A Time to Destroy, and a Time to Rebuild. A Time to Isolate, and a Time to Restore.

In CFR 29 1910.147, OSHA pays a great deal of attention of isolation. We are clearly told what to do with breakers, valves, etc. Clear instructions surround the acts of dissipating stored energy, and the act of locking devices to be sure that stored or potential energy cannot be released. In a previous article, I made the observation that as the experience and sophistication of isolation teams has grown, new guidelines and procedures have evolved and have been created to further ensure the safety of staff working around an isolated, or locked out, system. Such advancement towards excellence is typical in mature industries like the petrochemical sector. These advancements represent many facets of the isolation activity, some maybe vaguely addressed in the OSHA regulations, some maybe not addressed at all. In this article, I’d like to discuss a topic that OSHA covers, but represents another area where the regulations could be interpreted as too vague, or maybe even incomplete (apologies to my friends at OSHA). That topic is the act of restoration, or when a system is reenergized. As with isolation, there are plenty of opportunities for diligence and advancement of techniques above and beyond the OSHA regulations. Excellence is always available, and actively sought after as corporations seek to protect the human asset, as well as the hard assets of their productions systems. So, let’s entertain a bit of my obsessive compulsive nature and get all OCD on restoration.

Restoration is in some ways an activity very similar to isolation, but in other critical ways, utterly different. The overly simplified casual observation is that we flip the isolation list over, go backwards, and do the exact opposite thing to each isolation point. That is, if I started by turning off the local switch, the last thing I do in restoration is turn that switch on. If I locked a certain valve closed, when I reach it in the process of restoration, I open it. This act of “undoing” the isolation is in many cases just fine. But, as we all know, the devil is in the details and the true hazards lie in the unusual or unexpected situations. The reality is that a minority of injuries occur around properly isolated equipment. The greatest danger exists in the time when things are changing, i.e., electricity again begins to flow, or inventory again begins to move through the system. If we are to be so diligent and obsessed with proper behavior during isolation, then it only follows that we would exercise that same level of care when we reenergize the system. In my humble opinion, this time represents and even greater opportunity for the unusual or unexpected to arise. So, let’s examine the disparities from isolation that are frequently at work in these moments.

In my work of analysis and design of LOTO automation systems, I am fortunate to work not only with some super sharp guys in the petrochemical industry, but also in other completely unrelated but similarly mature and dangerous industries. One recent discussion I had was with an HSE manager at a major pharmaceutical company. The guy was a guru, or maybe just suffering from occupational OCD like me. But, when we discussed the format of his isolation list, I was amazed at the detail the guy employed. For instance, OSHA clearly states that you communicate with affected parties when isolating systems. This guy actually had a sign off on his report for informing affected parties. The overall effect was that his isolation checklist read just like the regs. I know some people in other industries that would scoff at the overly detailed form (especially those in the field that don’t want to seek a proprietor’s signature after informing the person in the far corner), but in my myopic view, it seemed appropriate if not… excellent. And as happens frequently, my brain started squirming like a toad. Who is to say that locking a valve is a more important portion of the regulations than informing the affected parties? If they are of equal weight, why shouldn’t they be clearly documented and signed off upon? Anyway, as usual, I digress. We’re discussing restoration here, right? The reason I got on the topic of my pharmaceutical industry friend is that his isolation report went through all the usual steps, and then also included a restoration checklist, completely independent of the isolation list. Again, this was new to me, certainly not something I frequently see in the petrochemical industry. Many times an Isolation List will include a restoration column, but since they are part of the isolation report, and therefore in isolation order, they do not reflect the appropriate order for restoring. As we discussed the list, it brought back to mind a lengthy discussion I had with a high level safety guy in a little outfit I like to call the largest oil company in the world. His beef was: how do we handle the unusual, and even more difficult, the unexpected? Uh-oh. Here goes my brain again.

Since we are getting a little conceptual here, let’s start with definitions to provide clarity of my setting. For the purpose of this article, let’s say the unusual can be distinguished from the unexpected with one point: the unusual can at least be predicted and, therefore, documented in advance. The unexpected differs in the sense that it cannot be predicted and therefore must be discovered in the field before anybody gets surprised and as a result, injured. Very different situations, but both potentially threatening to people and equipment. Let start with the unusual.

It is common practice to document not only the isolation position of different of different valves and breakers, but to also document the “in-service” or production position of the various isolation points. This is where we vary from the behavior I mentioned earlier, where, in the act of restoration, every point is simply placed in the opposite position of the isolation position. This may not be appropriate. Let’s consider a bypass valve. In my work with a hydrogen supplier of a major refinery, I was told of a situation where a young buck did exactly this. However, there was a bypass valve in the critical path. The bypass was closed in the isolation, and it was supposed to be closed in production as well. When they restored, he opened the bypass valve, effectively circumventing the control valve, and well, you can imagine the adversity that ensued from there. This situation is unusual, but predictable. This is why you will frequently see a document called a “valve line up” that details production positions for the entire flow path. Another example of unusual would be a difference in order instead of position. For instance, what if the staff needs to turn on the motor before opening all valves just to be sure it will run? Not to sound judgmental, but this is information that should be communicated to the staff in the field. What better place to do so than on the restoration checklist? So, now that we have that situation handled, let’s move on to the more difficult situation, that is, the unexpected.

To properly examine the unexpected, I will first describe a real-world example. My friend with the massive oil company brought up a situation where, during a turnaround, isolation had been properly executed and the work had been completed without incident. However, no one was able to know that behind a certain blind (for readers unfamiliar with the terminology, a blind is a metal plate covering an opening in the product flow, also sometimes called a blank), a valve had failed during the turnaround and had begun to leak. The unknown and extremely dangerous condition here is that a significant amount of inventory had gathered up behind the blind and was sitting there ready to spill when the blind was unbolted. This could result in different situations. Best case, a reportable spill of chemicals. On the opposite end of that spectrum, it could cause a lethal flash fire in the immediate proximity of multiple workers. I feel like this horrifying example brings to light the gravity of the situation and the reason I have been rambling through all of this so far. How are we to expect the unexpected? How do we detect this unknown, yet incredibly dangerous situation? My opinion is, we execute a mundane procedure that is done frequently in industry. I humbly suggest a Job Safety Analysis.

Job Safety Analyses are so common in the industry that I will not bother to go into great detail. Let it suffice to say the JSA is the walkthrough of a jobsite that identifies issues in advance and prescribes safe work behavior in advance. The problem is, they are commonly only executed before a job. I respectfully submit that an entire new JSA be executed before restoration occurs. It is easy for me to say this; I am not a person on the ground. However, in my limited experience, I cannot conclusively say how else you would detect and react to these unexpected situations. I doubt anyone would question the motivation here. The short of it is, everyone wants to go home. What better justification does a safety manager need? Whereas I would normally end my blog with an invitation to check out dangertags.com and see how our software can solve the problem, this time, we’ll just skip that. We are discussing a behavioral matter here, and no software can handle that.

Leave a Reply

You must be logged in to post a comment.