Process Safety Beacon: An Interlock bypass bites again
In August 2017, a major fire occurred at a refinery in the Netherlands when a furnace tube ruptured. The furnace was overheated when the process flow through it stopped, but the burners kept firing. With no flow, the tubes overheated and failed (Figure 1). Over 100 metric tons (110 tons) of flammable liquid were released and burned in the furnace. The furnace had to be replaced, which shut the unit down for about a year. Fortunately, no one was hurt.
Several things went wrong. This Beacon will focus on just one –the availability and use of interlock bypass switches as part of operating procedures without following the bypass management procedure.
The company had recognized the hazard associated with the low-flow interlock bypass several years before and had programmed timers in their safety systems to remove the bypasses after being at low-flow for 5 minutes. But the company didn’t remove the field bypass switches.
Operators felt the 5 minutes was too short, so they continued to use the field-mounted bypass switches without using the company’s bypass management procedure. The system was in manual bypass when the incident occurred.
After the accident, the refinery technical staff studied the timers and concluded that 5 minutes was, in fact, sufficient. They also changed all their non-timed bypass switches to require supervisor keys.
Did you know?
- Bypass switches on safety interlocks are occasionally needed. In this case, a low-flow Interlock stopped the burner gas. If an interlock bypass is needed for start-up, an interlock timer can ensure the interlock isn’t left in bypass longer than needed.
- Another key interlock on gas-fired equipment is the pre-ignition purge timer. Bypassing this timer has caused many firebox explosions and fatalities.
- Many companies use a bypass permit or a temporary MOC to manage bypassing controls. These systems require a hazard review and approval by an authorized person.
- Many events were caused by improper use of interlock bypasses. Some noted in past Beacons are June 2003, June 2013, and February 2019.
What can you do?
- When participating in hazard reviews:
- Point out where interlock bypasses are used for getting the unit started or for any other purposes.
- In particular, discuss interlocks that can be manually bypassed.
- If bypass timers are used, ask, ’are the time-limits reasonable?’ They should be long enough to get started, without being so long that an incident could happen.
- Systems in bypass should be noted in the unit logbook and discussed during shift handover.
A safety device can’t protect you if it is bypassed!
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
English
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sundanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu