Read the full series!
Despite the pandemic, bad weather/lacking utilities and digitalized upheavals, some observers report that process safety continues to progress along several longstanding pathways.
"The process safety field is still pretty healthy because many companies have high-quality process safety management (PSM) programs, and have installed independent protection layers (IPL) and safety instrumented systems (SIS). However, now that they've arrived at the support and maintain phases, it's also becoming more of a challenge to justify funding as they transition to needing operating expenditures (OpEx) after the capital expenditures (CapEx) are gone. Plus, it's harder to justify these costs and maintenance lately because COVID-19 is often preventing personnel and contractors from getting onsite," says Jacob Morella, industrial cybersecurity technical project team manager at aeSolutions, a consulting, engineering firm and CSIA-member system integrator in Greenville, S.C. "Nonetheless, they're interested in digging into safety calculations to determine how long they can extend maintenance intervals while still meeting safety requirements, instead of just unilaterally postponing them. Attitudes about process safety are continuing to change. Safety is becoming more ingrained in the culture of more organizations, and we're seeing less workarounds. It's become a normal part of operations and management of change (MOC) functions."
Even though smart sensors can deliver data via the Industrial Internet of Things (IIoT) to servers and the cloud, Morella reports that IIoT isn't widely used for safety for a number of reasons, including safety, security and integrity of the data. Latency is also an issue because the data polling rates of many devices are still too slow for process safety alerts and alarms. "We're seeing more of a change when IIoT systems are installed in lieu of regular controls for monitoring," explains Morella. "However, even when an IIoT device is deployed solely for monitoring, its users must also address cybersecurity because it can introduce critical vulnerabilities if network segmentation and other security requirements aren’t considered. There's a big push to add IIoT components to production areas, but these efforts need to bring in operations technology (OT) and site control engineers to make sure everyone is comfortable with the deployment, and agrees on its ownership and who's responsible for it."
Morella adds that process safety principles are even more relevant to cybersecurity since the recent approval of the IEC 62443-3-2 standard, which provides recommendations for cybersecurity risk assessments (RA) in industrial automation and control system designs. aeSolutions performs cybersecurity screenings and Cyber PHA RAs for its clients, which gather and update a client's support documents and network layouts; perform screening of process hazards analysis (PHA) and layers of protection analysis (LOPA) to look for vulnerable scenarios; examine their systems and automated functions to evaluate cybersecurity risk; and prioritize remediation projects based on that risk.
"Cybersecurity risk can also impact process safety, which is why security RAs are needed. If you're using a cloud service to feed optimization data or instructions to controls like an advanced process control (APC) does, then that system needs to be made secure," says Morella. "A good example of a common best practice is limiting data transfer to specific points, adding guardrails on process setpoints that limit how far external systems can adjust controls, and ensuring that operations can maintain and override external adjustments when needed."
Even though it's difficult to digitalize and use safety principles to improve the cybersecurity of systems, Morella reports these challenges are very similar to tasks required in the past. "When OSHA's process safety regulations for hazardous chemicals took effect in 1992, many plants had to do retrofits, install SIS to satisfy their PHAs, and revalidate their PHAs every five years. There are a lot of parallels to the digital transformation challenge they're facing now," says Morella, who was referring the U.S. Occupational Safety and Health Administration's (OSHA) 1910.119 standard, "Process safety management (PSM) of highly hazardous chemicals." "The good news is we've learned so many process safety lessons over the past 30 years that we can’t afford to ignore, and must apply beyond the usual equipment to new systems like IoT and cloud services as we deploy them. The biggest idea is that we can’t just apply safety and security to individual systems. We also need to address the policies and procedures they'll need during their whole lifecycles, promote system ownership, and provide the training users need to support them. As digitalization and IIoT systems become more integrated with existing control systems their impact on process safety will increase, and closer integration with cybersecurity best practices will be needed. Just as process safety evolved from often being seen as something to work around into a normal part of controls engineers’ routines, cybersecurity will go the same way. Cybersecurity will be the responsibility of everyone, not just a few people, and will be incorporated as an accepted and valued part of all their job practices."
