If you want something done right, you have to do it yourself. This old aphorism was never more true than when applied to process safety—at least in the U.S. and other backward regions.
Lip service about valuing employees' lives and health masks often insufficient safety mechanisms and scant training in many process applications, facilities and industries. Intractable corporate cultures still view safety as a drag on productivity. Toothless federal, state and local regulations provide little if any prescriptive requirements, grandfather in potentially dangerous processes and facilities, and enforce after the fact with slaps on the wrist. And, despite an unending series of accidents, injuries, deaths and environmental damage, federal and state legislators and owner-operators typically only call for less regulation—leaving victims to rely on inefficient, unevenly applied "regulation through litigation" that doesn't make other applications safer in the long run.
In short, it's clear that uptime and short-term profits are what's important, and people are not. Bottom line? If you're seeking process safety for yourself, your co-workers and your organization, you're on your own.
"In the U.S., the process industry has lived through the aftermath of the Texas City and Deepwater Horizon events. This has resulted in many companies expending significant monies attempting to educate workforces on the importance of critical protection layers such as basic process control systems (BPCS) and/or safety instrumented systems (SIS), but even with the best intentions, we've often failed miserably," says Mike Scott, co-founder and executive vice president of global process safety technology at aeSolutions, a member of the Control System Integrators Association (CSIA) in Greenville, S.C. "In order to make a step change in process safety performance, a paradigm shift in how we make risk-based financial decisions and ultimately how we operate facilities is mandatory because what we've been doing up to now isn't working.”
Scott adds there seem to be three tiers of process industry companies when it comes to process safety:
- Tier 3—Doesn't necessarily care, and wants to limit any extraneous spending;
- Tier 2—Wants to do what's right, but doesn't necessarily know the most efficient way to do so; and
- Tier 1—Practice best-in-class class process safety performance, but is very much in the minority.
"If you ask any of the above companies to operate a pressure vessel without a relief valve, they'll most likely become very adamant about not doing so. However, if you ask these same companies to bypass a SIL 2 safety function, which carries the same level of risk reduction capability as a relief valve, many of the Tier 2 and 3 companies will start the bypass paperwork. Unfortunately, right now, this is the norm instead of the exception in the process industry."
Brent Frizzell, U.S. product marketing manager for level at Endress+Hauser, adds: "While there is some regulation of SIS design and testing, there are many processes that should have process safety in place, but haven't implemented it more than likely due to lack of resources. Based on experience in the field, there's a lot to be done in the industry, which talks about SILs for worker safety, though implementing has been challenging. Safety is always an important topic, and new technological developments can help take some of the burden off the industry. Implementing these new technologies will help prevent accidents, instead of an accident occurring first and a plant having to take that responsibility and ownership."
Despite this historically negative tide, evolving process safety standards and a growing crop of software solutions are giving users some tools to eke out safety gains on their own.
"The process safety environment in Canada is similar to the U.S. in that it's mainly self-regulated and has recommendations that until recently weren't required by law," says Sam Kozma, safety and control systems specialist at Autopro Automation Consultants Ltd., a CSIA-member control system integrator in Calgary, Alberta. "However, some multinationals have adopted safety standards like IEC 61511, and we're also seeing them infiltrate some rules, such as provincial regulations or burner codes. For instance, the Canadian Electrical Code has adopted IEC 61511, and on Feb. 1, it's also scheduled to become part of Alberta's regulations. Other provinces are currently reviewing the code, and will adopt it within the next 6-12 months, but there's still a lot of debate going on."
Kozma adds that Autopro often works on high-integrity pressure protection systems (HIPPS) that are typically linked to natural gas processing and bitumen processing inlets, and manages HIPPS proof test data that's part of the documentation automatically collected from the SIS for reports, analysis, historization, storage and referrals back as needed. "Proof testing is key to the safety instrumented functions (SIF) of HIPPSs and SISs in general, and results are used to ensure that safety integrity levels (SIL) are maintained, and identify issues so they can be fixed before failing on demand," he explains. "Plus, with the greater availability of digital formats we have now, we can refer back without writing everything down in a file, which means we can typically reduce proof test staffing by one person."
Zachary Stank, product market specialist for safety at Phoenix Contact, adds that, "The biggest changes in the past couple years have been updates in the U.S. Occupational Safety and Health Administration's Process Safety Management (PSM) standard and in the International Electrotechnical Commission's IEC 61511/ISA 84 process safety standard. "PSM's basic content didn't change, but some amounts and items are different. With IEC 61511, everything is now about the lifecycle. Much of the push is coming from insurers, which are demanding full hazard and operability (HazOp) studies, SIS analyses and SIL 1, 2 and 3 designations.
"Consequently, while process safety in the European Union (EU) is still linear from concept to decommissioning, and OSHA still enforces after the fact, process industry firms in the U.S. have come a long way in adopting more safety requirements. In addition, more equipment is wearing out, which means less can use grandfather clauses to avoid safety updates. Also, increased awareness of possible cybersecurity intrusions and attacks, especially on SISs, is causing more users to look at their safety infrastructures, too. In fact, the 2016 update of IEC 61511 even includes a clause requiring security risk assessments (RA) to identify SIS security vulnerabilities."
Rules and standards penetrate
Though effective regulations, enforcement and outcomes remain woefully inadequate, mainly in North America, longtime observers report that process safety standards, awareness and requirements have been making slow but steady gains over the years.
"Things haven't changed much. Whenever you open a newspaper or watch TV, process accidents continue to be reported with regularity. Plus, there's still no tracking of incidents at the national level, so if you ask government, industry or academia how many there are per year, no one can tell you," says Dr. M. Sam Mannan, PE, executive director of the Mary Kay O'Connor Process Safety Center at TexasA&MUniversity, who just passed away on Sept. 11. "However, some people say we're doing a lot better on process safety, and I can't deny that as discipline, it's grown extensively in the last 20-25 years. I think more people and organizations know and want to improve process safety internally, but they don't want to publicize it, so the problem will go away sooner. For example, they know if they're working with problem chemicals, understand the consequences of using them, and can study and analyze where they need to spend resources on safety. However gradually, process safety standards of care are starting to penetrate. At first, only operating companies would try it, but in the past two decades, contractors, system integrators, OEMs, process suppliers and insurers have been getting involved, too."
Mannan adds their main guides to process safety include the 14 elements of OSHA's PSM released in 1992 and IEC 61508 and IEC 61511, which puts more responsibility on designers, OEMs and control suppliers to comply with the standard.
"OSHA and the U.S. courts are also increasing their emphasis on Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)," explains Mannan. "So, when a plant blows up and the owner points fingers at engineers, system integrators and suppliers, and says the plant's 1970s equipment couldn't be expected to achieve the same performance as 1990s technology, the courts can respond that a basic standard of care is equipment that satisfies RAGAGEP. For example, in ammonia storage, it's well-known that double-walled containers are a good idea in practice, but is this RAGAGEP? It is if most suppliers sell double-walled containers and most users employ them.
"If a plant blew up 10 years ago, the current owner could argue that it was built 40 years ago, they got it in that condition, and so they're not responsible. This argument is becoming more and more unacceptable. Mostly the federal and district courts are now telling owners they're responsible for not keeping up with reasonable technologies. In addition, based on the losses they may experience, the insurers are ahead of the courts, and asking owner-operators for RAGAGEP as a minimum requirement."
Erik Mathiason, product manager at Emerson Automation Solutions, adds: "IEC 61511 provides guidance on how a safety system should be implemented and how to maintain the system over time. One decision that a safety implementation team must make early in the evaluation process is whether to adopt safety loop components that are compliant with IEC 61508, or use conventional components and justify them by citing proven-in-use principles. One advantage of compliant components is the benefit of being able to use manufacturer- or certification agency-provided failure rate values that include a useful life for each component and recommended proof tests to detect failures. These can all be included in the probability-of-failure calculation required by the standard to provide guidance on the proper maintenance strategy the engineer should implement."
Insurers arrive, market matures
Because of the present regulatory vacuum, some industrial insurers have been taking a more active role in pushing for process safety—with some even offering premium discounts.
"The EU-wide directive Seveso III requires companies to identify hazards, and have policies in place to prevent and mitigate them, with higher risk sites filing reports, and regulatory authorities assessing them," says Jonathan Carter, risk engineer in the Energy and Power Practice at Marsh, a global insurance broker that's part of the Marsh & McLennan group of companies. "Many insurers prefer this proactive approach, and have ramped up their involvement in recent years. It's now a core topic at many sites."
Carter reports that in many European countries such as Spain, process industry firms have been very proactive in adopting and complying with Seveso III, while other regions have a different regulatory framework. "A lower complexity of regulation in some developing countries can present more of a challenge. Although there may be high-level discussions about process safety, there may be little action on site," explains Carter. "We believe that the U.S. has chosen to follow a rule-based, reactive regulatory approach. As a result, some process industry companies may do enough to comply, but stop there.
"The regulatory process in Europe uses a more goal-setting and RA-based approach, and requires the determination of the safety of processes and facilities beforehand. This approach puts barriers in place to prevent accidents from occurring, and manages them by prompting firms to ask, ‘what would happen if they fail?’ They make sure there are no gaps, and then prompt reexamination if something does fail. These barriers include inspection of plant, DCSs, staff competency, emergency shutdown systems, overpressure protections, as well as critical engineering and managerial system to help prevent accidents."
During a typical site visit, Carter adds that Marsh brings along insurer representatives, and usually spends three days onsite talking to operators, engineers and maintenance personnel, inspecting equipment, and drafting reports that support the underwriting process. “We try to present a clear idea of the risk at a site and the adequacy of the measures in place to manage it, and usually conclude with recommendations if we see gaps," adds Carter. "We're not an enforcement organization, but we hope that these reports do influence behaviors. A bad example of risk management can result in higher premiums, and improvements can reduce premiums. This is a soft power approach, rather than the hard power of actual regulations. We hope that this works in a drip, drip way to affect change, but it does influence the bottom line. Users’ responses vary. While safety performance worldwide has improved, accidents still happen every week and month."
In addition, Angela Summers, president at engineering consultant SIS-TECH in Houston, reports the process safety market has matured from the 1990s, when the first SIS standard was introduced, there was little competition among service providers, and just a few specialized safety products. "In the 2000s, there was huge growth, lots of new players in the market, and suppliers offering everything from sensors to final elements, and all types of software for RAs and performance analysis," says Summers. "In today's mature safety market, vendors must show value and sustain it. The pervasive attitude is still that safety is a drag on costs, but players in this market are looking at process safety's return on investment (ROI). They'll do an RA, but then ask did it actually made the plant safer? Or, was it followed up with installed safety devices, training and written policies and procedures? Unfortunately, a lot of money gets spent on safety without making changes on the front lines of process applications and operators day-to-day jobs. There's also pushback, so what's needed is fewer safety studies and more material changes."
Reason to invest
Morality aside, probably the most powerful incentive for evaluating and improving process safety is that it can pay solid dividends, and not just in hard-to-measure incidents that were averted.
"More users are beginning to think of process safety as a good investment, and we've found that any RA we've been involved with has saved money," says Kozma. "This perspective of safety having an ROI for safety has to start from the top down. The CEO has to be onboard, so everyone will know it has to be done. You have to talk about the cost of accidents, downtime and product not getting refined, which means customers will go elsewhere and likely not come back."
Once management is committed to process safety, Kozma reports the rest of an organization's people must be convinced to buy in as well, usually by a safety team of their peers. "I facilitate layer of protection analyses (LOPA), and these teams work hard to understand process safety, and secure buy-in and participation," he explains. "If people don't buy in, they won't learn how process safety works, so we try to get everyone to work together and gel. This facilitation gets easier as the safety effort moves forward because the team members are the ones who know their process best."
In fact, Kozma adds that many adversarial conflicts can be resolved when participants learn that performing a LOPA can help them get what they need for their applications. "We worked with one licensor in western Canada a few years ago, who had a specific idea about what they wanted for their protection system, while the owner wanted to do as little as he could," he says. "These were two sides of the same team, but by initially pushing the LOPA to further their own agenda, they began to realize from the debate and learning during the LOPA we conducted that they all wanted the same things from their safety system. The client even came up with protection layers that the licensor hadn't thought of, such as an independent shutdown system.
"Both sides eventually agreed on what was really needed where, and everybody won because the facility was safer and they also eliminated unneeded SIFs where they already had enough layers, and added them where there were gaps. For instance, they changed the design case for their pressure safety valves (PSV) from a fire case to a full-flow case based on the amount of energy the PSV would release in an incident, and found their existing pressure relief was adequate and that a SIF wasn't needed. However, they also learned that the pump cavitation scenario isn't always caught by a HazOp, and so they added a low-flow SIF."