DOI: 10.3303/CET2290107 Paper Received: 16 December 2021; Revised: 20 March 2022; Accepted: 26 April 2022 Please cite this article as: Manuel H.J., Kooi E., Wolting B., 2022, Learning from incidents at Seveso sites: a focus on the safeguarding of containments prior to start of operations, Chemical Engineering Transactions, 90, 637-642 DOI:10.3303/CET2290107 CHEMICAL ENGINEERING TRANSACTIONS VOL. 90, 2022 A publication of The Italian Association of Chemical Engineering Online at www.cetjournal.it Guest Editors: Aleš Bernatík, Bruno Fabiano Copyright © 2022, AIDIC Servizi S.r.l. ISBN 978-88-95608-88-4;; ISSN 2283-9216 Learning from Incidents at Seveso Sites: a Focus on the Safeguarding of Containments Prior to Start of Operations Henk Jan Manuel*, Eelke Kooi, Bert Wolting RIVM, PO Box 1, 3720 BA Bilthoven, The Netherlands henkjan.manuel@rivm.nl Learning form incidents is done in many ways. One approach is that companies investigate a particular incident, report the findings within the company and take actions to prevent this incident from happening again. Learning on a broader scale can be enhanced by publishing observations from a single incident with other stakeholders. An even broader approach is to investigate multiple incidents in order to find causes and characteristics that are common to a larger number of incidents. The Storybuilder Major Hazard Chemical Accidents (Storybuilder- MHCA) database can be used for this. This can help to bring focus, so that a limited set of measures can potentially prevent a substantial number of incidents, rather than having to implement separate measures for individual incidents. An analysis of the incidents in the database showed, for instance, that around a quarter of all incidents in the database are linked to failure of the barrier ‘safeguarding containment prior to start of operations’. Safeguarding containment means that equipment items should be emptied before being opened and be properly lined-up before being filled. This paper presents several actions that can be taken to ensure that equipment items are properly safeguarded. 1. Introduction Seveso companies are required by the European Seveso III Directive (2012/18/EU) to manage and control hazards and risks related to hazardous substances with a safety management system. Despite these efforts, incidents with fires, explosions and releases of toxic substances still occur, and can result in serious injury, lethality and environmental damage. 1.1 Single incident investigations Many companies investigate incidents to see what went wrong and to prevent them from happening again. Usually, findings from incidents are only shared within the company. In the Netherlands, the ‘Safety First’ programme (Veiligheid Voorop, 2020) published a paper on the importance of sharing information at sector level to let other companies and sectors learn from particular incidents. Some organisations publish outcomes of investigations of these particular incidents for all to benefit, such as the Loss prevention bulletins of the Institution of Chemical Engineers (IChemE) and the incident learning sheets from the European Process Safety Centre (EPSC). In (IChemE, 2021) and (EPSC, 2021), particular incidents are used as examples that illustrate the importance of maintaining process safety fundamentals. Incidents with serious consequences must be reported to the Major Accident Reporting System (MARS) of the European Commission. The conditions for reporting are specified in Annex VI of the Seveso III Directive. The Dutch Safety Board (DSB) investigates the Dutch ‘MARS reportable’ incidents and publishes a report with main observations and recommendations. In addition, in the Netherlands, incidents with lethal outcome or with serious injuries to employees must be reported to the Netherlands Labour Authority (NLA). The Netherlands Labour Authority (NLA) may investigate these incidents in order to identify possible legislative violations and/or to see what can be learned from the incident. The results of these NLA-investigations are collected in the digital information gathering system of the NLA and are not publicly available. 637 1.2 Multiple incident investigations The investigations mentioned in the previous section are targeted at single incidents. This may help prevent a specific incident from happening again, but it does not give information on how frequently that type of incident takes place. It is also unclear to what extent underlying causes are relevant for other types of incidents. In practice, companies have limited resources for resolving issues and implementing measures. Thus, it can be beneficial to look at multiple incidents and see if there are common root causes that can be targeted with a reduced set of measures. By looking at multiple incidents, recurring patterns might arise; some specific safety fundamentals or organisational aspects may be involved more frequently than others. The Dutch National Institute for Public Health and the Environment (RIVM) uses the multiple incident investigation route to look for recurring patterns.Similar studies have been performed in the past. One example is the study by the Dutch Safety Board (2018) which looked at a number of incidents occurring at an industrial area where many companies work in close vicinity. The Board concluded that the companies work separately on their (safety) performance and that improvement is needed by developing an overall view regarding the safety performance for all companies at the industrial area. Another example is of a company (Shell) that performed a multiple incident investigation of its own incidents. As a result, a number of ‘life saving rules’ were derived. Life saving rules and process safety fundamentals are used for multiple aims and are complementary to one another. Groeneweg (2010) reported a decrease in the number of deaths within Shell by adhering to these life saving rules.It is possible to learn from incidents or near-incidents in other ways as well. For example, it is possible to focus on the success factors that stopped incidents from happening or end up in a near miss situation. These ‘resilience’ factors can be investigated and possibly strengthened to avoid incidents. This paper however, focusses on what went wrong during actual incidents and what can be learned from them. 2. Storybuilder-MHCA database Storybuilder-MHCA is a database, used by RIVM, in which characteristics of incidents with hazardous substances within major hazard companies are stored. The database is filled with incidents that were investigated by the NLA or the DSB from 2004 onwards. In total, 344 incidents have now been added to the database. The structure of the database is identical for all incidents. In total, the database contains circa 4000 parameters that are grouped into 40 different main categories of information. Categories comprise for example the type of industry, type of equipment, substances, hazardous phenomena and type and severity of injury. For each incident, all relevant parameters in the database are selected. A more detailed description of the Storybuilder-MHCA database is given in Kooi et al. (2019, 2020). The information in this paper is based on the latest version of the database (RIVM, 2021).In order to analyse incident causes, the MHCA-database contains six lines of defence. The first three should prevent the incidents from happening and the last three can limit their impact. The different lines of defence contain various barriers that may have failed in the incident and different sets of underlying causes for the failure of these barriers. In total, the database contains 41 different barriers. 2.1 Analysis of failures to operate within a safe operational envelope The first line of defence is ‘operational control’. It contains barriers that should keep the operations within a safe operational envelope. These barriers and their percentage of failure within the set of 344 incidents, are listed in table 1. The barrier ‘safeguarding containment prior to start’ failed in 25 % of all incidents. As such, it is the barrier that failed most frequently of all barriers in the 1st line of defence. It will therefore be examined below in more depth. In the incidents where this barrier failed, six persons were killed and three others received permanent injury. Forty-two others received injury of a temporary nature. Table 1: Barrier groups and associated barriers in the 1st line of defence (operational control). The percentage of incidents going through the barriers is given in brackets (the total exceeds 100 % as multiple barriers can fail in one incident) Barrier groups Associated barriers and percentage of occurrence for all incidents Ensuring safe start of operations and work Equipment selection (4 %), safeguarding containment prior to start of operations (25 %) Equipment condition Control of material degradation (15 %), proper containment material (12 %), proper design (6 %), proper installation (6 %), proper equipment connections (10 %) Control of process parameters Temperature control (4 %), pressure control (8 %), flow control (17 %), control of reactions (6 %), separation of incompatible substances (1 %) Control over environment Prevention of external impact (3 %), control of common mode failures (1 %), ensuring safe storage conditions (1 %), separation from heat sources (2 %) 638 2.2 Analysis of incidents caused by safeguarding failure The incidents related to the failure of the barrier safeguarding containment prior to start is used below to illustrate how the Storybuilder-MHCA database can be used to implement measures and interventions. Table 2 shows a breakdown of contributing factors related to the 87 incidents (25 % of all incidents) where this barrier failed. The information in table 2 can be used to verify if these factors are accounted for in safety management systems. Table 2: Factors influencing the barrier ‘safeguarding containment prior to start’ (the total exceeds 100 % as multiple factors can fail in one incident) Contributing factors Percentage of occurrence for ‘safeguarding’ barrier failure Emptying/cleaning/ventilation failure (Some) hazardous content remained Not emptied at all Not (or not adequately) ventilated 46 % 34 % 2 % 8 % Failure to isolate the respective part from other parts of the installation Isolation or closing valve not (properly) closed No isolation at all Leaking valve Forgotten bypass Isolation not removed at startup 40 % 16 % 6 10 % 1 % 3 % Valve not closed prior to start of operations 17% Undesired start-up/ action (for example opening of a valve) 3 % Instrument failure ( for example sensors, cables, logics) 1 % The second line of defence in the Storybuilder-MHCA database is ‘recovery of deviations’. The management system should implement measures to identify deviations outside the operational envelope and remove these before incidents take place. Table 3 shows why companies did not recover incidents with failed safeguarding. It shows that in over half of the incidents where the safeguarding barrier failed, there was no (or no proper) indication of the deviation. In other words, the deviations were invisible due to lack of proper checks. In 22% of the cases, warning signals for the deviations were available, but had been missed out (detection failure). Table 3: Recovery failures for incidents with failed barrier ‘safeguarding containment prior to start’ (2nd line of defence; only one failure allowed per incident: the total number of failures adds up to 100%). Recovery failures Percentage of occurrence for ‘safeguarding’ and ‘recovery of deviations’ barrier failure Recovery of deviations 100 % Indication failure 52 % Detection failure 22 % Diagnosis failure 15 % Response failure 7 % Unknown failure 4 % The location of the release is presented in Table 4. As safeguarding containment is closely connected to opening and closing, valves are the most occurring location of release. In addition, connections and couplings occur regularly as locations of release. They may represent a vulnerable spot in the safety management system as they are prone to degradation and may not operate in the desired way. This was for example the case in an incident where a level indicator and its housing were fused due to corrosion. When unscrewing the indicator, the housing also got unscrewed and materials were released. 639 Table 4: Most prominent release locations regarding incidents with failed barrier ‘safeguarding containment prior to start’ (only most prominent shown: the numbers of the subdivisions such as ‘Flare’ do not add up to the numbers for ‘Provisions’ and ‘Openings’) Location of release Percentage of occurrence for different locations for ‘safeguarding’ barrier failure Provisions in/on equipment and connections Closing or isolation valve Connection (including flanges) Coupling Drainage/discharge point (including drain) Blind flange/plate 51 % 15 % 14 % 7 % 7 % 1 % Openings and designated release points Ventilation hole Vent Flare Chimney Open pipe end 21 % 1 % 5 % 3 % 2 % 8 % With the data presented in the tables already some ideas for possible interventions can be derived. However, not every aspect of an incident can be captured in the database characteristics and translated directly into interventions. Sometimes it is necessary to know the stories behind the facts and for this the Storybuilder-MHCA database also contains abstracts of all incidents in the database. A few abstracts of incidents with a failed safeguarding barrier are presented as examples: • A person died after opening a valve, releasing flammable gases that ignited. Isolation valves in the installation had been closed, but they had leaked. Also, an error had been made in the work instructions sequence, because this operation was not seen as critical. Using the right sequence could have prevented the build-up of material. There was no equipment to detect that materials had built up in the pipes connected to the valve and thus they were released when opening the valve. • Grinding, welding and drilling was carried out on an ‘empty’ tank. The tank had not been cleaned and ventilated before and still contained an explosive atmosphere. Shortly after drilling a hole through the tank roof, an explosion occurred, lacerating the tank roof at the place of the weak weld in the edge of the roof. The constructor was blown off, luckily receiving no major injuries. The company required a Task Risk Assessment and Last Minute Risk Analysis (LMRA) for hot work, but this had not been carried out. The hot work permit had been released despite the empty check box for LMRA on the work permit. • A mechanic opened the bottom flange of a reactor. Pyrophoric nickel catalyst dust was released and ignited spontaneously. The mechanic got burned and was sent to hospital for treatment. The direct cause was a leakage of the bottom gate valve before the bottom flange, causing approximately 3 kg of pyrophoric material to collect between the valve and the flange. The contributing factor is that this activity did not have a good risk analysis: the failure of the bottom gate valve should have been considered and additional measures should have been adopted. • In consultation with the control room, a pipe was closed off and the remaining fluid was drained. The victim began to turn the screws to remove the tap with a colleague. The colleague suffered from burning eyes and went to get a full face mask with filter canisters. The victim continued. When the tap hung on the last bolt, he smelled vapor. He walked away and a moment later lost consciousness. The duty officer later said that the control room had forgotten to turn off the valve of the mixing vessel, causing the release of benzene. • During commissioning of an installation after short term maintenance, methane, cyclohexanone and hydrogen gas were released via an open spout. The spout is normally connected to the flare. During maintenance work, contrary to the procedure but with the permission of the manager on duty, the spout was set to open air. When starting up the installation, one was not aware of this setting of the spout. During 20 hours, about 6000 kg flammable gas was released through the open connection to air. The release was observed by an operator of a nearby installation. The spout was then reconnected to the flare. The information presented here can be linked to process safety fundamentals. The process safety fundamentals provide a tool to increase understanding of items that often go wrong in the field. When looking at the safeguarding barrier, some fundamentals appear regularly in the data, especially ‘Empty and de-energize before line-breaking’, ‘Unplugging of equipment’ and ‘Verify leak tightness after maintenance work’. As can be seen from the MHCA data, failures to empty or clean installations occur due to insufficient emptying, cleaning or ventilation (or sometimes no emptying at all). Leaking valves or insufficiently closed valves may cause materials 640 to flow back after emptying an installation. Often no indication is given of being emptied or de-energized. These indications were not implemented, often because the risk had not been identified beforehand or had not been given a critical status. The first abstract showed that when flanges or other equipment are closed, leaks can still occur, (re)introducing hazardous chemicals. Overall, leaking valves contribute to 10 % of the incidents with safeguarding failures. Plans and procedures to check this are often absent mainly because the risk was not identified or the exploitation (testing/maintaining) failed. Using the multiple incident investigation route some barrier failures can be detected that occur often throughout the industry. Thus, limited resources can be focussed to prevent incidents that seem to occur often. This can be used by all, but it should not be overlooked that the situation at a specific site may differ from the mainstream. As an example, there are few incidents in de Storybuilder MHCA-database related to erosion as a direct cause of incidents. However, at the same plant, five years apart, two oleum leaks occurred, that were related to the same cause. In the past, the flow rate of the oleum had been increased due to an increased demand of the plant. This caused the flow to change from laminar to turbulent, which eroded the protective layer of iron sulphate, eventually leading to the leakages. As another example: corrosion under isolation is a matter of concern for many companies and should be monitored. However, it is a contributing factor in only five incidents in the Storybuilder database, probably because it usually leads to minor leakages that are not always investigated by the NLA. 3. Recent additions to the database The 2nd line of defence in the model, ‘recovery of deviations’, was until recently not further specified in detail. It was only recorded if this line of defence failed because the right signals were missing (indication failure), were overlooked (detection failure), were not properly diagnosed (diagnosis failure) or because corrective actions were not identified or taken too late (recovery failure). In 2021, different ways to identify deviations were added to the model. This includes equipment material inspections (beyond using the right equipment materials and process conditions), process alarms (beyond monitoring of process conditions), leak testing (beyond proper installation of components and parts) and last minute risk analysis (beyond properly safeguarding installations prior to starting operations). These additions were first used for the 17 incidents that were added to the database in 2021. It is expected that this addition will further help to understand incident causes in the future. 4. Conclusions The Storybuilder-MHCA database now contains data on 344 incidents that took place in Seveso companies in the Netherlands since 2004. The database is publicly available from the RIVM website and incident information can be retrieved from this database to look for common causes of incidents. This paper gives an example on how to use the database. The barrier ‘safeguarding containment prior to start’ was discussed in more detail, as it failed in 25 % of the incidents recorded in the database. This gives the opportunity to prevent a relatively large number of incidents with a relatively small number of interventions. Some possible intervention routes are listed below: • Ensure that procedures are adequate and that they are carefully followed. Related to safeguarding containments, procedures are required for making containments product-free before opening them and for putting valves and gate valves in the installation in the right position before adding or transporting materials. • Know which valves leak or are difficult to close and communicate this information to the personnel that is carrying out the work. Take the possibility of leaking isolation valves into account in risk analyses. • Before starting work, check once more that the installation is indeed free of pressure, does not contain any undesired product and that all valves and cut-off valves are in the right position. In 52% of the cases where safeguarding failed, deviations were invisible due to lack of proper checks. In 22% of the cases, warning signals for the deviations were available, but had been missed out. Relatively simple checklists may help to reduce the likelihood of incidents. • If deviations from the working procedures are allowed, make any deviations clearly visible to all people involved in the work. • Some incidents are caused by errors that could have been prevented with relatively simple technical solutions. Plug-in flanges can be used to temporary isolate installation parts while working, for instance. Intelligent locking systems can ensure that valves are correctly positioned. • Make sure that there are sufficient possibilities to show that a system is not or insufficiently emptied and thus pressurised. Think for example of pressure and level gauges near valves, and sensors to detect remaining gases or liquids in equipment. 641 • Some locations may be overlooked as potential release points. Related to safeguarding containments, most releases occurred from valves, connections, couplings and drains. Make sure these are taken into account in risk assessments. Acknowledgments The development of Storybuilder-MHCA and the analyses were financed by the Dutch Ministry of Social Affairs and Employment. The Netherlands Labour Authority provided access to all relevant incident investigation reports. References IChemE, 2020, Loss Prevention Bulletin 272 - Process Safety Essentials, Warwickshire, UK. EPSC, 2021, Process safety fundamentals, accessed 19.11.2021. Groeneweg J., Has the pendulum swung too far? Preventing incidents with life saving rules (in Dutch) accessed 26.11.2021. Kooi E.S., Bellamy L.J., Manuel H.J., 2019, Presenting RIVM’s publicly available database of Dutch Major Hazard Chemical Accidents: Storybuilder-MHCA, Chemical Engineering Transactions, 77, 403-408. Kooi E. S., Manuel H.J., Mud M., 2020, Fifteen years of incident analysis, RIVM report 2020-0115, Bilthoven, The Netherlands. Onderzoeksraad voor de Veiligheid (Dutch Safety Board), 2018, Chemistry in cooperation – Safety at the industrial complex of Chemelot (in Dutch) accessed 12.11.2021. RIVM, 2021, Storybuilder download page accessed 19.11.2021 Veiligheid voorop (‘Safety first’), 2020, Handbook for better learning from incidents in the (petro)chemical industry (in Dutch) 642 lp-2022-abstract-103.pdf Learning from Incidents at Seveso Sites: a Focus on the Safeguarding of Containments Prior to Start of Operations