Being Safe, Thinking Safe, Staying Safe
The process engineer’s commitment to safety and how to deliver it

Introduction

Safety in PEMEX is a priority

Priorities need methods and procedures to be managed properly

The consequences of failure are so great that some procedures need to be re-evaluated

This means that safety requirements need to be specified in a different way

Process Engineers have had methods of evaluating risk for several years – HAZOP, Fault Tree Analysis …

But now technology gives huge opportunities

Linking the technical possibilities with the realities of modern demands of productivity and profitability is the responsibility of … who???

Safety has to be part of the culture of EVERYONE – we are all responsible

The cost of ignoring safety

$41,000,000,000 (= $41 billion)

The amount allocated by BP for the overall costs of the Deepwater Horizon accident – a totally avoidable accident, caused by poor management decisions and inadequate maintenance procedures

Failures cost lives

Failures hurt the environment

The productivity loss ruins businesses

Learning what safety costs

Why is it so difficult to learn from the mistakes others have made?

Would you prefer to learn from the mistakes of others or make them all yourself?

Certainly, you will learn better by making your own mistakes, but learning that way can be very risky and very expensive.

Modern history of industrial disasters: Flixborough, Nypro UK, 1st June 1974

Reactor 5 removed for maintenance

Improper temporary connection made between Reactors 4 & 6

Release of flammables caused a massive explosion that killed 28 and seriously injured 36 others

Modern history of industrial disasters: Bhopal, Union Carbide India, 2-3 December 1984

3 tanks holding Methyl Isocyanate (MIC)

MIC at temperatures > 15 °C decomposes into deadly components such as hydrocyanic acid or cyanide

The 4 layers of protection were defeated by 1 common cause failure and operator / maintenance errors

Modern history of industrial disasters: Bhopal, Union Carbide India, 2-3 December 1984

> 3,000 – 5,000 people killed by inhaling 41 tons of poisonous gas

> 500,000 people were exposed to the deadly gas

> June 2010: 23,000 dead and counting…

Modern history of industrial disasters: Texas City, BP USA, 23rd March 2005

Several equipment failures; safety culture was superficial

$21.3 million fine was paid to OSHA

$700 million was reserved to compensate the victims

> $2 billion set aside for development over 5 years at US BP plants

Modern history of industrial disasters: Texas City, BP USA, 23rd March 2005

15 killed

> 180 injuries

© HIMA 2008

Modern history of industrial disasters

Mogford report, Dec 2005, 192 pages

Baker panel report, Jan 2007, 374 pages

CSB final report, Mar 2007, 337 pages


Baker report findings

1. Inadequate process safety knowledge and training

2. Failure to follow specified procedures

3. Ineffective management of change reviews

4. No refinery-level management review system to monitor process safety performance

5. Inadequate review of practices against both internal and generally-accepted external standards


Safety Review Panel’s Recommendations

1. Process Safety Leadership

2. Integrated and Comprehensive Process Safety Management System

3. Process Safety Knowledge and Expertise

4. Process Safety Culture

5. Clearly Defined Expectations and Accountability for Process Safety


Safety Review Panel’s Recommendations

6. Support for Line Management

7. Leading and Lagging Performance Indicators for Process Safety

8. Process Safety Auditing

9. Board Monitoring

10. Industry Leader

Modern history of industrial disasters: Hertfordshire, UK, 11th December 2005

Massive fire at Buncefield fuel depot owned by Total & Chevron

Single overfill protection/alarm failed causing a spill that created a huge mist of fuel that ignited…

> 1 Billion Euro damage


Again reviews documented…


Macondo Field, Gulf of Mexico

Most recently of all:

Deepwater Horizon

… this must make all Oil & Gas management review their Values and their Procedures

Modern history of industrial disasters: Deepwater Horizon, BP, 21st April 2010

– The environment in which the oil drilling took place – 5,000 feet below the ocean's surface – is extremely hazardous

– 126 workers were on board at the time of the explosion

– 11 people killed

– The huge environmental pollution is estimated at > 41,000,000,000 US $

Modern history of industrial disasters

The US government holds BP solely responsible:

– for the 11 lives lost

– for the catastrophic damage to the community

– for the reduction in BP shareholders’ dividend


Preliminary Analysis already released…

Have we learned anything?

You would think so, but . . .

It seems that no one ever learns . . .

Buncefield Tank Farm exploded 11th December 2005

BUT it was not the first!

Organizations have NO Memory! Incidents that have similarities with Buncefield:

– April 1962, Houston Texas, USA

– Jan 1977, Baytown Texas, USA

– Jan 1983, Texaco, Newark, New Jersey, USA

– Dec 1985, Naples Harbour, Italy

– Oct 1991, St Herblain, France

– Jan 1993, Jacksonville, Florida, USA

– Dec 1999, Laem Chabang, Thailand

– Dec 2005, Buncefield, UK

– Oct 2009, Jaipur IOC, India

The birth of “Functional Safety”

(Timeline figure, ‘64 to ‘10. Axis years: ‘64, ‘75, ‘81, ‘86, ‘89, ‘92, ‘93, ‘95, ‘96, ‘97, ‘98, ‘99, ‘00, ‘04, ‘10. Milestones shown: oil pipeline Italy–Germany, approval of a distributed electronic protective system; first microcomputer based safety related device; book “Microcomputers in Safety Techniques” published; HW and SW approval of distributed safety related PES for process and machinery industry; dynamic, fail-safe HW systems for large installations; SW quality engineering for large DCS for conventional and nuclear power plants; accreditation scheme for test and certification bodies in Europe for safety and quality certification of HW and SW of industrial electronics; national accreditation scheme for railroad equipment and information security; ISA 84.00.01 released; IEC 61508 released; Y2000 certification; IEC 61511 = ANSI/ISA 84.00.01; certification of organizations & people; IEC 61508 maintenance rev. released.)

1984 TUV Guidelines for PES (SK Safety Classes 1-9)

1987 HSE PES Guidelines Parts 1 & 2

1989 DIN 19250 / VDE 0801 for PES (AK Safety Classes 1-8)

1994 Appendix to VDE 0801 - Harmonisation Document

1996 ISA SP84 - Safety Lifecycle, Quantitative Approach

1997 IEC 61508 - Safety Lifecycle, Quantitative and Qualitative Approach

2003 ANSI/ISA 84.01 = IEC 61511 - Functional Safety, SIS for the Process Industry Sector

2004 DIN 19250 withdrawn and introduction of Machine Safety Standard IEC 62061

Today: Many more to come?

The most recent Standards to emerge

Safety Instrumented Systems (SIS) – defined in USA and Europe 1996–2004

Instrumentation, Systems, and Automation Society (ISA), ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industry, 1996 (revised 2004).

International Electrotechnical Commission (IEC), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector

Performance Based Standards

Evolving Standards

IEC 61508 is an “umbrella standard” for functional safety across all industries

Each industry then uses IEC 61508 as a guide to develop industry specific standards

• IEC/AS 61511 – Process Industry

• IEC 61513 – Nuclear Industry

• IEC 62061 – Machinery Industry

• Future – Rail, Medical, Automotive, Transport


Everyone now knows who is responsible


Functional safety was developed to prevent events like this

Functional Safety Standards

(Diagram: IEC 61508 as the umbrella standard, with the sector standards below it)

– IEC 61511 – Process Industry

– ISA S84.01 – Process Industry

– IEC 62061 – Machinery

– EN 50128 – Railway

– IEC 61513 – Nuclear Industry

– IEC 61800-5-2 – Power Drive Systems

– IEC 60601 – Medical

Evolving Standards

Other standards reference safety standards

• FM AS 7605 – Programmable Logic Control (PLC) Based Burner Management

• FM AS 7610 – Combustion safeguards and Flame Sensing

• NFPA 85 – Boiler and Combustion Systems Hazards Code

• OSHA Process Safety Management & duty of care.

Why do we need Functional Safety?

(Chart of the causes of control system failures by lifecycle phase:)

– 44% Specifications

– 15% Design and implementation

– 6% Installation and commissioning

– 15% Operation and maintenance

– 20% Changes after commissioning

Analysis of 34 incidents, based on 56 causes identified

Source: Out of control: Why control systems go wrong and how to prevent failure (2nd edition, © Health & Safety Executive HSE – UK)

HSE Summary

Analysis of incidents

Majority of incidents could have been anticipated if a systematic risk-based approach had been used throughout the life of the system

Safety principles are independent of the technology

Situations often missed through lack of systematic approach

HSE Summary

Design problems

Need to verify that the specification has been met

Over dependence on single channel of safety

Failure to verify software

Poor consideration of human factors


HSE Summary

Operational problems

Training of staff

Safety analysis

Management control procedures

Systematic Failures – Human Errors

44 % of failures occurred when the systems did exactly what they had been designed and programmed to do - and failed anyway

Less than 15% of accidents can be blamed on operator or maintenance error

Bad things keep happening

Systems aren't perfect, stuff goes wrong. We need to design for failure


Systematic Failures – Human Errors?


“If only we had known …”

“Accidents are not due to lack of knowledge but failure to use the knowledge we have.”

Lessons from Disaster (T. Kletz 1993)


Functional Safety - what is it for?

• Analyses possible hazardous events

• Proposes the engineering which needs to be done

• Helps maintenance to identify the processes needed to maintain safety


“Human Errors”: an excuse for an accident?

Given the right conditions all things succumb to human or systematic error

– operator makes a mistake closing a valve,

– transmitter left in ‘test’ mode following repair,

– poorly trained engineers leading to bad maintenance,

– hazard poorly identified

– etc…


Making the process safe

It’s a commitment by the Operator

to the people working in the plant

to the community where the Process Equipment is located

to the shareholders and partners

REMEMBER: It is defined that the Operator is responsible for the safety of the plant


Using Technology to make things safer

“The factory of the future will have only two employees, a man and a dog. The man will be there

to feed the dog. The dog will be there to keep the man from touching the equipment.”

Warren G. Bennis

Technology in SIS

Currently-used SIS logic solvers are very different in their design

They range in age from 1983 to the present day

Originally SAFETY was sacrificed in favour of AVAILABILITY

The early designs needed a 2oo3 architecture to be able to reduce the PFD to acceptable (SIL 3) levels

Finally the industry realised that TMR is ‘only’ an architecture

What matters in a logic solver?

• Is it a system you can work with easily?

– People make mistakes when using / maintaining logic solvers which they don’t understand

• Does it meet the required SIL level according to IEC 61511?

– If you still believe that TMR is better than 2oo4 or any other architecture, you are WRONG

• Can EPCs develop configurations and easily change those configurations later?

– EPCs never get the configuration right first time

• Can the logic solver work equally well with local or remote I/O?

– If not, you are limiting the flexibility of the design


Choosing a SIS Logic Solver

• Can the Program be continuously edited – with no need EVER to take the SIS offline?

• There is no need to accept that this limitation is unavoidable

• If you intend to follow IEC 61511 recommendations, does the logic solver make it easy to do so?

• Think about PROOF TEST INTERVALS
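An added worked example (not from the presentation or from HIMA): the simplified IEC 61508-6 style PFDavg estimate for the 1oo1, 1oo2, 2oo3 and 2oo4 voting schemes discussed above, mapped to the IEC 61508-1 SIL bands, showing why the common-cause factor β and the proof-test interval matter more than the voting architecture by itself. The failure rate, β and test intervals are constructed sample values, and the 2oo4 term is an extrapolation of the standard's pattern, not a figure from the standard.

```python
"""PFDavg of kooN voted safety channels, simplified IEC 61508-6 style model.

Assumptions of this illustrative model (not a certified vendor figure): only
dangerous undetected failures (lambda_DU) count, diagnostics and repair time
are neglected, common cause follows the beta-factor model, and the independent
term C(N, m) * (lambda_DU * T)^m / (m + 1), with m = N - k + 1 channel failures
defeating the vote, reproduces the 61508-6 simplified equations for 1oo1, 1oo2,
2oo3 and 1oo3; applying it to 2oo4 is an extrapolation made for this example.
"""
from math import comb

# IEC 61508-1 Table 2, low-demand mode: PFDavg bands [low, high) per SIL.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(k, n, lambda_du, t_hours, beta=0.0):
    """PFDavg of a kooN architecture: k of n channels must demand a trip.
    lambda_du: dangerous undetected failure rate per channel, per hour
    t_hours:   proof-test interval in hours
    beta:      common-cause fraction of lambda_du (ignored when n == 1)
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    m = n - k + 1                # independent failures that defeat the vote
    q = lambda_du * t_hours      # expected per-channel failures per interval (<< 1)
    independent = comb(n, m) * q ** m / (m + 1)
    common_cause = beta * q / 2 if n > 1 else 0.0
    return independent + common_cause


def sil_for_pfd(pfd):
    """Map a PFDavg to its low-demand SIL band (0 if it misses SIL 1)."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def compare_architectures(lambda_du, t_hours, beta):
    """Return {name: (PFDavg, SIL)} for the voting schemes named in the slides."""
    result = {}
    for name, (k, n) in {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3), "2oo4": (2, 4)}.items():
        pfd = pfd_avg(k, n, lambda_du, t_hours, beta)
        result[name] = (pfd, sil_for_pfd(pfd))
    return result


if __name__ == "__main__":
    # Constructed sample values: 2e-6 /h per channel, annual proof test, beta = 2 %.
    # All redundant schemes land in SIL 3 and the beta term dominates, so the voting
    # architecture alone does not decide the SIL; 2oo3 (TMR) accepts a higher PFDavg
    # than 1oo2 in exchange for tolerance of spurious trips.
    for name, (pfd, sil) in compare_architectures(2e-6, 8760, 0.02).items():
        print(f"{name}: PFDavg = {pfd:.2e} -> SIL {sil}")
    # A shorter proof-test interval lowers every figure: linearly for the common-cause
    # term, faster for the independent term.
    print(f"2oo3, 6-month proof test: {pfd_avg(2, 3, 2e-6, 4380, 0.02):.2e}")
```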


Think about HOW you will apply the SIS

• Don’t leave the design of the SIS to the EPC alone

• You have good FS engineers – involve them in the design

• DON’T FORGET – PEMEX operations have to live with the SIS long after the EPC has left the site


Use technology creatively

• Don’t stay with old ideas and concepts

• Many new projects use old specifications ‘to save money’ – IT DOES NOT EVER SAVE MONEY


• EXAMPLE 1 – Remote I/O is a very economical way of creating local SIS enclosures


• EXAMPLE 2 – Use one redundant CPU for as many I/O as possible

• It’s cheaper than multiple CPU sets

• It’s safer than many CPU sets

• It’s more available than having many CPU sets


• EXAMPLE 3 – Run as many safety-related applications as possible in one CPU, together with the ESD

• Fire and Gas - can be cheaper and easier to maintain

• Turbomachinery control – easy to run as a separate ‘task’

• Burner Management

• etc

If this seems to break too many rules – ask yourself: “where did these rules come from?”

Work with Operations Maintenance

• Design and Implementation of SIS needs consultation with Maintenance

• Training

– Who

– When

– Why

• Maintenance Work Stations

– Should they be separate or part of the Control Room Operator responsibility?

• Spares supply and ‘shelf life’

• Consider supplier maintenance contracts – with redundant systems there is PLENTY of time for them to respond, within 4, 8 or 12 hours

• Use trained specialists to make changes and repairs to the SIS

New ideas about the DCS – SIS communications requirements

The safety responsibilities of the Contractor are totally different (diagram: Contractor’s responsibilities vs. Operator’s responsibilities)

It is the OPERATOR who has responsibility for safety – for the lifetime of the plant – so don’t leave this to the EPC!

The Operator must be involved with the decisions being made by the Contractor

Functional Safety methodology must be followed by the Contractor (who often gets support from Safety System suppliers like HIMA)

Technology changes fast

• but that is not an excuse to not be interested

• it’s an opportunity to get better systems

• newer systems provide increased ways of being safe

• New technology systems provide increased ways of being safe

• Process Automation needs ‘Best of Breed’ safety solutions

• Safety systems should be Harmonized throughout the plant

• The concept of the MAC should be challenged by the Operator

– It does not provide the SAFEST Safety System

– It does not provide the MOST AVAILABLE SIS

– The EPC will buy the CHEAPEST Safety System

• PEMEX should define which SIS they want – and make this a condition of the award to the EPC: the MAC becomes a Conditional MAC (C-MAC)

Since PEMEX is responsible, PEMEX should specify what is wanted

The myth of “Integrated Safety”

There is no such thing as an Integrated Control and Safety System

Safety must not be integrated into the Control System

(Diagram: blocks labelled DCS CONTROLLER and SAFETY)

Integrated Safety

(Same blocks labelled DCS CONTROLLER and SAFETY) – What’s this?

Connecting SIS to DCS

Some operators want management info to be passed from the SIS to the DCS for display and historization.

The data is passed via a standard communication bus (non-safe)

So there is no integration between SIS and DCS

(Diagram: SAFETY and DCS CONTROLLER blocks linked by the non-safe communication bus)

Conclusion 1: there is no such thing as an ICSS

Conclusion 2: there is no requirement for the DCS supplier to provide the SIS

Challenges of process safety implementation

Complex process operations need equipment to be HARMONISED

– Particularly safety equipment

– Complexity increases new risks

– Different safety products confuse maintenance engineers – Causes mistakes and shutdowns

– Or worse – accidents

Challenges of process safety implementation

Poor management

– lack of awareness

– lack of competency

– limited focus on optimizing production

– Ineffective communication

… Only solved with training


Challenges of process safety implementation

Technology transfer from one world region to countries with different culture and attitudes towards standards

– A shortage of process-specific experience

– Reduced know-how

. . . Solved by using global specialists with international coverage

Summary

All YOU need is:

– Know How – Know How – Know How

– Experience – Experience – Experience

– Competency - Competency – Competency

To achieve an adequate safety culture, the competency of every person working in the lifecycle of our process industry is becoming the ‘de facto standard’ for those who want to keep their plant safe and productive, and to avoid the very costly penalties and lawsuits that follow when things go wrong, as they have in the past.

Have COMPETENT people working and helping you, keeping YOUR plant FUNCTIONALLY SAFE. Nonstop.


Thank you for your attention