Being Safe, Thinking Safe, Staying Safe
The process engineer's commitment to safety, and how to deliver it

Introduction
Safety in PEMEX is a priority.
Priorities need methods and procedures if they are to be managed properly.
The consequences of failure are so great that some procedures need to be re-evaluated.
This means that safety requirements need to be specified in a different way.
Process engineers have had methods of evaluating risk for several years: HAZOP, Fault Tree Analysis.
But now technology gives huge opportunities.
Linking the technical possibilities with the realities of modern demands for productivity and profitability is the responsibility of whom???
Safety has to be part of the culture of EVERYONE: we are all responsible.

The cost of ignoring safety
$41,000,000,000 (= $41 billion): the amount allocated by BP for the overall costs of the Deepwater Horizon accident.
A totally avoidable accident, caused by poor management decisions and inadequate maintenance procedures.

Failures cost lives

Failures hurt the environment

The productivity loss ruins businesses

Learning what safety costs
Why is it so difficult to learn from the mistakes others have made?
Would you prefer to learn from the mistakes of others, or make them all yourself?
Certainly, you will learn better by making your own mistakes, but learning that way can be very risky and very expensive.
Modern history of industrial disasters: Flixborough, Nypro UK, 1st June 1974
Reactor 5 removed for maintenance.
Improper temporary connection made between Reactors 4 and 6.
Release of flammables caused a massive explosion: 28 killed and 36 others seriously injured.

Modern history of industrial disasters: Bhopal, Union Carbide India, 2-3 December 1984
3 tanks holding Methyl Isocyanate (MIC). MIC at temperatures >15 ºC decomposes into deadly components such as hydrocyanic acid or cyanide.
The 4 layers of protection were defeated by 1 common cause failure and operator / maintenance errors.
3,000 to 5,000 people killed by inhaling 41 tons of poisonous gas.
500,000 people were exposed to the deadly gas.
June 2010: 23,000 dead and counting.

Modern history of industrial disasters: Texas City, BP USA, 23rd March 2005
Several equipment failures; the safety culture was superficial.
15 killed, > 180 injured.
$21.3 million fine was paid to OSHA.
$700 million was reserved to compensate the victims.
> $2 billion set aside for development over 5 years at US BP plants.
Modern history of industrial disasters: the Texas City reports
Mogford report, Dec 2005: 192 pages
CSB final report, Mar 2007: 337 pages
Baker panel report, Jan 2007: 374 pages
HIMA 2008

Baker report findings
1. Inadequate process safety knowledge and training
2. Failure to follow specified procedures
3. Ineffective management of change reviews
4. No refinery-level management review system to monitor process safety performance
5. Inadequate review of practices against both internal and generally accepted external standards

Safety Review Panel's Recommendations
1. Process Safety Leadership
2. Integrated and Comprehensive Process Safety Management System
3. Process Safety Knowledge and Expertise
4. Process Safety Culture
5. Clearly Defined Expectations and Accountability for Process Safety
6. Support for Line Management
7. Leading and Lagging Performance Indicators for Process Safety
8. Process Safety Auditing
9. Board Monitoring
10. Industry Leader
Modern history of industrial disasters: Hertfordshire, UK, 11th December 2005
Massive fire at the Buncefield fuel depot, owned by Total & Chevron.
A single overfill protection/alarm failed, causing a spill that created a huge mist of fuel, which ignited.
> 1 billion Euro damage.

Again, reviews documented

Macondo Field, Gulf of Mexico
Most recently of all: Deepwater Horizon. This must make all Oil & Gas management review their values and their procedures.

Modern history of industrial disasters: Deepwater Horizon, BP, 21st April 2010
The environment in which the drilling took place, 5,000 feet below the ocean's surface, is extremely hazardous.
126 workers were on board at the time of the explosion; 11 people killed.
The huge environmental pollution is estimated at > 41,000,000,000 US$.
The US government holds BP solely responsible:
for the 11 lives lost,
for the catastrophic damage to the community,
for the reduction in BP shareholder dividend.

Preliminary analysis already released

Have we learned anything?
You would think so, but...

It seems that no one ever learns...
The Buncefield tank farm exploded on 11th December 2005, BUT it was not the first!

Organizations have NO memory!
Incidents that have similarities with Buncefield:
April 1962, Houston, Texas, USA
Jan 1977, Baytown, Texas, USA
Jan 1983, Texaco, Newark, New Jersey, USA
Dec 1985, Naples Harbour, Italy
Oct 1991, St Herblain, France
Jan 1993, Jacksonville, Florida, USA
Dec 1999, Laem Chabang, Thailand
Dec 2005, Buncefield, UK
Oct 2009, Jaipur IOC, India
The birth of Functional Safety
(Timeline graphic spanning 1964 to 2010, with year labels 64, 75, 81, 86, 89, 92, 93, 95, 96, 97, 98, 99, 00, 04, 10. The milestones shown, whose placement on the timeline is not recoverable from the text:)
Oil pipeline Italy-Germany: approval of a distributed electronic protective system
Dynamic, fail-safe HW systems for large installations
Book "Microcomputers in Safety Techniques" published
First microcomputer-based safety-related device
SW quality engineering for large DCS for conventional and nuclear power plants
HW and SW approval of distributed safety-related PES for the process and machinery industries
Accreditation scheme for test and certification bodies in Europe for safety and quality certification of HW and SW of industrial electronics
ISA 84.00.01 released
IEC 61508 released
Y2000 certification
National accreditation scheme for railroad equipment and information security
Certification of organizations and people
IEC 61511 = ANSI/ISA 84.00.01
IEC 61508 maintenance revision released
The most recent standards to emerge
1984: TUV Guidelines for PES (SK Safety Classes 1-9)
1987: HSE PES Guidelines, Parts 1 & 2
1989: DIN 19250 / VDE 0801 for PES (AK Safety Classes 1-8)
1994: Appendix to VDE 0801, Harmonisation Document
1996: ISA SP84, safety lifecycle, quantitative approach
1997: IEC 61508, safety lifecycle, quantitative and qualitative approach
2003: ANSI/ISA 84.01 = IEC 61511, Functional Safety: SIS for the process industry sector
2004: DIN 19250 withdrawn; introduction of the machine safety standard IEC 62061
Today: many more to come?

Safety Instrumented Systems (SIS) defined in USA and Europe, 1996-2004
Instrumentation, Systems, and Automation Society (ISA), ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industry, 1996 (revised 2004).
International Electrotechnical Commission (IEC), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector.
Both are performance-based standards.

Evolving Standards
IEC 61508 is an umbrella standard for functional safety across all industries.
Each industry then uses IEC 61508 as a guide to develop industry-specific standards:
IEC/AS 61511: Process industry
IEC 61513: Nuclear industry
IEC 62061: Machinery industry
Future: Rail, Medical, Automotive, Transport
Everyone now knows who is responsible

Functional safety was developed to prevent events like this

Functional Safety Standards
IEC 61508
IEC 61511: Process industry
EN 50128: Railway
IEC 60601: Medical
ISA S84.01: Process industry
IEC 61513: Nuclear industry
IEC 62061: Machinery
IEC 61800-5-2: Power drive systems

Evolving Standards: other standards reference the safety standards
FM AS 7605: Programmable Logic Controller (PLC) based Burner Management
FM AS 7610: Combustion safeguards and flame sensing
NFPA 85: Boiler and Combustion Systems Hazards Code
OSHA Process Safety Management and duty of care
Why do we need Functional Safety?
Analysis of 34 incidents, based on the 56 causes identified:
44%: Specifications
20%: Changes after commissioning
15%: Operations and maintenance
15%: Design and implementation
6%: Installation and commissioning
Source: "Out of control: Why control systems go wrong and how to prevent failure" (2nd edition, Health & Safety Executive, HSE UK)

HSE summary: analysis of incidents
The majority of incidents could have been anticipated if a systematic, risk-based approach had been used throughout the life of the system.
Safety principles are independent of the technology.
Situations are often missed through lack of a systematic approach.

HSE summary: design problems
Need to verify that the specification has been met
Over-dependence on a single channel of safety
Failure to verify software
Poor consideration of human factors

HSE summary: operational problems
Training of staff
Safety analysis
Management control procedures

Systematic Failures vs. Human Errors
44% of failures occurred when the systems did exactly what they had been designed and programmed to do, and failed anyway.
Less than 15% of accidents can be blamed on operator or maintenance error.
Bad things keep happening. Systems aren't perfect; stuff goes wrong.
We need to design for failure.

Systematic Failures or Human Errors?

If only we had known
"Accidents are not due to lack of knowledge but failure to use the knowledge we have." Lessons from Disaster (T. Kletz, 1993)

Functional Safety: what is it for?
Analyses possible hazardous events
Proposes the engineering which needs to be done
Helps maintenance to identify the processes needed to maintain safety

Human errors: an excuse for an accident?
Given the right conditions, all things succumb to human or systematic error: an operator makes a mistake closing a valve; a transmitter is left in test mode following repair; poorly trained engineers lead to bad maintenance; a hazard is poorly identified; etc.
Making the process safe
It's a commitment by the Operator:
to the people working in the plant,
to the community where the process equipment is located,
to the shareholders and partners.
REMEMBER: it is defined that the Operator is responsible for the safety of the plant.

Using technology to make things safer
"The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The dog will be there to keep the man from touching the equipment." Warren G. Bennis

Technology in SIS
Currently-used SIS logic solvers are very different in their design; they range in age from 1983 to the present day.
Originally, SAFETY was sacrificed in favour of AVAILABILITY.
The early designs needed a 2oo3 architecture to be able to reduce the PFD to acceptable (SIL 3) levels.
Finally the industry realised that TMR is only an architecture.

What matters in a logic solver?
Is it a system you can work with easily? People make mistakes when using / maintaining logic solvers which they don't understand.
Does it meet the required SIL level according to IEC 61511? If you still believe that TMR is better than 2oo4 or any other architecture, you are WRONG.
Can EPCs develop configurations and easily change those configurations later? EPCs never get the configuration right first time.
Can the logic solver work equally well with local or remote I/O? If not, you are limiting the flexibility of the design.

Choosing a SIS logic solver
Can the program be continuously edited with no need EVER to take the SIS offline? There is no need to accept that this limitation is unavoidable.
If you intend to follow the IEC 61511 recommendations, does the logic solver make it easy to do so? Think about PROOF TEST INTERVALS.
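The three slides above argue that a voting architecture (2oo3 / TMR, 2oo4) is only one input to the achieved SIL, and that the proof test interval matters just as much. The following worked example, added here and not part of the HIMA presentation, shows both points with numbers. It uses the simplified low-demand PFDavg approximations from IEC 61508-6 with a beta-factor common-cause term; repair time and diagnostic coverage are ignored, and the channel failure rate (5e-7 dangerous undetected failures per hour) and beta value (5%) are constructed sample values, not figures from the slides. The functions pfd_avg, sil_from_pfd and max_proof_test_interval_h are illustrative names chosen for this example.

```python
"""Average PFD of SIS voting architectures versus proof-test interval.

Added illustration (not HIMA's material) using the simplified low-demand
approximations from IEC 61508-6 with a beta-factor common-cause term. Repair
time and diagnostic coverage are ignored: a stated simplification.
"""

# Upper PFDavg limit of each SIL band in low-demand mode (IEC 61508-1).
SIL_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

HOURS_PER_YEAR = 8760.0


def pfd_avg(arch: str, lambda_du: float, t_proof_h: float, beta: float = 0.0) -> float:
    """Average probability of failure on demand for one safety function.

    arch:       voting architecture, one of 1oo1, 1oo2, 2oo3, 2oo4
    lambda_du:  dangerous undetected failure rate per channel (1/h)
    t_proof_h:  proof-test interval (h); undetected faults persist until then
    beta:       fraction of failures that hit all channels at once (common cause)
    """
    full = lambda_du * t_proof_h          # expected dangerous faults per channel per interval
    if arch == "1oo1":
        return full / 2.0                 # single channel: nothing to share a common cause with
    lt = (1.0 - beta) * full              # independent part of each channel's lambda*T
    independent = {
        "1oo2": lt ** 2 / 3.0,            # both channels must fail dangerously
        "2oo3": lt ** 2,                  # any two of three (3 pairs, averaged over T)
        "2oo4": lt ** 3,                  # any three of four (4 triples, averaged over T)
    }
    if arch not in independent:
        raise ValueError(f"unknown architecture {arch!r}")
    # The common-cause part behaves like a single 1oo1 channel with rate beta*lambda_du.
    return independent[arch] + beta * full / 2.0


def sil_from_pfd(pfd: float) -> int:
    """SIL band reached by a PFDavg value; 0 means worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_UPPER_LIMIT[sil]:
            return sil
    return 0


def max_proof_test_interval_h(arch, lambda_du, beta, target_sil, horizon_h=20 * HOURS_PER_YEAR):
    """Longest proof-test interval (h) that still keeps the target SIL band.

    PFDavg grows monotonically with the interval, so bisection on [0, horizon]
    finds the crossing point; the horizon is returned if it is never reached.
    """
    limit = SIL_UPPER_LIMIT[target_sil]
    if pfd_avg(arch, lambda_du, horizon_h, beta) < limit:
        return float(horizon_h)
    lo, hi = 0.0, float(horizon_h)
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if pfd_avg(arch, lambda_du, mid, beta) < limit:
            lo = mid
        else:
            hi = mid
    return lo


def compare_architectures(lambda_du, t_proof_h, beta):
    """PFDavg and SIL for every architecture at one failure rate, interval and beta."""
    result = {}
    for arch in ("1oo1", "1oo2", "2oo3", "2oo4"):
        pfd = pfd_avg(arch, lambda_du, t_proof_h, beta)
        result[arch] = (pfd, sil_from_pfd(pfd))
    return result


if __name__ == "__main__":
    # Constructed sample channel: 5e-7 dangerous undetected failures per hour.
    LAMBDA_DU = 5e-7
    for beta in (0.0, 0.05):
        print(f"beta = {beta:.2f}, proof test every 12 months")
        for arch, (pfd, sil) in compare_architectures(LAMBDA_DU, HOURS_PER_YEAR, beta).items():
            print(f"  {arch}: PFDavg = {pfd:.2e}  -> SIL {sil}")
    for arch in ("1oo1", "2oo3", "2oo4"):
        t = max_proof_test_interval_h(arch, LAMBDA_DU, 0.05, target_sil=3)
        print(f"{arch} keeps SIL 3 with a proof test every {t / HOURS_PER_YEAR:.1f} years")
```

With the channels treated as fully independent (beta = 0) the architectures rank as expected, 2oo4 below 1oo2 below 2oo3 below 1oo1. As soon as a realistic common-cause fraction is included, the beta term dominates every redundant arrangement and 2oo3 and 2oo4 land within a few percent of each other, which is the point of "TMR is only an architecture". The last loop shows the other lever: at this failure rate a single 1oo1 channel keeps SIL 3 only with a proof test roughly every five and a half months, while the redundant arrangements stretch the interval to about five years, so the logic solver's support for on-line proof testing is a SIL question, not a convenience.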
Think about HOW you will apply the SIS
Don't leave the design of the SIS to the EPC alone.
You have good FS engineers: involve them in the design.
DON'T FORGET: PEMEX operations have to live with the SIS long after the EPC has left the site.
Use technology creatively
Don't stay with old ideas and concepts.
Many new projects use old specifications to save money. IT DOES NOT EVER SAVE MONEY.

Use technology creatively: EXAMPLE 1
Remote I/O is a very economical way of creating local SIS enclosures.

Use technology creatively: EXAMPLE 2
Use one redundant CPU for as many I/O as possible:
it's cheaper than multiple CPU sets,
it's safer than many CPU sets,
it's more available than having many CPU sets.

Use technology creatively: EXAMPLE 3
Run as many safety-related applications as possible in one CPU, together with the ESD:
Fire and Gas: can be cheaper and easier to maintain
Turbomachinery control: easy to run as a separate task
Burner Management, etc.
If this seems to break too many rules, ask yourself: where did these rules come from?

Work with Operations and Maintenance
Design and implementation of the SIS needs consultation with Maintenance.
Training: who, when, why.
Maintenance workstations: should they be separate, or part of the control room operator's responsibility?
Spares supply and shelf life.
Consider supplier maintenance contracts: with redundant systems there is PLENTY of time for them to respond, within 4, 8 or 12 hours.
Use trained specialists to make changes and repairs to the SIS.

New ideas about the DCS / SIS communications requirements
Operator's responsibilities vs. Contractor's responsibilities: the safety responsibilities of the Contractor are totally different.
It is the OPERATOR who has responsibility for safety for the lifetime of the plant, so don't leave this to the EPC!

The Operator must be involved with the decisions being made by the Contractor.
Functional Safety methodology must be followed by the Contractor (who often gets support from safety system suppliers like HIMA).
Technology changes fast, but that is not an excuse to not be interested; it's an opportunity to get better systems. Newer systems provide increased ways of being safe.

Since PEMEX is responsible, PEMEX should specify what is wanted
New technology systems provide increased ways of being safe.
Process automation needs best-of-breed safety solutions.
Safety systems should be harmonized throughout the plant.
The concept of the MAC should be challenged by the Operator:
it does not provide the SAFEST safety system,
it does not provide the MOST AVAILABLE SIS,
the EPC will buy the CHEAPEST safety system.
PEMEX should define which SIS they want and make this a condition of the award to the EPC: the MAC becomes a Conditional MAC (C-MAC).
The myth of Integrated Safety
There is no such thing as an Integrated Control and Safety System.
Safety must not be integrated into the Control System.
(Diagram: DCS controller, DCS controller, Safety, Safety)

Integrated Safety
(Diagram: DCS controller, DCS controller, Safety, Safety) What's this?

Connecting SIS to DCS
(Diagram: DCS controller, Safety)
Some operators want management information to be passed from the SIS to the DCS for display and historization.
The data is passed via a standard (non-safe) communication bus.
So there is no integration between SIS and DCS.
Conclusion 1: there is no such thing as an ICSS.
Conclusion 2: there is no requirement for the DCS supplier to provide the SIS.

Challenges of process safety implementation
Complex process operations need equipment to be HARMONISED, particularly safety equipment.
Complexity increases new risks.
Different safety products confuse maintenance engineers, causing mistakes and shutdowns, or worse: accidents.

Challenges of process safety implementation
Poor management: lack of awareness, lack of competency, limited focus on optimizing production.
Ineffective communication.
Only solved with training.

Challenges of process safety implementation
Technology transfer from one world region to countries with different cultures and attitudes towards standards.
A shortage of process-specific experience.
Reduced know-how...
Solved by using global specialists with international coverage.

Summary
All YOU need is:
Know-how, know-how, know-how
Experience, experience, experience
Competency, competency, competency
In order to achieve an adequate safety culture, competency of every human being working in the lifecycle of our process industry is becoming the de facto standard for those who want to keep their plant safe and productive, and avoid the very costly penalties and lawsuits should things go wrong as they have in the past.

Have COMPETENT people working with and helping you keep YOUR plant FUNCTIONALLY SAFE. Nonstop.

Thank you for your attention