Warren Fothergill addresses lockout-tagout safety in the oil and gas industry.
Lockout-tagout (LOTO), or isolation as some will recognise it, is a key component of many safe systems of work (SSOW) in the Middle East, particularly in the highly hazardous oil and gas industry. In essence, LOTO is the process necessary to disable plant and equipment, thereby preventing the release of hazardous forms of energy while activities in the plant are performed.
Failures during LOTO and the subsequent reinstatement of process plant are primary causes of loss of containment, and could lead to major accidents. Given the nature of the oil and gas sector, the Middle East’s main industry, high standards of isolation and robust management control systems are required for isolation and de-isolation.
As with many aspects of HSE management, when designing and building process plant failure must be considered. This is the phase of hazard operability, where consideration of LOTO needs to be examined and foreseeable failures - of which LOTO is foreseeable - given historical statistics1 which should be considered. While a good design for new and existing plant is key, particularly those subject to modification, we cannot under estimate the role of human factors in the prevention of LOTO failures. Furthermore, organisations need to consider the need for criticality of isolation and de-isolation activity, while also determining strict regimes for step outs or variations from standard operating practices. The need for self and contractor isolations, both short and long term, must also be addressed.
The primary focus of LOTO is incident prevention, as this will ensure the safety of employees and others in the environment. Oil and gas activities, which are prevalent in the region, present the potential for major accidents. Ensuring containment will therefore benefit the environment and the individual, as well as limit the impact on business operations.
Any SSOW must be effective. This requires a formally recorded, systematic examination of the activity, which allows for hazards to be identified. Mitigating controls can then be established in order to bring levels of risk to as low as is reasonably practicable.
An effective SSOW will depend on:
• The depth of knowledge, ability, training and experience of operators and those in control of the installation
• Its arrangements and relevant control systems, normally the permit to work and its associated documents, all of which rely on training and competence factors such as management of change and contingency plans
The control of LOTO is in itself a planned safety procedure, the simple aim of which is to disable the energy to plant and machinery while servicing, maintaining or conducting repairs.
The following seven step procedure for LOTO implementation should be carried out by competent personnel who are authorised to conduct the process.
Step 1 - Prior planning and preparation
Including substances, what hazards are associated with the plant in terms of the energy used and/or stored? The severity and consequences of potential risks must be determined and methods of controlling these failures need to be identified.
Step 2 - Application
Identify the isolations and prepare the lockout of energy sources. The SSOW must ensure that the relevant parties are aware of the impending process. This is particularly important for those who may be affected by the loss of energy, including supervisors, operators and maintenance teams. The permit to work process is the first aspect of communication and identifies to the relevant parties why LOTO is being conducted.
Step 3 - Plant shutdown
Plant and equipment are turned off utilising established operational procedures, thereby ensuring there is no increase in hazards from the stoppage. At this point, energy is still able to get to the source, so the key point now is to disconnect the supply. We can achieve this easily for primary sources by disconnecting switches, using circuit breakers and turning valves. Consideration must be given, however, to where sources of stored energy will need to be released; for example, by bleeding the pressure, cooling and discharging capacitors.
Step 4 - Lockout
This is the locking of all energy sources to the safe or off position at each isolation point or device. With the emphasis on safety, there is a need to use a lock so that no one else can turn on or re-energise any device while the plant or equipment is being worked on. To reinforce safety, visual cues such as warning tags will generally be used. If more than one company or employee is working on the same plant, we can use multi-lock safety hasps. These provide safety reassurance for workers, as the plant cannot be restarted without the removal of their own individual locks.
Step 5 - Testing
Prior to conducting any works we should look and confirm that energy has been released and isolated. The key component here is to achieve a zero energy state prior to commencement of the work. At this stage, we must ensure that testing and switches are moved to the off position. If this isn’t confirmed it is imperative that you do not continue, as there is a failure of the system.
Step 6 - Work on plant
Upon the verification that steps 1 to 5 have been completed, confirmed and documented, the relevant modifications, maintenance and repairs can then be conducted.
Step 7 - Return to service
When the work is completed the LOTO devices should be removed, but only once the work area is confirmed as ‘made safe’. Again, this must be confirmed and documented. Competent authorised personnel should undertake the removal of LOTO devices. Prior to plant being re-energised, all workers must be advised to stay a safe distance away from equipment.
Incident analysis confirms that human failure is a factor in a large proportion of LOTO incidents. While the hardware used for isolations is one factor in the outcome of these procedures, performance is predominantly impacted by the arrangements for identifying and securing isolation points, verifying and monitoring of the isolation itself, and more importantly, the control of work in such areas – most of which are completed by the employee.
Human failure is banded into two parts: error and violation. Error is a non intentional action or decision that involves a deviation from standard procedures and leads to an adverse outcome. Violation, on the other hand, is a deliberate deviation, leading again to an adverse outcome.
While workers’ intentions may be good, the internal and external barriers established to control the process of LOTO continue to fail, presenting a major issue to the industry.
The human behaviour factor is the most important contributor both to safe and unsafe isolations. Quite simply, competent employees are less prone to human failure. There are other issues that come to mind such as complacency, which also lead to deviations from the accepted procedure and result in adverse outcomes.
Roles and responsibilities
To reduce the human factors, it is critical that competency is evaluated and employees have clearly defined roles and responsibilities in the LOTO process. This will be critical for designing, monitoring and improving the system. It is important that key personnel are involved in the operation of the system, so it is here that we shall focus.
As in any aspect of business it is important to look at supervision of both staff and systems. It is at this level of management that LOTO is implemented in the plant. So what do we expect supervisors to be responsible for in terms of LOTO? Well, it is no different from many other aspects of health and safety.
LOTO supervisors must ensure:
• That they know, fully understand and follow LOTO procedures
• Isolations are conducted to the quality considered acceptable across the plant
• Management of change is completed when variations from standard practise are required, with authority given at relevant levels to initiate it
• LOTO work is planned and conducted through the organisation’s established permit to work system
• Effective communication of key information between the organisation’s relevant parties
• The documented systems in use are authentic, valid and current
• Only competent and authorised personnel conduct work
• Supervision is constant
• Routine, planned and ad hoc monitoring of the system is conducted, with any actions for correction or improvement carried out at the earliest opportunity
All the personnel involved in any LOTO process should be able to understand the purpose and principles of the system, the critical safety elements and their role within that system. Additionally, it is important that each duty holder is aware of the potential consequences of any release of energy or substance, hazardous or otherwise. This should be covered in a comprehensive training programme, which is specific to the organisation, well structured and involves the elements addressed within the LOTO system.
As with any component of a business, LOTO processes need to be monitored, audited and constantly reviewed to establish that they meet the needs of the business. Legal compliance is provided through confirmation that the process actually does what it says and achieves what it should.
In evaluating, we are trying to find actions for improvement through identification of inadequacies of the system, by addressing deficiencies in isolations and their control and by looking at the behaviours of individuals involved in the system. It will also assist the evaluation of the effectiveness of the training.
What cannot be achieved is a single holistic picture from a monitoring exercise; the monitoring needs to be constant and across varied activities. This also applies to auditing and the process of review - we cannot determine effectiveness of the overall LOTO in one go. Regular compliance checks by management should reinforce commitment and leadership within the industry, while specific or specialist external audits may also be something to consider.
In September 2010, construction contractors were involved in the removal and overhaul of two turbine compressors on a production platform. The same platform was also equipped with a reciprocating compressor, which remained in service.
A job safety analysis (JSA) was supplied and as per this document the construction team need plumber’s plugs to isolate the open flanges in the production process piping, unaware that the suction piping was common between the two turbines and the reciprocating compressor.
When the reciprocating compressor shut down due to a process upset, flow continued from the low pressure oil wells, with an increase in pressure on the low pressure system. This migrated to the first turbine’s suction shutdown valve, dislodging the plumber plug from the suction piping and causing a gas escape inside the compressor building. This in turn activated the continuous monitoring gas detector and resulted in a total production plant shutdown.
Without even determining the result of the investigation, from this we can question a number of aspects of the case study, including the design, competency and roles and responsibilities.
The Bureau of Ocean Energy Management (BOEM) conducted an investigation and stated the following key findings:
• The operator’s LOTO policy states that “when isolating pressurised systems, a positive method of isolation is required, such as a double block and bleed or blinding.” The JSA recommended eliminating or reducing hazards by using blind flanges or a plumber’s plug to close the line
• Lack of operator oversight in enforcement of the LOTO policy
While the recommendations of the incident are obvious, the human factor is exposed. There is little in the way of competency from the perspective of writing the JSA, nor from the operating company’s employees, who would need to initiate the LOTO process. There is also little consideration given to the competency of the individual completing the JSA, and no questioning of the knowledge of the plant or experience is identified. Surely these are issues that needed to be addressed in the system?
It is evident that the operator and the contractor had major issues understanding both the plant and the LOTO processes. There were no clear definitions of any roles or responsibilities and little or no training on this important and critical aspect of LOTO to either party. As a direct result, a gas release occurred and the limited impact was the direct result of an effective method of shutdown on hearing the alarm – this in itself was obviously fit for purpose.
LOTO is essential to control hazardous energy releases within industry. Failure to use LOTO procedures can put people, assets, the environment and the company’s reputation at risk. It is essential that LOTO procedures are established, operated and conducted by competent personnel who understand the issues surrounding the need for removal of the energy component, while also understanding the consequences of failing to conduct LOTO.
LOTO systems need to be effectively monitored, audited and reviewed to ensure compliance from a moral, legal and economic viewpoint. Failure today results in enforcement tomorrow.
Remember, LOTO is not just about the equipment used to isolate energy and the warning signs used to provide information. There is a whole plethora of documentation to support the process of effective de-energising of plant and equipment for work to be conducted safely. Ensure it is followed, for everyone’s sake.
Published: 10th Apr 2014 in Health and Safety Middle East