Welcome to the 4th in our Control of Work series where Mark Carter examines all elements of Control of Work and presents some of the insights we have gained in over 20 years of operation. The article has been split into two parts. Part 1 features the preparation and isolation of equipment and Part 2 looks at the removal of critical equipment and preparing the work area.
The Preparation and Isolation of Equipment for Maintenance
Adequate preparation for maintenance work is probably the single most effective way of reducing risks present in both the equipment and in the environment and as such, is arguably the most effective safety management step in carrying out maintenance work. Normally, the preparation process will be well known to the Operations/Maintenance personnel and accordingly, the risk control will usually follow a well-worn procedure. However, as logic dictates, there will always be a first time for every piece of equipment being prepared for maintenance. It is vital therefore, that in the initial process is monitored very carefully for potential hazards and any procedure amended accordingly.
For preparation, we have broken the process down into 5 phases, namely the four ‘process’ phases of; taking the equipment off-line, de-inventorying it, decontamination and the isolation of energy from it. These are then followed by the preparation of the work area itself. It is realised that not all preparation processes will fall into this categorisation, with some stages merging into others or not even being needed at all but the general format will cover all aspects.
Taking the equipment off-line
Where taking the equipment off-line is concerned, then the risks associated with this will depend largely upon:
- the degree of sophistication of the equipment,
- the availability/usage of alternative equipment (for continuous processes),
- what is to be done with the contents of the equipment while the maintenance work is carried out (for process industries) – see de-inventorying below
For example, taking a blast furnace off-line in a steel works would take weeks, if not months, of careful planning (both maintenance-wise and with business strategy concerns). The planning would take place over an extended time period and require careful consideration of where any inventory/waste is to be removed to. On the other hand, taking a conveyor system off-line in a manufacturing industry could be as simple as switching it off.
We are of course talking about planned maintenance, where the major process concern would always be your vulnerability in not being able to come back on-line quickly enough. Even this is sometimes no issue because much equipment can be ‘spared’ if deemed sensitive. Unplanned maintenance is another matter altogether. Here you will not have the luxury of choosing your timing. You might not have a spare piece of equipment to bring on line. The choices are rather stark. You will have to either evaluate the risks of further damaging any equipment still running, running at reduced capacity or perhaps complete process shutdown.
The worst-case scenario however, is an emergency shutdown. Here, plant and equipment conditions will be such that it will not be safe to keep on running. The plant will effectively be switched off – either manually or automatically. Most plants operating high hazard processes will have contingencies for emergency shutdown. Most Operating personnel though do not – with nerves at breaking point during such circumstances.
The major problems might not of course present themselves when bringing the plant down but when it goes back up again. For example, an emergency shutdown might be relatively hazard free but the complications associated with coming back up (e.g. cross contamination, instruments out of range, dog-legs of material etc.) can be most serious.
Removing the inventory from the equipment (i.e. taking the process material from inside the equipment and removing it to the outside) can have safety implications for both those charged with carrying it out, and for others too. As well as being the first safety step in releasing stored energy, it may also involve extensive environmental implications as the contents are removed. This process is normally carried out by the Operations/Manufacturing personnel and is usually procedurally based. For example, if repairs are to be carried out on a boiler, there will be a number of pre-prescribed steps that would need to be carried out. Any residual steam may be vented to a safe place, removing any water and residual fuel. At each step, there would be a need to check various process indications, including temperatures or pressures so that the removal of the item did not cause a further hazard elsewhere. Nowadays, in most instances, removing the contents from process equipment would be an almost entirely closed process i.e. none of the contents would be allowed out of containment and exposed to the outside. For example, any hot water contents from the boiler could be sent to storage and steam, and thereby instead of being vented, could be condensed and recycled. This is almost certain to be the case for toxic and flammable liquids where total containment would be a major objective of the de-inventory process.
Removing the inventory may sometimes be followed by further processes in order to decontaminate the equipment fully. This would usually be carried out where it is unlikely that de-inventorying alone would have removed sufficient material to make the equipment clear of hazardous substances. This decontamination process is not to be confused with manually cleaning or ‘washing’ the equipment. Such a practice would only be carried out after these two processes, and perhaps only after the fourth element of preparation (isolation from energy sources) had also been carried out. Such processes could include say, washing with a solvent, purging with an inert gas or air etc.
The exact choice would depend upon the nature of the material to be removed. For example, you will not want to remove traces of a flammable material using an air purge, for example, due to the potentially explosive atmosphere you might be creating. Decontaminating in this way gives rise to potentially difficult environmental problems. There is the potential to have low(ish) levels of contamination present in potentially large volumes of fluids, and so care must be taken to ensure that these streams are dealt with properly, especially from an environmental point of view.
Example of vessel repairs
An oil storage tank had been taken off-line and inspected as part of its regular schedule. After emptying and cleaning, the tank was inspected and found to require some welding repairs to the internals. As part of the procedure for welding, the atmosphere inside the tank was to be measured for flammable gases. So, at 7 o’clock on a cold Spring morning the gas test was carried out and the atmosphere inside was duly found to be free of flammable gases and the work was allowed to go ahead. However, at three o’clock in the afternoon a small explosion was heard to come from the tank. Only the welder was inside at the time and the ‘standby’ man quickly called the rescue service, who were able to pull the man out with only minor burns but his hearing was affected by the explosion.
Upon closer examination, it was determined that the tank floor had been over-plated during its last repair. Some residual material had remained hidden from view and from the cleaning process. When the gas test was carried out, the material was cold and no flammable vapours had entered the tank atmosphere. However, when the ambient temperature increased, flammable vapours accumulated within the tank, eventually reaching the lower explosive limit. The ignition source from the welding ignited the vapours. Fortunately for the welder, there was only a small amount of residual material present and so the resultant explosion was relatively minor in nature.
This accident was particularly regrettable, as the maintenance records clearly indicated that the floor had been over-plated. Any good risk assessor would have identified a potential hazard and ensured proper controls were followed given that information, particularly in removing all possible traces of residual material. In addition, the atmospheric gas test carried out was a ‘one-off’, when in reality frequent gas tests should have been carried out or a continuous gas monitor installed.
Energy Isolation can be described as ‘the making safe of equipment by positively disconnecting the energy sources from it’. This is the preparation step that usually receives the most attention, as often the two middle process steps (de-inventorying and decontamination) may not be needed. The energy sources that, typically, are most commonly involved are as shown in the table below.
|Power required for driving motors for machinery; pumps, compressors, conveyor belts etc., and ranging in voltage from low (110/240 volts to many thousands of volts)
|Power required for driving some machinery; electrical turbines, engines etc.
|Toxic, corrosive or otherwise reactive materials being processed or used to process other materials
|Oils, gases, petrochemicals etc. being processed
|As a power source to provide steam. In smaller doses as a source for certain instruments e.g. level detection
|Potential Energy (stored)
|Energy perhaps stored in a spring or coil
|Potential Energy (gravitational)
|The potential for something to fall – for example, this may be of concern when working on lifts and hoists
|From moving objects where removal of their energy sources is not practical e.g. closing a road is one way of ‘isolating’ kinetic energy (from vehicles) from the workplace
|From compressible fluids, say steam (used in turbines, and/or compressors) or nitrogen for perhaps purging purposes
|Heat / Cold
|Commonly this would be in the form of surrounding equipment due to the specific duty it is carrying out e.g. a furnace
|Certain radio signals can interfere with other equipment being used in the area and in extreme circumstances can be harmful to health
|It may be impossible to work in certain areas for long periods where there are high levels of ambient sound and so you would require this to be isolated
In addition to these energy sources, there are other isolations, which although would not cause accident or injury themselves, could have potentially serious consequences as a secondary cause. For example, if instrument isolation is not carried out correctly, then the wrong readings could be input into plant control systems with a resultant loss of/poor control of the process, even when operating at these low electrical potentials.
There are many methods of effecting isolations and preventing the sources from impacting upon the work. These methods will be dependent upon the level of risk associated with them. The methods agreed within the organisation must be followed, and may include, for example:
- on/off isolation – which would refer to simple switching for electrical circuits to valves within process lines containing fluids,
- physical breaks within the process / services lines,
- the removal of fuses or contactors, etc. for electrical energy
- a physical ‘chock’ (insertion of a solid object) to prevent e.g. a stirrer from turning.
The isolation methodology itself will usually take the form of a list of operations to be carried out. Digital systems like RAP are more likely to take the form of a step-by-step procedure, where every step can be acknowledged as complete, before moving on to the next. If lockout tagout (LOTO) is being used then RAP can even print the labels for the tags if so required.
Whether list or procedure, it is important to recognise that the final sign-off is a most important stage in the workflow. Only now can you say that the equipment is free from potentially hazardous energy and only now can you say the maintenance work is safe to continue.
Once the isolation is in place, it is essential that it is adequately maintained in that state until all jobs associated with it have been carried out. There is an astonishing list of incidents caused by people reversing isolations (i.e. a re-connection) simply because they didn’t know what the status was meant to be. For this reason many isolations are tagged by a label indicating the isolation status and perhaps the work being carried out / and the person doing it. They may also be locked as well. Locking can take many forms, sometimes with all workers using their own personal lock.
Many companies are combining all their preparation stages, including those summarised, and others, into single ‘Energy Isolation Procedures’. In this way, all of the steps required to carry out all of the phases can be established in one place. Appropriate ‘safe’ points can be identified (e.g. ‘the temperature of a vessel contents must be demonstrably below 25 degrees Centigrade before the containment can be broken’). Signature points can be inserted to ensure the appropriate authorities can allow the next stage to proceed. Such procedures have the advantage of making the requirements clear and also showing the history associated with each step of the preparation. In this way, each person carrying out subsequent actions may establish what has gone before.
One big advantage of this, is when any permits required to carry out line-breaks are ‘launched’ from the Isolation Procedure itself. Once the valved isolations are complete and signed for and assuming all process conditions are acceptable, the line-break permits can be issued. If these permits form an integral part of the isolation procedure as they do in RAP, then until the permits are signed off, you cannot proceed to the next step. Therefore, there can be no confusion over the state of readiness for the equipment to be worked on. Until you reach the final isolation point in the procedure having signed off all of the line-break permits, no permits to carry out work on the system can be issued.
Example of an inadequate isolation procedure
A storage vessel containing some toxic materials was to be taken out for inspection and repairs. The initial emptying and decontamination procedures were well documented and tried and tested.
After these two elements, the isolation itself was initiated. This involved removing the electrical energy sources from two pumps, closing off all inlet valves and opening all outlet valves before making a positive intervention (line break) for man-entry purposes to insert some blanking plates. The process of the isolation went smoothly until the line break itself. In these circumstances, site procedures mandated that putting a positive isolation in place involving possibly breaking containment on toxic materials required a Permit to Work. Although still sanctioned by the Operations team, it was a separate system to the Isolation Procedure. Although the Permit to Work for the line breaks required signing off of the ‘valved’ and electrical isolation, no such requirement was in place for the status of this part of the isolation to be written into the ordinary isolation procedure. The reliance was from the Operations Team alone. In the event, the confined space entry went ahead without the positive isolation being fully in place (some bolts were proving difficult to remove and a secondary permit for hotwork had been applied for in order to effect this. However, the original line break permit was signed off leading the crew to believe it was all in place).
Unfortunately, one of the inlet valves was passing and during the work toxic fumes built up inside the tank and it had to be evacuated. It was down to the presence and actions of the standby man raising the alarm that all of the crew were safely removed with only minor and temporary respiratory problems. It could have been much worse.
RAP has a facility for combining all preparation and isolation steps intone procedure, including the permitry for line breaks.
This is RAP Insight #7 – Keep it all together
RAP - we’ve got it all covered
Part 2 of the article will talk about High Risk Isolations, Critical Equipment and Preparation of the Work Area.