On July 27, the US Chemical Safety Board (CSB) issued a Factual Update on their investigation into a release of water containing a toxic gas (hydrogen sulfide) and subsequent fatal injuries sustained at the Aghorn Operating Waterflood Station. While it is typically not a good idea to comment on investigations that are in progress, this one has the potential for significant learnings.
On October 26th, 2019, one of the pumps inside the pump house failed, resulting in the release of produced water containing hydrogen sulfide. The alarm system reported a high oil level alarm which triggered an automatic call-out phone notification to the Aghorn employee on duty. When the employee entered the pump house, he was overcome by hydrogen sulfide gas.
The waterflood station is used to pump water under high pressure into injection wells that improve oil extraction from underground wells. It is equipped with a hydrogen sulfide detection system consisting of eight detectors placed throughout the station, including two which are located inside the pumphouse. The system is designed so that when any one of the sensors detects hydrogen sulfide above certain concentrations, a signal is sent which triggers a callout notification and turns on a light on top of the pump house (alarm beacon). The light on top of the pump house was not illuminated when the emergency responders arrived on the scene. Post-incident testing revealed that the hydrogen sulfide detection system may not have been performing as expected. This means that the Aghorn employee may have unknowingly entered a deadly environment.
What is a Safety Alarm?
The alarm associated with detection of hydrogen sulfide and annunciation of the alarm beacon could be considered the very definition of a Safety (Related) Alarm according to ISA-18.2 and IEC 62682; “an alarm that is classified as critical to process safety for the protection of human life or the environment”.
You might think that because it contains the word “safety” in it, that this type of alarm would need to part of a safety instrumented system (SIS) and thus comply with IEC 61511. This would be incorrect unless a risk reduction of > 10 is claimed for it. Although not required to be in an SIS, it should, however, be part of a high reliability installation that is tested and maintained rigorously. It would likely follow the evolving ISA-84.91.03 standard “Functional Safety: Process Safety Controls, Alarms, and Interlocks (PSCAI) as Protection Layers”. The purpose of ISA-84.91.03 is to “bridge the gap” between existing standards such as IEC 61511 and ISA-18.2 / IEC 62682, which don’t address, for example, requirements for protection layers used in a Basic Process Control System (BPCS). This incident illustrates the importance of ISA-84.91.03 and reinforces why it is needed.
Figure. Alarm Beacon (Light) Designed to Illuminate when Hydrogen Sulfide is detected inside the Pumphouse