 43
1.1.7 Electrical Isolation 43
1.2 IDENTIFICATION 45
1.2.1 The Need for Tagging 45
1.2.2 The Need for Clear, Unambiguous Labeling 47
1.2.3 The Need for Clear Instructions 48
1.2.4 Identification of Relief Valves 49
1.2.5 Make Sure You Find the Right Line 49
1.3 REMOVAL OF HAZARDS 50
1.3.1 Equipment Not Gas Freed 50
1.3.2 Conditions Can Change after Testing 52
1.3.3 Hazards Can Come Out of Drains, Vents, and Other Openings 53
1.3.4 Liquid Can Be Left in Lines 54
1.3.5 Service Lines May Contain Hazardous Materials 54
1.3.6 Trapped Pressure 55
1.3.7 Equipment Sent Outside the Plant 56
1.4 PROCEDURES NOT FOLLOWED 57
1.4.1 Equipment Used after a Permit Has Been Issued 57
1.4.2 Protective Clothing Not Worn 58
1.4.3 Jobs Near Plant Boundaries 59
1.4.4 Maintenance Work Over Water 60
1.4.5 Misunderstandings 61
1.4.6 Excavations 63
1.4.7 A Permit to Work Dangerously? 64
1.5 QUALITY OF MAINTENANCE 64
1.5.1 The Right and Wrong Ways to Break a Joint 64
1.5.2 Use of Excessive Force 65
1.5.3 Ignorance of Material Strength 65
1.5.4 Failure to Understand How Things Work or How They Are Constructed 69
1.5.5 Treating the Symptoms Instead of the Disease 71
1.5.6 Flameproof Electrical Equipment 72
1.5.7 Botching 72
1.5.8 Who Should Decide How to Carry Out a Repair? 74
1.6 A PERSONAL NOTE 75
References 75
2 Modifications 78
2.1 STARTUP MODIFICATIONS 78
2.2 MINOR MODIFICATIONS 79
2.3 MODIFICATIONS MADE DURING MAINTENANCE 84
2.4 TEMPORARY MODIFICATIONS 86
2.5 SANCTIONED MODIFICATIONS 87
2.6 PROCESS MODIFICATIONS 89
2.7 NEW TOOLS 92
2.8 ORGANIZATIONAL CHANGES 93
2.9 GRADUAL CHANGES 94
2.10 MODIFICATION CHAINS 95
2.11 MODIFICATIONS MADE TO IMPROVE THE ENVIRONMENT 97
2.11.1 Explosions in Compressor Houses 97
2.11.2 Aerosols and Other Uses of CFCs 98
2.11.3 Vent Systems 99
2.12 CONTROL OF MODIFICATIONS 101
References 102
3 Accidents Said to Be Due to Human Error 104
3.1 INTRODUCTION 104
3.2 ACCIDENTS THAT COULD BE PREVENTED BY CHANGING THE PLANT DESIGN OR METHOD OF WORKING 106
3.2.1 "There Is Nothing Wrong with the Design, but the Equipment Wasn't Assembled Correctly" 106
3.2.2 Wrong Valve Opened 107
3.2.3 Would You Climb over a Pipe or Walk 90 m (300 ft)? 108
3.2.4 An Error While Testing a Trip 108
3.2.5 Poor Layout of Instructions 109
3.2.6 An Inaccurate Reading Not Noticed on an Instrument at Thigh Level 110
3.2.7 Closing Valves in Error 111
3.2.8 An Explosion in a Batch Reactor 112
3.3 ACCIDENTS THAT COULD BE PREVENTED BY BETTER TRAINING 114
3.3.1 Readings Ignored 115
3.3.2 Warnings Ignored 116
3.3.3 Ignorance of Hazards 117
3.3.4 Ignorance of Scientific Principles 118
3.3.5 Errors in Diagnosis 119
References 120
4 Labeling 122
4.1 LABELING OF EQUIPMENT 122
4.2 LABELING OF INSTRUMENTS 125
4.3 LABELING OF CHEMICALS 126
4.3.1 Poor or Missing Labels 126
4.3.2 Similar Names Confused 128
4.4 LABELS NOT UNDERSTOOD 129
References 129
5 Storage Tanks 130
5.1 OVERFILLING 130
5.1.1 Alarms and Trips Can Make Overfilling More Likely 131
5.1.2 Overfilling Due to Change of Duty 131
5.1.3 Overfilling by Gravity 132
5.2 OVERPRESSURING 132
5.2.1 Overpressuring with Liquid 133
5.2.2 Overpressuring with Gas or Vapor 134
5.3 SUCKING IN 135
5.4 EXPLOSIONS 138
5.4.1 A Typical Tank Explosion 139
5.4.2 Some Unusual Tank Explosions 140
5.4.3 An Explosion in an Old Pressure Vessel Used as a Storage Tank 144
5.5 FLOATING-ROOF TANKS 145
5.5.1 How to Sink the Roof 145
5.5.2 Fires and Explosions 146
5.6 MISCELLANEOUS INCIDENTS 149
5.6.1 A Tank Rises Out of the Ground 149
5.6.2 Foundation Problems 149
5.6.3 Nitrogen Blanketing 150
5.6.4 Brittle Failure 151
5.7 FIBERGLASS-REINFORCED (FRP) TANKS 152
References 153
6 Stacks 156
6.1 STACK EXPLOSIONS 156
6.2 BLOCKED STACKS 159
6.3 HEAT RADIATION 161
References 162
7 Leaks 164
7.1 SOME COMMON SOURCES OF LEAKS 165
7.1.1 Small Cocks 165
7.1.2 Drain Valves and Vents 165
7.1.3 Open Containers 167
7.1.4 Level and Sight Glasses 167
7.1.5 Plugs 168
7.1.6 Hoses 169
7.1.7 Cooling Coils 172
7.2 CONTROL OF LEAKS 172
7.2.1 Emergency Isolation Valves (EIVs) 172
7.2.2 Other Methods of Controlling Leaks 176
7.2.3 How Not to Control a Leak 177
7.3 LEAKS ONTO WATER, WET GROUND, OR INSULATION 177
7.3.1 Leaks onto Water or Wet Ground 177
7.3.2 Leaks onto Insulation 178
7.4 DETECTION OF LEAKS 178
7.5 FUGITIVE EMISSIONS 180
References 181
8 Liquefied Flammable Gases 182
8.1 MAJOR LEAKS 183
8.1.1 Feyzin 183
8.1.2 Duque De Caxias 186
8.1.3 United Kingdom 186
8.1.4 Mexico City 187
8.1.5 Qatar 187
8.1.6 Ethyl Chloride Plant 188
8.2 MINOR LEAKS 190
8.3 OTHER LEAKS 191
8.3.1 Flanged Joints 191
8.3.2 Pump Seals 192
8.3.3 Level Glasses 192
8.3.4 Sample Points 192
8.3.5 Small Branches 192
8.3.6 Equipment Made from Grades of Steel Unsuitable for Use at Low Temperatures 192
8.4 SAFETY IN THE DESIGN OF PLANTS HANDLING LIQUEFIED LIGHT HYDROCARBONS 193
References 195
9 Pipe and Vessel Failures 196
9.1 PIPE FAILURES 196
9.1.1 Dead-Ends 197
9.1.2 Poor Support 200
9.1.3 Water Injection 202
9.1.4 Bellows 203
9.1.5 Water Hammer 204
9.1.6 Miscellaneous Pipe Failures 207
9.1.7 Flange Leaks 209
9.1.8 Catastrophic Failures 210
9.2 PRESSURE VESSEL FAILURES 210
9.2.1 Failures (and Near Failures) Preventable by Better Design or Construction 210
9.2.2 Failures Preventable by Better Operation 214
9.2.3 Cylinders 216
References 217
10 Other Equipment 218
10.1 CENTRIFUGES 218
10.2 PUMPS 219
10.2.1 Causes of Pump Failures 219
10.2.2 Types of Pump Failures 219
10.3 AIR COOLERS 221
10.4 RELIEF VALVES 221
10.4.1 Location 221
10.4.2 Relief-Valve Registers 222
10.4.3 Changing Relief Valves 222
10.4.4 Tailpipes 224
10.4.5 Relief-Valve Faults 225
10.4.6 Disposal of Relief Discharges 228
10.4.7 Vacuum Relief Valves 229
10.5 HEAT EXCHANGERS 229
10.5.1 Leaks into Steam and Water Lines 229
10.5.2 Leaks Due to Evaporative Cooling 230
10.5.3 Damage by Water Hammer 230
10.5.4 An Accident during Maintenance 232
10.6 COOLING TOWERS 232
10.7 FURNACES 233
10.7.1 Explosions While Lighting a Furnace 233
10.7.2 Furnace Tube Ruptures 236
References 238
11 Entry to Vessels 240
11.1 VESSELS NOT FREED FROM HAZARDOUS MATERIAL 240
11.2 HAZARDOUS MATERIALS INTRODUCED 242
11.3 VESSELS NOT ISOLATED FROM SOURCES OF DANGER 244
11.4 UNAUTHORIZED ENTRY 247
11.5 ENTRY INTO VESSELS WITH IRRESPIRABLE ATMOSPHERES 248
11.6 RESCUE 249
11.7 ANALYSIS OF VESSEL ATMOSPHERE 250
11.8 WHAT IS A CONFINED SPACE? 251
11.9 EVERY POSSIBLE ERROR 251
References 252
12 Hazards of Common Materials 254
12.1 COMPRESSED AIR 254
12.2 WATER 256
12.3 NITROGEN [4, 29] 258
12.3.1 Nitrogen Confused with Air 258
12.3.2 Ignorance of the Dangers 260
12.3.3 Nitrogen Not Known to Be Present 261
12.3.4 Liquid Nitrogen 263
12.4 HEAVY OILS (INCLUDING HEAT TRANSFER OILS) 264
12.4.1 Traces of Heavy Oil in Empty Tanks 264
12.4.2 Traces of Heavy Oil in Pipelines 265
12.4.3 Pools of Heavy Oil 265
12.4.4 Spillages of Heavy Oil, Including Spillages on Insulation 266
12.4.5 Heavy Oil Fireballs 266
12.4.6 A Lubricating Oil Fire 267
12.4.7 Degradation of Heavy Oils 268
References 268
13 Tank Trucks and Cars 270
13.1 OVERFILLING 270
13.2 BURST HOSES 271
13.3 FIRES AND EXPLOSIONS 273
13.4 LIQUEFIED FLAMMABLE GASES 273
13.5 COMPRESSED AIR 274
13.6 TIPPING UP 274
13.7 EMPTYING INTO OR FILLING FROM THE WRONG PLACE 275
13.8 CONTACT WITH LIVE POWER LINES 277
References 277
14 Testing of Trips and Other Protective Systems 280
14.1 TESTING SHOULD BE THOROUGH 280
14.2 ALL PROTECTIVE EQUIPMENT SHOULD BE TESTED 283
14.2.1 Leased Equipment 283
14.2.2 Emergency Valves 283
14.2.3 Steam Tracing 284
14.2.4 Relief Valves, Vents, Flame Arrestors, and Similar Items 284
14.2.5 Other Equipment 284
14.3 TESTING CAN BE OVERDONE 286
14.4 PROTECTIVE SYSTEMS SHOULD NOT RESET THEMSELVES 286
14.5 TRIPS SHOULD NOT BE DISARMED WITHOUT AUTHORIZATION 288
14.6 INSTRUMENTS SHOULD MEASURE DIRECTLY WHAT WE NEED TO KNOW 290
14.7 TRIPS ARE FOR EMERGENCIES, NOT FOR ROUTINE USE 291
14.8 TESTS MAY FIND FAULTS 292
14.9 SOME MISCELLANEOUS INCIDENTS 292
14.10 SOME ACCIDENTS AT SEA 293
References 294
15 Static Electricity 296
15.1 STATIC ELECTRICITY FROM FLOWING LIQUIDS 297
15.2 STATIC ELECTRICITY FROM GAS AND WATER JETS 298
15.3 STATIC ELECTRICITY FROM POWDERS AND PLASTICS 299
15.4 STATIC ELECTRICITY FROM CLOTHING 301
References 303
16 Materials of Construction 304
16.1 WRONG MATERIAL USED 304
16.2 HYDROGEN PRODUCED BY CORROSION 308
16.3 OTHER EFFECTS OF CORROSION 309
16.4 LOSS OF PROTECTIVE COATINGS 309
16.5 SOME OTHER INCIDENTS CAUSED BY CORROSION 310
16.6 FIRES 311
16.7 CHOOSING MATERIALS 311
References 312
17 Operating Methods 314
17.1 TRAPPED PRESSURE 314
17.2 CLEARING CHOKED LINES 316
17.3 FAULTY VALVE POSITIONING 317
17.4 RESPONSIBILITIES NOT DEFINED 319
17.5 COMMUNICATION FAILURES 320
17.6 WORK AT OPEN MANHOLES 322
17.7 ONE LINE, TWO DUTIES 322
17.8 INADVERTENT ISOLATION 323
17.9 INCOMPATIBLE STORAGE 323
17.10 MAINTENANCE: IS IT REALLY NECESSARY? 324
17.11 AN INTERLOCK FAILURE 325
17.12 EMULSION BREAKING 326
17.13 CHIMNEY EFFECTS 327
References 329
18 Reverse Flow, Other Unforeseen Deviations, and Hazop 330
18.1 REVERSE FLOW FROM A PRODUCT RECEIVER OR BLOWDOWN LINE BACK INTO THE PLANT 330
18.2 REVERSE FLOW INTO SERVICE MAINS 332
18.3 REVERSE FLOW THROUGH PUMPS 333
18.4 REVERSE FLOW FROM REACTORS 334
18.5 REVERSE FLOW FROM DRAINS 336
18.6 OTHER DEVIATIONS 336
18.7 A METHOD FOR FORESEEING DEVIATIONS 337
18.8 SOME PITFALLS IN HAZOP 339
18.9 HAZOP OF BATCH PLANTS 340
18.10 HAZOP OF TANK TRUCKS 341
18.10.1 "More of Pressure" 342
18.10.2 "Less of Temperature" 342
18.10.3 "More Than" 342
18.11 HAZOP: CONCLUSIONS 342
References 343
19 I Didn’t Know That . . . 346
19.1 AMMONIA CAN EXPLODE 346
19.2 HYDRAULIC PRESSURE TESTS CAN BE HAZARDOUS 348
19.3 DIESEL ENGINES CAN IGNITE LEAKS 349
19.4 CARBON DIOXIDE CAN IGNITE A FLAMMABLE MIXTURE 350
19.5 MISTS CAN EXPLODE 351
19.6 THE SOURCE OF THE PROBLEM LAY ELSEWHERE 352
References 353
20 Problems with Computer Control 356
20.1 HARDWARE AND SOFTWARE FAULTS 356
20.2 TREATING THE COMPUTER AS A BLACK BOX 357
20.2.1 The Hazards of Complexity 358
20.2.2 Unforeseen Effects of a Small Leak 359
20.2.3 Unforeseen Effects of a Measurement Failure 360
20.2.4 Changing Trends May Not Be Noticed 360
20.2.5 An Error That Would Not Be Made without a Computer 361
20.3 MISJUDGING THE WAY OPERATORS WILL RESPOND 361
20.4 OTHER PROBLEMS 363
20.4.1 Errors in the Data Entered in the Computer 363
20.4.2 Failures to Tell Operators of Changes 363
20.4.3 Modifications 363
20.4.4 Old Software 364
20.5 UNAUTHORIZED INTERFERENCE 364
20.6 NEW APPLICATIONS 366
20.7 CONCLUSIONS 367
References 367
Additional Reading 368
21 Inherently Safer Design 370
21.1 BHOPAL 371
21.1.1 "What You Don't Have Can't Leak" 371
21.1.2 Plant Location 372
21.1.3 Keep Incompatible Materials Apart 372
21.1.4 Keep Protective Equipment in Working Order—and Size It Correctly 372
21.1.5 Joint Ventures 373
21.1.6 Training in Loss Prevention 374
21.1.7 Public Response 374
21.2 OTHER EXAMPLES OF INHERENTLY SAFER DESIGN 375
21.2.1 Intensification 375
21.2.2 Substitution 376
21.2.3 Attenuation 377
21.2.4 Limitation of Effects 377
21.2.5 Seveso 378
21.2.6 Existing Plants 379
21.3 USER-FRIENDLY DESIGN 379
References 380
Additional Reading on Bhopal 380
22 Reactions—Planned and Unplanned 382
22.1 LACK OF KNOWLEDGE 382
22.2 POOR MIXING 384
22.3 CONTAMINATION 386
22.4 REACTIONS WITH AUXILIARY MATERIALS 388
22.5 POOR TRAINING OR PROCEDURES 388
22.6 USE-BY DATES 389
References 390
B. Still Going Wrong 392
23 Maintenance 394
23.1 INADEQUATE PREPARATION ON A DISTANT PLANT 394
23.1.1 What Went Wrong? 395
23.2 PRECAUTIONS RELAXED TOO SOON 395
23.2.1 Lessons Learned 396
23.3 FAILURE TO ISOLATE RESULTS IN A FIRE 397
23.4 UNINTENTIONAL ISOLATION 398
23.5 BAD PRACTICE AND POOR DETAILED DESIGN 399
23.6 DISMANTLING 400
23.6.1 Wrong Joint Broken 400
23.6.2 Trapped Pressure in Disused Equipment 402
23.7 COMMISSIONING 403
23.8 OTHER HIDDEN HAZARDS 403
23.9 CHANGES IN PROCEDURE 404
23.10 DEAD-ENDS 405
23.10.1 A Disused Pipe Becomes a Dead-End 405
23.10.2 A Dead-End inside a Vessel 406
References 407
24 Entry into Confined Spaces 408
24.1 INCOMPLETE ISOLATION 408
24.2 HAZARDOUS MATERIALS INTRODUCED 409
24.2.1 409
24.2.2 410
24.2.3 410
24.2.4 410
24.3 WEAKNESSES IN PROTECTIVE EQUIPMENT 410
24.4 POOR ANALYSIS OF ATMOSPHERE 411
24.5 WHEN DOES A SPACE BECOME CONFINED? 411
24.5.1 412
24.5.2 412
24.5.3 413
24.6 MY FIRST ENTRY AND A GASHOLDER EXPLOSION 415
24.7 FAILURE OF A COMPLEX PROCEDURE 417
24.7.1 What Went Wrong? 418
24.8 EPIDEMICS OF UNSAFE ENTRIES 418
24.8.1 Similar Experience Elsewhere 420
24.8.2 Avoiding the Need 421
References 422
25 Changes to Processes and Plants 424
25.1 CHANGES TO PROCESSES 425
25.1.1 Scale-Up Is a Modification 425
25.1.2 Unrecognized Scale-Up 425
25.1.3 Ignorance of a Reaction 425
25.1.4 Changes Made to Handle Abnormal Situations 426
25.1.5 An Abnormal Situation Produced by a Process Change 427
25.2 CHANGES TO PLANT EQUIPMENT 428
25.2.1 Changes in the Direction of Flow 428
25.2.2 Two Changes in Firefighting 430
25.2.3 Adding Insulation Is a Modification 430
25.2.4 Two Unauthorized Changes 431
25.2.5 A Very Simple Change 432
25.2.6 A Temporary Change 432
25.2.7 Another Trivial Change 433
25.2.8 Unintended Changes 434
25.2.9 A Change to the Type of Valve 434
25.2.10 A Change in the Cooling Agent 434
25.2.11 A Failure to Recognize the Need for Consequential Change 435
25.2.12 An Example from the Railways 435
25.2.13 Another Historic Incident 436
25.3 GRADUAL CHANGES 436
25.3.1 A Gradual Change in Concentration 436
25.3.2 A Gradual Change in Maintenance 437
25.3.3 Gradual Changes in Procedures 437
25.4 CHANGES MADE BECAUSE THE REASONS FOR EQUIPMENT OR PROCEDURES HAVE BEEN FORGOTTEN 438
References 438
26 Changes in Organization 440
26.1 AN INCIDENT AT AN ETHYLENE PLANT 441
26.1.1 Short-Term Changes 442
26.1.2 Long-Term Changes 442
26.1.3 A Failure to Learn from the Past 443
26.2 THE LONGFORD EXPLOSION 444
26.3 THE TEXAS CITY EXPLOSION 447
26.3.1 Another Industry: Similar Problems 449
26.4 OUTSOURCING 450
26.5 MULTISKILLING AND DOWNSIZING 450
26.6 HOW TO LOSE YOUR REPUTATION 451
26.7 ADMINISTRATIVE CONVENIENCE VERSUS GOOD SCIENCE 452
26.8 THE CONTROL OF MANAGERIAL MODIFICATIONS 452
26.9 SOME POINTS A GUIDE SHEET SHOULD COVER 453
26.10 AFTERTHOUGHTS 454
References 454
27 Changing Procedures Instead of Designs 456
27.1 MISLEADING VALVE LAYOUTS 458
27.1.1 458
27.1.2 459
27.2 SIMPLE REDESIGN OVERLOOKED 461
27.3 UNIMAGINATIVE THINKING 462
27.4 JUST TELLING PEOPLE TO FOLLOW THE RULES 464
27.5 DON'T ASSEMBLE IT INCORRECTLY 464
27.6 TIGHTEN CORRECTLY OR REMOVE THE NEED 466
27.7 SHOULD IMPROVEMENTS TO PROCEDURES EVER BE THE FIRST CHOICE? 466
References 467
28 Materials of Construction (Including Insulation) 468
28.1 RUST 468
28.1.1 Rust Formation Uses up Oxygen 468
28.1.2 Rust-Jacking 469
28.1.3 Liquid Can Be Trapped Behind Rust 469
28.1.4 Rust as Catalyst 469
28.1.5 Rust Jams a Valve 470
28.1.6 Thermite Reactions 470
28.1.7 Rust Formation Weakens Metal 470
28.1.8 Old Plants and Modern Standards 471
28.1.9 Stainless Steel Can Rust 471
28.2 INSULATION 472
28.2.1 Insulation Hides What Is Beneath It 472
28.2.2 Wet Insulation Is Inefficient 473
28.2.3 Spillages on Insulation Can Degrade and Ignite 473
28.2.4 Some Insulation Is Flammable 473
28.2.5 Metal Coatings over Insulation Should Be Grounded 474
28.2.6 Insulation Can Fall Off 474
28.3 BRITTLE FAILURE 474
28.3.1 Temperature Too Low as a Result of Adiabatic Cooling 474
28.3.2 Temperature Too Low as a Result of Adding Cold Fluids 474
28.3.3 Manufacturing Flaws 475
28.3.4 Use of Unsuitable Materials 475
28.4 WRONG MATERIALS OF CONSTRUCTION 475
28.4.1 Wrong Materials of Construction and Contaminants 475
28.4.2 A Hasty Reaction When the Plant Leaked 476
28.5 CORROSION SENDS A COLUMN INTO ORBIT 478
28.6 UNEXPECTED CORROSION 479
28.7 ANOTHER FAILURE TO INSPECT PIPEWORK 479
28.8 HOW NOT TO WRITE AN ACCIDENT REPORT 480
References 481
29 Operating Methods 482
29.1 THE ALARM MUST BE FALSE 482
29.2 A FAMILIAR ACCIDENT—BUT NOT AS SIMPLE AS IT SEEMED 483
29.2.1 What Can We Learn? 484
29.2.2 Another Similar Accident 484
29.3 MORE RELUCTANCE TO BELIEVE THE ALARM 486
29.4 THE LIMITATIONS OF INSTRUCTIONS 487
29.5 THE LIMITATIONS OF INSTRUCTIONS AGAIN 487
29.6 EMPTY PLANT THAT IS OUT OF USE 488
29.7 A MINOR JOB FORGOTTEN—UNTIL THERE WAS A LEAK 488
29.7.1 What Went Wrong? 489
29.8 DESIGN ERROR + CONSTRUCTION ERROR + OPERATING ERROR = SPILLAGE 489
29.8.1 What Went Wrong? 491
References 491
30 Explosions 492
30.1 AN EXPLOSION IN A GAS-OIL TANK 492
30.1.1 Lessons Learned 493
30.2 ANOTHER SORT OF EXPLOSION 494
30.3 ONE + ONE = MORE THAN TWO 495
30.4 "NEAR ENOUGH IS GOOD ENOUGH" 496
30.5 ANOTHER EXPLOSION IGNITED BY A CARBON BED 497
30.6 AN EXPLOSION IN AN ALTERNATIVE TO A CARBON BED 498
30.7 ONLY A MINOR CHANGE 498
30.7.1 Lessons Learned 499
30.8 AN EXPLOSION IN A PIPE 499
30.8.1 Lessons Learned 500
30.9 A DUST EXPLOSION IN A DUCT 501
30.10 OBVIOUS PRECAUTIONS NEGLECTED 502
30.10.1 What Went Wrong? 502
30.11 A DRUM EXPLOSION 503
30.12 FOAM-OVER—THE CINDERELLA OF THE OIL AND CHEMICAL INDUSTRIES 503
30.13 EXPLOSIONS OF COLD GASOLINE IN THE OPEN AIR 505
30.13.1 Buncefield 506
30.14 THE INEVITABILITY OF IGNITION 507
30.14.1 The Aviation Industry 508
30.14.2 Conclusions 509
References 509
31 Poor Communication 512
31.1 WHAT IS MEANT BY SIMILAR? 512
31.2 MORE SIMILAR ERRORS 514
31.3 WRONG MATERIAL DELIVERED 515
31.4 PACKAGED DEALS 515
31.5 "DRAFTSMEN'S DELUSIONS" 516
31.6 SAME PLANT AND PRODUCT, BUT NO COMMUNICATION 518
31.7 A FAILURE AT THE DESIGN/CONSTRUCTION INTERFACE 519
31.8 FAILURE OF COMMUNICATION BETWEEN MARKETING AND TECHNOLOGY 519
31.9 TOO MUCH COMMUNICATION 520
31.10 NO ONE TOLD THE DESIGNERS 520
31.11 CONCLUSIONS 521
References 521
32 I Did Not Know … 524
32.1 … THAT METALS CAN BURN 524
32.1.1 Another Metal Fire 525
32.2 … THAT ALUMINUM IS DANGEROUS WHEN WET 525
32.3 … THAT RUBBER AND PLASTICS ARE PERMEABLE 526
32.4 … THAT SOME PLASTICS CAN ABSORB PROCESS MATERIALS AND SWELL 526
32.5 … WHAT LAY UNDERNEATH 527
32.6 … THE METHOD OF CONSTRUCTION 528
32.7 … MUCH ABOUT STATIC ELECTRICITY 529
32.7.1 Another Static Ignition 531
32.7.2 An Unusual Effect of Static Electricity 531
32.8 … THAT A LITTLE CONTAMINATION CAN HAVE A BIG EFFECT 532
32.9 … THAT WE CANNOT GET A TIGHT SEAL BETWEEN THIN BOLTED SHEETS 533
32.10 … THAT UNFORESEEN SOURCES OF IGNITION ARE OFTEN PRESENT 534
32.11 … THAT KEEPING THE LETTER OF THE LAW IS NOT ENOUGH 535
32.12 … THE POWER OF COMPRESSED AIR 536
References 537
33 Control 540
33.1 INSTRUMENTS THAT CANNOT DO WHAT WE WANT THEM TO DO 540
33.1.1 Measuring the Wrong Parameter 540
33.1.2 An Alarm That Immediately Reset Itself 541
33.1.3 A Trip That Did Not Work under Abnormal Conditions 541
33.1.4 A Sight-Glass with Limited Range 543
33.1.5 An Explosion in a Nitric Acid Plant 544
33.1.6 Vapors and Noncondensable Gases Confused 544
33.1.7 Protective Equipment Caused an Explosion 546
33.1.8 A Procedure That Cannot Do What We Want It to Do 547
33.1.9 Preventing Similar Errors 548
33.2 TOO LITTLE INSTRUMENTATION 548
33.3 DIAGRAMS WERE NOT UP TO DATE 549
33.4 AN AUTOMATIC RESTART FAILS TO RESTART 550
33.5 PROCEDURES: AN ESSENTIAL FEATURE OF CONTROL SYSTEMS 551
Afterthought 552
References 553
34 Leaks 554
34.1 LEAKS FROM TANKS 555
34.1.1 A Leak from a Bad Weld 555
34.1.2 A Leak from a Plastic Tank 556
34.1.3 A Leak from a Lined Tank 556
34.2 LEAKS FROM LINED PIPES 556
34.3 A LEAK THROUGH CLOSED VALVES 557
34.4 A LEAK CAUSED BY SURGE PRESSURE 559
34.5 LEAKS FROM SCREWED FITTINGS 560
34.6 OTHER WEAK SPOTS IN PIPEWORK 561
References 562
35 Reactions—Planned and Unplanned 564
35.1 DELAYED MIXING 564
35.2 WAITING UNTIL AFTER THE FOURTH ACCIDENT 566
35.3 LOWER TEMPERATURE MAY NOT MEAN LESS RISK 567
35.4 FORGETTING TO ADD A REACTANT 568
35.5 INADEQUATE TESTS 569
35.6 A HEATING MEDIUM WAS TOO HOT 570
35.7 AN UNSTABLE SUBSTANCE LEFT STANDING FOR TOO LONG 571
References 571
36 Both Design and Operations Could Have Been Better 572
36.1 WATER IN RELIEF VALVE TAILPIPES 572
36.2 A JOURNEY IN A TIME MACHINE 573
36.2.1 Design Errors 573
36.2.2 Operating Errors 574
36.3 CHOKES IN FLARESTACKS 575
36.4 OTHER EXPLOSIONS IN FLARESTACKS 577
36.5 DESIGN POOR, PROTECTION NEGLECTED 578
36.5.1 What Went Wrong? 578
36.6 SEVERAL POOR SYSTEMS DO NOT MAKE A GOOD SYSTEM 579
36.6.1 What Went Wrong? 581
36.7 "FAILURES IN MANAGEMENT, EQUIPMENT, AND CONTROL SYSTEMS" 582
36.7.1 Better Management Could Have Prevented the Incident 583
36.7.2 Better Control of Modifications Could Have Prevented the Incident 584
36.7.3 Better Process Control Could Have Prevented the Incident 584
36.8 CHANGES TO DESIGN AND OPERATIONS 585
36.9 THE IRRELEVANCE OF BLAME 586
References 587
37 Accidents in Other Industries 588
37.1 AN EXPLOSION IN A COAL MINE 588
37.2 MARINE ACCIDENTS 589
37.2.1 A Misleading Display 589
37.2.2 Stand Clear 590
37.2.3 Wrong Connections 591
37.2.4 Preparation for Maintenance 591
37.2.5 Entry into Confined Spaces 591
37.2.6 For Want of a Nail, a Ship Was Lost 592
37.3 HUMAN ERROR 592
37.4 TESTS SHOULD BE LIKE REAL LIFE 593
37.5 LOAD AND STRENGTH TOO CLOSE 593
37.6 THE NINETEENTH CENTURY 595
References 595
38 Accident Investigation—Missed Opportunities 598
38.1 ACCIDENT INVESTIGATIONS OFTEN FIND ONLY A SINGLE CAUSE 598
38.2 ACCIDENT INVESTIGATIONS ARE OFTEN SUPERFICIAL 599
38.3 ACCIDENT INVESTIGATIONS LIST HUMAN ERROR AS A CAUSE 600
38.4 ACCIDENT REPORTS LOOK FOR PEOPLE TO BLAME 601
38.5 ACCIDENT REPORTS LIST CAUSES THAT ARE DIFFICULT OR IMPOSSIBLE TO REMOVE 601
38.6 WE CHANGE PROCEDURES RATHER THAN DESIGNS 602
38.7 WE MAY GO TOO FAR 602
38.8 WE DO NOT LET OTHERS LEARN FROM OUR EXPERIENCE 603
38.9 WE READ OR RECEIVE ONLY OVERVIEWS 603
38.10 WE FORGET THE LESSONS LEARNED AND ALLOW THE ACCIDENT TO HAPPEN AGAIN 604
38.10.1 Weaknesses in Safety Training 605
38.10.2 Databases 606
38.10.3 Cultural and Psychological Blocks 608
References 609
39 An Accident That May Have Affected the Future of Process Safety 610
39.1 WHY DID ICI, MORE SO THAN OTHER COMPANIES, MAKE THESE CHANGES? 612
39.2 WHAT WOULD HAVE HAPPENED IF ICI HAD NOT EXISTED? 612
39.3 WHY DID ICI COME TO AN END? 613
39.4 WHAT WILL WE MISS IN THE YEARS TO COME? 614
References 615
Appendix 1 Relative Frequencies of Incidents 616
Primary Causes 617
Responsibility 617
References 618
Appendix 2 Why Should We Publish Accident Reports? 620
“It’s Not Like That Today” 621
Appendix 3 Some Tips for Accident Investigators 622
Appendix 4 Recommended Reading 624
Appendix 5 Afterthoughts 626
Index 628

Preface


In 1968, after many years' experience in plant operations, I was appointed safety adviser to the heavy organic chemicals division (later the petrochemicals division) of Imperial Chemical Industries. My appointment followed a number of serious fires in the 1960s, and therefore I was mainly concerned with process hazards rather than those of a mechanical nature. Today I would be called a process safety adviser.

One of my tasks was to pass on to design and operating staff details of accidents that had occurred and the lessons that should be learned. This book contains a selection of the reports I collected from many different companies, as well as many later reports. Although most have been published before, they were scattered among many different publications, some with small circulations.

The purpose here is to show what has gone wrong in the past and to suggest how similar incidents might be prevented in the future. Unfortunately, the history of the process industries shows that many incidents are repeated after a lapse of a few years. People move on, and the lessons are forgotten. This book will help keep the memories alive.

The advice is given in good faith but without warranty. Readers should satisfy themselves that it applies to their circumstances. In fact, you may feel that some of my recommendations are not appropriate for your company. Fair enough, but if the incidents could occur in your company, and you do not wish to adopt my advice, then please do something else instead. But do not ignore the incidents.

To quote the advice of John Bunyan, written more than 300 years ago,

What of my dross thou findest there, be bold
To throw away, but yet preserve the gold.
What if my gold be wrapped up in ore?
None throws away the apple for the core:
But if thou shalt cast all away as vain …

You have been warned what will happen.

You may believe that the accidents could not happen at your plant because you have systems to prevent them. Are you sure that they are always followed, everywhere, all the time? Perhaps they are followed most of the time but someone turns a blind eye when a job is urgent. Also remember that systems have limitations. All they can do is make the most of people's knowledge and experience by applying them in a systematic way. If people lack knowledge and experience, the systems are empty shells.

Many of the accidents I describe occurred in plants that had such systems, but the systems were not always followed. The accidents happened because of various management failures: failure to convince people that they should follow the systems, failure to detect previous violations (by audits, spot checks, or just keeping an open eye), or deliberately turning a blind eye to avoid conflict or to get a job done quickly. The first step down the road to many a serious accident occurred when someone turned a blind eye to a missing blind (see Chapter 1).

The incidents described could occur in many different types of plants and are therefore of widespread interest. Some of them illustrate the hazards involved in activities such as preparing equipment for maintenance and modifying plants. Others illustrate the hazards associated with widely used equipment, such as storage tanks and hoses, and with that universal component of all plants and processes: people. Other incidents illustrate the need for techniques, such as hazard and operability studies, and protective devices, such as emergency isolation valves.

You will notice that most of the incidents are very simple. No esoteric knowledge or detailed study was required to prevent them—only a knowledge of what had happened before, which this book provides.

Only a few incidents started with the sudden failure of a major component. Most started with a flaw in a minor component, an instrument that was out of order or not believed, a poor procedure, or a failure to follow procedures or good engineering practice. For want of a nail, a kingdom was lost.

Many of the incidents described could be discussed under more than one heading. Therefore, cross-references have been included.

If an incident that happened in your plant is described, you may notice that one or two details have been changed. Sometimes this has been done to make it harder for people to tell where the incident occurred. Sometimes this has been done to make a complicated story simpler but without affecting the essential message. Sometimes—and this is the most likely reason—the incident did not happen in your plant at all. Another plant had a similar incident.

Many of the incidents did not actually result in death, serious injury, or serious damage—they were so-called near misses, although they were really near accidents. But they could have had much more serious consequences. We should learn from these near misses, as well as from incidents that had serious results.

Most of the incidents described occurred at so-called major hazard plants or storage installations—that is, those containing large quantities of flammable, explosive, or toxic chemicals. The lessons learned apply particularly to such plants. However, most of the incidents could have occurred at plants handling smaller quantities of materials or less hazardous materials, and the consequences, though less serious, would be serious enough. At a major-hazard plant, opening up a pump that is not isolated could cause (and has caused) a major fire or explosion. At other plants, this would cause a smaller fire or a release of corrosive chemicals—still enough to kill or injure the employee on the job. Even if the contents of the plant are harmless, there is still a waste of materials. The lessons to be learned therefore apply throughout the process industries.

For the second edition of this book, I added more incidents, extended the sections on Bhopal and Mexico City, and added chapters on some little-known but quite common hazards and on accidents in computer-controlled plants.

For the third edition, I added sections or chapters on heat exchangers, furnaces, inherently safer design, and runaway reactions, and extended many other chapters. Although I have read many accident reports since the first edition appeared, most have merely reinforced the messages of the book, and I added only those incidents that tell us something new.

For the fourth edition, I added further incidents to every chapter.

For the fifth edition, Part A of this book, changes have been minor. A supplement to What Went Wrong? called Still Going Wrong was published in 2003. It is reprinted as Part B, and many reports on incidents that have occurred since then or become available since then have been added.

There is, however, one difference between Parts A and B. In Part A I emphasized the immediate technical causes of the accidents and the changes in design and methods of working needed to prevent them from happening again. In Part B I have, whenever possible, discussed also the underlying weaknesses in the management systems. It is not possible to do this in every case, as the information is not always available. Too many reports still describe only the immediate technical causes. I do not blame their authors for this. Most of them are close to the ‘coal-face.’ They want to solve the immediate technical problems and get the plant back on line in a safe manner as soon as they can, so they concentrate on the immediate technical causes. More senior people, before approving the reports, should look for the underlying weaknesses that result in poor designs, poor methods of working, failures to learn from the past, tendencies to blame people who make occasional but inevitable errors, and so on. They should also see that changes that cannot be made on the existing plants are fed back to the design organizations, both in-house and contractors, for use in the future. Because of this difference in approach, I have not merged the contents of the two original books but left them as they were. There are therefore chapters in Parts A and B with the same or similar titles.

In Part A, some of the chapters covered different types of equipment, whereas others covered procedures such as maintenance or modifications. In Part B, most of the chapters cover procedures, but a number of reports on explosions and leaks are collected under these headings. This part also emphasizes the multiple causes of accidents. As a result, the accidents described in the chapter on the management of change, for example, also have other causes, whereas some incidents in other chapters also involve the management of change. Similarly, several scattered reports show that some accidents cannot be prevented by more detailed...

Publication date (per publisher) 17.6.2009
Language English
Subject area Natural Sciences Chemistry
Technology Civil Engineering
Technology Electrical Engineering / Power Engineering
Technology Environmental Engineering / Biotechnology
Business
ISBN-10 0-08-094969-X / 008094969X
ISBN-13 978-0-08-094969-7 / 9780080949697
PDF (Adobe DRM)
Size: 10.5 MB

Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited suitability for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the Adobe Digital Editions software (free). We advise against using the OverDrive Media Console; in our experience it frequently causes problems with Adobe DRM.
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Additional feature: Online reading
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

EPUB (Adobe DRM)
Size: 6.9 MB

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text adapts dynamically to the display and font size. EPUB is therefore also well suited to mobile reading devices.
