EH-9303 Issue No. 3, March 1993 Occupational Safety Observer
MARCH 1993
Occupational Safety Observer
Fatal Fall
Worker Falls to His Death
The following tragedy illustrates how change can contribute
to accidents that are otherwise preventable. In this accident, a
number of planning mistakes were made, but one of the most
important mistakes was a failure to respond to change Ä no one
provided the extra safety materials needed and no one informed a
substitute worker of the safety hazards at the work site.
What happened
The accident took place at the retired F-Reactor at the
Hanford site. Over the last few years, the building had received
several structural evaluations that had indicated the need for
roof repairs, but a lack of funds had delayed this effort. In
1991, the dangers associated with the deteriorated roof gave it
sufficiently high priority to be scheduled for repairs, and
preparation for this work began in early 1992.
(DOE AI Report, May 1992)
During pre-job planning, a number of safety problems were
experienced. First, a misunderstanding in the creation of the
Letter of Instruction for the work resulted in the deletion of a
requirement for life lines during the performance of the roof
work (the use of safety harnesses and life lines would require an
overhead "tie-off" point), although it is not clear that the life
line would have helped in this situation. Second, the required
Job Safety Analysis (JSA) and pre-job safety plan were not
performed. During the job planning stage, both the safety
representative and the ironworker supervisor were on the roof
several times and had observed roof cracks from the inside of the
building. Because no planks were made available to construct
"safe" walkways and there were no attachment points for safety
lines, the safety representative advised workers to walk on those
areas directly over the roof beams while on the roof.
On the day of the accident, one of the ironworkers who had
participated in the previous walkthroughs was absent. A
substitute "ironworker craftsman" took his place for the day. No
one provided the necessary safety planks or harnesses and lines
and no one briefed the substitute worker on the dangers of the
roof or advised him about walking directly over the roof beams
while on the roof.
Soon after work began, the substitute ironworker climbed to
the roof and walked to the southern end. The supervisor, who was
already on the roof, noticed that the ironworker was not walking
over the beams and began to warn him. At that moment, the
ironworker stepped on a deteriorated panel and fell through the
roof. He landed on the floor of the building, 36 feet below.
The supervisor called for medical help and administered CPR, but
the worker did not respond, and was pronounced dead a short while
later.
What caused the accident?
A number of procedural deficiencies affecting safety
contributed to this fatal accident. First, many of the required
Page 2 Occupational Safety OBSERVER
pre-job planning steps, if performed properly, would have
identified a need for stricter work controls. Second, the
ironworker supervisor did not obtain the appropriate safety
materials and equipment nor did he brief the substitute
ironworker on the "fall-through hazards that might exist on the
roof" or the safety advisements that were in place (i.e., walking
over the beams). Further, there were no controls in place to
require the supervisor to perform this briefing or to allow the
ironworker to gain this information from other sources. The
result of these deficiencies was a fatal accident that occurred
only 7 minutes into the work day, but that should not have
happened at all.
What's needed
29 CFR 1926.21(b)(2) requires that employers advise all
employees on the recognition and avoidance of unsafe conditions
connected with their job. Further, adequate safety measures
must be planned for all hazards that workers are exposed to.
Adequate investigation must be performed to ensure that all
hazards are recognized. Signs should be posted stating both the
hazard and proper avoidance measures to be taken unless controls
are either obvious or universal. Finally, formal job safety
analyses are necessary to meet OSHA requirements.
Heavy Equipment
Accidents Have Site-Wide Effects
Accidents can have significant safety effects well beyond
the accident scene. The interconnected nature of the facilities
and activities at DOE sites means that an accident in one area
can affect operations in other areas. Therefore, it is important
to be careful in your activities for your own safety as well as
the safety of others.
Two recent incidents involving heavy equipment operations
illustrate the potential for serious safety problems well beyond
the accident site.
Front-end loader incident
During a blizzard on December 4, 1992, a contractor at
Sandia National Labs drove his front-end loader into a set of guy
wires on a utility power pole. The impact caused the wires to
snap and the top part of the guy wire to fall onto an overhead
46kV line, cutting power to ten substations. This incident not
only damaged the loader, but also resulted in the loss of
electric power to eight buildings, a live firing range, and the
Solar Tower Site. Although the power loss lasted only three
hours, the consequences could have been much more serious.
(ORPS Ref. # ALO--KO-SNL-TA3COYOTE-1992-0007)
Crane incident
A second event occurred at the Savannah River Site on
December 7, 1992. An unescorted 40-ton crane hit a 40-psi steam
line. In this incident, the crane operator was making a
right-hand turn and raised the boom of the crane so that it did
not obstruct his vision. Apparently, the boom had elevated more
Occupational Safety OBSERVER Page 3
than the operator thought and hit an in-service steam line. The
impact damaged the steam line and released asbestos insulation.
(ORPS Ref. # SR--WSRC-POD-1992-0056)
Following the incident, the area was barricaded and
certified asbestos handlers cleaned the loose asbestos from the
crane and road. An investigation determined that there was a
minimal impact on the environment, safety, and health.
What do these incidents have in common?
No one was injured in either incident. However, in both
cases, the operation of heavy equipment had a safety impact
beyond the accident scene.
In the front-end loader incident, the downed wires in the work
area could have seriously injured those in the immediate area and
could have placed those in surrounding areas at risk from power
loss. In the crane incident, the damaged steam line could have
ruptured or fallen from its supports, jeopardizing the safety of
those in the immediate and surrounding area.
Safety considerations
All DOE workers share responsibility for preventing such
incidents. Consider the following steps you can take to maintain
a safe work environment for yourself and others:
o Workers should survey their surroundings before starting a
job and note how to avoid possible hazards.
o Consider the impact of your actions on other operations Ä
keep the big picture in mind.
o In adverse weather conditions take extra care and plan
ahead.
o Whenever possible, management needs to ensure that heavy
equipment operations are located in areas where the
potential for impact is minimized.
o Construction supervisors and workers should arrange spotters
and escorts when traveling or working in congested areas.
Industrial Accident
Three Workers Trapped, Die in Fire
If a fire occurred where you work, would you be able to
escape safely? A tragic fire at a New Jersey power plant offers
a powerful reminder to DOE site personnel regarding the
importance of safe evacuation.
What happened
On December 25, 1992, three workers died in a fire at the
Newark Cogenerating Plant. Though the investigation is not yet
complete, it appears that the three died of smoke inhalation when
they were unable to escape the burning facility. The three
workers were trapped in the kitchen, where they tried to break
Page 4 Occupational Safety OBSERVER
wire-reinforced windows to escape; according to the Fire
Department spokesperson, "They obviously tried breaking them with
chairs, and you can see the pockmarks on the glass." When they
were unable to escape through the windows, the workers left the
kitchen. The door locked behind them, and the workers were
trapped in a hallway, where thick smoke from burning fuel oil
apparently caused their demise.
The plant was so secure that rescuers had difficulty
entering. According to the Fire Department spokesperson,
firefighters had to break metal doors to enter the locked plant.
In addition, firefighters needed sledgehammers to open the
wire-reinforced windows.
Lessons for DOE sites
Prevention should always be the first line of defense
against occurrences like this fire. But should a fire occur, it
is essential that a safe means of egress exists.
DOE Tiger Teams have reported means of egress problems at
more than half the facilities evaluated. One reason for these
problems could be a conflict between ensuring worker safety and
ensuring facility security. Recent reports by EH-30.3 site
representatives from several DOE sites have also revealed
problems with means of egress.
DOE Order 5480.7 requires compliance with the National Fire
Code, including the Life Safety Code, NFPA 101. The requirements
for maintaining exits free of obstructions and available to the
occupants, as well as required levels of standard and emergency
lighting for exit paths, are described in NFPA 101.
OSHA General Industry Standard 29 CFR 1910.37(k)(2)(3)
requires that the means of egress (including exit doors,
corridors, stairs, etc.) be free of all obstructions or
impediments, so that they are fully and instantly usable in case
of fire or other emergency. Devices or alarms that restrict the
improper use of an exit for reasons such as security must be
designed and installed so that they do not impede or prevent
emergency use of the exit even if they fail to work properly.
Some responsibilities
Locked exits, inadequate exit signs, blocked exit pathways,
and poor illumination along emergency evacuation routes all can
impede a swift and safe exit in an emergency situation. To
reduce such danger, the following points should be remembered:
o Cognizant DOE Field Office personnel should be familiar with
national standards (e.g., NFPA, 29 CFR 1910, 29 CFR 1926,
and UBC) and should periodically review and oversee
contractors' emergency preparedness programs regarding means
of egress.
o Facility managers and safety personnel should perform
periodic inspections to identify unsafe conditions,
including conditions that might impede an immediate
evacuation during an emergency.
Occupational Safety OBSERVER Page 5
o Workers should take a moment to walk down their work site
and make sure that there are no obstacles to a swift
evacuation. Know your emergency exit route before the
emergency occurs.
o Fire protection engineers should examine semi-confined
process areas to ensure that an alternate means of
egress exists in case the primary means of egress is
blocked.
Performing careful periodic reviews and inspections are the
best way to ensure that safe egress routes are available for
emergency evacuation.
Flash Flood
Lockout/Tagout Procedures Did Not Include Equipment Modification
Lockout/tagout incidents often occur when procedures are not
followed. But, even when work teams follow their lockout/tagout
procedures, there can be the potential for serious problems. In
the following incident, a lack of communication between two work
crews and a failure to incorporate new equipment into the
lockout/tagout system created a dangerous situation Ä accidental
release of 10,000 gallons of water into an occupied drainage
outfall. Although no one was hurt, this near miss had an obvious
potential for serious injury.
What happened
The incident occurred on December 1, 1992, at Savannah
River's K-Reactor Area. It may be helpful to refer to the
diagram on the facing page.
The incident involved the K-Reactor coolant system,
specifically the 186 Basin, which is linked by blowdown line (a
60-inch diameter pipe) to the 904 Building. When the reactor is
operating, cooling water can flow from the 186 Basin to the 904
Building and then into an outfall, which runs to the Savannah
River. The outfall is basically a 40 foot-wide drainage ditch
that collects cooling water from several sources. At the time of
this incident, two construction crews were working on this
system.
(ORPS Ref. # SR--WSRC-REACK-1992-0255)
The first crew was working in the outfall, which was dry.
In accordance with site procedures, operations had locked out the
flow to the outfall, which carries 190,000 gallons per minute of
water when the reactor is running.
The second crew was working on the blowdown line between the
186 Basin and the 904 Building. Two valves, in series, isolated
the water in the 186 Basin from the 904 Building and points
downstream, including the outfall. The crew was working
downstream from the second valve, ISV-1, coating the interior of
the blowdown line. To protect the men in the pipe, the second
crew hung a "Do not operate" tag on ISV-1.
ISV-1, however, was a new valve and was not included in the
lockout/tagout procedure affecting the first crew, in the
outfall. Operations had not known about it and had not locked it
Page 6 Occupational Safety OBSERVER
closed. Thus, two independent lockout/tagout systems were in
effect, one affecting each crew. The first crew, in the outfall,
had locked all sources draining into the outfall under the
operations lockout/tagout system (by placing their lock on the
box containing the keys for an operations lockout). The second
crew, working on the blowdown line, had tagged out ISV-1 under an
independent construction lockout/tagout system. ISV-1 should
have been locked and/or tagged under both of these systems, but
it was only tagged out under one system because, as a newly
installed valve, it had not yet been passed to operations.
Unknown to the second crew, the valve in the blowdown line
upstream of ISV-1 leaked. Pumps had been installed to remove the
water that leaked past the first valve and was trapped behind
ISV-1, but these pumps were not operational. As a result, 10,000
gallons of water had accumulated behind ISV-1.
The second crew, unaware of the accumulated water, completed
coating the inside of the blowdown line. They removed the "Do
not operate tag" from ISV-1. It was permissible for them to
remove this tag because they had installed it. They opened the
valve. The 10,000 gallons of accumulated water rushed out and
into the 904 Building. The water rushed through the 904 Building
and into the outfall.
Fortunately, an erosion weir in the outfall diverted most of
the water and it did not reach the crew working in the outfall.
If the water had swept over the crew, the results could have been
catastrophic.
The lesson of effective communication
The primary cause of this incident was that ISV-1 was not
included in the lockout/tagout procedure used by the crew in the
outfall. ISV-1 was newly installed and had not been passed into
the operations lockout/tagout system as part of a design control
or configuration management system. It came down to an issue of
communication Ä proper communication would have ensured that
operations was informed of newly installed equipment as soon as
it was capable of affecting other plant systems. If operations
had been so informed, the new configuration could have been
controlled by the centralized lockout system.
It can be difficult to keep lockout/tagout procedures
current. Procedure writers may not be aware of changes, because
administrative procedures and practices may not support prompt
notification of plant modifications. The typical procedure
writer also confronts a large backlog of procedure change
requests, adding to the difficulties inherent in keeping
procedures up-to-date. However, as this incident illustrates,
out-of-date lockout/tagout procedures can lead to disaster.
As Savannah River personnel were investigating this
incident, they reached another conclusion -- access to the
outfall should be restricted. When the reactor is operating, the
outfall is full of flowing water and no reasonable person would
venture into it. However, when the reactor is not operating, the
outfall is dry and appears quite harmless. If someone who was
unaware of the danger were to wander into the dry outfall as the
reactor started, he or she would be swept away by a wall of
water. Savannah River personnel decided that the outfall should
Occupational Safety OBSERVER Page 7
be barricaded or that warning signs should be posted. Although
these actions would not have prevented the incident discussed
here, they could prevent a future accident.
Excavation Hazards
Beware of Surprises During Excavation
Excavation activities pose special challenges since the
dangers are hidden. Buried electric power cables, natural gas
pipelines, telephone cables, and other utilities are real
obstacles to excavation. If they are disturbed during excavation,
they may pose a danger to the immediate work crew and to the site
at large.
Two recent excavation incidents
The first excavation incident occurred December 12, 1992,
when a subcontractor at the West Valley Site hit and ruptured a
two-inch natural gas line with a backhoe, significantly damaging
the line and necessitating the evacuation of site areas downwind
from the incident. Although no personnel were injured and little
property damage occurred, the ruptured line released a tremendous
amount of natural gas into the air, creating the potential for a
serious explosion. The cause of this incident was attributed to
inaccuracies in the site utility plan. While the subcontractor
performing the excavation followed the site utility plans and
procedures, he may have failed to allow a significant margin for
error, as the site utility plan showed the gas line to be about
two feet away from its actual location.
(ORPS Ref. # ID--WVNS-CF-1992-0001)
A second, similar incident occurred at Brookhaven on
December 28, 1992. While excavating to install a sewer line, a
backhoe bucket struck and damaged a buried telephone cable,
causing a partial loss of telephone communications that affected
the site fire alarm system. Fortunately, the site had a backup
alarm system. Although all telephone cables were originally
marked prior to the excavation, snow had obscured the markings,
and the workers did not verify the location of the cables before
digging.
(ORPS Ref. # CH--BH-BNL-PE-1993-0001)
Some lessons learned
Use caution during excavation. Do not always trust the
available plans that mark underground utilities, as a number of
factors can render these plans and markings inaccurate.
For example, a buried pipeline, cable, or wire can shift if
the soil is rocky, frozen, or sandy. Even when workers are using
an accurate map, they cannot precisely determine where they are
digging Ä a trench dug by a backhoe may vary two feet either side
of the centerline of a trench.
Be sure to closely follow all procedures governing
excavations. These procedures may require you to make field
verifications with a metal detector, isolate all utilities in the
area surrounding the excavation, follow available site utility
plans, and use hand excavation in questionable areas or when
Page 8 Occupational Safety OBSERVER
closely approaching the location of buried services. 29 CFR
1926.651(b) requires sites to determine the location of all
utility installations prior to beginning the excavation. Site
managers should also contact utility companies or owners in
advance of the excavation to confirm utility locations. Warning
and marking techniques should be utilized when burying lines or
cables.
Lockout/Tagout
Another Close Call
The January issue of the Observer reported an electrical
lockout/tagout incident at Savannah River. This issue discusses
a similar lockout/tagout incident, this time at Lawrence Berkeley
Labs. No one was hurt in either of these incidents but, whenever
high voltage is involved, any close call is too close.
What happened
On December 4, 1992, two workers at Lawrence Berkeley Labs
were performing diagnostic maintenance work on a power supply for
a magnet. This particular power supply was split, providing power
to individual pieces of equipment Ä a charging power supply that
was located away from the magnet and a "kicker" unit located near
the magnet. The workers de-energized and locked out two sets of
breakers at the charging power supply Ä the control circuit
breaker and the high-voltage circuit breaker. These breakers cut
the power to the kicker, where they were going to work. They
diagnosed the problem with the magnet's power supply and replaced
the defective part they had discovered. They then removed their
locks and re-energized the control circuit breaker, allowing the
part they had installed to warm up (as required), and left the
high-voltage breaker de-energized. They went to lunch. When
they returned from lunch, they noticed that someone had energized
the high-voltage breaker.
(ORPS Ref. # SAN--LBL-AFRD-1992-0008)
No harm was done in this incident. The high-voltage breaker
had been energized by operations personnel making rounds.
Finding an untagged breaker de-energized, they had energized it
in accordance with a search-and-secure procedure. The
maintenance workers were fortunate that they had not been working
on the kicker unit when the high-voltage breaker at the charging
power supply had been energized.
29 CFR 1910.333 (2), Lockout and Tagging, requires that when
any employee is exposed to contact with parts of fixed electrical
equipment or circuits that have been de-energized, the circuits
energizing the parts shall be locked out or tagged or both. The
employer is required to maintain a written copy of the procedures
for locking and tagging out electrical equipment. In a related
standard, 29 CFR 1910.147, OSHA also requires lock and tag
procedures for other types of hazardous energy sources such as
pneumatic, hydraulic, or chemical systems.
Inadequate procedures
The maintenance workers followed general lockout/tagout
Occupational Safety OBSERVER Page 9
procedures in this situation. Although these procedures complied
with OSHA standards, it appears that those procedures were
somewhat inadequate. General lockout/tagout procedures permitted
the maintenance workers to remove their locks once the equipment
covers were replaced on the magnet, as the covers would protect
any personnel from electric shock. However, the potential for
minor equipment damage would have existed if the high-voltage
breaker had been energized. The maintenance workers should have
kept the locks and tags in place until they turned the equipment
back over to operations. Because of this deficiency of the
general lockout/tagout procedure in this case, a specific
lockout/tagout procedure for that breaker that incorporated this
safeguard was developed.
But there was no programmatic requirement for the
maintenance workers to notify the operators of the system status
before energizing the control breaker. Further, the maintenance
workers apparently did not tag the high voltage breaker when they
de-energized it, or they removed their tags prematurely before
departing for lunch.
Some guidelines
Although no harm was done in this incident, the potential
for serious injury existed because of programmatic deficiencies
in the lockout/tagout. The apparent lack of communication
between operations, who routinely control and operate the
equipment, as they are directed, and maintenance, who remove the
equipment from service, repair or replace it, and apparently
return it to service, is significant.
o Effective lockout/tagout programs require both maintenance
and operations to de-energize electrical equipment, placing
locks and/or tags on appropriate circuit breakers.
o Only one lockout/tagout procedure should be in place at each
site. This procedure must conform to the requirements of 29
CFR 1910.147 and the electrical safety requirements of 29
CFR 1910.333. Compatibility of these OSHA requirements with
Chapter IX, Lockouts and Tagouts, of DOE 5480.19, Conduct of
Operations, can be achieved by using uniquely identified
locks and/or tags during servicing and maintenance versus
for administrative or operational needs.
o Operations should maintain formal written logs that identify
equipment or devices removed from service for repair or
replacement, and that control the application of locks and
tags.
o When equipment is returned to service, operators are
contacted to energize the circuits and/or restart the
equipment. If further inspection or evaluation of repairs
is required, maintenance workers stand by while operations
performs these duties. Thus, operations is cognizant of
equipment status.
Smart work habits
Page 10 Occupational Safety OBSERVER
The maintenance workers involved in this incident did three
things that helped reduce the danger:
o Upon returning from lunch, the workers checked the charging
power supply, discovering that the high-voltage breaker was
re-energized. If you are away from a job for any period of
time, it is always a good practice to check for anything
that has changed.
o When the workers realized that someone had energized the
high-voltage breaker, they checked the job site to see if
anything else had changed.
o Before leaving for lunch, the workers completed the
maintenance work on the magnet and replaced all panel
covers. By securing the job site before leaving it, the
workers greatly reduced any immediate potential for injury,
because no high-voltage components were exposed.
Occupational Safety OBSERVER Page 11
DOE Order 5483.1A, dated June 1983, requires DOE compliance with
OSHA regulations.
The descriptions of the incidents included in this compendium are
based on information available at the time of publication.
The Occupational Safety Observer
is a publication of the
Office of Environment, Safety and Health.
For more information or corrections to the articles in this
issue, please contact:
Leonard M. Lojek
Operations Management Division (EH-32.1)
U.S. Department of Energy
Telephone: (301) 903-2033
For address changes and mailing list information, please contact:
John Everett
Fax: (206) 528-3246
Telephone: (206) 528-3246