Systematic Assessment, Response Reduce Upgrade Risk

Oct. 1, 2008
Change Can Be Real Risky

When operators and engineers at LyondellBassell’s polypropylene oxide and styrene monomer plant in Channelview, Texas, U.S., recently realized they had a communications problem between their DeltaV v8.4.2 software and their Asset Management Suite (AMS) software, they knew they were going to need an upgrade. The plant’s staff determined that they required a firmware “hot fix” and a migration to DeltaV v9.3 and its SQL Server capability to work with AMS.

However, the plant’s staff also was concerned that their upgrade project might bring up some potential problems for their operations. So they undertook a thorough risk assessment effort and then drafted a response plan with help from Emerson Process Management and its SureService program and personnel. This risk assessment and mitigation effort was crucial to Lyondell’s internal operations and onsite production, but assuring safety at the plant was even more essential because there are schools and a retirement home located nearby.

“You have to avoid and mitigate as much risk as reasonably possible and then implement risk responses.” LyondellBassell’s Willis Skaggs II explained how the company successfully upgraded its DeltaV control systems without impacting production, safety or the environment.
Willis Skaggs II, Lyondell’s systems specialist, Gilbert Montes, Lyondell’s process services specialist, and Sergio Diaz, Emerson’s upgrade team leader, showed how they implemented their risk assessment and response plan during their presentation, “Risk Management in a DeltaV Upgrade,” on the third day of the 2008 Emerson Global Users Exchange at the Gaylord National Resort and Convention Center near Washington, D.C.

As a major plastics producer, the plant’s production costs are approximately $450,000 per day. After start-up, it takes at least 24 hours for its units to reach their maximum rates, and following a trip, these units need extra personnel. Consequently, besides concentrating on their colleagues’ safety, Lyondell’s staff is intensely aware that any accelerated risk of equipment damage could cost millions of dollars. “Risk management includes risk identification, assessment that’s qualitative and/or quantitative and a response plan. These were the methods used at Lyondell,” says Diaz.

Because brainstorming is probably the most often used technique for risk identification, Lyondell used it too. However, before this could happen, organizers had to form a project team. “The team consisted of Lyondell’s engineering and operations department, because nobody understands and knows the process better than its final users; Emerson Advanced Services personnel that had system upgrade experience; a local business partner to help with procurement; and the engineering contractor that originally configured the system,” said Skaggs.

Still, Lyondell was concerned about its upgrade because DeltaV contains functional differences, enhancements and issues to be resolved between versions. “System customization, including graphics and custom logic, is the main source of risk during a DeltaV upgrade,” explained Diaz. “Likewise, enhanced functions could impact present configurations, or some configuration practices could have an adverse impact during a controller switchover. Risk during an upgrade also is a function of system complexity. As a result, process-related risk sources need to be evaluated, as well as process restraints. For example, at Lyondell, process history data must be available at least every 15 minutes for environmental compliance. This is why it’s so important to involve the right people with the right knowledge in each risk area, and then to use a systematic approach for risk identification.”

Once Lyondell’s team members identified all the risks they could, they assessed the impact and likelihood of each. This allowed them to describe risk probabilities and consequences in qualitative or quantitative terms, such as very high, high, moderate, low and very low. They also constructed a matrix assigning risk ratings based on combining probability and impact scales. The matrix document included identified risks, descriptions of each, affected areas, risk likelihood and impact.

“We found that it’s better to not debate too much on risk classification about impact and probability, and instead spend more time on defining risk responses,” said Skaggs.

“In this case, it was important to implement risk responses only for risks associated with the DeltaV upgrade. General process risk already should have been included in the general plant risk response plan.” 

Next, the team drafted its response plan by developing options and determining actions to enhance opportunities and reduce threats to the project’s objectives. These included:

  • Avoidance—changing the project plan to eliminate the risk or condition. To prevent losing historical data, Lyondell renovated its Application Station by defining a secondary historical server, and then upgrading each historical server.
  • Transfer—seeking to shift the consequence of a risk to a third party together with ownership of the response. Lyondell used Emerson Advanced Services and local representative Puffer-Sweiven for this service.
  • Mitigation—simply reducing the probability and consequence of an adverse risk event. In this case, Lyondell renovated its POSM 1 control system and better coordinated it with its water-wash process. 
  • Acceptance—not changing the plan to deal with a risk. This also includes developing a contingency plan to execute, just in case an incident occurs. Here, Lyondell found that switchover had no potential impact.

Skaggs and Montes add that a risk response plan, or risk register, should include identified risks and their descriptions; risk owner and assigned responsibilities; results from the qualitative or qualitative analysis process; agreed responses (including avoidance, transference, mitigation or acceptance); specific actions to implement; contingency and fallback plans; residual risks that remain after agreed response; and any secondary risks arising as a direct result of implementing a risk response.

“You have to avoid and mitigate as much risk as reasonably possible and then implement risk responses,” said Skaggs. “Then, if possible, transfer some risk to qualified parties. Some risks must be accepted, rather than trying unfeasible mitigation actions. However, risk can be accepted more confidently after a proper assessment. Of course, we recommend focusing on risks with higher impact and higher probability. By implementing our team’s risk response plan, we successfully upgraded our plant with no impact on production. In addition, no safety or environmental issues occurred during the upgrade.”