As the days and weeks go on, answers will emerge about this specific accident, but the biggest question will, I suspect, remain unanswered: Why is process safety so hard?
It's not for want of trying. Every time an accident like this occurs, there are detailed post mortems. The PDF of the Baker report on the 2005 Texas City accident alone runs to 300+ pages. The costs are also well-known. In the 2011 Deepwater Horizon accident, the numbers run to the billions. But still the accidents happen.
One reason is because process safety is complicated. It's about managing risk. It's about safety. But it's also about efficiency. Downtime from unnecessary shutdowns wastes both time and money—lots of it. But it's hard to estimate the cost of an accident that doesn't happen. It's about compliance and regulation. It's about corporate culture and basic human behavior. Oh, yes, and these days it's about security—both physical and cyber.
Getting all the pieces of the safety puzzle to come together efficiently, effectively and without breaking the bank is an ongoing struggle.
Is the Struggle Worth It?
But it's a struggle that can't be avoided. Even putting aside any moral issues, economically it's making less and less sense to not take process safety seriously.
"People are realizing good safety leads to both top and bottom line improvements," says Steve Elliott, product director for Invensys Operations Management's Triconex safety family. "Good safety systems generate a +5% improvement in the top line. Bottom line improvements are around cost reductions that can be quantified up to a point. You can reduce production costs by around 3%, capital costs by around 1% and maintenance around 5%."
The real eye-opener is the possible 20% reduction in insurance costs, according to Elliott. "You can have a real conversation with the insurance companies, and use this [potential reduction] to promote safety management," he says. And it is possible to begin to arrive at an estimate of the cost of the accident that doesn't happen, says Elliott. "The machinery industry uses the overall equipment effectiveness (OEE) metric. That approach is coming into the safety environment. [We're looking at] reduction in downtime, maintenance. It's the same kind of measurement. It's now possible, up to a point, to evaluate the costs related to accidents that don't happen. We're now seeing a move to use information from layers of protection analyses (LOPAs) to make evaluations of potential costs. That can be used to break through the barriers."
The Great Disconnect
It's not that companies don't think that safety is important. In a recent survey sponsored jointly by Control and ABB, respondents were pretty clear that safety is no trivial thing. A full 78% of respondents said that one of the key drivers that influenced their safety and safety instrumented systems (SIS) practices was safety incidents and injury prevention, and 65% said standards and regulatory compliance were a big motivation.
But it is, alas, still too common for safety to be given a wink and a nod at many operations. In the same survey, 16% of respondents said their plant's safety systems were not compliant with IEC 61511/ISA 84 safety instrumented systems standards, and another third were unsure. Only 37% of those in non-compliance said they had an established roadmap and timeframe for becoming compliant, and 27% said they had no plans to do so. Another 36% said compliance was "on their to-do list," and we all know what happens to many items on such a list.
Barry Young, an analyst with ARC Advisory Group, observes, "There are still some very old systems out there that haven't been replaced. Why? It's my personal belief that end users kind of wink at you. You have a manager responsible for a unit. The guy wants to move up [in the organization]. He's got a couple of million dollars to spend. If he spends them on improving the unit, he's going to get more props for that than for improving safety. He's going to risk that the unit isn't going to blow up. It's tough to have a five-year plan when you're a quarterly company."
Chris O'Brien, partner at safety and security consultancy exida, also points to corporate culture as a big issue in process safety, and warns of the danger of looking at compliance as the total answer to safety or developing a "check-the-box" mentality. He cites the case of a facility where the feeling was "If we just use the TÜV data, we can get away with it."
O'Brien adds, "I was shocked. Just having the certificate is not enough. If the data isn't realistic, no matter what the certificate says, it's not right. That's not exercising engineering. They're not thinking it through."
The attitude that process industries are dangerous and accidents happen, so deal with it, also is finding less and less toleration.
Johan School, a product manager for Honeywell Safety Solutions, points out, "In North America and Europe, there's a lot of regulation, and everyone needs to comply. There's a lot of incentive to enforce a safety culture. In those countries where there's regulation, there's a sense of not going around the system."
But perhaps as big a driver as legal liability is a shift in the outside culture.
"People are increasingly intolerant of industries that have accidents, especially if those accidents appear to be due to poor management of the associated risks," said Ben van Bourdon, executive vice president of Shell Chemicals Ltd., at the launch event for the Organization for Economic Cooperation and Development's Corporate Governance for Process Safety Initiative in Paris last June.
"Companies are ready to move on from the cost versus risk thing," adds O'Brien. "We don't want to be the guy who polluted the Gulf of Mexico. It comes down to awareness and internalization."
ARC's Young sees this shift in thinking in the market numbers. "What we're seeing is that the process safety system market is growing faster than the DCS replacement market. It's because of high-profile accidents. The C-suite is now paying attention and instituting corporate-wide safety initiatives. Safety has to start at the top."
The Role of Integrated Systems
For at least two decades, the major process automation vendors have been integrating parts of their safety systems with the rest of operations. This trend toward integration is increasing.
"There's a continued move toward greater integration with the control system," says Young. "The systems are integrated, but separate. There's a separate DCS controller and a separate safety system controller, but a common operator terminal and maintenance terminal for both. There are substantial savings from this approach, right from upfront engineering to end of system life."
Among the advantages of an integrated safety system are the cost reductions that come from not needing two completely separate systems; a reduction in the number of PCs necessary in a control room; visibility into what's happening on the safety side on the same HMI the operator is using for control; and easier installation and training.
Blue Skies for Bluewater
Bluewater Energy Services B.V. of Hoofddorp, the Netherlands, learned of the advantages of this kind of integration when it upgraded the integrated control and safety system (ICSS) on a floating production, storage and off-loading (FPSO) ship named the Glas Dowr (Figure 1). Bluewater was refurbishing the Glas Dowr for work in the Kitan oilfield about 500 km off the coast of Australia in the Timor Sea.
The communication infrastructure was replaced with a new one based on a redundant, fault-tolerant switched fiber-optic network to help ensure high system reliability.
The existing emergency shutdown and existing Triconex Tricon fire and gas system were upgraded with new I/O firmware to comply with IEC 61508 regulations. The Tricon system also got new main processors, cards and communication modules. The existing addressable fire detection system was replaced with a new central fire system and detectors, new Tricon fault-tolerant safety controllers and Trident triple modular redundant safety controllers.
That was a massive job, but getting it done on time, no matter the complexity, was absolutely essential. Crucial to the success of Bluewater's business of off-shore drilling is achieving "First Oil." Any delays around that deadline can result in costly penalties and lost production.
"To Bluewater, achieving First Oil on time is critical because income starts being generated for us at this time. Any delays here will have a direct effect on our income," says Ernest Hofstee, senior project manager at Bluewater.
Invensys finished the project in 11 months, so the Glas Dowr was ready to leave the Sembawang shipyard in Singapore in June 2011, arriving at the Kitan Field in early July. First Oil was achieved on Oct. 14 of the same year.
Hofstee observes that part of the success was attributable to having the same people work on the entire system. "In my experience project delays often happen when work is handed over from one party to another. This didn't happen on the Glas Dowr Kitan project. All the work was carried out by the same people, which minimized project delays and disruption."
Not So Fast
There was a time, not so long ago, when SIS and control systems were completely separate, and best practice was to keep them that way from the time of their design until the end of their useful lives. Many companies still follow that practice.
"Safety has been more or less controlled by people of our generation, meaning older," says Dave Huffman, Oil, Gas and Petrochemical Business Development, Chemicals, for ABB. "We expect the safety system to be completely different technology from the regular controller system. Years ago, you didn't have the integration mechanisms you have today. As standards developed in the late 80s and early 90s, wording implied that safety systems have to be diverse, and one way to interpret diversity is to have the control system and the safety system from two different companies. This is the way it's been done, and there hasn't been a willingness to change."
It's also important to remember that the push to integrated systems is "vendor-driven," says Triconex' Elliott. "It does lead to a reduction of overall costs. It gives the ability to see all information from one source, however, when you solve one problem, you may create another one."
An integrated system may create security problems, he says. "Cyber threats make the landscape more complicated. Anything with an Internet connection makes for more vulnerability. Are the safety systems more exposed? What do we do in terms of protection?"
Cybersecurity issues aside, there are other good reasons why end users are often reluctant to integrate these two systems.
Answers to a question about separate or integrated safety systems posed in the LinkedIn Automation and Control discussion group are instructive about the complications of using an integrated system. But they also suggest that the choice of a separate or integrated system is not always an either/or proposition.
One respondent, a certified automation professional (CAP), says, "Risk or the potential for hazard is the main consideration. SIL [safety integrity level] is the measure of reliability of your risk-reduction system. These are two separate things for measurement, though it's obvious the higher risk figure has to be covered by a more reliable system. The automation choices finally depend on the SIL level determined. The most important figure is the PFDavg [probability of failure on demand, average], or the probability that the system will reliably fail in a safe mode when called upon to do so. The event requiring SIS [safety instrumented system] action could be a high/low probability, and thus has a high or low 'demand.' If without the use of an independent SIS, the required SIL level is attained, then you are spared the cost. However, if the risk prevails, you have to improve the SIL level by investing in an independent SIS, which will be one additional layer of protection and improve the reliability by a factor of 10."
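The respondent's arithmetic, and the LOPA-based cost evaluation Elliott describes earlier, can be made concrete. This is an added worked example, not code from the article or from any vendor named in it; it assumes the IEC 61508 low-demand PFDavg bands (SIL n means 10^-(n+1) <= PFDavg < 10^-n) and the usual LOPA rule that each independent protection layer multiplies the initiating-event frequency by its PFDavg. All numbers are constructed.

```python
"""SIL band lookup and a LOPA-style check of whether an independent SIS is needed."""

# IEC 61508 low-demand bands (assumed, see lead-in): the PFDavg floor of each SIL.
SIL_FLOORS = {1: 1e-2, 2: 1e-3, 3: 1e-4, 4: 1e-5}


def sil_from_pfdavg(pfdavg: float) -> int:
    """Return the SIL band a PFDavg falls in; 0 means it does not reach SIL 1."""
    if not 0.0 < pfdavg < 1.0:
        raise ValueError("PFDavg is a probability strictly between 0 and 1")
    if pfdavg >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfdavg >= SIL_FLOORS[sil]:
            return sil
    return 4  # below 1e-5 the standard defines no band above SIL 4


def risk_reduction_factor(pfdavg: float) -> float:
    """RRF = 1 / PFDavg; one SIL step is roughly a factor of 10, as the respondent says."""
    return 1.0 / pfdavg


def mitigated_frequency(initiating_freq: float, ipl_pfds: list) -> float:
    """LOPA: initiating-event frequency (per year) times each IPL's PFDavg."""
    freq = initiating_freq
    for pfd in ipl_pfds:
        freq *= pfd
    return freq


def required_sis_sil(initiating_freq: float, existing_ipl_pfds: list,
                     target_freq: float):
    """Smallest SIL an added independent SIS must have to reach the target frequency.

    Returns 0 when the existing layers already meet the target (the 'spared the
    cost' case in the quote) and None when even SIL 4 credit would not suffice.
    A SIL n SIS is credited conservatively with PFDavg = 10^-n (RRF of 10^n).
    """
    freq = mitigated_frequency(initiating_freq, existing_ipl_pfds)
    if freq <= target_freq:
        return 0
    needed_pfd = target_freq / freq  # PFDavg the new layer must provide
    for sil in (1, 2, 3, 4):
        if 10.0 ** -sil <= needed_pfd:
            return sil
    return None


if __name__ == "__main__":
    # Constructed scenario: a 0.1/yr initiating event, one existing IPL at 0.1,
    # and a tolerable frequency of 2e-5/yr.
    print("SIL for PFDavg 0.005:", sil_from_pfdavg(0.005))
    print("RRF of that layer:", risk_reduction_factor(0.005))
    print("SIS SIL needed:", required_sis_sil(0.1, [0.1], 2e-5))
```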
Integrating your safety system is not an all-or-nothing proposition. One option is to have completely separate basic process control systems (BPCS) and safety systems from the same supplier, but with a common HMI. The engineering tools are also likely to remain separate.
Some companies use a single supplier and similar systems that are interfaced with one another. In this architecture, the two systems are deployed separately. The upside of such an approach is that the similar engineering tools and operational displays make it easier for the operators and reduce training costs. At the same time, the two systems will still need to be separately maintained and managed.
The deepest integration comes with a totally integrated system. The BPCS and the safety system are designed from the ground up to satisfy the requirements of both. This approach is based on common hardware and software, using diverse technology and implemented as one system. The argument in its favor is that it can leverage all the commonalities between the two systems. This architecture enables information, asset and production management to be operated across the entire automation platform.
The CAP respondent goes on to list some of the factors that need to be taken into account: whether the project is for a new plant or an upgrade, the size of the plant, the development and engineering issues, the impact on operations, maintenance and the lifecycle of the system, and the end user's standards, to name a few.
He also suggests that maintenance is easier with separate systems. "Two people can work on troubleshooting hardware/circuits issues at the same time because of separated cabinets, preventing human mistakes in case any work on the DCS leads to a trip from the ESDS [emergency shutdown system]. If there is hardware in common cabinets, there is higher probability this can happen."
exida's O'Brien says, "Even with integrated systems, you have separate controllers. [The separation] sends the message, 'Thou shalt not touch.' If you start blending the systems, people are not going to remember that they can't make changes. You want to keep the safety system separate, so that even mentally operators don't think they can get in and make changes to it."
Triconex' Elliott says, "Objections tend to be driven by application. If it's an upstream application, the last thing you want is an unsafe asset. Security is one of the things you have to think about. The threat is no longer just solely in the process." He adds, "People saw integration as allowing operations to see all the information in one place. OPC UA can integrate data and still be secure. I can have all the information I need and still keep a separate system."
Building a Safety Culture
The fact is, no matter where you come down on the separate/integrated issue, no safety system will be any good if the corporate culture doesn't take safety seriously. The money spent on a good system of whatever kind has to be authorized by the folks on the C-team. If they don't believe that safety is important enough to spend money on, it won't get spent.
And companies that take safety seriously go well beyond installing automated systems, separate or integrated.
In the aftermath of the 1989 Valdez accident, ExxonMobil launched a full-scale, top-to-bottom review of operations and implemented far-reaching actions that today guide every operating decision made on a daily basis, says Patricia Sparrell, automation, optimization and global support manager at ExxonMobil Research and Engineering Co. "The vision was to reorient the company to put the safety of people, facilities and the environment at the heart of everything the company does." ExxonMobil created what the company calls its Operations Integrity Management System (OIMS)—a rigorous 11-point set of elements designed to identify hazards and manage safety, security, health and environmental risks.
But people are at the heart of the system. "Even the best safety systems are ineffective unless they exist as part of a broader culture of safety," says Sparrell. "OIMS is enabled by the belief that leadership influences culture, and culture drives behavior. Therefore, leaders have to set expectations, build structures that support safety efforts, and teach others to do the same."
She continues, "OIMS is not just window dressing, but rather integrated into day-to-day operations. The standard 11 elements and 65 expectations included in OIMS are the same for all employees, no matter where they are in the organization. From there, each business supplements the framework by establishing and maintaining guidelines relevant to its specific activities. Finally, local management systems provide additional guidance, including processes and procedures, responsible and accountable resources, and feedback mechanisms for continuous improvement. There is clear accountability from top to bottom."
At the Hungary-based MOL Group, one of the largest energy companies in central Europe, executives were not happy with the safety performance of the company and wanted to bring it up to a favorable comparison with its peers. In 2003, MOL had recorded 55 lost time injuries (LTI) and a lost time injury frequency (LTIF) rate of 2.6, an indicator measuring LTI cases against one million hours worked. The International Association of Oil and Gas Producers in its 2003 safety performance report recorded an average rate less than half that of MOL—1.16 LTIF—among its 36 member companies.
MOL decided to approach the safety issues in two phases: laying the foundations for an overall shift in mindset and attitude to safety and then building on the continuous cultural change.
MOL brought in safety consultants from DuPont to help. Working together, they developed the Safe Workplaces Project that involved MOL's 14,000 employees. The project covers everything from more training for employees to redesigning helmets and safety glasses to work together better to conducting audits of behavior—on everyone from the youngest operators to the top management.
The audits focus on a dialog with employees about safety, acknowledging positive behavior and convincing them that unsafe behaviors make for unnecessary risks. The next step is to jointly develop a safer approach to the work.
Kornélia Procházková, project manager at MOL Group, says, "Even executives conduct behavioral audits, and when they come to visit a plant, operatives can see that they now wear safety helmets, safety glasses and safety shoes; in other words, the same equipment the operatives themselves have to wear. That sends an important and positive message."
The result of the audits and subsequent HSE action plans was that the number of LTIs dropped from nine in 2005 to three in 2008, and the LTIF rate dropped from 1.53 to 0.6.
But MOL went even farther. It brought in a dedicated DuPont consultant to work onsite to help develop training programs, KPIs for evaluating success, workshops to train MOL employees to be safety experts and make the entire program self-sustaining.
To ensure that everyone in the group knows what is expected of them, all process safety management requirements have now been set out in the new MOL Group PSM Global Operative Regulation. Process safety management has been made mandatory for all hazardous operations, and contractors are given a set of standard requirements they have to abide by if they want to work for MOL Group.
Obviously, implementing such a system takes time, effort, commitment and reinforcement. Good automated systems can help by reinforcing safe procedures and making sure employees can't work around them, but systems can only go so far. At some point, beginning with top management, the decision has to be made that shortcuts are not acceptable, and that taking the time and spending the money to operate safely is mandatory.