Running in place? Starting a playground swing without touching the ground? Effective, long-term process safety?
All these tasks are difficult, and can seem impossible and pointless until a little momentum starts to build. Well, despite gains in some standards and technical areas, this apparent limbo is where process safety is today due mainly to entrenched corporate cultures in the process industries that continue to value and demand production and profit over safety and the lives and health of their people.
Granted, more process users and engineers are performing risk assessments (RA), hazard and operability (HazOp) studies, layers of protection analyses (LOPA), safety integrity level (SIL) evaluations and other methods, and even designing and implementing more ISA S84/IEC 61511-compliant safety systems. However, most of the safety programs that do get off the ground still fall woefully short on routine safety data gathering, maintaining long-term safety practices, and adjusting safety systems to integrate new equipment and systems.
"Many control engineers are unaware of functional safety," says Robert Ancrum, an instrumentation, control and safety instrumented system (SIS) consulting engineer in Chicago, Ill. "When I ran the SIS team at one refinery, we gave a presentation of existing, credited independent protection layers (IPL) in one of the refinery control systems. The control engineers were shocked, to say the least. They had no idea they were involved with functional safety. Many control engineers are kept in the dark by the process safety engineers when they take credit for control system functions to mitigate risk. This lack of communication in the safety lifecycle is in violation of IEC 61511 requirements.
"My advice for control engineers is to get involved when you hear that a process hazard RA is being done for your unit, area or facility. Definitely invite yourself to the LOPA meeting. Don't be scared to challenge control system IPLs. From personal experience, they're not easy to manage and proof test, and there are better ways to mitigate process hazards. Process safety engineers believe that control loop IPLs need no special attention as they are always working. This is not correct and again in violation of IEC 61511. There are strict requirements for IPLs in IEC 61511, both for taking credit and managing them."
Update: Treading water
One reason why process safety is stuck in a rut is its standards were passed years ago, and have grown mature without being applied as widely, consistently and routinely as they should be. ISA S84 was first published in 1994, IEC 61511 followed in 2003, and both have been tweaked since then. This safety standards history parallels the fact that many in-house engineering departments were laid off in the 1990s, and continuing attrition due to today's accelerating retirements means many process safety efforts must be farmed out to third parties, if they're approached at all.
"ISA-84 has been around now for 21 years, and people were doing safety systems long before it came out," says Paul Gruhn, P.E., global functional safety consultant at aeSolutions, a process safety engineering and automation consulting firm headquartered in Greenville, S.C. "Certain companies (usually the large, international ones) are doing functional safety well because they have the resources and understand what process safety statistics mean. Other firms are struggling (usually the smaller ones) with others in between. Many small companies don't know their safety statistics, and think they're safe if they haven't had an accident.
"Lots of organizations do initial RAs, but then don't follow up, monitor and manage their safety. These days, users can get integrated control and safety from one vendor, but they're all very different in terms of separation and diversity of hardware and software. Honeywell's approach (diverse hardware and software for both) is vastly different than Emerson's (similar hardware and the same software for both), which is vastly different than ABB's (same hardware and software for both)."
Zachary Stank, product market specialist for safety at Phoenix Contact, adds that, "SILs have gone from few people knowing about them to everyone at least being aware of what they are. This is just touching the surface of getting them to know what each different SIL level means. This transition is also being driven by more users doing RAs, the need for increased upgrades of plants and infrastructures, and more insurance companies requiring safety measures and systems for coverage. As a result, we're also adding hazardous location capabilities to our safety products, such as Class I, Div. 2 relays that can be shipped and used anywhere, or equipment that's ATEX-compliant for use in Europe."
Avoid shiny distractions
Even though process safety is a crucial part of the control and automation field, it's also been overtaken in recent times by cybersecurity, virtualized computing, the Industrial Internet of Things (IIoT) and other more glamorous subjects. These technologies are important, too, but they may be a distraction from the day-to-day focus that process safety requires to succeed in the long term.
"Some colleagues say we need to breathe new life into process safety because its standards have matured, but we're too often distracted by shiny rocks like cybersecurity and IIoT, and chasing them takes our eyes off the safety ball," says Angela Summers, president of engineering consultant SIS-TECH (sis-tech.com) in Houston. "Still, many companies are working really hard to improve and sustain their process safety program. For example, the Center for Chemical Process Safety has seen a steady increase in worldwide membership and has opened offices in other regions to better support their members. The problem with process safety is it's more than a campaign and baseball caps. It requires unrelenting effort every day, grueling gathering of routine safety data, long-term maintenance, keeping teams engaged, thinking more deeply and self-reflecting, especially when equipment and systems are changed.
"The biggest issue that I see is that some users believe the myth that they're guaranteed safe operation simply by buying certified equipment. This is similar to thinking you can build a sports car by buying a few essential parts with impressive pedigrees. Safe automation requires that the entire system be designed and managed to achieve the required performance in the application. The ideal situation is to implement a system that works when it needs to, doesn’t operate spuriously, and rarely needs maintenance."
Summers adds that process safety's maturity also means its practices have become institutionalized, and spread to other points on the process control lifecycle and technical areas, which further improves safety. "The standards and practices initially focused on the last line of defense in preventing process safety incidents—the SIS. Now, it's accepted that the functional safety lifecycle applies to all instrumented safeguards, whether implemented using basic process control system (BPCS) equipment or SIS-rated equipment," explains Summers. "All instrumented safeguards used in process safety applications must be proven to achieve desired performance via testing and metrics.
"There's also more focus on human factors during normal and abnormal operations, since human errors are so frequently a contributor to process safety incidents. The inherently safer strategies of simplify, moderate, substitute and minimize can be applied to instrumentation and controls design to reduce the chance of human error. In addition, increased configuration options for many field devices is increasing the potential for errors. There was once a controller where all logic processing was done. Now, the logic can be resident in the sensor, controller, final element or all three. Configuration management is a significant human factor issue because the potential for error is escalating rapidly."
Ancrum adds that, "Although process safety is a compliance requirement, it still takes a back seat to production. At a conference I was presenting at in 2016 for chemical industry control engineers, I was asked how you handle being asked to bypass safety functions to increase production. The answer to that is, if the safety function is required to mitigate a process hazard, you can't. But it does highlight the pressure control engineers are under when production takes priority over process safety."
More "shalls" than "shoulds"
One positive development on the process safety front is that IEC 61511, second edition, was published in July 2016, and it reportedly includes more prescriptive language. Of course, there's no guarantee these statements will affect plant-floor safety. (See sidebar, "IEC 61511 second edition updates.")
"It's a good jolt for process safety because IEC 61511's second edition not only addresses cybersecurity in RAs and SIS, but its statements are stronger. There are a lot more 'shalls' where there used to be 'shoulds,'" says Steve Gandy, vice president of global business development at exida, a leading process safety certification and software provider. "IEC 61511 has always required performance measurements, KPIs and recording leading and lagging indicators, and many users are getting better at process hazard analysis (PHA), LOPAs and RAs, and designing safer systems.
"However, where they're falling down is on the back end of IEC 61511. They're often not continuing to record performance data, not recording proof tests, and not running the proof tests at the right intervals, which should be per their safety requirement specification (SRS). The problem is that a lot of users' data collection systems are weak, and many are lacking manpower, too. This means data lags, incidents, trips, faults, near misses and maintenance proof tests aren't properly documented and/or recorded."
Charles Fialkowski, process safety director at Siemens Industry Inc. and a voting member on the ISA 84 SIS standard committee, reports that it and other safety efforts by users and suppliers have progressed over the years, but their directives sometimes fall through the cracks by the time they reach the plant floor. This is especially true as standards need to be rewritten to address devices that weren't part of traditional safety systems, such as alarms, interlocks and other devices. "A user may have a standalone safety system that's compliant, but its networking isn't monitored or audited. People don't want to violate cybersecurity rules, but they have different interpretations about how to do it, and so it doesn't get done."
Fialkowski adds that Siemens' Safety Matrix software provides cause-and-effect diagrams that show hazard monitoring and responses, which can be followed in a LOPA and sent to operators' HMIs earlier to improve process safety. "Cause-and-effect diagrams for switches are clearer because it can be hard to see data for devices like safety switches in Ladder Logic or function block code," says Fialkowski.
Pete Skipp, process safety manager for Rockwell Automation's Systems and Solutions division, reports that, "The key change in IEC 61511 is that it formalizes how process safety should be applied, and clearly aligns functional safety and cybersecurity. This is useful because there's more awareness of process safety, especially by insurance companies, who are asking how process safety should be managed better, and are attending industry training classes and seminars. Also, federal agencies like the U.S. Chemical Safety Board are seeking more oversight, too."
Ganesh Cherukuri, global process technical consultant at Rockwell Automation, adds that, "Our PlantPAx control system puts its DCS and safety functions together in an integrated control and safety system (ICSS), which can combine BPCS, fire and gas controls, burner management and other functions."
Not surprisingly, cybersecurity is still hogging the spotlight in process safety. "The latest IEC 61511 says cybersecurity needs to be addressed for SISs, but the standard doesn't tell you how to do it," adds Gruhn. "The IEC 62443 series of documents provides the 'how,' but it's a very big pill to swallow. This is a very hot topic at the moment, and will remain so for quite some time. There are plenty of consultants in this space because most end users simply don't have the specific knowledge."
Crippled by culture
Sadly, despite all the study, analysis, recommendations, software and safety components developed recently and over the past 30 years, avoidable process accidents, injuries and deaths continue, largely unabated, because many users simply refuse to employ them. Production is still more important than safety, no matter what promises are made to the contrary. Aside from passing tougher safety laws, which isn't likely to happen anytime soon, the only practical solution is slowly chipping away at existing practices with deliberate, persistent and targeted training, retraining, simulation and encouraging safety team members to speak up and intervene when needed.
"Many process companies still have surprisingly big appetites for accepting risk to their personnel," adds Ancrum. "The tolerable level, or target for their maximum event limit (rate at which workers are killed or badly injured) is a very confidential number that varies greatly across oil, gas, refinery and chemical industries. There should really be nationally defined numbers for this.
"Another challenge for process safety is being overruled by management when complying with IEC 61511 because of time, money or both. This further adds to the risk appetite. Trying to get SIS valves pulled for inspection and testing to see if they are performing per the SRS is the most common example where I have been overruled, even though I was the subject matter expert (SME) and responsible for the performance of the SIS to meet IEC 61511. The updated version of IEC 61511 is requiring that end users prove that their actual failure rates meet or exceed the requirements of the SRS. This is generally not the case; actual failure rates are worse for field instrumentation. Only the logic solvers get close."
Echoing legendary process safety advocate Trevor Kletz's famous quote that, "All accidents are due to bad management," Gruhn reiterates that process safety must come from the top down and be more than words. "Company leaders must be accountable, and this can be accomplished in two ways," he says. "First, it should be possible to depose CEOs. Did you know that the CEO of BP was protected from being deposed after the 2005 Texas City accident? Courts in a variety of jurisdictions actually protect senior-level officials from depositions if they can show the CEO lacks personal knowledge of the facts in dispute. Second, CEOs should meet with the families of victims because it's been shown that it will change their mindsets and attitudes about safety. It’s true that a plant manager in East Texas went to prison over a U.S. Environmental Protection Agency/Risk Management Plan (EPA/RMP) violation. And the plant manager in Bhopal, India, went to prison as well. That's accountability, but it doesn't happen as often as it should."
Gruhn adds that process industry insurance premiums should be based on how well companies are following safety practices based on leading process safety indicators. "Premiums are already set based on how well a company is complying with OSHA process safety management (PSM) regulations. Leading process safety indicators are just another level of further detail based on lessons learned," says Gruhn. "We also should minimize the downsizing and outsourcing. People working in process plants need to really know it, have ownership of everything that goes on, do more than just manage outside contractors, and be well trained. For example, the Texas City facility had about 150 staff engineers at one point in the past, but by the time of the 2005 explosion, it was down to about a dozen.
"Finally, it won't happen, but we should enforce the old DuPont rule. When a former CEO of DuPont was once asked about process safety, he essentially said, 'Process safety is easy. Just do what the French did 200 years ago. They passed a law requiring the owner of an explosives facility to live on the property with his family.' If every plant manager of a facility covered by OSHA PSM rules had to live on the property with his family, the world would no doubt be a safer place."
Partners reduce risks
Beyond convincing internal personnel and managers to understand the value of process safety methods and use them routinely, some users are also recruiting system integrators, suppliers and other third parties to help them.
For example, Norske Shell operates two high-availability oil and gas fields on Norway's continental shelf: Draugen that runs in 250-meter-deep water with a 70% recovery factor, and Ormen Lange that runs in 3,000-meter-deep water and transports natural gas via two pipelines to a huge, onshore processing plant in Nyhamna, Norway (Figure 1). The plant dries and compresses the gas, and sends it via the 1,200-kilometer Langeled pipeline to England's east coast, where it supplies 20% of the U.K.'s requirements. To assist Norske Shell's production and expansion at these three sites, ABB operates integrated process automation, safety and information management systems. They monitor and control sub-sea and topside production at both fields and at the onshore plant, while field operations are supported by two ABB 800xA simulators at each field that replicate the physical safety and automation systems, train operators, and test automation system changes to reduce errors. The Nyhamna plant also uses ABB variable-speed drives to run its compressors more efficiently, save energy and reduce carbon dioxide emissions.
"Using simulation at Ormen Lange gives us better safety routines in our processes, as well as significant savings in the start-up period of the facility," says Geir Fillip Håseth, operations engineer at Norske Shell.
To make sure their fields, platforms, process plant and support facilities run safely, Norske Shell and ABB report they've seamlessly integrated their control and safety systems into a "single yet separate entity," which uses the same control architecture and HMI, shares controllers and field equipment, and uses the same software tools, but still keeps their functions separate. For example, Ormen Lange has 16 wells that extend 2,000 meters below the seabed, and they're surrounded by gravel and sand that will collapse into the well if production is ramped up too quickly. Previously, the wells were started slowly at preset speeds, but it typically took nine hours to ramp up a low-pressure well and 15-20 hours for a high-pressure well. This procedure was safe, but it also didn't account for real-time well conditions. To accelerate this start-up process safely, Shell asked ABB to create an automatic choke to monitor process dynamics in the wells, and adjust ramp-up speed in response to variables in the wells. This enabled Ormen Lange's wells to be opened faster than before, and with reduced risk to well integrity and safety. On average, they report it now takes only two hours to open the low-pressure wells and six hours to open the high-pressure wells.
John Walkington, managing consultant at ABB's Safety Lead Competency Center (SLCC), reports that the 10-year-old center provides IEC 61511-benchmarked functional safety governance in the form of SIL-capable systems, processes and people. "All of these involve safety culture," says Walkington. "This has been a sea change for us, too, but the concept of systematic safety capability must include human factors and evaluating errors through process lifecycles, so we can get the right people in the right places.
"I think changing safety culture begins with awareness, just as process and functional safety are related to occupational safety. This means training in safety procedures, and using simulations to improve operator engagement, which can also improve performance and the bottom line. In the future, we're heading toward a more collaborative safety approach with process safety teams, process engineering teams and instrumentation and mechanical teams cooperating on RAs, and developing forward- and backward-traceable hazard and operations studies that can be used by designers and operators. Then, they'll make their way back to the original assumptions about a safety case to see whether those assumptions are still valid, what improvements need to be made, and close the loop on safety in that application."
Likewise, to reduce risk and speed up deployment of its $1.2-billion renovation of the Rotterdam Advanced Hydrocracker (RAHC), ExxonMobil is using an innovative main instrument vendor (MIV) approach that relies on Emerson Automation Solutions to participate in a global framework agreement with standardized parts and models, pre-fixed pricing structures, coordinated specification and procurement, and verified testing and commissioning (Figure 2). The RAHC expansion is presently in the detail engineering stage, and is expected to begin construction late in 2017. It will expand Rotterdam's hydrocracker to upgrade heavier byproducts to lighter, higher-value products, such as EHC Group II base stocks and ultra-low-sulfur diesel. The MIV also works closely with Fluor, which is the project's engineering, procurement and construction (EPC) company, and handles engineering documents, loop diagrams and other essential tasks.
"There are a lot of challenges on this project and added risks caused by its accelerated schedule," says Amit Verma, instrument group lead for Safety and Automated Systems at ExxonMobil Research & Engineering. "These include added manpower needed for developing specifications, increased engineering burden on the EPC and ExxonMobil, managing procurement and lead times, and speeding up bid evaluations. However, the resources for coordinating and completing all these tasks are limited, and the risk is something may slip somewhere, increasing costs and delaying the schedule.
"Besides coordinating testing documentation and logistics, having an MIV enables more focused review meetings on process data with Intergraph's SmartPlant Instrumentation (SPI) software for QA reviews. It also allows deep dives by the MIV into control valve data and review cycles. This let us make sure process data was right, so the correct valves are selected before purchase order (PO) placement, and allows standardization across all valve orders."
Safe shutdown strategy
Most available research and incident post-mortems show the most dangerous times for process applications are during shutdowns, startups and other transition periods when non-routine tasks are happening. As a result, pretty much everyone is more aware and focused on improving safety during these critical periods.
Fortunately, safety shutdowns recently got easier at Georgia Pacific Chemical's nine U.S. plants thanks to coordination of their longtime Experion Process Knowledge Systems (PKS) with the plants' more recently integrated Safety Manager safety management system (SMS), also from Honeywell Process Solutions.
"Five years ago, we began implementing a new safety system across our plants," says Jarmo Salminen, manager of process control engineering at GP Chemicals, based in Atlanta, Georgia. "In the past, shutdowns were handled by the basic process control system or single-loop controls, so we really needed to enhance our safety system. We began to research safety control solutions, and eventually selected Honeywell Safety Manager, which was a pretty natural move for us because we're standardized on Experion."
Though its plants aren't especially big—the largest has eight reactors and the smallest has two—GP Chemicals produces a variety of products, mainly of resins, especially thermo-set resins for plywood and other products, as well as specialty chemicals and controlled-release nitrogen fertilizers. In general, the nine U.S. plants maintain rigorous separation between their controls and safety functions, and perform root-cause analyses of all safety shutdown trips.
Salminen explains that, because of the unique characteristics of its applications, "We can't have normal shutdown systems because we'll be trying to stop chemical reactions, and this means adding materials to stop or slow those reactions. We call this process 'quenching,' and it involves keeping two types of quenching materials—for either acid-catalyzed reactions or base-catalyzed reactions—in tanks at about 100 psi. We use pressurized air as the motive force because it's safer than nitrogen, which poses a possible asphyxiation risk. One quench system can handle up to five reactors."
To maintain the quenching capability required for its safety shutdowns, GP Chemicals maintains and tests both automated and manual valves. They're designed to be SIL 2-rated, undergo standard testing every 15 days and 30 days, complete full tests annually, and conduct logic-proof testing every five years. "The 15- and 30-day tests are performed with timers, which means new batches can't be started until one of these tests is successfully completed," says Salminen. "We also have a manual maintenance mode for opening, moving and closing valves, and for doing other safety tasks."
While most traditional safety shutdown systems have used completely separate HMIs and other equipment, GP Chemicals takes advantage of the fact that Experion and Safety Manager can combine several useful DCS and SIS functions. While their actual safety equipment and controls remain separate, Safety Manager's indicators, functions and data for GP Chemicals' quenching recipes are displayed on Experion's existing HMIs at its plants, which helps maintain operator awareness and performance.
"Whether they're doing regular production or carrying out a quenching recipe, our operators see the same types of graphics, and that's a big help for them," adds Salminen, who reported that other key benefits of combining Experion and Safety Manager include:
- Standardization across sites. This is critical for enabling a centrally provided support model; it allows programmatic rollout of a common DCS/SIS approach; and it allows standardization down to software revisions.
- Maintenance of BPCS and SIS separation. This means SIS modifications can only be made by central engineering, and not site staff. Also, different programming environments ensure that no one can unintentionally work on a safety function. But everyone can still benefit from using a common operator interface.
- Sequence of events (SOE). Integrating SMS data into Experion simplifies analysis of the root causes of trips, while Honeywell's SOE is a useful tool for root-cause analyses (RCA).
"Experion does the process control, and Safety Manager does the safety shutdown functions, and we're saved by not having to invest in a separate HMI for each," says Salminen.
Just as startups and shutdowns are prime times to implement safety strategies, the same goes for efforts to rationalize and prioritize alarms.
Shortly after undertaking their three-year, $3-billion capital improvement project in late 2014, engineers and managers at Total Petrochemicals & Refining USA Inc.'s (www.totalpetrochemicalsrefiningusa.com) Port Arthur refinery (PAR) realized they also needed to make alarm management more of a priority to avoid potential floods of unnecessary alarms. "Our team reviewed PAR's existing alarm philosophy document (APD) written in 2009 to support the overall capital project, learned that remote operations had little or no input in it, and found the alarms weren't coordinated," says Randy Conley, supervisor of DCS, SIS and APC implementation at PAR. "So we established a core team, and called Honeywell Process Solutions and Missy Jones because they'd helped us with a similar APD project at another Total facility." Jones is principal project engineer in the Advanced Solutions division at Honeywell.
The core team at PAR included: area operations superintendent as management representative; operations project manager for process control experience; process control supervisor; process unit supervisor to help rationalize the first console; and alarm coordinator for console operator setup. Together, they and Jones began developing an alarm management roadmap, including cost, schedule and resources, for PAR's consoles, which would also require management approval. In all, this four-year project is rationalizing and managing alarms on 10 consoles at a cost of $2 million. Each of these consoles runs a DCS, which in turn manages many of the 120 PLCs and 40,000 I/O at the Port Arthur facility. Its 18 process units perform mainly refining for various fuels, though PAR is also integrated with an ethylene cracking unit.
After arriving onsite, Jones conducted three days of interviews and meetings with the core team and all of PAR's other players and stakeholders. "We had a big, core lunch-and-learn with about 50 people on the first day to explain our objectives and get stakeholder buy-in," reported Conley. "Next, we held separate, more detailed meetings with groups of related stakeholders to discuss different elements of the APD. Then, the core team circulated drafts, and held more meetings as required to engage stakeholders and get their agreement."
Thanks to all their gatherings and contributions, PAR's core team and participants successfully completed a draft and made three key modifications to their APD. They streamlined the refinery's alarm MOC, addressed alarm management for PAR's capital projects, began accumulating "typicals" with the first alarm rationalization, and identified and documented several classes of alarms. For instance, the newly streamlined alarm MOC now includes: operator initiates request from MOC shortcut; supervisor pre-approves the request; alarm coordinator completes form after discussing change with operator, and makes changes; HSE completes the send notice, and affected employees sign off; and alarm coordinator closes the request.
"It's difficult to coordinate people and schedules, but we also worked with IT maintenance on some larger MOC issues, and developed a simple, one-page, drop-down form, which is easy for users to complete and send to a supervisor," added Conley. "This is a 175,000-bpd refinery. We usually have about 100 active capital projects under development, and about 75% of those involve our DCS or alarms in some way. In addition, our project managers aren't very process-oriented and are usually more mechanically inclined, so we also worked with PAR's projects superintendent to come to an agreement that the APD would be given to all contractors, and that the alarm coordinator will attend process hazards analysis (PHA) and layers of protection analysis (LOPA) meetings to make sure the APD is followed. This approach will reduce 'alarm inflation' that can come from new projects.
"We just want to get rid of the alarm floods that typically happen whenever there's a plant hiccup."
Innovations smooth safety path
Besides forming partnerships to aid safety efforts, several new software tools and other technical advances are streamlining safety tasks and easing their adoption in many applications. For example, an SRS captures how a safety system is supposed to work, such as which bypasses and delays are needed and how to react to failures, and software tools can then gather data against it, generate reports and recommend configuration changes. However, many of these tasks have been largely manual or difficult to program, and so they often aren't used as much as they could be.
Buddy Creef, sales director at HIMA Americas Inc., reports its HIMax components can read HART diagnostic data inside a safety system to help improve proof testing, or provide alerts before related equipment fails. "Speeding up testing and LOPAs upfront is important, but the real work is following up during the lifecycle, managing changes, and verifying that risk reductions are achieved," says Creef. "This is laborious work, and it's the easiest place to fall down on safety. As a result, several companies, such as Mangan, aeSolutions and Meridium, have developed online or semi-online tools to help users perform these day-to-day tasks.
"Many small firms are afraid to start process safety efforts because they have small applications—30 to 100 I/O points—and they don't know what they can do. For example, they may have an ammonia terminal that needs just three SIFs, and they feel like it can't be done economically. We solve this challenge with our HIMatrix SIL 3 platform for low-I/O count applications."
aeSolutions' Gruhn adds that more users are specifying that their field devices must be independently SIL-certified. "There are pros and cons to this, but it's definitely not the magic silver bullet people would like it to be," he explains. "It's more important to select devices that will actually work in the application, and then properly design things so they'll be testable and able to work in the long run. In addition, many safety devices now have higher levels of diagnostic coverage. This makes it easier to reach higher SILs with less hardware, requiring less maintenance and testing, thereby resulting in more reliable and simpler designs that save money in the long run."
In addition, aeSolutions' aeShield software helps automate the safety lifecycle: it maintains the relationships among risk-reduction targets, performs design verification calculations, creates inspection and test plans for integrity management, and tracks actual historical performance data. It also tracks and analyzes process safety indicators (PSI), raises alerts, and reports on process safety health in real time. Meanwhile, the firm's aeFacilitator software helps users execute HazOp and LOPA studies, integrates their results with SIS designs, and feeds them back into reporting and health meters to keep operations up to date.
Gandy adds that exida's exSILentia software has added PHAx and LOPAx components that feed into its SIL determination tool for building an SRS and conducting SIL verifications. Likewise, exida's SILsolver software helps automate SIL calculations and analysis once the numbers from a LOPA have been entered. The results can also be added to an SRS, and form the basis of a safety system design that guides safety component selection.
Sergio Diaz, DeltaV product marketing manager at Emerson Automation Solutions, confirms that exida's exSILentia software has modules that automate LOPA, SRS, proof testing and other tasks. "We're also in final development on conversion tools and function blocks that automate creation of DeltaV SIS configurations based on their application's SRS," adds Diaz. "This means users no longer have to duplicate their efforts, and can develop projects faster, eliminate errors and improve consistency. We've also seen a lot of interest in integrating control and safety systems on the same network, which means addressing cybersecurity aspects as well. Typically, one layer protects controls performing operations, but added layers are needed when upsets occur that the controls can't handle.
"When safety and control began integrating around 2006, there were different tools and HMIs for DCSs and SISs, and different vendors with isolated solutions. However, this was very difficult, so we began connecting SISs through network interfaces like Modbus and OPC. This maintained separation to avoid single points of failure, and enabled common engineering tools for configuration and HMIs. Safety logic ran on dedicated hardware—we verified and proved separation according to IEC 61511, and recently began focusing more on cybersecurity. For example, our DeltaV SIS has a dedicated, isolated safety network, a safe way to interface with controls, and can enforce a physical presence before some actions are allowed. It also complies with cybersecurity certifications and standards."
To collect data from multiple safety software applications and deliver a unified view of them, Northwest Analytics (NWA) offers its NWA Focus EMI software, which connects different databases including historians, maintenance management and ERP systems. "We can tie in all these data sources, provide an overall view of operations, and give users a better perspective on safety performance from one plant to another," explains Jim Petrusich, NWA's vice president of sales. "We can also establish connections, and run query-centric programs like Spotfire and Tableau for improving business intelligence, but we can also monitor automated controls and ranges in real time, especially during startups and shutdowns."
In addition, Summers reports that SIS-TECH recently launched its own hardware tool for safety. The Instrumentation, Controls and Electrical (ICE)-Tablet combines a third-party Bartec tablet PC with SIS-TECH software for managing process safety inspections and maintenance. "ICE-Tablet reduces the time required to execute turnaround testing of safety and protective instrumentation by integrating documentation, procedures and forms in one platform for efficient field deployment," says Summers. "On-board HART connectivity and data governance reduce entry errors and ensure quality data records. ICE-Tablet eliminates the need to create physical files to support inspection, calibration and testing. The field technician is issued an ICE-Tablet with everything needed, such as specifications, procedures, installation diagrams, manufacturer manuals and forms. HART connectivity allows ICE-Tablet to capture instrument data automatically without manual entry."
Unfortunately, though many of these safety tools and software have been available for years, Gandy adds that they're often unused. "If a facility is covered by OSHA PSM, then it should have functional safety management (FSM) and follow IEC 61511, but many sites have never even been audited," he says. "I've asked operators if they have FSM in place, and they say 'not really.' Again, it just depends on their history and management culture. We're usually called in when an organization has to implement process safety, but we still have to convince management. Last year, I asked some senior managers why they hadn't done process safety before, and there was just silence. It just echoed what Trevor Kletz always said: 'If you think safety is expensive, then try an accident.'"
Safety produces profit
Ironically, even though many process industry managers resist implementing safety programs because of their cost, several experts report that safety can actually add to profits as well as improve staff well-being.
"If they follow a process safety lifecycle properly, conduct maintenance correctly, and log their performance, they'll find over time that their costs are less," adds exida's Gandy. "They're also likely to discover that their safety system is performing better than its original design, and so, for example, they may be able to do proof tests every 24 months instead of the 18 months originally scheduled, which will cut costs even more."
Scott Wozniak, senior process safety specialist at Honeywell UOP's Process Safety Group, reports he's optimistic about process safety because he's seen a lot of progress recently, such as the American Petroleum Institute (www.api.org) developing its RP 754 on process safety performance indicators (leading indicators that precede incidents) and RP 755 on fatigue risk management for plant personnel. UOP is also licensing its technologies to make oil and gas units safer, and is using Honeywell's UniSim software to run dynamic simulations to determine how reactions will turn out before they're run. "Because IoT connects plants and workers, and collects data about them, it can also enable better predictive analytics about when incidents may happen," explains Wozniak. "Data used for predictive maintenance can be used for safety, too."
Safety consultant Ancrum adds, "I expect the safety standards to become more rigorous over time with more regulations on audits, documentation, testing, real failure-rate data collection, and training. The expectation is all hazardous processes will have functional safety systems, and that fatalities in oil, gas, chemical and refineries will become very low. We still have a long way to go to meet this objective. I hope in time that facilities will understand what it really takes to meet these functional safety standards, and have the correct amount of staff and funds to become fully compliant. Current trends are doing the opposite.
"In fact, the Trump Administration is trying to defund the Chemical Safety Board, which does an outstanding job in supporting and pushing for more process safety. I read all their incident reports and learn from them. Their budget is only $12 million, so defunding them will make no difference to the national debt, but it does speak volumes about the new administration's view on process safety."
Dr. Sam Mannan, executive director of the Mary Kay O'Connor Process Safety Center (MKOPSC) at Texas A&M University, adds that he's pushed for establishing a national chemical incident repository with information on incidents and root causes, which might be similar to the CSB or work in concert with it. "It's crucial to answer questions like: Where did the process safety problem occur? Was it due to a training issue? Did the SIS not work, and why? Many of these could be better answered with a national repository that would have failure-rate data, provide lessons learned on how to improve, and help users add to their RAs."