“These days, whenever I start hiring and training people at a new facility, I tell them that the absolute last thing I ever want to do is to have to call their family and say their dad or mom isn’t coming home,” says Duncan, who is now site manager at Bigler Terminals LP in Pasadena, Texas. “However, managing people is harder than managing equipment because people can change because of what’s happening to them outside their jobs. No one intends to harm themselves or their coworkers on purpose, but accidents and injuries happen because of a lack of knowledge or thought. Increasing throughput is always an outlying reason because people will put themselves in danger to get a job done and do what their managers ask of them.”
Damage resulting from the March 2005 explosion in an isomerization unit at BP Texas City, which killed 15 people and injured 170 others.
Bigler Terminals is a 50-tank terminaling facility that just opened in January 2007. A division of Bigler LP, it was previously BP’s chemical production facility in Pasadena.
“Before we could open our doors this past January, our first order of business was to develop specific operating procedures, a process safety management (PSM) plan, a hazardous operations (hazop) plan that complies with IEC 61511 and ISA S84 standards, and a management-of-change plan to document and review any changes or deviations, and file them with the PSM,” says Duncan. “We have a team that shares as much safety knowledge as it can. Developing our PSM and hazop plans was a team effort.”
Renovating the facility from production to storage required Bigler to remove smaller lines and install two larger transfer lines. In fact, as it brings new lines and tanks into its operation as business grows, Duncan says his company must do a hazop plan for each new component to evaluate its safety and show how it will fit into the overall facility and safety plan.
Neglecting History
Unfortunately, while most, if not all, process facilities have some kind of well-documented safety plan and ostensibly follow good engineering practices, some safety measures reportedly become outdated, neglected and/or bypassed in favor of maintaining 24/7 availability, uptime and production. For a few facilities, these lapses lead to trips, downtime, accidents and occasional catastrophes, such as the BP Texas City explosion in March 2005 that killed 15 and injured 170.
This tragedy caused the U.S. Occupational Safety and Health Administration (OSHA) to fine BP more than $21 million for safety violations, and reportedly forced the company to set aside $1.6 billion to pay more than 1,500 legal claims and promise to spend more than another $1 billion to upgrade its U.S. facilities.
The BP Texas City incident is just the latest in a series of well-known disasters, which typically result in litigation, occasional legislation and some increased regulatory enforcement. For example, the U.S. Chemical Safety and Hazard Investigation Board recently called on OSHA to increase its oversight of the U.S. refining industry.
“Texas City was a big wake up call,” says Bud Adler, business development director for AE Solutions, a system integrator in Greenville, S.C. “BP is demanding S84 compliance and setting very aggressive timetables because it doesn’t want to be embarrassed again, and everyone else is saying they don’t want it to happen to them either.”
This overall unease and uncertainty is reflected in the results of a 114-reader survey Control conducted earlier this year (see sidebar below). This poll revealed that 58% of respondents believe their company’s safety instrumented systems (SIS) are not up to date or complete, and that 57% use ISA S84’s grandfather clause to continue using older systems.
“We have five refineries near us, and they’ve got a lot of safety-related improvement projects, but there aren’t enough outfits to help meet their all their different demands,” says Alan Klingelhafer, automation engineering manager at Bay-Tec Engineering Inc. in Napa, Calif., a CSIA-certified system integrator. He adds that drugmakers’ use of flammable solvents and alcohol for sanitizing can make them just as dangerous as oil and gas applications. Food and beverage makers’ increasing use of ammonia also requires detection, monitoring and alarming devices.
“Process safety in many companies has suffered significantly from cost cutting and resource reductions over the last 10 years,” says Angela Summers, Ph.D., PE, president of Sis-Tech Solutions LLC, a process safety consulting firm in Houston, Texas. “I’m afraid that the incidents we’re seeing now are only the tip of the iceberg.
“Common sense is lost when it isn’t handed down by senior engineers mentoring young engineers,” Summers says. “Documented internal practices must be periodically updated to reflect current practices, and good engineering practices need to be published,” she continues. “In addition, changes in operability, functionality, reliability or maintainability expectations may require implementation of more rigorous design or management practices. Also, proof test, failure investigation, alarm, trip and audit reports may indicate the need for improvement, and users must continuously monitor existing system performance so gaps in common sense are closed.”
Looking at the sheer number of refinery accidents, it might seem that most happen at U.S. facilities, but there is little or no thorough, historical accounting to confirm this anecdotal evidence. One of the most current studies, published in 2004 in AIChE’s Process Safety Progress concluded, “We identified that: (a) there are some problems with the government databases, (b) even with these problems, some important information can be extracted, and (c) descriptions of accidents are especially useful and educational. Some surprising and useful conclusions have also been developed; e.g., (a) major accident performance is continuing to degrade, (b) although PSM may be making a mark, something else is needed to improve industry’s accident performance, and (c) runaway reactions continue to be a significant cause of major accidents.”
European and other facilities worldwide have had significant accidents, but apparently on a less regular basis than in the U.S. If there are more accidents in the U.S., some observers say it may simply be because the U.S. has more refining operations and capacity, or that Europe regulates more closely because its denser population puts its refineries generally closer to populated areas.
There’s less debate about the fact that regulators in Europe have greater authority than their U. S. counterparts to inspect and enforce process safety rules before plants are built, when they’re operating and after incidents occur, and that civil and criminal penalties are more severe for violators. The bulk of OSHA’s and other U.S. authorities’ regulatory presence occurs after accidents happen.
Going beyond guidelines, IEC 61511 has been adopted as national law in Spain, Belgium, the Netherlands and Australia. In fact, following one disaster, Australia’s government passed an industrial manslaughter law mandating jail time for plant managers found guilty of contributing to staff fatalities. According to former ExxonMobil safety guru and director of Invensys’ Premier Consulting Services, Bob Adamski, “We get lots of people from Australia going through our training classes to become TÜV-Certified Functional Safety Experts because they’ve found they can’t work without the certification.”
Though industrial regulations supposedly lag in the former Third World, several Asian nations with growing refining operations reportedly are studying European and Australian regulatory model and plan to adopt similar rules.
“When we recently proposed several jobs in Hong Kong and some smaller Asian countries, they all stated that we had to conform to IEC 61511,” reports Adler. “The larger, more sophisticated process applications are trying to follow these standards, but many of the mom and pops are fighting it kicking and screaming because they don’t understand that process safety can pay for itself.”
Substandard Use of Standards
Widely varying facilities, technologies, applications, risks and other factors make it hard to draft process safety standards that can be applied to all settings in each process industry, let alone one that can be applied across all of them.
Still, there are common threads, which led International Electrotechnical Commission’s (IEC) developers to draft its 61508 and 61511 standards and updates. ISA and its SP84 committee adopted IEC 61511 as the ANSI/ISA S84.00.01 standard and revised it in 2004. OSHA recently recognized S84 as one of its Recognized and Generally Accepted Good Engineering Practices.
One important difference between IEC 61511 and ISA S84 is a grandfather clause that encourages non-compliant applications to be updated, but allows them to continue operating if they’re doing so safely until the application is renovated or otherwise altered.
The grandfather clause, it should be clearly noted, is not a license to keep on with the status quo ante. As Dr. Summers noted in her article for Control, “The Grandfather Clause Is Not a Jolly Fat Man in a Red Suit” (August 2005), all that the grandfather clause does is provide for not having to do a “rip and replace” in order to assure compliance with current standards. You’re still expected to do all the engineering, training, testing and continuous improvement necessary to meet the current standards.
Summers adds the American Institute of Chemical Engineers’ (AIChE) Center for Chemical Process Safety is is publishing a new book, Guidelines for Safe and Reliable Instrumented Protective Systems (IPSs), to expand on the SP84 committee’s effort to address the development and implementation of a comprehensive management system.
“Where S84 focuses on the life cycle of one layer of instrumented protection—the SIS—this new IPS book provides requirements and guidance for any instrumented system identified as providing risk reduction during a process hazards analysis,” she says.
Instilling process safety standards into a firm’s core values isn’t easy, says Rick Dunn, consultant and senior project engineer in DuPont’s engineering division in Wilmington, Del. “Companies exist to make money, but more are recognizing that safety can pay for itself, and that a lack of safety can make their profit and revenues vanish,” he says. “S84 has been implemented into DuPont’s internal standards because we recognize that process safety pays.”
Certifications Sufficient?
Process safety technologies are evolving as rapidly as plant-floor applications and the standards that cover them.
Traditional process safety manufacturers, such as HIMA, Triconex and ICS Triplex, have been making redundant systems for many years. However, they’ve recently been joined by several dozen control system manufacturers, who report that safety and control devices can be more closely integrated, while their functions remain separate. Supporters of integrated SISs report that using multiple microprocessors gives their solutions enough computing power to do constant monitoring, test applications more frequently, conduct more internal diagnostics, trigger fewer nuisance trips and perform safe shutdown operations when needed.
“The old concept that a PLC can perform both BPCS and SIS has been repackaged by the vendors and given credibility by certification,” adds Summers. “This isn’t a new concept. The only thing that’s new is the ability to get it certified. This wasn’t allowed in previous process sector SIS standards, but is allowed in IEC 61508, since it covers other sectors, such as transportation, and medical, as well as manufacturing.”
Of course, any PLC with digital and analog I/O and appropriate algorithms can do both,” Summers continues. “The problem is that most process industry users don’t rigorously document, validate, control access to or manage changes to their control system. This is required when control systems and safety instrumented systems are combined.”
Dunn reports that users are implementing SISs in more new projects to see if they improve safety and integrate better with controls systems. “Certification helps, but there are many folks who don’t understand what this means,” says Dunn. “It’s still buyer beware out there. The end user is still responsible for the safety of his operation.”
Adler adds that, “Whatever SIS you pick, you must still look at the entire loop from the field to the control and back. You can install the best safety PLC ever, but if it’s applied improperly by relying on old transmitters and valves with bad measurements, then you haven’t accomplished anything.”
To-Do List for Safety
Despite the limitations of present standards and certifications and the variable applications where process safety is needed, there are some basic procedures that all must follow to implement it. Most versions of this laundry list are based on OSHA’s 1910.119 process safety management (PSM) of highly hazardous chemicals regulations (see sidebar), which tells users to perform a process hazard analysis (PHA).
- First, a risk analysis of the process application and facility must be done to determine what equipment and functions may need an SIS based on the probably of an adverse event occurring, especially one that’s undetected, and the consequences if one does happen.
- Second, users need to look at safety measures already in place in their facility, identify the gaps in what they have and what they need, and address these weak links in the recommendations for each application. A hazop analysis can identify particular risks, and S84 can help users choose devices with the right Safety Integrity Level (SIL) to include in their application. These performance-based risk calculations also are typically ranked according to each user’s pre-established corporate risk level.
- Third, once appropriate equipment is selected, users must calculate the failure on demand for each device, and fit them into the application’s overall loop and lifecycle.
Control's Exclusive SIS Market Study
To identify use and application trends of safety instrumented systems (SIS) among process automation professionals, Control conducted an electronic survey of 114 readers in February 2007. Key findings of the survey include:
- 58% of respondents believe their company’s SISs are not up to date or complete.
- 57% use ISA S84’s grandfather clause to continue using older systems.
- 79% audit their SISs’ compliance and 90% believe an ongoing compliance program is important.
- 31% have a program for partial-stroke testing of safety-control valves.
- 44% say a SIS should not be connected to a basic process control system (BPCS), while 56% say it’s safe to do so.
- 38% say the SIS should be independent, while 62% say it’s okay to have both systems on the same backplane.
- 34% say it’s desirable to communicate with the SIS from outside the plant, while 66% said this is unacceptable.
- 61% consider integrated SISs to be “very safe” or “reasonably safe.” 85% believe standalone SIS is “very safe” or “reasonably safe.” However, 5% say integrated SIS is “not very safe,” and 6% say they “would never use it.”
- 70% are unaware that there’s more than one TÜV agency for certifying SISs, while 11% agree that certifications from any TÜV agency are equivalent, and 11% say they’re not. Meanwhile, 34% are “not sure” and 44% “don’t know.”
OSHA's PSM Compliance Rules
U.S. Occupational Safety and Health Administration’s guidelines for complying with its 1910.119 process safety management (PSM) of highly hazardous chemicals regulations are the foundation for many individual PSM plans. Expanded versions of these rules are available online at www.osha.gov. In short, these guidelines instruct users to:
- Define the hazards of chemicals used in their processes; technology and equipment used; and show how employees are informed about safety issues
- Conduct a process hazard analysis (PHA)
- Describe the application’s operating procedures
- Demonstrate an employee training program
- Describe involvement by outside contractors
- Perform pre-startup safety reviews
- Evaluate mechanical integrity of equipment, including process defenses, written procedures, inspection and testing and quality assurance
- Describe non-routine work authorizations
- Conduct a managing-change program
- Perform incident investigations
- Demonstrate emergency preparedness
- Conduct compliance audits and provide for planning, staffing, performing the audit, completing it and taking corrective action