Control Systems, Oh, No...Not Again!

The Process Industries Have Been Faced with a Continuing Series of Refinery, Chemical Plant, Mining and Even Food Plant Disasters. These Continue to Happen with Distressing Regularity. Who's at Fault? It's the Culture, Not the Control Systems

1 of 3 < 1 | 2 | 3 View on one page

By Walt Boyes, Editor in Chief

We plan cover stories fairly far in advance. This was supposed to be a story of the convergences going on in safety systems in the process industries. Then the story was, as they say, overtaken by events. We will still look at those convergence trends, but we have to do it in a whole new light.

On Friday, April 2, 2010, at 12:30 a.m., employees of Tesoro Corp.'s Anacortes, Wash., refinery were starting up the naphtha unit after it had been down for maintenance. The unit caught fire and was seriously damaged. Seven workers were killed. The refinery's capacity to make unleaded gasoline was reduced by two-thirds.

Then, on April 5, 2010, in the Massey Energy-owned Upper Big Branch Mine near Montcoal, W. Va., an explosion killed 29. There also was a much larger mining catastrophe recently, killing over 100 miners in China, as well as another refinery problem in Gujarat, India.

Most recently, BP's Deepwater Horizon oil rig caught fire on April 21. Eleven workers are missing and presumed dead, and the environmental impact remains unclear.

Ever since the Producers and Refiners refinery in Parco, Wyo., exploded in April 1927, with a loss of 18 lives, the process industries have been faced with a continuing series of refinery, chemical plant, mining and even food plant disasters, which continue to happen with distressing regularity. Including mining, such as the Massey Coal explosion, there have been over a dozen accidents in process industry plants just since the first of the year, requiring shutdowns and causing injuries and some fatalities.

This is made worse by the knowledge that at least since the Buncefield explosion and fire in the U.K. and the BP Texas City disaster, both in 2005, end-user and vendor companies alike have been trying to understand what causes these accidents and seeking actively to prevent them. Based on the record, we haven't had a lot of success.

Some people simply shrug and point out that petrochemical plants aren't called "boom factories" for no reason. Others have elected, as apparently the management of Massey Coal did, to delay or defer installing the appropriate safety systems. But still others have been working very hard to develop ways to prevent accidents like Buncefield and BP Texas City.

There have been several approaches to preventing accidents. There has been a global drive toward using safety instrumented systems (SIS) that are designed and maintained to shut plants down in the event of failures. But SISs haven't stopped the accidents, even where they have been shown to be working. One of the most important findings in studying the Buncefield and Texas City accidents was that the operators were inundated by alarms. So EEMUA, the Engineering Equipment and Materials Users Association; the Abnormal Situation Management (ASM) Consortium; the ISA18 committee; and the Center for Operator Performance have focused on HMI design and alarm management. But alarm management hasn't stopped the accidents.
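The "inundated by alarms" finding is what the EEMUA 191 and ISA18.2 alarm-rate metrics were written to measure. The following is an added example, not code from the article or from any of the organizations it names: it applies those published metrics (an alarm flood is more than 10 alarms in any 10-minute window; the long-run target is roughly one alarm per 10 minutes) to a constructed alarm journal. The journal format, tag names and timestamps are assumptions made up for the illustration, as are the function names.

```python
"""Alarm-rate metrics (EEMUA 191 / ISA-18.2) over a constructed alarm journal.

Added example, not code from the article. The journal layout, tag names and
timestamps are constructed for illustration; the thresholds are the published
ones: more than 10 alarms in 10 minutes is an alarm flood.
"""
from bisect import bisect_left
from collections import Counter
from datetime import datetime, timedelta

FLOOD_WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10   # EEMUA 191 / ISA-18.2: >10 alarms in 10 minutes is a flood

# Constructed alarm journal (not real plant data). Columns: ISO timestamp, tag,
# priority, state (ALM = alarm became active, RTN = returned to normal).
SAMPLE_JOURNAL = """\
2010-04-02T00:22:05 LT-101 HIGH ALM
2010-04-02T00:23:30 LT-101 HIGH RTN
2010-04-02T00:24:12 PT-204 LOW ALM
2010-04-02T00:29:40 TT-310 HIGH ALM
2010-04-02T00:30:01 FT-115 LOW ALM
2010-04-02T00:30:04 PT-204 LOWLOW ALM
2010-04-02T00:30:06 LT-101 HIGH ALM
2010-04-02T00:30:09 TT-311 HIGH ALM
2010-04-02T00:30:12 LT-101 HIGH RTN
2010-04-02T00:30:15 LT-101 HIGH ALM
2010-04-02T00:30:20 PT-205 HIGH ALM
2010-04-02T00:30:25 FT-116 LOW ALM
2010-04-02T00:30:31 TT-312 HIGH ALM
2010-04-02T00:30:37 LT-101 HIGH ALM
2010-04-02T00:30:44 XV-120 FAULT ALM
2010-04-02T00:30:52 PT-206 HIGH ALM
2010-04-02T00:31:05 TT-313 HIGHHIGH ALM
2010-04-02T00:31:20 LT-101 HIGH ALM
2010-04-02T00:40:00 OPERATOR note: startup in progress
2010-04-02T00:45:00 TT-310 HIGH RTN
2010-04-02T00:52:30 PT-204 LOW ALM
"""


def parse_journal(text):
    """Return sorted (time, tag, priority) tuples for alarm activations only.

    RTN records are skipped: the flood metric counts new alarms presented to
    the operator, not every state change. Lines that do not have the four
    expected columns (e.g. operator notes) are ignored rather than crashing.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "ALM":
            continue
        ts, tag, priority, _ = parts
        events.append((datetime.fromisoformat(ts), tag, priority))
    events.sort()
    return events


def trailing_counts(events):
    """For each alarm, the number of alarms in the 10 minutes ending at it (inclusive)."""
    times = [t for t, _, _ in events]
    return [i - bisect_left(times, t - FLOOD_WINDOW) + 1 for i, t in enumerate(times)]


def detect_floods(events):
    """Return [(start, end, peak)] flood periods.

    A flood begins at the first alarm whose trailing 10-minute count exceeds
    FLOOD_THRESHOLD and ends at the last alarm for which that still holds;
    'peak' is the highest trailing count reached during the period.
    """
    floods, current = [], None
    for (t, _, _), n in zip(events, trailing_counts(events)):
        if n > FLOOD_THRESHOLD:
            if current is None:
                current = [t, t, n]
            else:
                current[1], current[2] = t, max(current[2], n)
        elif current is not None:
            floods.append(tuple(current))
            current = None
    if current is not None:
        floods.append(tuple(current))
    return floods


def bad_actors(events, top=5):
    """Tags that activate most often; ISA-18.2 calls these 'bad actors'."""
    return Counter(tag for _, tag, _ in events).most_common(top)


def average_rate_per_10min(events):
    """Average alarms per 10 minutes over the journal's span (target is about 1)."""
    if len(events) < 2:
        return float(len(events))
    span = events[-1][0] - events[0][0]
    return len(events) / (span / FLOOD_WINDOW)


if __name__ == "__main__":
    evts = parse_journal(SAMPLE_JOURNAL)
    for start, end, peak in detect_floods(evts):
        print(f"FLOOD {start:%H:%M:%S}-{end:%H:%M:%S}: peak {peak} alarms in 10 min")
    print("bad actors:", bad_actors(evts, top=3))
    print(f"average rate: {average_rate_per_10min(evts):.1f} per 10 min (target ~1)")
```

On the constructed journal the startup burst trips the flood threshold at 00:30:31 and peaks at 16 alarms in the trailing 10 minutes, and one level transmitter (LT-101) accounts for five of the 17 activations, which is the kind of chattering "bad actor" that rationalization is meant to remove before the operator ever sees it. The backward-looking window is the natural choice for a live detector: the count is available the moment each alarm arrives, with no need to wait for the window to close.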

The vendor community has moved to incorporate the safety systems into the basic process control system (BPCS) interface—even while maintaining some separation—to provide a uniform engineering package, design interface and operator HMI so that operators in emergency situations will not have to interpret data coming to them in different formats. But a converged operator environment has not stopped the accidents.

So there is considerable controversy about what to do to prevent the deaths and injuries that are so regularly occurring in the process industries.

A Controversial Convergence of Systems

The strongest movement toward stopping the nearly continuous stream of accidents is the convergence of systems. Fire and gas safety systems are being incorporated into SISs, and alarm management systems have been redesigned and respecified (see the EEMUA 191 and ASM Consortium guidelines and the new ISA18.2 standard, for example). But is this convergence a good thing, and if it is, is it enough?

John Rezabek, process control specialist at ISP Corporation in Lima, Ohio, doesn't think so. "They are separate efforts and disciplines that need to be done well," he says. "Alarm management is an endeavor to help the humans function on a higher level with better information (and therefore more safely). SIS is an effort to design an autonomous interlock to save the humans from themselves when all else fails."

Todd Stauffer, director of alarm management services at exida, a major safety consultancy, disagrees. "The disciplines of alarm management and functional safety have always been interconnected. The release of the ISA18.2 standard in June of 2009 has accelerated the pace of convergence and is leading practitioners to take steps to treat these two disciplines holistically."

Nicholas P. Sands, process control engineer for E. I. DuPont, in Wilmington, Del., and co-chair of the ISA18 Alarm Management Standard says, "My opinion is that there are some convergences in safety thinking. I think the adoption of the performance-based approach to safety systems is changing some long-held prescriptive views, especially around burner management systems, and I think that is a good thing."

Carl Moore, senior instrumentation engineer, SIS, at Mustang Engineering, one of the world's largest control system integrators, sees the advantages of convergence, but says, "The current thinking and method of implementation for a number of oil-and-gas companies offshore is to have an independent fire-and-gas (F&G) system with a SIL 3 logic solver, an independent emergency shutdown (ESD) system (with another SIL 3-rated logic solver), an independent process shutdown system (SIS) with yet another SIL 3-rated logic solver, and an independent BPCS. Fire detection and hydrocarbon leak detection are implemented in the F&G system, which must pass this information on to the ESD system for trip or open action."
