Another safety standard area that needs improvement is operator interface design. “Of all the theoretical aspects of safety, graphics needs the most improvement,” claims Bullerdiek. “Current literature talks about limiting the amount of information on a page, and we’ve tried to adhere to these standards. But DCS system operators don’t want to navigate to find information; thus, they have a tendency to want to put more information on a display than is recommended,” he continues.
“I think the theoretical writing has a flaw because too much information on a screen is better than forcing the operator to go hunting for information when he needs it. The cognitive problem is the effort it takes to search for hidden objects—the effort to recall what display the information is on and the keystrokes and time required to recover it,” he concludes.
Alarm management and operator interface issues are directly related to the proliferation of modern digital control systems. Older control systems had limited capacity for alarms and other operator information displays, so only the most important operating conditions were displayed. Newer systems have nearly infinite capacity for information display. These capabilities are often abused, and safety standards haven’t always kept pace with ever-expanding control system capabilities.
“The problem is not that existing standards are wrong; it is that they have become obsolete as technology has advanced,” explains Dr. Nancy Leveson, professor of engineering systems and director of the Complex Systems Research Lab at MIT. “New technology, particularly digital technology, does not match the assumptions of the process safety techniques developed for the much simpler analog electro-mechanical systems of the past.”
Inadequate Implementation Causes Accidents
The other culprit is poor implementation. “For many years after my retirement, and while I was consulting, I had a standing bet of $100 against a plant manager’s $1 that given four hours, I could find enough violations of safety standards to put his plant in danger,” says Warren Thompson, formerly with Citgo, explaining how people can die when safety implementation falls victim to production mandates. “I didn’t mean an occasional violation, but a continuing violation that was known by everyone. In one plant, I asked the unit operator if he was violating any limits of operation. His answer was yes. I asked him if he knew he could be disciplined for that action. His response was he would be fired if he didn’t violate the limit because the limit was wrong. These statements were made with the safety manager standing next to me. Later this plant had an accident resulting in deaths.”
An anonymous end user from a major chemical company says correct implementation depends on a thorough understanding of standards and procedures. “The root cause of most incidents is an action or lack thereof by a person or group. Most incidents, especially the serious ones, have multiple small causes or events that come together to permit and initiate the incident. Many of these enabling events are failures to follow procedures or recommendations prescribed by the hazards analysis. They are often committed by people with good intentions, but poor understanding of the consequences,” he says.
Initial assessment of hazards is not enough; continuous attention and improvement are required. “In many cases, the expertise that maintained proper deployment of safety standards is gone,” says John Bass of Xcel Energy. “Some of the implementation detail is very subtle, and in the process of upgrading to newer instrumentation and control systems, some safety features can get lost.”
Dr. Lang of LyondellBasell adds, “The biggest issue is the need for a continuous improvement process that measures performance, sets goals and ensures that safety standards are met. Plant managers need to provide the appropriate working environment, including communication, operator graphics and support resources to foster continuous improvement in safety.”
Accidents Don’t Count
So how do we change attitudes so that more time and money are applied to safety?
“Accidents continue to happen because many companies use injuries and fatalities as the predominant metric to demonstrate safe operation,” says Dr. Angela Summers, CEO and founder of safety system consultancy SIS-TECH. “But injuries and fatalities should occur so infrequently that the data is meaningless. A focus on injuries and fatalities often leads to a normalization and tolerance of loss-of-containment events, increasing the likelihood of injuries and fatalities. Effective metrics that include minor incidents must be used to monitor required management system activities, expected behavior and work quality to ensure continuous safe operation.”
Rick Hakimioun, a senior instrument/electrical and control systems engineer at Paramount Petroleum, Paramount, Calif., agrees. He observes, “All accidents, no matter how small, must be analyzed, and steps taken to avoid future occurrences. If we get into the habit of ignoring safety and thinking that the accidents are part of doing business, we are 100% wrong.”
In addition to using correct metrics, developing a proper safety culture is critical. “Safety does not happen by itself or by external enforcement,” says Romel Bhullar, PE, technical fellow and director of control systems at Fluor Corporation, Irving, Texas. “Safety has to be inbred, developed, nurtured and encouraged by management and every member of the organization. Safety cannot be implemented by instilling a culture based solely on return of investment. There is no way to put a price/benefit analysis on safety.”
Safety expert Dave Harrold, co-founder and president of AFAB Group, and a past recipient of ISA’s E.G. Bailey Award for his efforts to promote process safety, sums it all up.