How to implement and achieve ROI from process safety - Part 2
Read Part 1: The argument for pro-active process safety
Discussing and analyzing safety in a facility is one thing, but putting a safety project into action is a whole other thing.
To get a safety project underway and make its application and personnel safer, Angela Summers, president at engineering consultant SIS-TECH in Houston, reports that SIS-TECH first looks at the sophistication of the site, existing technology, organizational structure and the abilities of its staff, and crafts a solution that fits all of them.
"There's no one-size-fits-all when it comes to process safety," says Summers. "So, we can begin to determine what a typical terminal with tanks needs by looking at it, but it's safety level can be low enough that it doesn't need a quantitative risk assessment (QRA) or failure modes and effects analysis (FMEA). However, a QRA will likely be needed if there's the potential for a runaway reaction triggered by multiple process conditions, and it will have to apply appropriate analytics and safety equipment. Sometimes switches are enough, while most need fancier diagnostics. We also have to match safety tools with the capabilities of the people, and use the one that lets them achieve their objective."
To conduct a layer of protection analyses (LOPA), risk assessment (RA) or hazard and operability (HazOp) assessment properly, Sam Kozma, safety and control systems specialist at Autopro Automation Consultants Ltd., a Control Systems Integrators Association (CSIA) member in Calgary, Alberta, advises clients to establish procedures and rules, and thoroughly train their team about them. "Previously, there wasn't a lot of understanding about the IEC 61511 standard and how to do a LOPA," he explains. "Today, there's more understanding and participation, and everyone in an organization knows they have to do process safety, even if there is some reluctance. However, the big task is still reviewing the process with the team, and refreshing veterans and rookies on the LOPA process, which is independently analyzing the frequency of safety incidents, and evaluating their causes, consequences and severity. Just refreshing participants on what a LOPA is can speed up the process later because the team can go through more causes/consequence scenarios if everyone is on the same page and has the same understanding of the LOPA process."
Kozma adds that some useful software tools for performing a LOPA include PHA-Pro from Sphera and exSILentia from exida. "You can also just use a Microsoft Excel spreadsheet to make your own grid," he adds. "It all comes down to what the client wants to standardize on. The process industries are always seeking more efficiency, so we're also seeing process safety programs using more As Low as Reasonably Practical (ALARP) principles to determine the risk-to-benefit ratios of their efforts. It also helps that many insurers are learning about IEC 61511 and other standards, and are sometimes offering 5-10% discounts on their premiums. This makes SIS a potential cost center, and that's really good news."
Steve Elliott, senior marketing director for process automation control and safety offerings at Schneider Electric, adds that: "Traditional safety tools are designed to meet specific safety parameters. However, how they perform once deployed might be different from the original design intent. Therefore, as-designed data, such as demand rates, test intervals and time in bypass, should be digitally connected to the as-operating data, so the potential safety risks presented by systems degradation can be assessed in real time, for example, by identifying potential gaps in instrument protection layers and seeing what the real-world impact is on operational safety integrity. By digitally connecting to existing systems and data sources, the need for manual data collection and data handling is minimized, and the new real-time information can then complement the safety information gleaned from existing reports. This digitization provides a more meaningful context than the traditional historical analysis of safety KPIs, enabling personnel to see what’s coming, rather than analyzing incidents after the fact."
Jonathan Carter, risk engineer in the Energy and Power Practice at Marsh, a global insurance broker that's part of the Marsh & McLennan group of companies, advises process control engineers to cooperate with their company's plant-floor operators and technicians. "You have to get away from theoretical assessments and get involved with the people who are running production every day, so you can understand what the real hazards and implications are. Insurers are also very concerned about cybersecurity, and clients need to have good protections in place. The industry as a whole needs to improve its accounting and reporting practices around cybersecurity events. This is another area where we need to talk with the people involved about what the right tools might be, and then add incentives to put patching and other security policies in place."
Adding up safety dollars
Naturally, investors in safety want to know what kind of returns they're getting, and these are coming into clearer focus.
Operations at Repsol's two exploration and production (E&P) plants in eastern Ecuador began in 1994 and 1997, respectively. However, after running productively for almost 20 years, the company needed to update their safety instrumented systems (SIS) to bring them into compliance with its new internal E&P safety standards based on IEC 61508 and IEC 61511, as well as address the aging equipment's obsolescence risks and lack of data visibility for maintaining them.
Consequently, Repsol conducted several risk analyses (RA) in 2013, which included safety integrity level (SIL) and hazard and operability (HazOp) analyses at the NPF and SPF sites to determine what SIS upgrades they'd need to comply with the standard. It also worked with safety consultant exida and Rockwell Automation, and settled on a Allen-Bradley ControlLogix-based SIS that easily integrated with the PLC-5 it would replace, an installed base of Rockwell Automation devices, and equipment from other suppliers. Repsol also installed new fiber-optic networks at the plants for communicating between controllers and I/O racks, and used alarming and events capabilities in the new system to gain better visibility into performance and downtime issues.
“Sharing information across different systems is possible but not always easy, and sometimes it requires bringing in outside experts,” says Marcelo Villegas, project engineer, Repsol Ecuador. “That wasn’t the case with the Rockwell Automation's system, which gave us a clean interaction between the different systems that we had in place.”
Because the NPF plant is smaller with only about 1/4 the capacity of the SPF plant, Repsol used it as a proving ground for the first of the two SIS migrations. The migration at NPF was completed in 21 days, and finished at the much-larger SPF in the same amount of time. Both were completed without interrupting production.
Repsol workers can use alarms and events in their new SIS to access information about system performance to improve troubleshooting if a failure occurs. They can also use real-time performance data to predict where failures are likely to occur to help avoid downtime. “We didn’t have any insights into failures in the previous systems,” adds Villegas. “The new system allows us to monitor every part of the architecture, whether it’s the controller, different I/O racks or a specific output signal. This can help us more quickly identify the root cause of a failure and in some cases anticipate where a failure is likely to happen.”
In the future, Repsol expects its SIS to give it greater flexibility for meeting safety requirements. Both plants presently have SIL 1 safety requirements, but the new SIS gives them SIL 2 performance if they ever need it. should it someday be necessary. “These systems will help us get ahead of potential SIL requirement increases without another SIS upgrade in the future,” adds Villegas.
"In the past, RAs and their results were stored due to compliance requirements, but now they're far more available in digital formats, and can be easily accessed for other purposes," says SIS-TECH's Summers. "RAs along with design and maintenance documents are being made available in common areas for operations, maintenance and engineering personnel, who are sometimes using them to develop metrics to drive improvements. For instance, once they know which devices have repeated failures or which interlocks tripped repeatedly last year, users can better determine what fixes are needed to get those devices off the bad actor list.
"Once RAs and other safety data are freely available, they can be turned into metrics, prioritized according to where it's best to spend time and money, and deliver tangible safety improvements into people's lives. The percentage of companies doing this isn't large, and it's mostly the big guys like Exxon, Shell and Dow that can afford it, smaller players will follow as they see the ROI from eliminating trips, repeated alarms and devices failure, as well as the revenue to be gained from increased reliability and production."
Summers adds the American Petroleum Institute's API 752 standard on process safety metrics describes four levels where users can account for the ROI and revenue from improved process safety:
- Level 1—Monitoring and preventing large events, which has relatively limited ROI;
- Level 2—Monitoring and preventing small events, which also has limited ROI;
- Level 3—Examining metrics for chronic alarms, upsets and shutdowns, and undertaking process improvements, which can deliver greater ROI; and
- Level 4—Managing systems, governance and training, which can resolve problems identified by RAs, improve metrics, and also deliver greater ROI.
"The big players are institutionalizing Level 3, which is where digitalization is taking raw data, and turning it into usable metrics," adds Summers. "Software like SAP does this, though there's still resistance to spending on programs like this. There's still a lot of pencils and paper, and files shelved and stored, but SIS-TECH also provides our Instrumentation, Controls and Electrical (ICE) documentation software for deploying maintenance procedures on mobile devices in the field, entering data, transmitting it to computerized maintenance management systems (CMMS) such as Maximo, Meridian or SAP, and getting it to those common areas for faster analysis, customized presentation by discipline, and better decisions. So, instead of improving process safety because of rules or laws, it will be done because the worst problems are prioritized, and tackled to deliver ROI."
Mike Scott, co-founder and executive vice president of global process safety technology at aeSolutions, a member of the CSIA in Greenville, S.C., adds there's a difference between compliance, which means spending on process safety to avoid breaking laws and jail time, and conformance, which means spending to meet standards and recommendations that are often deemed optional. "As a result, many end users ask, 'Do I really need to do this now, or can it wait until later?' This is because their financial people don't fully understand process safety, and most engineers are not adequately versed in the language of financial justification to intelligently to justify expenditures for rare, high-cost events. There are operations dollars and profits to be gained by keeping applications and plants running versus risk-mitigation dollars spent to guard against loss of containment events that would result in rebuild efforts, lost production, etc. One can ignore spending on process safety or leave it in suspension for years, but it will ultimately stress your kit and set you up for a potential loss of containment event sometime in the future."
To talk about the financial benefits of process safety to their accountants, management and other dollar-focused people, Scott adds, "We must articulate the cost benefits of process safety. This requires establishment of a single, new key performance indicator (KPI) that provides direct line of sight on process safety performance without speaking in process safety-related three letter acronyms, such as SIS, SIL and RRF, which don't resonate with financial staff." Scott reports aeSolutions does with its Functional Safety Index (FSI) as part of its aeShield software.
"If you do a PHA or LOPA on a spreadsheet for a large facility, it can end up as big as the Houston phonebook. However, once a study is completed, it's typically not used to make day-to-day decisions on how to best operate the facility safely,” says Scott. "However, by taking an IIoT view on process safety, protection-layer and instrument-specific data can be extracted from the historian, tied to the aeShield analysis engine, and used to generate FSI, and quickly identify process safety related bad actors. This enables one to have a real-time risk profile available to support day-to-day operations. In doing so, currently invisible process safety related gaps can be identified and cost effectively corrected."
As a result, Scott explains that aeShield begins to build an FSI for a plant by gathering currently stagnant data, such as PHA\LOPA, SIL calculations, SRS, C&Es and test plans, all from disparate sources into one tool. This further enables end users to create libraries that can be copied/cloned to reduce the cost of producing future-like deliverables for similar unit operations. This baseline data is then linked to real-time operating data from the historian and computerized maintenance management system (CMMS). This allows users to quickly review the assumed risk profile versus the actual risk profile. Other benefits include the ability to enhance the quality of future PHAs and LOPAs by easily elevating bad actors, such as excessive time in bypass, excessive demands, late testing or more frequent failures than previously assumed, into the study for consumption by the team.
"These are used to produce an FSI percentage that shows how a plant's being run versus its baseline risk analysis," says Scott. "This allows users to execute intelligent gap-closure initiatives to remove process safety-centric bad actors that are prioritized based on dollars per risk unit.”
Scott adds that an FSI can also be turned into a Functional Safety Cost Impact (FSCI) number or scorecard to further promote the savings that process safety can deliver. Because insurers are getting more involved in these efforts, aeSolutions software can even be used as a real-time meter to help adjust premiums. "The whole idea here is to simplify process and unit safety to one number," he says. "Usually, PHAs and LOPAs are good engineering guesses. Well, with the right software, users no longer need to guess. This software, lets them prioritize the most cost-effective means of removing risk from the business."
More tools to the rescue
While short-sighted humans and many of their organizations continue to drag their feet on safety, digitalization and other technical innovations continue to race ahead with useful solutions for avoiding accidents and injuries—including some that coax users into better safety habits.
For instance, just as digital documentation and common collaborative areas enable better safety practices, other software can coordinate the players and performance in process applications and facilities. "There are more faces onsite than ever, including corporate engineers, EPCs, OEMs, subcontractors and others, and one party may not understand how it's impacting the others. The result can be a domino effect, in which factors that aren't supposed to line up and cause an accident do it anyway," says Tim LeFevre, global customer marketing manager for safety systems at Honeywell Process Solutions. "Because process safety has been slow to change, many third- and fourth-generation safety systems are still based on original designs from 30 years ago.
"What's changed is faster systems driven by faster microprocessors, layering on software, diagnostics and data, and trying to turn resulting bombardments of data into useful information. Likewise, new software application layers are joining existing SISs, and these include Honeywell's Process Safety Analyzer (PSA) application that runs on a server, talks to the safety system, and monitors that the right safety sequences are followed or if any devices aren't working properly. Also, our Field Device Manager (FDM) software shows field devices attached to safety systems, identifies devices failures, and provides detailed device information onscreen, so users don't have to go into the field."
Unlike paper documentation that's hard to track and slow to respond to, digital dashboards present more data faster with daily, onscreen reminders for better performance. "We've seen clients with critical loops in bypass for a couple of weeks for maintenance reasons, but they were neither reminded nor aware their system was operating in a degraded state that's less than the safety requirement. Our dashboards can take alerts and alarms from PSA and FDM, and push them to our Experion DCS. We can also use PSA to show if a device is running at a certain SIL level, or if the system is running in a degraded state due to a bypass."
Rather than linking a DCS and safety system using a traditional SCADA master/slave polling protocol, LeFevre reports Honeywell is assisting users with its Controlled Data Access (CDA) proprietary communication protocol. It runs on fault-tolerant Ethernet (FTE), and lets controllers talk peer-to-peer, allowing various plant sub-systems such as burner management systems (BMS), fire management, emergency shutdown (ESD), machinery control and HIPPSs to be securely integrated to the Experion DCS. "CDA is a publish-subscribe protocol that allows databases for safety systems to publish data to the network, which eliminates the need to maintain multiple databases and lets other nodes consume data as needed," explains LeFevre. "When upgrading the Experion DCS or safety system to a new revision level, you don’t need to worry about reconfiguring data points on either system like you would with a SCADA configuration. For example, all safety related alarms and events are automatically available to the FTE network and displayed on the Experion operator consoles without the need for any additional engineering or configuration. By default, all safety points are read-only, providing an additional layer of data transfer protection.”
In fact, Honeywell and aeSolutions reported Aug. 7 that they'll integrate aeShield into Honeywell's Process Safety Suite software. This integration pairs HazOp/LOPA, SRS, and SIL verification requirements in aeShield with Honeywell’s Safety Builder, PSA and Trace software to give users visibility throughout their process safety lifecycles.
Similarly, Brent Frizzell, U.S. product marketing manager for level at Endress+Hauser, reports that Endress+Hauser helps guide users on starting safety programs; incorporating safety-by-design in applications such as alkylation units and ammonia processes; and making engineers aware of data they can use to move from reacting and trying to control incidents after the fact to predicting and preventing incidents before they occur.
"Along with all the information that's more accessible due to digitalization, there's more data that can be used for safety," explains Frizzell. "It's moving from analog devices with individual variables to digital communications that can monitor multiple variables, and alert users about process, health and safety issues. Users can go beyond just looking at pressure to monitoring how often an overpressure limit was exceeded, and whether that number indicates a possible safety issue. Having this data accessible allows engineers and system integrators to make more educated decisions and designs, and lets users go from doing a regular RA to doing a full safety audit of their installed base including operations and people."
Not coincidentally, Endress+Hauser recently developed its Risk Analysis Excel Tool software that can, for example, help review and grade the population of a tank farm, evaluate their age and condition, examine the volatility of their contents, rank them by overfill risk, and prioritize which to repair first.
The tool consists of three pages, including its Operational Performance sheet (OPS) for gathering data about the tanks, Main sheet for grading likelihood factors related to an overfill and consequences, and Ranking sheet for adding tank age and final risk scores that are presented as a visual and quantitative bar chart. The supplier reports its Risk Analysis Excel Tool empowers any tank farm or terminal to perform an API 2350 standard risk program.
Several important changes have been made to IEC 61511, Parts 1, 2 and 3, second edition, "Functional safety—safety instrumented systems for the process industry sector." It was released in 2016, and adopted as U.S. national standard, ISA-61511, in late 2017 by the ISA 84 committee.
Angela Summers, instrumentation, control and safety instrumented system (SIS) guru, and president at engineering consultant SIS-TECH (sis-tech.com) in Houston, reports significant modifications to IEC 61511, second edition, include:
- Evaluation of existing SIS is covered by functional safety management. Changes to the SIS must meet IEC 61511. (See Summers’ article, "Does your existing SIS get the job done?")
- Functional safety assessments must now be performed periodically throughout the SIS’s life.
- Risk reduction claimed for a basic process control system (BPCS) is limited to two protection layers for a total risk reduction of 100 because the BPCS is not designed in accordance with IEC 61511.
- Multiple instrumented safeguards claimed for the same hazardous event must be evaluated for common cause and systematic failures. Risk reduction claims >10,000 must be justified based on quantitative analysis of systematic failures.
- Compensating measures are needed to address risk when a SIF is out of service for any reason while hazards are present.
- Security risk assessments must be performed on SIS to identify cyber-threats and the countermeasures necessary to enhance SIS resilience.
- More emphasis on monitoring performance of the installed SIS in the operating environment and verifying reliability assumptions made during design.
"Control engineers need to be aware of IEC 61511 because it impacts how control and safety systems are integrated with plantwide systems and operator interfaces,” adds Summers. "There's a common misconception that if you're not personally responsible for a SIS that you don’t need to worry about it. However, the control system engineer is responsible for ensuring that the control system only communicates approved information to the SIS and that the operator interacts with the SIS in a manner that sustains safe operation.
"For U.S. industry, the compliance clock started more than 20 years ago. Many refineries and chemical facilities have been working with ISA and the Center for Chemical Process Safety (CCPS) to publish cost effective and practical approaches for compliance. People new to the standard may feel overwhelmed on first read, but there are thousands of pages of guidance and multiple training courses to help them catch up.”
To aid the hardware side, Zachary Stank, product market specialist for safety at Phoenix Contact, reports that SIS controller suppliers have developed devices with supervisory modes based on output pulses from their logic cards, which can indicate if they're working properly and display this data through the controller.
"Similarly, Phoenix Contact's 6- and 12-mm PSRmini safety relays use input relay card pulses and disrupted output card pulses to secure diagnostics on relay and end-devices using one wire instead of the usual two wires," he says. "PSRmini includes SIL-certified modules for safe deactivation such as emergency shutdown and safe activation such as fire and gas. Thanks to the safety relays’ internal logic, the fail-safe PLC does not require any feedback to the safety-related inputs. In addition to reducing space and material requirements, PSRmini has simple diagnostics directly at the device or controller, which can reduce downtime. The safe coupling relays can be used in potentially explosive areas, simplifying the design of distributed concepts."
On the PLC programming frontier, Amir Kaufman, cofounder and COO of WonderLogix, reports its WonderLogix Studio software based on object-oriented design principles improves safety by taking plain-English instructions from engineers, and converting them to PLC code automatically, which eliminates many of the errors in manually written control programs that contribute to unsafe situations and events.
"In France, 20% of publicly disclosed process safety incidents are caused by PLC program errors, but no one believes how bad this situation is," claims Kaufman. "Regular control programs are such a mess because engineers get functional specifications based on process steps, but nothing is defined, and they write programs without a uniform language. It's very primitive, and it hasn't changed for 40 years because there are very few suppliers with little will to change. As a result, coding mistakes and errors in programs can shutdown a process and cause economic losses and safety issues. WonderLogix Studio defines logical sentences, creates specifications, builds software models, automatically converts to code, and gets rid of manual programming that's an obstacle to accuracy. We also design automatic checks and validations, such as prompting users to add an unlatch command after they've added a latch command for a locking device."
IIoT piles on
While process safety is greatly aided by new software and other tools, digitalization and IIoT provide organizational benefits that extend the gains of individual solutions.
"A completely digitalized database management system encourages consistent documentation and synchronization of updates across the database," says Toshiki Ogawa, product manager, Systems Business Center, IA Systems and Service Business, Yokogawa Electric Co. "This form of automated management of change helps uphold the overall consistency of safety system information, and allows smooth product execution. Also, easy access to historical safety records simplifies the regulatory auditing process. Being able to track, identify and remove unauthorized changes on the SIS is an important benefit to mitigate cyber threats."
Schneider's Elliott adds that, "Emerging IIoT technologies, when appropriately applied, can help manufacturers move from managing their process safety as a cost center to controlling it as a profit center. For example, the IIoT opens the door to forward-looking perspectives that enable plant managers and operators to accurately predict when their operations will exceed acceptable safety thresholds. Predictive analytics can be configured to identify looming threats to equipment assets. Also, new tools that adopt a digital twin concept allow testing in a virtual environment before actually implementing any recommended change to the process. This greatly reduces safety risks because the impact of the change on all possible variables can be evaluated before it is applied to production. In addition to the benefits in safe process design, digitization increases the awareness of issues through more efficient alerting, with the ability to distinguish between meaningful and nuisance alerts. In this way, the information delivered to safety experts has already considered the safety risk procedures and process constraints."
Joining the lifecycle
Beyond viewing process safety as an investment, some equally enlightened users are also integrating process safety into their overall lifecycle plans for their applications and facilities.
"Regardless of the current enforcement environment, my advice is it shouldn't be the only reason to do process safety or not," says Dr. M. Sam Mannan, PE, executive director of the Mary Kay O'Connor Process Safety Center at Texas A&M University, who just passed away on Sept. 11. "Safety is integrally tied to productivity and sustainability, and many companies that don't do well on safety probably don't perform well in other areas and probably won't stay in business very long. One process industry executive told me that, ‘Every molecule of chemical that leaves my facility due to an accident is one molecule that we can't sell as product.’ This is why safety is about more than following rules; it's also about keeping product in pipes and vessels, so it can generate revenue."
Mannan adds the Mary Kay O'Connor Process Safety Center is researching how human factors engineering, situation awareness, operator resources training and other emerging technologies can be used to improve process safety. "We're seeing that software and digitalization can help where rules haven't been applied," he says. "This goes beyond P&ID to bring in methods related to machine learning and artificial intelligence (AI). We don't know how well they'll aid safety yet, but we're looking deeply into them.
"We're also working on human-systems integration and engineering. Process applications generate huge amounts of data each day, so we're looking at how the information from an optimal, 'blue sky' day can be used to predict and prevent accidents. For example, heart attacks are rarely triggered by isolated or immediate causes. Instead, the conditions for them take years to develop, and provide early indicators of the risk that lay ahead. Process applications and plants have similar harbingers about incidents that will happen in two to five years, but can be dealt with now if everyone involved is willing to do it."
Yokogawa's Ogawa adds that: "SIS vendors are increasingly adopting holistic approaches to identifying and managing risks. The pervasiveness of big data and IIoT are key enablers for ad hoc data management and development of service-driven business models. This lets end users engage their vendor to provide robust, enterprise-level services that are correlated with monitoring and management of the plant's functional safety, with the selected vendor providing operational support when required."
Stefan Basenach, group vice president of process business segment at HIMA Paul Hildebrandt GmbH adds that, "Today, a holistic lifecycle approach should form the basis for any process safety concept. Within this concept, a regular review of all initially performed hazard and risk assessments should be standardized and implemented. Similarly, implemented processes and technology also needs to be a part of a regular review and/or investigation. This also includes a performance review of the installed technology and procedures in place. On top of these, should be the lifecycle management process as a permanent task to audit and improve the quality and effectiveness. Within this task, it needs to be recognized that, specifically for the subject of security, the cycle of reviewing security threats has to be higher than for typical safety matters."
[sidebar id=5]