For operating facilities, designs or operating regimes that reduce or eliminate vessel entries are inherently safer.

During the design phase, identify the human interaction with the chemical process and provide means to make that interaction inherently safer.


Rail cars, tank trucks, and some reactors and storage tanks were cleaned manually by personnel who entered the vessel; fatalities occurred from unexpected or undetected low oxygen content or toxicity. An inherently safer system is a rotating pressurized water spray head that does the cleaning without vessel entry.

Elimination of filters that must be changed reduces the potential for exposure. This may require a redesigned filter or a process change that eliminates the need for the filter.

Maintainability considerations:

  • If you don't make residues, you don't have to filter them out
  • If you don't install a filter, you don't have to maintain it

Human factors should be considered in the location of items to be maintained and the required frequency of maintenance:

  • Inspection items
  • Calibration items (on-line, off-line, or shutdown)
  • Periodic replacement
  • Repair without shutdown

Equipment that can be reached for inspection, repair, or monitoring from permanent platforms is more likely to be inspected, calibrated, and replaced than equipment that requires climbing with a safety harness or scaffold.

Calibrating equipment usually requires disconnecting it from the process. Equipment that requires less frequent calibration is inherently safer: a furnace oxygen analyzer is not protecting the furnace while it is being calibrated. Equipment that keeps functioning in abnormal operating conditions is inherently safer than equipment that fails in those conditions. For example, an oxygen analyzer was designed to shut itself down when the oxygen content went below 4%. Although the analyzer shutdown tripped the furnace, it left the operators blind during the shutdown and delayed the restart. An analyzer that continued to show the actual concentration during the upset would be inherently safer.

Equipment could be designed so that there is only one right way to reassemble it. If it is important for a pipe sleeve to be right side up, then it could be notched or pinned so it will go in only right side up.

Error Prevention

To prevent errors, it is important to make it easy to do the right thing and hard to do the wrong thing. The design and layout can be clear on what should be done or it can be very confusing. Likewise, the design of the training can increase or decrease the potential for error.

Systems in which it is easy to make an error should be avoided. To reduce the risk of contaminated product and reworked batches, it is generally better to avoid bringing several chemicals together in a manifold. However, manifolding can be done safely and it may be the best design when all factors are considered.

The operators and engineers need a correct mental model of how the process is operating linked to what they can see. If the operators do not understand what is happening in the process via the information available to them through the instruments and their eyes and ears, they may operate the process incorrectly even while doing their best.

Consider the following in control design:

Avoid boredom: if operators don't have anything to do, they go to sleep, mentally if not physically.

Display corroborating or verifying information on the same display as, or very near to, the other information. For example, display the readings from two level sensors on the same tank on the same chart or graphic.

Put plausibility limits on process control inputs and setpoint changes.

Limit maximum or minimum setpoint inputs to stay in safe and quality operating regions.

Limit the maximum step changes to setpoints to prevent upsetting the process.

Provide smooth transfer and setpoint tracking for switching among automatic, manual, and cascade.

Catch decimal errors by software or procedure. For example, have the control system logic trap and block a setpoint change from 6% to 61% when a change from 6.0% to 6.1% was intended.

Provide guidance to operators on the magnitude of a specified action to achieve a specified goal. Rather than letting the operator guess at how much to open a valve, suggest opening to 5%, then using minor adjustments to get the desired startup flow. Where needed, give guidance on how to lead or lag in changing setpoints. Advise on how long to blow a line to clear it of liquid. "Take out the guesswork." Good operators will figure these tips out for themselves; document the information and make it available to all the operators.
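The setpoint-handling points above (range limits, maximum step, decimal-error trapping, and bumpless transfer between modes) can be enforced in the control system's operator-input logic. The following Python guard is an added example written for this page; it is not code from the original document or from any particular control system vendor. The class and method names, the limit values, and the sample numbers are assumptions chosen for illustration.

```python
"""Guard for operator setpoint changes (added example; names and limits are assumed)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SetpointLimits:
    low: float       # lowest setpoint inside the safe/quality operating region
    high: float      # highest setpoint inside the safe/quality operating region
    max_step: float  # largest change accepted in a single request


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    setpoint: float  # setpoint actually in effect after the request
    reason: str      # feedback to show the operator, whether accepted or not


class SetpointEntry:
    """Validates every requested change to one controller setpoint."""

    MODES = ("AUTO", "MANUAL", "CASCADE")

    def __init__(self, limits: SetpointLimits, initial: float, mode: str = "AUTO"):
        if not limits.low <= initial <= limits.high:
            raise ValueError("initial setpoint lies outside the configured limits")
        self.limits = limits
        self.setpoint = initial
        self.mode = mode

    def _probable_intent(self, requested: float) -> Optional[float]:
        """If the request looks like a dropped or misplaced decimal point
        (6% -> 61% when 6.1% was meant), return the value probably intended.
        The guess must itself be a small, in-range move from the current setpoint."""
        for candidate in (requested / 10.0, requested * 10.0):
            if (self.limits.low <= candidate <= self.limits.high
                    and abs(candidate - self.setpoint) <= self.limits.max_step):
                return round(candidate, 3)
        return None

    def request(self, requested: float) -> Verdict:
        lim = self.limits
        if self.mode != "AUTO":
            return Verdict(False, self.setpoint,
                           f"setpoint is tracking the process in {self.mode} mode")
        delta = abs(requested - self.setpoint)
        # Decimal-slip check runs first only to give a better reason; it never
        # accepts anything the step or range rules below would reject.
        intent = self._probable_intent(requested)
        if intent is not None and delta > lim.max_step:
            return Verdict(False, self.setpoint,
                           f"suspected decimal error: did you mean {intent}?")
        if not lim.low <= requested <= lim.high:
            return Verdict(False, self.setpoint,
                           f"outside limits {lim.low} to {lim.high}")
        if delta > lim.max_step:
            return Verdict(False, self.setpoint,
                           f"step exceeds {lim.max_step}; move in smaller increments")
        self.setpoint = requested
        return Verdict(True, self.setpoint, "accepted")

    def switch_mode(self, new_mode: str, process_value: float) -> float:
        """Bumpless transfer: when entering AUTO the setpoint is initialised to the
        current process value (clamped to the limits) so the loop does not jump."""
        if new_mode not in self.MODES:
            raise ValueError(f"unknown mode {new_mode!r}")
        if new_mode == "AUTO" and self.mode != "AUTO":
            self.setpoint = min(max(process_value, self.limits.low), self.limits.high)
        self.mode = new_mode
        return self.setpoint


if __name__ == "__main__":
    # Constructed scenario: oxygen setpoint in %, allowed 2..20, max 1.0 per change.
    entry = SetpointEntry(SetpointLimits(low=2.0, high=20.0, max_step=1.0), initial=6.0)
    for value in (6.1, 61.0, 8.0, 25.0):
        print(value, entry.request(value))
```

Each `Verdict` carries a reason string so the operator display can confirm what was accepted or explain what was refused, which is the feedback the Error Recovery section below calls for. The decimal heuristic only changes the message: a request it flags would already fail the step rule, so it cannot widen what the guard accepts.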

Error Recovery

Feedback that confirms "I am doing the right thing!" is important for error recovery as well as for error prevention. It is important to display the actual position of what the operator is manipulating, as well as the state of the variable he/she is worried about.

Systems should be designed with knowledge of the response times human beings need to recognize a problem, diagnose it, and then take the required action. Humans should be assigned to tasks that involve synthesizing diverse information to form a judgment (diagnosis) and then acting on it. Given adequate time, humans are very good at these tasks and computers are very poor. Computers are very good at making very rapid decisions and taking action on events that follow a well-defined set of rules (for example, interlock shutdowns). If the required response time is shorter than human capability, the correct response should be automated. Unless the situation is clearly shown to the operators, the response has been drilled, and the event is always expected, anticipate a minimum diagnosis time of 10 to 15 minutes, and up to 1 hour.

An inherently safer operating system should also address how to use personnel effectively in response to a process upset. Without such a system, the most knowledgeable person(s) in the unit frequently rushes to attend to the perceived cause of the emergency. While this person is thus engaged, other problems are developing in the unit. Personnel may not know whether to evacuate, resources may go unused, and the ultimate outcome may be more serious. Under such a system, the knowledgeable person instead assumes command of the incident, delegates responsibilities to the available personnel, and maintains an overview of all aspects of the incident. Thus, as resources become available, the process corrective actions, emergency notifications, perimeter security, etc., can be attacked on parallel paths under the direction of the incident commander.

Error recovery by the operators is only one of several layers of protection to prevent undesired consequences. Process and equipment designs that prevent undesired process excursions are inherently safer than designs that require operator intervention. Likewise, designs that enable the operators to intervene before an upset becomes serious are inherently safer than those that do not.