Running in place? Starting a playground swing without touching the ground? Effective, long-term process safety?
All these tasks are difficult, and can seem impossible and pointless until a little momentum starts to build. Despite gains in some standards and technical areas, this apparent limbo is where process safety is today, due mainly to entrenched corporate cultures in the process industries that continue to value and demand production and profit over safety and the lives and health of their people.
Granted, more process users and engineers are performing risk assessments (RA), hazardous operations (HazOp) studies, layers of protections analyses (LOPA), safety integrity level (SIL) evaluations and other methods, and even designing and implementing more ISA S84/IEC 61511-compliant safety systems. However, most of the safety programs that do get off the ground still fall woefully short on routine safety data gathering, maintaining long-term safety practices, and adjusting safety systems to integrate new equipment and systems.
"Many control engineers are unaware of functional safety," says Robert Ancrum, an instrumentation, control and safety instrumented system (SIS) consulting engineer in Chicago, Ill. "When I ran the SIS team at one refinery, we gave a presentation of existing, credited independent protection layers (IPL) in one of the refinery control systems. The control engineers were shocked, to say the least. They had no idea they were involved with functional safety. Many control engineers are kept in the dark by the process safety engineers when they take credit for control system functions to mitigate risk. This lack of communication in the safety lifecycle is in violation of IEC 61511 requirements.
"My advice for control engineers is to get involved when you hear that a process hazard RA is being done for your unit, area or facility. Definitely invite yourself to the LOPA meeting. Don't be scared to challenge control system IPLs. From personal experience, they're not easy to manage and proof test, and there are better ways to mitigate process hazards. Process safety engineers believe that control loop IPLs need no special attention as they are always working. This is not correct and again in violation of IEC 61511. There are strict requirements for IPLs in IEC 61511, both for taking credit and managing them.
Update: Treading water
One reason why process safety is stuck in a rut is its standards were passed years ago, and have grown mature without being applied as widely, consistently and routinely as they should be. ISA S84 was first published in 1994, IEC 61511 followed in 2003, and both have been tweaked since then. This safety standards history parallels the fact that many in-house engineering departments were laid off in the 1990s, and continuing attrition due to today's accelerating retirements means many process safety efforts must be farmed out to third parties, if they're approached at all.
"ISA-84 has been around now for 21 years, and people were doing safety systems long before it came out," says Paul Gruhn, P.E., global functional safety consultant at aeSolutions, a process safety engineering and automation consulting firm headquartered in Greenville, S.C. "Certain companies (usually the large, international ones) are doing functional safety well because they have the resources and understand what process safety statistics mean. Other firms are struggling (usually the smaller ones) with others in between. Many small companies don't know their safety statistics, and think they're safe if they haven't had an accident.
"Lots of organizations do initial RAs, but then don't follow-up, monitor and manage their safety. These days, users can get integrated control and safety from one vendor, but they're all very different in terms of separation and diversity of hardware and software. Honeywell’s approach (diverse hardware and software of both) is vastly different than Emerson (similar hardware and the same software for both), which is vastly different than ABB (same hardware and software for both)."
Zachary Stank, product market specialist for safety at Phoenix Contact, adds that, "SILs have gone from few people knowing about them to everyone at least being aware of what they are. This is just touching the surface of getting them to know what each different SIL level means. This transition is also being driven by more users doing RAs, the need for increased upgrades of plants and infrastructures, and more insurance companies requiring safety measures and systems for coverage. As a result, we're also adding hazardous location capabilities to our safety products, such as Class I, Div. 2 relays that can be shipped and used anywhere, or equipment that's ATEX-compliant for use in Europe."
Avoid shiny distractions
Even though process safety is a crucial part of the control and automation field, it's also been overtaken in recent times by cybersecurity, virtualized computing, the Industrial Internet of Things (IIoT) and other more glamorous subjects. These technologies are important, too, but they may be a distraction from the day-to-day focus that process safety requires to succeed in the long term.
"Some colleagues say we need to breathe new life into process safety because its standards have matured, but we're too often distracted by shiny rocks like cybersecurity and IIoT, and chasing them takes our eyes off the safety ball," says Angela Summers, president of engineering consultant SIS-TECH (sis-tech.com) in Houston. "Still, many companies are working really hard to improve and sustain their process safety program. For example, the Center for Chemical Process Safety has seen a steady increase in worldwide membership and has opened offices in other regions to better support their members. The problem with process safety is it's more than a campaign and baseball caps. It requires unrelenting effort every day, grueling gathering of routine safety data, long-term maintenance, keeping teams engaged, thinking more deeply and self-reflecting, especially when equipment and systems are changed.
"The biggest issue that I see is that some users believe the myth that they're guaranteed safe operation simply by buying certified equipment. This is similar to thinking you can build a sports car by buying a few essential parts with impressive pedigrees. Safe automation requires that the entire system be designed and managed to achieve the required performance in the application. The ideal situation is to implement a system that works when it needs to, doesn’t operate spuriously, and rarely needs maintenance."
Summers adds that process safety's maturity also means its practices have become institutionalized, and spread to other points on the process control lifecycle and technical areas, which further improves safety. "The standards and practices initially focused on the last line of defense in preventing process safety incidents—the SIS. Now, it's accepted that the functional safety lifecycle applies to all instrumented safeguards, whether implemented using basic process control system (BPCS) equipment or SIS-rated equipment," explains Summers. "All instrumented safeguards used in process safety applications must be proven to achieve desired performance via testing and metrics.
"There's also more focus on human factors during normal and abnormal operations, since human errors are so frequently a contributor to process safety incidents. The inherently safer strategies of simplify, moderate, substitute and minimize can be applied to instrumentation and controls design to reduce the chance of human error. In addition, increased configuration options for many field devices are increasing the potential for errors. There was once a controller where all logic processing was done. Now, the logic can be resident in the sensor, controller, final element or all three. Configuration management is a significant human factor issue because the potential for error is escalating rapidly."
Ancrum adds that, "Although process safety is a compliance requirement, it still takes a back seat to production. At a conference I was presenting at in 2016 for chemical industry control engineers, I was asked how you handle being asked to bypass safety functions to increase production. The answer to that is, if the safety function is required to mitigate a process hazard, you can't. But it does highlight the pressure control engineers are under when production takes priority over process safety."
More "shalls" than "shoulds"
One positive development on the process safety front is that IEC 61511, second edition, was published in July 2016, and it reportedly includes more prescriptive language. Of course, there's no guarantee these statements will affect plant-floor safety. (See sidebar, "IEC 61511 second edition updates.")
"It's a good jolt for process safety because IEC 61511's second edition not only addresses cybersecurity in RAs and SIS, but its statements are stronger. There are a lot more 'shalls' where there used to be 'shoulds,'" says Steve Gandy, vice president of global business development at exida, a leading process safety certification and software provider. "IEC 61511 has always required performance measurements, KPIs and recording leading and lagging indicators, and many users are getting better at performance hazard analysis (PHA), LOPAs and RAs, and designing safer systems.
"However, where they're falling down is on the back end of IEC 61511. They're often not continuing to record performance data, not recording proof tests, and not running the proof tests at the right intervals, which should be per their safety requirement specification (SRS). The problem is that a lot of users’ data collection systems are weak, and many are lacking manpower, too. This means data lags, incidents, trips, faults, near misses and maintenance proof tests aren't properly documented and/or recorded."
Charles Fialkowski, process safety director at Siemens Industry Inc. and a voting member of the ISA 84 SIS standards committee, reports that it and other safety efforts by users and suppliers have progressed over the years, but their directives sometimes fall through the cracks by the time they reach the plant floor. This is especially true as standards need to be rewritten to address devices that weren't traditionally covered, such as alarms, interlocks and other devices. "A user may have a standalone safety system that's compliant, but its networking isn't monitored or audited. People don't want to violate cybersecurity rules, but they have different interpretations about how to do it, and so it doesn't get done."
Fialkowski adds that Siemens' Safety Matrix software provides cause-and-effect diagrams that show hazard monitoring and responses, which can be followed in a LOPA and sent to operators' HMIs earlier to improve process safety. "Cause-and-effect diagrams for switches are clearer because it can be hard to see data for devices like safety switches in Ladder Logic or function block code," says Fialkowski.
Pete Skipp, process safety manager for Rockwell Automation's Systems and Solutions division, reports that, "The key change in IEC 61511 is that it formalizes how process safety should be applied, and clearly aligns functional safety and cybersecurity. This is useful because there's more awareness of process safety, especially by insurance companies, who are asking how process safety should be managed better, and are attending industry training classes and seminars. Also, federal agencies like the U.S. Chemical Safety Board are seeking more oversight, too."
Ganesh Cherukuri, global process technical consultant at Rockwell Automation, adds that, "Our PlantPAx control system puts its DCS and safety functions together in an integrated control and safety system (ICSS), which can combine BPCS, fire and gas controls, burner management and other functions."
Not surprisingly, cybersecurity is still hogging the spotlight in process safety. "The latest IEC 61511 says cybersecurity needs to be addressed for SISs, but the standard doesn't tell you how to do it," adds Gruhn. "The IEC 62443 series of documents provides the ‘how,' but it’s a very big pill to swallow. This is a very hot topic at the moment, and will remain so for quite some time. There are plenty of consultants in this space because most end users simply don’t have the specific knowledge."
Crippled by culture
Sadly, despite all the study, analysis, recommendations, software and safety components developed recently and over the past 30 years, avoidable process accidents, injuries and deaths continue, largely unabated, because many users simply refuse to employ them. Production is still more important than safety, no matter what promises are made to the contrary. Aside from passing tougher safety laws, which isn't likely to happen anytime soon, the only practical solution is slowly chipping away at existing practices with deliberate, persistent and targeted training, retraining, simulation and encouraging safety team members to speak up and intervene when needed.
"Many process companies still have surprisingly big appetites for accepting risk to their personnel," adds Ancrum. "The tolerable level, or target for their maximum event limit (rate at which workers are killed or badly injured) is a very confidential number that varies greatly across oil, gas, refinery and chemical industries. There should really be nationally defined numbers for this.
"Another challenge for process safety is being overruled by management when complying with IEC 61511 because of time, money or both. This further adds to the risk appetite. Trying to get SIS valves pulled for inspection and testing to see if they are performing per the SRS is the most common example where I have been overruled, even though I was the subject matter expert (SME) and responsible for the performance of the SIS to meet IEC 61511. The updated version of IEC 61511 requires that end users prove that their actual failure rates meet or exceed the requirements of the SRS. This is generally not the case; actual failure rates are worse for field instrumentation. Only the logic solvers get close."
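As an added example (not from the article, nor from any of the companies quoted), the following Python sketches the back-end record keeping that Gandy and Ancrum describe: it flags final elements whose latest proof test is overdue against the SRS interval, and turns dangerous faults found at proof tests into an observed dangerous-undetected failure rate that is compared, through the simplified 1oo1 relation PFDavg = lambda_DU x TI / 2, against the rate the SRS assumed. The tags, dates, intervals and failure rates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ProofTest:
    tag: str         # final element tag (constructed sample data)
    tested: date     # date the proof test was performed
    dangerous: bool  # True if the test revealed a dangerous (fail-to-function) fault

@dataclass(frozen=True)
class SrsRequirement:
    tag: str
    interval_days: int         # proof test interval the SRS requires
    lambda_du_per_hour: float  # dangerous undetected failure rate assumed in the SRS

# Constructed records for two shutdown valves; not from any real plant or SRS.
SRS = [SrsRequirement("XV-101", 365, 2.0e-6), SrsRequirement("XV-102", 365, 2.0e-6)]
TESTS = [
    ProofTest("XV-101", date(2019, 1, 10), False),
    ProofTest("XV-101", date(2020, 1, 8), False),
    ProofTest("XV-101", date(2021, 1, 4), True),    # valve failed to stroke at test
    ProofTest("XV-101", date(2022, 3, 30), False),  # 450 days after the previous test
    ProofTest("XV-102", date(2022, 11, 15), False),
]
TODAY = date(2023, 6, 1)                          # constructed "as of" date for the review
WINDOW = (date(2019, 1, 1), date(2023, 1, 1))     # observation window for failure-rate data

def overdue_tags(srs, tests, today):
    """Tags never tested, or whose latest proof test is older than the SRS interval."""
    last = {}
    for t in tests:
        last[t.tag] = max(last.get(t.tag, t.tested), t.tested)
    return sorted(r.tag for r in srs
                  if r.tag not in last or (today - last[r.tag]).days > r.interval_days)

def observed_lambda_du(tests, start, end, devices):
    """Dangerous faults found at proof test, per device-hour over the observation window."""
    hours = (end - start).days * 24 * devices
    return sum(t.dangerous for t in tests if start <= t.tested < end) / hours

def pfd_avg_1oo1(lambda_du_per_hour, interval_days):
    """Simplified PFDavg for a single (1oo1) element: lambda_DU * TI / 2."""
    return lambda_du_per_hour * interval_days * 24 / 2

def sil_band(pfd):
    """SIL whose demand-mode PFDavg band contains pfd; 0 means below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0
```

With the constructed data, the SRS-assumed rate supports a SIL 2 band at a one-year interval, while the rate actually observed at proof tests only supports SIL 1, and XV-101 is both overdue and was once tested 450 days apart.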
Echoing legendary process safety advocate Trevor Kletz's famous quote that, "All accidents are due to bad management," Gruhn reiterates that process safety must come from the top down and be more than words. "Company leaders must be accountable, and this can be accomplished in two ways," he says. "First, it should be possible to depose CEOs. Did you know that the CEO of BP was protected from being deposed after the 2005 Texas City accident? Courts in a variety of jurisdictions actually protect senior-level officials from depositions if they can show the CEO lacks personal knowledge of the facts in dispute. Second, CEOs should meet with the families of victims because it's been shown that it will change their mindsets and attitudes about safety. It’s true that a plant manager in East Texas went to prison over a U.S. Environmental Protection Agency/Risk Management Plan (EPA/RMP) violation. And the plant manager in Bhopal, India, went to prison as well. That's accountability, but it doesn't happen as often as it should."
Gruhn adds that process industry insurance premiums should be based on how well companies are following safety practices based on leading process safety indicators. "Premiums are already set based on how well a company is complying with OSHA process safety management (PSM) regulations. Leading process safety indicators are just another level of further detail based on lessons learned," says Gruhn. "We also should minimize the downsizing and outsourcing. People working in process plants need to really know it, have ownership of everything that goes on, do more than just manage outside contractors, and be well trained. For example, the Texas City facility had about 150 staff engineers at one point in the past, but by the time of the 2005 explosion, it was down to about a dozen.
"Finally, it won't happen, but we should enforce the old DuPont rule. When a former CEO of DuPont was once asked about process safety, he essentially said, 'Process safety is easy. Just do what the French did 200 years ago. They passed a law requiring the owner of an explosives facility to live on the property with his family.' If every plant manager of a facility covered by OSHA PSM rules had to live on the property with his family, the world would no doubt be a safer place."
Partners reduce risks
Beyond convincing internal personnel and managers to understand the value of process safety methods and use them routinely, some users are also recruiting system integrators, suppliers and other third parties to help them.