Why Is Safety So Hard?

May 4, 2008
Are Accidents Caused by Poor Safety Standards or by Poor Implementation?

By Dan Hebert, PE

Accidents and incidents occur in process plants on a too-regular basis. Why? Is the root cause incorrect and incomplete standards? Or do most accidents occur because mostly correct standards are not implemented as intended? Getting the right answers to these questions is critical because wasting time and money implementing bad standards diverts resources from preventing accidents.

For the most part, process control professionals think that safety standards are correct—with a few important exceptions. “I think the basic theories and standards of process safety and alarm management are right and are not the cause of most incidents,” says Lothar Lang, Ph.D., consulting engineer for control systems and electrical engineering at chemical giant LyondellBasell, Rotterdam, The Netherlands.

“Problems occur because standards are not known, are not enforced or are not followed thoroughly. It is one thing to have the theory and another actually to put it in place and have it working,” he adds.

Gene Niewoehner, the director of environmental, health and safety at systems integrator, Maverick Technologies, agrees with Lang. “Safety theories and standards are correct and accurate,” he says. “The theories are based on physics, chemistry and available technologies to control conditions and a series of sometimes unrelated events which can result in catastrophic failure. The safety standards and methodologies used today build layers of protection that guard against potentially harmful events.”

Dr. Bill Goble, co-founder and managing partner of automation safety systems vendor exida and a certified process safety expert, concurs. “Based on the accident reports and accident studies I have read, it appears as if the process safety and alarm management standards are right,” he says.

It’s the Implementation, Stupid

Most process plants preach safety incessantly, but they don’t walk the talk. “The majority of accidents occur because organizations have failed to implement best practices and guidelines on process safety,” observes Edward Naranjo, Ph.D., product manager at gas and flame detection system vendor General Monitors.

“Despite widespread reference to safety first in corporate mission statements and communications, the changes in culture that basic safety principles entail haven’t sufficiently permeated the entire workforce. Even companies with gilded safety records have gaps in their approach to preventing hazards,” adds Naranjo.

One of the main reasons why implementation of safety standards falls short is a lack of training and expertise. “Safety implementation still has a long way to go, and one of the main problems is getting those responsible up to speed,” says Ed Bullerdiek, control group leader at Marathon Ashland Petroleum, Findlay, Ohio.

“The scope of control systems and, therefore, training time has increased greatly during my career. We have reached the day where external experts will be used for many aspects of system design and implementation, such as safety. Having internal staff competent in all aspects will be impossible for all but the biggest operations to support and justify,” adds Bullerdiek.

Having said all that, it’s also true that there are gaps in critical safety standards.

Where Standards Come Up Short

Alarm management is the primary area of safety standard shortcomings. “The basic safety theories and standards are sound, but alarm management standards are non-existent, which consistently contributes to process accidents,” says John Bass, senior plant process computer analyst at Minneapolis, Minn.-based Xcel Energy’s Pawnee Station.

Robert Weibel, president of alarm management vendor TiPS, says, “While there are comprehensive standards regarding process safety, the few existing alarm management regulations are buried within documents of a much larger scope. ISA is currently developing a dedicated alarm management standard through the efforts of the SP.18 committee, but alarm management as a discipline is less mature than safety and is evolving.”

Poor or non-existent alarm management standards lead directly to operational problems. “There are too many alarms, and the operator does not know which alarms require action, so they just ignore all of them,” says Douglas Rheinheimer, principal controls manager at Pittsburgh-based Heinz North America. “Alarms should have two levels. The first level should notify the operator that he or she must take corrective action. The second level for the same parameter should take control and shut the process down in a safe mode.”

Modern control systems make it easy to add too many alarms. “Alarms tend to be added constantly, but rarely deleted,” says Gary Woodward, director product marketing and business development, Emerson Process Management. “The mindset of ‘If it costs nothing, why not alarm it?’ becomes an easy trap to fall into. The situation is often further exacerbated by inadequate operator training and poorly designed operator displays.”

Another safety standard area that needs improvement is operator interface design. “Of all the theoretical aspects of safety, graphics needs the most improvement,” claims Bullerdiek. “Current literature talks about limiting the amount of information on a page, and we’ve tried to adhere to these standards. But DCS system operators don’t want to navigate to find information; thus, they have a tendency to want to put more information on a display than is recommended,” he continues.

“I think the theoretical writing has a flaw because too much information on a screen is better than forcing the operator to go hunting for information when he needs it. The cognitive problem is the effort it takes to search for hidden objects—the effort to recall what display the information is on and the keystrokes and time required to recover it,” he concludes.

Alarm management and operator interface issues are directly related to the proliferation of modern digital control systems. Older control systems had limited capacity for alarms and other operator information displays, so only the most important operating conditions were displayed. Newer systems have nearly infinite capacity for information display. These capabilities are often abused, and safety standards haven’t always kept pace with ever expanding control system capabilities.

“The problem is not that existing standards are wrong; it is that they have become obsolete as technology has advanced,” explains Dr. Nancy Leveson, professor of engineering systems and director of the Complex Systems Research Lab at MIT. “New technology, particularly digital technology, does not match the assumptions of the process safety techniques developed for the much simpler analog electro-mechanical systems of the past.”

Inadequate Implementation Causes Accidents

The other culprit is poor implementation. “For many years after my retirement, and while I was consulting, I had a standing bet of $100 against a plant manager’s $1 that given four hours, I could find enough violations of safety standards to put his plant in danger,” says Warren Thompson, formerly with Citgo, explaining how people can die when safety implementation falls victim to production mandates. “I didn’t mean an occasional violation, but a continuing violation that was known by everyone. In one plant, I asked the unit operator if he was violating any limits of operation. His answer was yes. I asked him if he knew he could be disciplined for that action. His response was he would be fired if he didn’t violate the limit because the limit was wrong. These statements were made with the safety manager standing next to me. Later this plant had an accident resulting in deaths.”

An anonymous end user from a major chemical company says correct implementation depends on a thorough understanding of standards and procedures. “The root cause of most incidents is an action or lack thereof by a person or group. Most incidents, especially the serious ones, have multiple small causes or events that come together to permit and initiate the incident. Many of these enabling events are failures to follow procedures or recommendations prescribed by the hazards analysis. They are often committed by people with good intentions, but poor understanding of the consequences,” he says.

Initial assessment of hazards is not enough; continuous attention and improvement are required. “In many cases, the expertise that maintained proper deployment of safety standards is gone,” says John Bass of Xcel Energy. “Some of the implementation detail is very subtle, and in the process of upgrading to newer instrumentation and control systems, some safety features can get lost.”

Dr. Lang of LyondellBasell adds, “The biggest issue is the need for a continuous improvement process that measures performance, sets goals and ensures that safety standards are met. Plant managers need to provide the appropriate working environment, including communication, operator graphics and support resources to foster continuous improvement in safety.”

Accidents Don’t Count

So how do we change attitudes so that more time and money are applied to safety?

“Accidents continue to happen because many companies use injuries and fatalities as the predominant metric to demonstrate safe operation,” says Dr. Angela Summers, CEO and founder of safety system consultancy SIS-TECH. “But injuries and fatalities should occur so infrequently that the data is meaningless. A focus on injuries and fatalities often leads to a normalization and tolerance of loss-of-containment events, increasing the likelihood of injuries and fatalities. Effective metrics that include minor incidents must be used to monitor required management system activities, expected behavior and work quality to ensure continuous safe operation.”

Rick Hakimioun, a senior instrument/electrical and control systems engineer at Paramount Petroleum, Paramount, Calif., agrees. He observes, “All accidents, no matter how small, must be analyzed, and steps taken to avoid future occurrences. If we get into the habit of ignoring safety and thinking that the accidents are part of doing business, we are 100% wrong.”

In addition to using correct metrics, developing a proper safety culture is critical. “Safety does not happen by itself or by external enforcement,” says Romel Bhullar, PE, technical fellow and director of control systems at Fluor Corporation, Irving, Texas. “Safety has to be inbred, developed, nurtured and encouraged by management and every member of the organization. Safety cannot be implemented by instilling a culture based solely on return of investment. There is no way to put a price/benefit analysis on safety.”

Safety expert Dave Harrold, co-founder and president of AFAB Group, and a past recipient of ISA’s E.G. Bailey Award for his efforts to promote process safety, sums it all up.

“Accidents occur for one of two reasons. First is improperly trained personnel. These accidents can be eliminated by conducting robust and regularly scheduled training. The second cause is equipment failure, such as a pump, a valve or a faulty instrument reading. These types of causes are nearly impossible to prevent. But a proper HAZOP/CHAZOP (Control System HAZOP) study should identify these risks and result in the installation of mitigating safety functions that will minimize accident consequences.”


Standards Not Keeping up with Technology

Dr. Nancy G. Leveson, professor of engineering systems and the director of the Complex Systems Research Lab (CSRL) at MIT, shares her take on safety standards.

“Safety culture and management impact on safety has largely been ignored. Emphasis has instead been placed on physical systems and human operators. But we are now building process systems and working within global social and management systems that are much more complex. This complexity overwhelms our ability to understand the implications of decisions and to assure ourselves that all risk-related scenarios have been understood and mitigated.

The result of this complexity is demonstrated in the different nature of accidents today. We are starting to see an increasing number of accidents not caused by failures of individual components, but by dysfunctional and unsafe interactions among components. Each component worked as it was designed to do, but the overall design of the system led to an accident.

Standard safety engineering techniques of increasing component integrity and of adding redundancy will not increase system safety. What is needed are better ways of evaluating risk and identifying optimal decisions about tradeoffs and how specific risks will be controlled. Building inherently safe systems or preventing hazards is going to be much more effective and much less expensive than simply trying to mitigate damage.”

Anatomy of an Accident

Pete Atkinson, an engineer in manufacturing information systems at Boehringer Ingelheim Vetmedica, St. Joseph, Mo., describes a near-miss, the subsequent post mortem and resulting improvements.

“The most serious incident that I know of was a catastrophic failure of a transfer hose that burst during a clean-in-place (CIP) function. Operators in the area at the time of the failure narrowly escaped without any serious injuries, but only due to the fact that they were some distance away from the immediate area of the hose failure.

“Two operators were sprayed with hot caustic wash solution, but did not sustain any injuries because they were wearing protective equipment, including lab coats, safety glasses and hair nets. Their quick reaction to evacuate the area also helped them evade harm.

“The area sustained substantial flooding of CIP solution and water because the CIP system pump continued to pump out the entire contents of the wash-solution vessel. The tank volume was 1,000 liters, so you can get a picture in your head of the extent of the flooding that occurred with a hazardous chemical.

“Investigation revealed that operators had noticed that the hose had been kinked, but they judged it OK for use. An inspection was conducted on all transfer hoses in the building right after the incident. Of the 250 hoses inspected, about half were found to be near a point of failure and were removed from service. Many of our operators knew that a number of hoses had physical damage, but didn’t do anything about it.

“There were a number of corrective actions taken to ensure that a similar incident did not occur again. One was to invoke a control system alarm and automatic shutdown of the CIP skid pump upon a sudden loss of line pressure.

“We also started regular and documented inspections of all transfer hoses, including visual and pressure testing. Area procedures were written to instruct operators to visually inspect and reject any hose that showed any signs of abnormal wear or physical damage prior.

“Since this incident occurred and the above mentioned corrective actions were invoked, there have not been any similar incidents.”
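The two-level alarm scheme Rheinheimer describes (alert the operator first, then shut down in a safe mode) and the pressure-loss trip Atkinson’s plant added after the hose failure, worked as an added Python example that is not from the article or from any plant’s control system: the pressure limits, the 2-second drop window, the startup bypass and the readings in the usage are all assumed or constructed values.

```python
import math
from collections import deque


class CipPumpInterlock:
    """Two-level CIP line protection (assumed limits, not plant data): level 1 alarms
    the operator on low pressure; level 2 trips and latches the pump on sudden loss."""

    def __init__(self, low_alarm=2.0, low_low_trip=1.0, drop_trip=1.5,
                 window_s=2.0, startup_s=5.0, span=(0.0, 10.0)):
        self.low_alarm, self.low_low_trip, self.drop_trip = low_alarm, low_low_trip, drop_trip
        self.window_s, self.startup_s, self.span = window_s, startup_s, span
        self.history = deque()           # (t, pressure) samples within the last window_s
        self.pump_running = self.tripped = self.alarm = False
        self.started_at = None

    def start(self, t):                  # operator start request, refused while latched
        if self.tripped:
            return False
        self.pump_running, self.started_at = True, t
        return True

    def reset(self):                     # deliberate reset after the cause is fixed
        self.tripped = False

    def sample(self, t, pressure):
        """Feed one pressure reading (bar) at time t (s); returns event strings."""
        events = []
        bad = pressure is None or math.isnan(pressure) \
            or not (self.span[0] <= pressure <= self.span[1])
        if bad:                          # fail-safe: never trust a bad transmitter
            return self._trip("transmitter fault", events)
        self.history.append((t, pressure))
        while t - self.history[0][0] > self.window_s:
            self.history.popleft()
        if not self.pump_running:
            return events
        in_startup = t - self.started_at < self.startup_s   # bypass while line fills
        peak = max(p for _, p in self.history)
        if peak - pressure >= self.drop_trip:                # burst hose: fast drop
            return self._trip("sudden loss of line pressure", events)
        if not in_startup and pressure <= self.low_low_trip:
            return self._trip("low-low line pressure", events)
        low = not in_startup and pressure <= self.low_alarm
        if low and not self.alarm:                           # raise once, not every scan
            events.append("LEVEL1 ALARM: low line pressure, operator action required")
        self.alarm = low
        return events

    def _trip(self, reason, events):
        if not self.tripped:             # latch once; no repeated trip events
            self.tripped, self.pump_running, self.alarm = True, False, False
            events.append(f"LEVEL2 TRIP: {reason}, pump interlocked")
        return events


if __name__ == "__main__":               # constructed readings: hose bursts at t=6.5 s
    ilk = CipPumpInterlock(); ilk.start(0.0)
    for i, p in enumerate([0.0, 2.0] + [4.0] * 11 + [1.8]):
        print(i * 0.5, ilk.sample(i * 0.5, p))
```

The trip is latched on purpose: a tripped pump cannot be restarted until someone resets it, which forces the inspection step that the operators had been skipping when they kept using kinked hoses.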

The Trouble with Safety Standards

  1. Standards have not kept pace with new control system technologies.
  2. Alarm management standards are inadequate.
  3. Graphics standards don’t match operator needs.
  4. Standards focus too much on components and not enough on systems.

Implementation Issues

  1. Production mandates trump safety-standard enforcement.
  2. Lack of training on safety standards.
  3. Minor incidents not measured and analyzed.
  4. Safety reassessment neglected after process and control system changes.

Automation Not the Best Path to Safety

Automation, instrumentation and operator interface systems all play key roles in making a plant safe. But Joe Kaulfersch, a market analyst with Pepperl+Fuchs, says that designing inherently safer process plants is better than attempting to automate and control dangerous conditions.

“The future of process plant safety is inherently safer design. Inherently safer design can be defined as the design of processes and products with specific attention to eliminating hazards from the manufacturing process, rather than relying on the control of these hazards,” says Kaulfersch.

He says there are four questions designers should ask when they have identified a hazard.

  1. Can I eliminate this hazard?
  2. If not, can I reduce the magnitude of the hazard?
  3. Do the alternatives identified in questions 1 and 2 increase the magnitude of any other hazards or create new hazards?
  4. What technical and management systems are required to manage the hazards which inevitably will remain?

He says a chemical process is described as inherently safer if it reduces or eliminates one or more process hazards, and if this reduction or elimination is accomplished through changes that are permanent and inseparable. Approaches to the design of inherently safer processes and plants have been grouped into four major strategies:

  1. Minimize—Use small quantities of hazardous substances.
  2. Substitute—Replace a material with a less hazardous substance.
  3. Moderate—Use less hazardous conditions, a less hazardous form of materials or facilities that minimize the impact of a release of hazardous material or energy.
  4. Simplify—Design facilities that eliminate unnecessary complexity and make operating errors less likely and that are forgiving of errors which are made. For example, intrinsic safety wiring practices ensure that errors will not cause an electrically induced accident.

Protect Personnel First

The first goal of any safety program should be protection of personnel, and the best way to protect people is to get them out of harm’s way before accidents occur.

“Minimizing personnel within the plant exposes fewer people to risks,” says Warren Thompson, now retired but formerly with Citgo. “When I worked at Citgo, they moved their central control room outside of the refinery’s fence, and the console operators never entered the plant. Moving the control room outside the fence meant that it didn’t need to be blast proof.”

“Many gas plants operate in remote sites without on-site staff, and pipelines are operated from remote control areas. There is no reason why refineries and chemical plants cannot operate the same way,” he adds.

Industry veteran Romel Bhullar of Fluor seconds Thompson’s points. “Digital devices, fieldbus communication and closed-circuit television are reducing the need to be in process units or next to dangerous equipment for startup or monitoring. Remote monitoring also allows plants to bring external resources to bear when needed,” observes Bhullar.

“The location of control buildings needs to be revisited in light of current automation technologies. Most units don’t require local control rooms. Some refiners have operator shelters dangerously close or even in the explosion zones; a serious effort should be made to locate these to a safe environment,” says Bhullar.