A.M. (Tony) Downes CCPSC 26 September 2017 Honeywell Internal IMPLEMENTING PROCESS SAFETY KPI SUITE AT A WORLD-SCALE HFO UNIT
Agenda 1 - Managing risks transparently - LOPA and the Integrity of the Layers What happens if/when the Layers/barriers don t work? (worked example) Common problems - Honeywell PMT s new HFO Unit How it s protected How we ensure the Layers stay in place - Operating and Maintaining so the Risk stays in the Green Regulatory requirements (PHA in the US) Consensus Standards give some guidance but aren t prescriptive Who does What? - Using Process Safety Analyzer and KPI Suite to manage the layers Enabling site-level automation specialists FSA in use - What leaders want to know COMMUNITY EMERGENCY RESPONSE PLANT EMERGENCY RESPONSE MITIGATION Mechanical Mitigation Systems Safety Instrumented Control Systems Safety Instrumented Mitigation Systems PREVENTION Mechanical Protection System Process Alarms Operator Supervision Safety Instrumented Control Systems Safety Instrumented Prevention Systems Basic Process Control Systems Monitoring Systems (process alarms) Operator Supervision Process Design - What is Honeywell doing differently? Real-time Risk Display & Corporate KPI Transparency
A Little About the Presenter 2 Led over 100 PHAs Did first LOPA in 1999 Led over 100 Incident Investigations Launched 4 Risk Reduction programs A.M. (Tony) Downes Global HSE Advisor 1978-1988 DuPont Canada. Project Eng, Process Eng, Product Development, Maintenance Eng, Project Manager 1988-1992 Bayer Canada, Supervisor LPE 1992-2001 Westlake Group, Principle PS Eng. 2001-2010 FMC. Global Safety & Sec. Mgr 2010-2017 Honeywell PMT Global PS Advisor CCPS Tech Steering and Planning Cmtes CCPS Certified Process Safety Engineer Everything I know about Process Safety, I learned in an investigation
Glossary of Terms American Term PHA LOPA PFD IEF BL What it generally means The Hazard and Operability Study (HAZOP) Layer of Protection Analysis, often done separately from the PHA. Often done selectively on bigger hazards or bigger risks. Usually involves deeper experts. Probability of Failure on Demand Initiating Event Frequency Base Likelihood (years -1 ) similar to IEF. 3 Honeywell Advanced Materials new Low-Global-Warming Refrigerant Plant in Geismar, LA
Basic Process Control Systems Monitoring Systems (process alarms) Operator Supervision Managing Risks Transparently 4 Like many operating companies, Honeywell Performance Materials does HAZOPS, has a Risk Matrix & has adopted Layer of Protection Analysis and international standards to reduce risks IEC 61511 COMMUNITY EMERGENCY RESPONSE PLANT EMERGENCY RESPONSE MITIGATION Mechanical Mitigation Systems Safety Instrumented Control Systems Safety Instrumented Mitigation Systems PREVENTION Mechanical Protection System Process Alarms Operator Supervision Safety Instrumented Control Systems Safety Instrumented Prevention Systems Process Design Senior VP Major Chemical Company What s my risk TODAY? Are all these systems functional? Am I achieving Green? Where is effort needed? What do I need to watch for? Business Director Major Chemical Company Why do I have to spend all this money?
LOPA and the Integrity of the Layers 5 Focus on the BPCS and SIS Layers COMMUNITY EMERGENCY RESPONSE PLANT EMERGENCY RESPONSE MITIGATION Mechanical Mitigation Systems Safety Instrumented Control Systems Safety Instrumented Mitigation Systems PREVENTION Mechanical Protection System Process Alarms Operator Supervision Safety Instrumented Control Systems Safety Instrumented Prevention Systems Basic Process Control Systems Monitoring Systems (process alarms) Operator Supervision Process Design Two key questions: 1. How steady is the control system (BPCS Layer)? - Any critical control loops Degraded? - What is the Initiating Event Frequency really? 2. Is the SIS Prevention layer ready? - Is it Degraded in any way today? - How did it perform during last Demand (Real or Spurious)? - What is the RRF/PFDavg over the past year or so?
What Happens if/when the Layers/Barriers Don t Work? 6 Example: Gasoline Tank Overflow Fire Initiating Event: LIT Error. IEF ~1/10 years 1 Safety Interlock: LSHH XZV SIL2 2 Conditional Modifier: Prob. Of Ignition ~0.99 3 Combined Probability of Fire ~ 0.001/year 1. Typical failure rate from CCPS LOPA Book. 2. Assumed RRF of 100 (PFD = 0.01 3. CCPS POI Tool for heptane at 60degF:POII ~.01; PODI ~0.99 POEGI ~0.5 Some potential problems Process measuring device faults (sticking) XZV fails to shut XZV closes, but slowly (degraded) LSHH Fail-dangerous unrevealed LSHH HHH HH H LIT LSHH left in bypass after trip test HV XZV
New HFO Unit (Overpressure Protection) 7 Two Different Columns There is a possibility of overpressure if the column pressure control loop fails Both have similar Overpressure SIFs and PSVs Design meets criteria PSH PIC PZIT PCV 1. How well is it working today? 2. How can we be assured we are in the Green year after year?
Calculating Risks is Complicated, but Do-able 8 RRRRRRRRRRRRRRRR SSSSSSSSSSSSSSSS = CCCCCCCCCCCCCCCCCCCCCC xx LLLLLLLLLLLLLLLLLLL LLLLLLLLLLLLLLLLLLL = (IIIIII xx PPPPPPP xx PPPPPPP eeeeee)
It s really an estimate of Risk 9 PHA teams estimate the Base Likelihood. - Likely based on typical industry probabilities and within an order of magnitude - A number of good references available these days - Teams have a bias towards Underestimating likelihood It s not simple to maintain a SIL2 PFD of 0.01 over a long time. Can we get more accurate numbers from our own facilities?
Leveraging Data to Ensure Safe Operations 10 Challenges Multiple, inconsistent data sources. Heavy dependence on spreadsheets and increasingly scarce skills. Little use of modern analytical tools as focus is on historical analysis, not prediction. Limited embedded intelligence and learning. Consequences Decisions are slow and not the best.
Process Safety Analyzer 11 Shutdown Analyzer Final Element Scout SIL Reporting
PSA - Shutdown Analyzer 12 Verifies that SIFs performed as expected by tracking SIF inputs and outputs against the C&E Matrix Analysis is done automatically. Highlights problems so: - Engineers can save time and focus on Solving any Problems - Operators know that valves reached the safe state. Speeds safe Restart after trip - Maintenance can focus on valves that had problems (Stuck or Slow) Cause and Effect Matrix All together, as a Structured data element
Shutdown Analyzer Outputs 13 - SingleEvent view for Operators - Engineer view (e.g. with more equipment information, etc.) - Blowdown view
PSA Safety Element Scout 14 Configurable to suit user requirements. Examples of information provided includes: - OK operations => command and response received within maximum travel time limit, including calculation of actual travel time - Operations with long travel time or travel time exceeding a warning limit - Failed operations (e.g. operations with no command or no response) Also provides: Trending of travel time Alerts to an AMS (e.g. Asset Sentinel) Long travel time Travel time warning Add operator or engineer comments
15 Consensus Standards Give Guidance but Don t Say HOW IEC61511: 16.2.2 tells us to develop the information which needs to be maintained on system failure and demand rates on the SIS and the information which needs to be maintained showing results of audits and tests on the SIS and have procedures for analysing systematic failures. 16.2.6 Discrepancies between expected behaviour and actual behaviour of the SIS shall be Analysed This shall include monitoring the following: the actions taken following a demand on the system; the failures of equipment forming part of the SIS established during routine testing or actual demand; the cause of the demands; the cause of false trips. It is very important that ALL discrepancies between expected behaviour and actual behaviour are analysed.
16 Functional Safety Assessment During Operations 16.3.1.5 At some periodic interval (determined by the user), the frequency of testing shall be reevaluated based on various factors including historical test data, plant experience, hardware degradation, and software reliability. Do this during the PHA Revalidation?
PSA SIL Reporting 17 Demand Report Test Interval Report Failure Rate Report Final Element Verification Report Valve Stroke Report
PSA SIL Reports Examples Test Interval Report Demand Overview Report 18
PSA SIL Reports Examples 19 Drill down on «bad actors» Final Element Verification Report
Functional Safety Assessment (FSA), Clause 5.2.6 20 FSA in 1 st edition was focused during the design phase up to and including the commissioning. In the 2 nd edition it is required to have a FSA to go through the impact assessment before start of the modification and also periodically during FSA during operation. The new requirements with regards to FSA are more strict ( Shall ) and more specific than before. We expected to see an increased number of FSA s connected to operation and modifications.
Distributed Responsibilities 21 - Process Safety focus on Consequences & IEF of Causes Not Underestimated? Credited Safeguards actually effective against the Cause and/or Consequences? - Engineering, Technical & Mechanical Maintenance look at the Relief Valves Calculations on file? All cases considered? Big enough? In the Preventive Maintenance Program? Inspected/Tested per schedule? Passed Pre-pop test OK? - Automation & Instrument Maintenance look at the SIS Interlocks (SIFs) SRS on file? In the C&E matrix? In the Preventive Maintenance Program? Inspected/Tested per schedule? Passed as-found test OK? RRRRRRRRRRRRRRRR SSSSSSSSSSSSSSSS = CCCCCCCCCCCCCCCCCCCCCC xx (IIIIII xx PPPPPP SSSSSS 1 xx PPPPPP PPPPPP eeeeee) Who is closing the loop?
IEC-61511 Automation Architecture Assess & Design IEC-61511 Hazard and risk assessment CSFE Assessment Facilitators PHA / HAZOP Docs Action Tracking Clause 8 IEC Requirements Eng g Services Deliverables Products 22 Automated Roll-up KPI Reports Operate & Maintain Data Entry via Forms, Checklists, Picklists Data Entry via Forms, Checklists, Picklists Cloud Database, Analytics & Reporting Engines Data mapping PSA Historian SIS KPI Suite Assess, Design, Implement Deliverables, Metrics & Reports O&M Metrics/KPI s, Reports CMMS / SAP SIS Safety Req t Spec TUV-certified Functional Design SRS Docs Clauses 10/12 Stage 1 SIS Design & Engineering TUV-certified Detailed Design Design Specs / C&E / Test Docs Clauses 10/12 Stage 2 SIS Implementation TUV-certified & I&C Engineers As-Built Updates to All Docs SIL2/3 SIS, SW, Instruments Clauses 14/15 SIS Operation & Maintenance SIS Engineers Corp, Site, Unit & Device Metrics Demand & Bypass Tracking Proven in Use Failure Data Proof Test Tracking Root-cause analysis of trips Software Clause 16 SIS Modification TUV-certified Engineers As-Built Updates to All Docs SIL2/3 SIS, SW, Instruments Clause 17 Allocation to protection layers CSFE LOPA, SIL Study Facilitators LOPA Docs SIL Calcs, Docs Clause 9 Stage 3 Stage 4 Stage 5 Decommissioning Design non-sil IPL s and other risk-reduction measures (e.g. Operator Alarms/Actions BPCS interlocks) Controls Design IPL Design Specs Clause 9 Non-SIS Implementation I&C Engineers As-Built Updates to All Docs BPCS, SW, Instruments Clauses 14/15 Non-SIS O&M I&C Engineers Corp, Site, Unit & Device Metrics Demand & Bypass Tracking Operator Alarm/Action Tracking Proof Test Tracking Root-cause of IPL demand Software Clause 16 Non-SIS Modification Controls Engineers As-Built Updates to All Docs BPCS, SW, Instruments Clause 17 Clause 18 Management of Functional Safety Clause 5 Organization, Processes & Procedures for Risk Mgmt Planning Execution Assessment Audit Safety Lifecycle Req ts Clause 6.2 As Defined in Clauses 8-17 Verification Clauses 7/12.4/12.7 Processes, Procedures & Records to Verify All Stages
Real-time Risk on Heat Map display Multiple Tools to Drill down for Details 23 IEF SIF PSV Configurable Outputs to suit your needs
Calculating and Summing Risks is Complicated, but Do-able 24 PHA and LOPA teams look at scenarios one-by-one Compare risk from each scenario to corporate risk criteria RRRRRRRRRRRRRRRR SSSSSSSSSSSSSSSS = CCCCCCCCCCCCCCCCCCCCCC xx (IIIIII xx PPPPPP 1 xx PPPPPP 2 eeeeee) If you re a Plant Manager or Operations VP or CEO, you re interested in the Big Picture TTTTTTTTTT CCCCCCCCCCCCCCCCCC RRRRRRRR = # SSiiiiiiss # UUUUUUUUUU aaaa ssssssss # HHHHHHHHHHHHHH SSSSSSSS kk UUUUUUUU jj CCCCCCCCCCCCCCCCCCCCCC ii LLLLLLLLLLLLLLLLLLL ii 1 1 1 You want to understand the risk from All the scenarios. - You want assurance that the safeguards are all in place and working properly - You want problems to be escalated and fixed
What keeps CEOs up at Night? 25 Managing a high hazard business requires oversight and transparency Better to know than not know 2015 by Honeywell International Inc. All rights reserved. Where are your weak links?
Process Safety Multi-Site Safety Function Analytics 26 Compare SIF types across units and sites Capture proven-in-use data for SIF elements Track SIF overrides, bypasses across units and sites Cloud Analytics Roll-up reports via email or to your device. Drill-down links Expected SIF Behavior from Cause/Effects Cloud Data Consolidation DCS/SIS Process Data Sequence of Events, Event Log Device information 2015 by Honeywell International Inc. All rights reserved. Connected Plant = Improved Safety
Plant & Personnel Safety 28 Assessment/Engineering COMMUNITY EMERGENCY RESPONSE Personnel Safety - Organizational Readiness & Compliance Personnel Safety - Hazardous-Condition Exposure PLANT EMERGENCY RESPONSE Command & Control Suite Process Safety - Multi-Site Safety Function Analytics MITIGATION Mechanical Mitigation Systems Safety Instrumented Control Systems Safety Instrumented Mitigation Systems PREVENTION Mechanical Protection System Process Alarms Operator Supervision Safety Instrumented Control Systems Safety Instrumented Prevention Systems Basic Process Control Systems Monitoring Systems (process alarms) Operator Supervision Process Design Connected Worker/Safety Suite Security & Fire Protection Safety Manager Gas Detection Honeywell has solutions for all the Layers of Protection inside the plant
29
Why Is Honeywell Different? 30 Data Analysis Results Not just a DIY platform and toolbox Embedded models. Embedded knowledge. Not just data scientists keen to have a go Leverages extensive experience along with state of the art analytics. Solve real-world problems to deliver improvements fast
31 Asset Sentinel enables many display possibilities