Being Safe, Thinking Safe, Staying Safe
The process engineer’s commitment to safety and how to deliver it
Introduction
Safety in PEMEX is a priority
Priorities need methods and procedures to be managed properly
The consequences of failure are so great that some procedures need to be re-evaluated
This means that safety requirements need to be specified in a different way
Process Engineers have had methods of evaluating risk for several years – HAZOP, Fault Tree Analysis …
But now technology gives huge opportunities
Linking the technical possibilities with the realities of modern demands of productivity and profitability is the responsibility of … who???
Safety has to be part of the culture of EVERYONE – we are all responsible
The cost of ignoring safety
$41,000,000,000 (= $41billion)
The amount allocated by BP for the overall costs of the Deepwater Horizon accident – a totally avoidable accident, caused by poor management decisions and inadequate maintenance procedures
Learning what safety costs
Why is it so difficult to learn from mistakes others have made?
Would you prefer to learn from the mistakes of others or make them all yourself?
Certainly, you will learn better by making your own mistakes,
But learning that way can be very risky and very expensive
Modern history of industrial disasters: Flixborough, Nypro UK, 1st June 1974
Reactor 5 removed for maintenance
Improper temporary connection made between Reactors 4 & 6
Release of flammables caused a massive explosion that killed 28 and seriously injured 36 others
Modern history of industrial disasters: Bhopal, Union Carbide India, 2-3 December 1984
3 tanks holding Methyl Isocyanate (MIC)
MIC at temperatures above 15 ºC decomposes into deadly components such as hydrocyanic acid or cyanide
The 4 layers of protection were defeated by 1 common cause failure and operator / maintenance errors
Over 3,000 – 5,000 people killed by inhaling 41 tons of poisonous gas
Over 500,000 people were exposed to the deadly gas
June 2010: 23,000 dead and counting…
Modern history of industrial disasters: Texas City, BP USA, 23rd March 2005
Several equipment failures; safety culture was superficial
$21.3 Million fine was paid to OSHA
$700 Million was reserved to compensate the victims
Over $2 Billion set aside for development over 5 years at US BP plants
15 killed
Over 180 injured
© HIMA 2008
Modern history of industrial disasters – the Texas City investigation reports:
Mogford report, Dec 2005, 192 pages
Baker panel report, Jan 2007, 374 pages
CSB final report, Mar 2007, 337 pages
Baker report findings
1. Inadequate process safety knowledge and training
2. Failure to follow specified procedures
3. Ineffective management of change reviews
4. No refinery-level management review system to monitor process safety performance
5. Inadequate review of practices against both internal and generally-accepted external standards
Safety Review Panel’s Recommendations
1. Process Safety Leadership
2. Integrated and Comprehensive Process Safety Management System
3. Process Safety Knowledge and Expertise
4. Process Safety Culture
5. Clearly Defined Expectations and Accountability for Process Safety
Safety Review Panel’s Recommendations
6. Support for Line Management
7. Leading and Lagging Performance Indicators for Process Safety
8. Process Safety Auditing
9. Board Monitoring
10. Industry Leader
Modern history of industrial disasters: Hertfordshire, UK, 11th December 2005
Massive fire at Buncefield fuel depot owned by Total & Chevron
Single overfill protection/alarm failed, causing a spill that created a huge mist of fuel that ignited…
Over 1 Billion Euro in damage
Macondo Field, Gulf of Mexico
Most recently of all:
Deepwater Horizon
… this must make all Oil & Gas management review their Values and their Procedures
Modern history of industrial disasters: Deepwater Horizon, BP, 21st April 2010
– The environment in which the oil drilling took place – 5,000 feet below the ocean's surface – is extremely hazardous
– 126 workers were on board at the time of the explosion
– 11 people killed
– The huge environmental pollution is estimated at over 41,000,000,000 US $
Modern history of industrial disasters
The US government holds BP solely responsible
for the 11 lives lost
For the catastrophic damage to the community
For the reduction in BP shareholders’ dividend
It seems that no one ever learns . . .
Buncefield Tank Farm exploded 11th December 2005
BUT it was not the first!
Organizations have NO Memory!
Incidents that have similarities with Buncefield:
– April 1962, Houston Texas, USA
– Jan 1977, Baytown Texas, USA
– Jan 1983, Texaco, Newark, New Jersey, USA
– Dec 1985, Naples Harbour, Italy
– Oct 1991, St Herblain, France
– Jan 1993, Jacksonville, Florida, USA
– Dec 1999, Laem Chabang, Thailand
– Dec 2005, Buncefield, UK
– Oct 2009, Jaipur IOC, India
The birth of “Functional Safety”
(Timeline figure with year ticks ’64, ’75, ’81, ’86, ’89, ’92, ’93, ’95, ’96, ’97, ’98, ’99, ’00, ’04, ’10; the milestones labelled on the slide are:)
– First microcomputer-based safety-related device
– Book “Microcomputers in Safety Techniques” published
– Oil pipeline Italy–Germany: approval of a distributed electronic protective system
– Dynamic, fail-safe HW systems for large installations
– SW quality engineering for large DCS for conventional and nuclear power plants
– HW and SW approval of distributed safety-related PES for the process and machinery industry
– Accreditation scheme for test and certification bodies in Europe for safety and quality certification of HW and SW of industrial electronics
– National Accreditation Scheme for railroad equipment and information security
– ISA 84.00.01 released
– IEC 61508 released
– Y2000 certification
– Certification of Organizations & People
– IEC 61511 = ANSI/ISA 84.00.01
– IEC 61508 maintenance revision released
The most recent Standards to emerge
1984 TUV Guidelines for PES (SK Safety Classes 1-9)
1987 HSE PES Guidelines Parts 1 & 2
1989 DIN 19250 / VDE 0801 for PES (AK Safety Classes 1-8)
1994 Appendix to VDE 0801 - Harmonisation Document
1996 ISA SP84 - Safety Lifecycle, Quantitative Approach
1997 IEC 61508 - Safety Lifecycle, Quantitative and Qualitative Approach
2003 ANSI/ISA 84.01 = IEC 61511 - Functional Safety, SIS for the Process industry sector
2004 DIN 19250 withdrawn and introduction of Machine Safety Standard IEC 62061
Today: Many more to come?
Safety Instrumented Systems (SIS) – defined in USA and Europe 1996-2004
Instrumentation, Systems, and Automation Society (ISA), ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industry, 1996 (revised 2004).
International Electrotechnical Commission (IEC), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector
(Performance Based Standards)
Evolving Standards
IEC 61508 is an “umbrella standard” for functional safety across all industries
Each industry then uses IEC 61508 as a guide to develop industry specific standards
• IEC/AS 61511 – Process Industry
• IEC 61513 – Nuclear Industry
• IEC 62061 – Machinery Industry
• Future – Rail, Medical, Automotive, Transport
Functional Safety Standards
(Diagram: IEC 61508 as the umbrella standard, with the sector standards beneath it:)
– IEC 61511 – Process Industry
– ISA S84.01 – Process Industry
– IEC 62061 – Machinery
– EN 50128 – Railway
– IEC 61513 – Nuclear Industry
– IEC 61800-5-2 – Power Drive Systems
– IEC 60601 – Medical
Evolving Standards
Other standards reference safety standards
• FM AS 7605 – Programmable Logic Control (PLC) Based Burner Management
• FM AS 7610 – Combustion safeguards and Flame Sensing
• NFPA 85 – Boiler and Combustion Systems Hazards Code
• OSHA Process Safety Management & duty of care
Why do we need Functional Safety?
Primary cause of control system failure (analysis of 34 incidents, based on 56 causes identified):
– Specifications: 44 %
– Design and implementation: 15 %
– Installation and commissioning: 6 %
– Operations and maintenance: 15 %
– Changes after commissioning: 20 %
Source: Out of Control: Why control systems go wrong and how to prevent failure? (2nd edition, © Health & Safety Executive HSE – UK)
HSE Summary
Analysis of incidents
Majority of incidents could have been anticipated if a systematic risk-based approach had been used throughout the life of the system
Safety principles are independent of the technology
Situations often missed through lack of systematic approach
HSE Summary
Design problems
Need to verify that the specification has been met
Over-dependence on a single channel of safety
Failure to verify software
Poor consideration of human factors
HSE Summary
Operational problems
Training of staff
Safety analysis
Management control procedures
Systematic Failures – Human Errors
44 % of failures occurred when the systems did exactly what they had been designed and programmed to do - and failed anyway
Less than 15% of accidents can be blamed on operator or maintenance error
Bad things keep happening
Systems aren't perfect, stuff goes wrong. We need to design for failure
“If only we had known …”
“Accidents are not due to lack of knowledge but failure to use the knowledge we have.”
Lessons from Disaster (T. Kletz 1993)
Functional Safety - what is it for?
• Analyses possible hazardous events
• Proposes the engineering which needs to be done
• Helps maintenance to identify the processes needed to maintain safety
“Human Errors”: an excuse for an accident?
Given the right conditions all things succumb to human or systematic error
– operator makes a mistake closing a valve,
– transmitter left in ‘test’ mode following repair,
– poorly trained engineers leading to bad maintenance,
– hazard poorly identified
– etc…
Making the process safe
It’s a commitment by the Operator
to the people working in the plant
to the community where the Process Equipment is located
to the shareholders and partners
REMEMBER: It is defined that the Operator is responsible for the safety of the plant
Using Technology to make things safer
“The factory of the future will have only two employees, a man and a dog. The man will be there
to feed the dog. The dog will be there to keep the man from touching the equipment.”
Warren G. Bennis
Technology in SIS
Currently-used SIS logic solvers are very different in their design
They range in age from 1983 to the present-day
Originally SAFETY was sacrificed in favour of AVAILABILITY
The early designs needed a 2oo3 architecture to be able to reduce the PFD to acceptable (SIL 3) levels
Finally the industry realised that TMR is ‘only’ an architecture
What matters in a logic solver?
• Is it a system you can work with easily?
  • People make mistakes when using / maintaining logic solvers which they don’t understand
• Does it meet the required SIL level according to IEC 61511?
  • If you still believe that TMR is better than 2oo4 or any other architecture, you are WRONG
• Can EPCs develop configurations and easily change those configurations later?
  • EPCs never get the configuration right first time
• Can the logic solver work equally well with local or remote I/O?
  • If not, you are limiting the flexibility of the design
Choosing a SIS Logic Solver
• Can the Program be continuously edited – with no need EVER to take the SIS offline?
• There is no need to accept that this limitation is unavoidable
• If you intend to follow IEC 61511 recommendations, does the logic solver make it easy to do so?
• Think about PROOF TEST INTERVALS
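The claims above about 2oo3 (TMR) versus 2oo4, the PFD needed for SIL 3 and the role of the proof test interval can be put into numbers. The Python below is an added example, not code from HIMA or from the presentation: it applies the simplified IEC 61508 low-demand PFDavg formulas for a k-out-of-n voting group with a beta-factor for common cause failure, maps PFDavg to a SIL band, and finds the longest proof test interval that still meets a target SIL. The failure rate λ_DU = 2e-6 /h, the yearly proof test and the 10 % beta are constructed values, not data from the slides.

```python
from math import comb

# Low-demand SIL bands of IEC 61508 / IEC 61511 as (SIL, lower, upper) bounds on PFDavg.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_du, t_proof, k, n, beta=0.0):
    """Approximate PFDavg of a k-out-of-n group of identical channels.

    lambda_du: dangerous undetected failure rate of one channel (per hour)
    t_proof:   proof test interval (hours); formulas assume lambda_du * t_proof << 1
    beta:      beta-factor share of failures that hit all channels at once (common cause)
    A koon vote is defeated once n-k+1 channels have failed, so
      PFD_ind = C(n, n-k+1) * ((1-beta) * lambda * T)^(n-k+1) / (n-k+2)
      PFD_ccf = beta * lambda * T / 2          (redundant groups only)
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if n == 1:
        return lambda_du * t_proof / 2           # 1oo1: no redundancy, no CCF term
    m = n - k + 1                                # failures needed to defeat the vote
    lt = (1.0 - beta) * lambda_du * t_proof
    independent = comb(n, m) * lt ** m / (m + 1)
    common_cause = beta * lambda_du * t_proof / 2
    return independent + common_cause


def sil_for_pfd(pfd):
    """SIL achieved by a PFDavg; 0 means no SIL credit (PFDavg >= 0.1)."""
    if pfd < 1e-5:
        return 4                                 # below the SIL 4 band; nothing higher is defined
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_test_interval(lambda_du, k, n, target_sil, beta=0.0, step=168, limit=20 * 8760):
    """Longest proof test interval (hours, whole multiples of `step`, default weeks)
    at which the group still reaches target_sil; None if even one step is too long."""
    best, t = None, step
    while t <= limit and sil_for_pfd(pfd_avg(lambda_du, t, k, n, beta)) >= target_sil:
        best, t = t, t + step
    return best


if __name__ == "__main__":
    # Constructed channel data (not from the slides): lambda_DU = 2e-6 /h, yearly
    # proof test, 10 % common cause. Note how the CCF term, not the vote, sets the SIL.
    for k, n in [(1, 1), (1, 2), (2, 3), (2, 4)]:
        p = pfd_avg(2e-6, 8760, k, n, beta=0.10)
        print(f"{k}oo{n}: PFDavg = {p:.2e} -> SIL {sil_for_pfd(p)}")
```

With a 10 % beta the 2oo3 group drops to SIL 2 at a yearly proof test while 2oo4 stays SIL 3, and shortening the 2oo3 interval to 47 weeks brings it back to SIL 3: the architecture label alone does not fix the SIL.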
Think about HOW you will apply the SIS
• Don’t leave the design of the SIS to the EPC alone
• You have good FS engineers – involve them in the design
• DON’T FORGET – PEMEX operations have to live with the SIS long after the EPC has left the site
Use technology creatively
• Don’t stay with old ideas and concepts
• Many new projects use old specifications ‘to save money’- IT DOES NOT EVER SAVE MONEY
• EXAMPLE 1 – Remote I/O is a very economical way of creating local SIS enclosures
• EXAMPLE 2 – Use one redundant CPU for as many I/O as possible
• It’s cheaper than multiple CPU sets
• It’s safer than many CPU sets
• It’s more available than having many CPU sets
• EXAMPLE 3 – Run as many safety-related applications as possible in one CPU, together with the ESD
• Fire and Gas - can be cheaper and easier to maintain
• Turbomachinery control – easy to run as a separate ‘task’
• Burner Management
• etc
If this seems to break too many rules – ask yourself: “where did these rules come from?”
Work with Operations Maintenance
• Design and Implementation of SIS needs consultation with Maintenance
• Training
• Who
• When
• Why
• Maintenance Work Stations
• Should they be separate or part of the Control Room Operator responsibility?
• Spares supply and ‘shelf life’
• Consider supplier maintenance contracts – with redundant systems there is PLENTY of time for them to respond, within 4, 8 or 12 hours
• Use trained specialists to make changes and repairs to the SIS
New ideas about the DCS – SIS communications requirements
The safety responsibilities of the Contractor are totally different
Contractor’s responsibilities
Operator’s responsibilities
It is the OPERATOR who has responsibility for safety – for the lifetime of the plant – so don’t leave this to the EPC!
The Operator must be involved with the decisions being made by the Contractor
Functional Safety methodology must be followed by the Contractor(who often gets support from Safety System suppliers like HIMA)
Technology changes fast
• but that is not an excuse to not be interested
• it’s an opportunity to get better systems
• newer systems provide increased ways of being safe
• New technology systems provide increased ways of being safe
• Process Automation needs ‘Best of Breed’ safety solutions
• Safety systems should be Harmonized throughout the plant
• The concept of the MAC should be challenged by the Operator
  • It does not provide the SAFEST Safety System
  • It does not provide the MOST AVAILABLE SIS
  • The EPC will buy the CHEAPEST Safety System
• PEMEX should define which SIS they want – and make this a condition of the award to the EPC: the MAC becomes a Conditional MAC (C-MAC)
Since PEMEX is responsible, PEMEX should specify what is wanted
The myth of “Integrated Safety”
There is no such thing as an Integrated Control and Safety System
Safety must not be integrated into the Control System
(Diagram: the DCS CONTROLLER and the SAFETY system drawn as two separate blocks, not one integrated system)
Connecting SIS to DCS
Some operators want management info to be passed from the SIS to the DCS for display and historization.
The data is passed via a standard communication bus (non-safe)
So there is no integration between SIS and DCS
(Diagram: SAFETY system and DCS CONTROLLER as separate blocks, linked only by the non-safe communication bus)
Conclusion 1: there is no such thing as an ICSS
Conclusion 2: there is no requirement for the DCS supplier to provide the SIS
Challenges of process safety implementation
Complex process operations need equipment to be HARMONISED
– Particularly safety equipment
– Complexity increases new risks
– Different safety products confuse maintenance engineers – Causes mistakes and shutdowns
– Or worse – accidents
Challenges of process safety implementation
Poor management
– lack of awareness
– lack of competency
– limited focus on optimizing production
– Ineffective communication
… Only solved with training
Challenges of process safety implementation
Technology transfer from one world region to countries with different culture and attitudes towards standards
– A shortage of process-specific experience
– Reduced know-how
. . . Solved by using global specialists with international coverage
Summary
All YOU need is:
– Know How – Know How – Know How
– Experience – Experience – Experience
– Competency – Competency – Competency
To achieve an adequate safety culture, the competency of every human being working in the lifecycle of our process industry is becoming the ‘de facto standard’ for those who want to keep their plant safe and productive, and to avoid the very costly penalties and lawsuits that follow when things go wrong, as they have in the past.