
 EH-89-2 Operator Dependence on Instrumentation and Protection Systems
                         ENVIRONMENT, SAFETY & HEALTH

                                    BULLETIN

Assistant Secretary for                              U.S. Department of Energy
Environment, Safety, & Health                        Washington, D.C. 20585

DOE/EH-0091                      Issue No. 89-2                       May 1989

Operator Dependence on Instrumentation and Protection Systems/Alarms

The Department of Energy has experienced several incidents in recent years
relating to faulty sensing devices.  Safety systems that rely on these visible
or audible alarms as the primary or sole means of detecting unsafe or
undesirable conditions have been a factor in several incidents.

Although there were no injuries and in most cases no major property loss, the
potential for severe consequences was present.  A summary of several of these
incidents follows:

Oil Tanks Overfilled During Transfer Operations

Large quantities of crude oil were spilled on two occasions when oil was being
transferred from tankers to aboveground tanks.  Tank level instrumentation and
high level alarms were a part of each of the oil transfer and filling
systems.  Additionally, operating personnel were required to monitor the area
for spills and leakage.  In one case, tank level instrumentation and high
level alarms were known to be inoperable; therefore, the alarms could not be
and were not relied upon by site personnel.  However, in the other case, site
personnel were dependent on tank level instrumentation that was known to be
unreliable.  Although the direct cause of these tank overfill incidents was
failure of site personnel to switch the flow of oil before the tank reached a
maximum level, a contributing cause was faulty tank level instrumentation and
alarms.

Faulty "Safety System" Shutdown Mechanism

A dry vacuum system associated with a vacuum trap was taken out of service
when personnel noticed an accumulation of enriched uranium oxide.  The
accumulation was above the level necessary to activate either of two "Safety
System" shutdown mechanisms.  The vacuum trap, used to accumulate the oxide,
overfilled following a failure of the trap capacitance detector assembly.

The major components of the assembly are the level detectors on the traps, the
level transmitters, and the electrical relay switches. When functioning
properly, these components shut down the vacuum producers at a level below the
point where accumulation of additional enriched uranium oxide could result in
criticality.  A faulty electrical transmitter enabled the oxide to accumulate
above the preset safe shutdown level.  Fortunately, the additional
accumulation of the oxide remained in favorable geometry even though the trap
was overfilled.

Low Vacuum Alarm Failed Causing Explosion

An explosion occurred when personnel were attempting to optimize combustion
parameters on a Beta Gamma Incinerator (BGI) during the incineration of spent
radioactive solvent.  It occurred in the feed ram enclosure of the BGI;
enclosure panels were blown loose and a shockwave caused failure of a
personnel door latch in the room and minor damage to the doors and wall.

Prior to the incident, personnel discovered that too much air was being
introduced into the primary chamber of the incinerator causing excessive ash
carryover.  In order to eliminate this problem, attempts were being made to
reduce the air input by adjusting the air blower supply to the primary and
secondary chambers.  During this adjustment period the incinerator pressure
went slightly positive for about 4 minutes, forcing pyrolysis gases into a
cavity enclosing the feed ram.  When personnel adjusted the vacuum of the
unit, the gases were pulled back toward the incinerator and ignited.

Although several factors contributed to the cause of this incident, one of the
contributing causes was failure of an alarm to warn personnel of low vacuum
conditions.

Inoperative Alarm Contributes to Radioactive Release

At the time of the incident, a waste pump tank located in a below-grade pit
was being used to transfer radioactive concentrate from an evaporator to a
receiver tank.  During this process, ventilation air was drawn into the pit
and tank vapor space.  The air was then exhausted through a demister,
condenser, another demister, reheater, HEPA filter, and an exhaust fan.  The
exhaust system was equipped with a constant air monitor (CAM).

Routine checks revealed that excessive radioactivity was on the CAM filter
paper for the exhaust system.  Further investigation revealed that a small
amount of radioactive material was released to the environment because of a
breakthrough in the HEPA filter for the exhaust system.

An investigation of the incident revealed that the breakthrough of
radioactivity lasted for up to 40 hours without corrective action.
Investigators determined that one cause contributing to the incident was that
the audible CAM alarm, relied upon to identify unsafe conditions, was
inoperable.

Faulty Limit Switches Cause Valve Melting

The incident occurred during plasma high powered pulsing and neutral beam
testing of the reactor.  The beam dump located in front of the neutral beam
valve interrupts a beam before the valve is opened.  In this case, due to the
faulty operation of limit switches, the neutral beam sources were fired into a
valve and resulted in the melting of a hole through the valve.

Normally, when the neutral beam is operated, the beamline calorimeter is in a
down position and the isolation valve is closed. A safety system consisting of
a series of four connected interlocks erroneously indicated a down position.
Personnel, relying on the safety system to indicate when the calorimeter was
in the correct position, operated the neutral beam several times over a 3-day
period causing a burn through the valve.

An accident investigation of the incident recommended improving maintenance
documentation, halting operations when in doubt, and avoiding overreliance on
interlocks.

Loss of Control of Waste Water During Transfer

During an inter-area material transfer between 2 tanks, approximately 37,000
gallons of low-level radioactive waste water were inadvertently diverted into
two nearby pump sumps and pits. Although the pump sumps and pits were not a
part of the transfer system, alarms connected to them activated when the waste
water was inadvertently diverted into the area where they are located.

Although each of the pump sumps and pits was equipped with three level alarms
to indicate an overflow situation, the level alarms failed on the first pump
sump and pit.  The level alarms activated on the second, and transfer
operations were halted.  Before the level alarm activated, personnel
recognized that there was a substantial difference between the measured level
volume pumped from the first tank and that received by the second.  Initially
personnel assumed that the level discrepancies were due to the volume of waste
water contained in the 2 miles of piping between the two tanks. When it was
determined that the piping volume was less than the discrepancy, personnel
assumed that the error was due to instrumentation error, since the level
instrumentation in the tanks was known to be unreliable.

The initial investigation found that the incident could have been avoided if
procedures requiring leak checks and material balances had been followed.

Recommendations:

1.   Whenever possible, warning devices should not be used as the primary
     operating control.

2.   Personnel should verify that the protection system is operable before
     operations begin.

3.   On a routine basis, supervisors should observe operators to eliminate
     operator use of backup warning/safety devices as primary operating
     controls.

4.   Critical warning devices should be identified and included in preventive
     maintenance and routine surveillance programs.

5.   Faulty warning devices should be repaired or replaced on a timely basis.

6.   Procedures should be provided and appropriate training should be
     conducted with these procedures to address device failures and alarm
     signals.



----------------------------------------------------------------------------
Bulletin is published so that DOE program managers and contractors can share
information about potential occupational safety problems relevant to DOE
operations.  For more information or additional copies, contact Janet Macon,
Office of Safety Compliance, Assistant Secretary for Environmental, Safety &
Health, U.S. Department of Energy, Washington, DC 20545; telephone FTS
233-6096, Commercial (301) 353-6096.
----------------------------------------------------------------------------