An effective process safety management program requires a systematic approach to evaluating the whole process, including the process design, technology, operational and maintenance activities and procedures, emergency preparedness plans and procedures, training programs and other elements that impact the process, said Julien Chouinard during his ASC 2013 session, “Process Safety: What EHS Managers Should Know About Standards, Technology and Best Practices.”
Chouinard, who is the business director for critical control at Rockwell Automation, opened his session with some grim reminders of process safety failures. These incidents, he added, served as wake-up calls for the UK, Europe, Asia and the United States:
- 1974: Flixborough (UK) – 28 deaths, > 100 injuries
- 1976: Seveso (Italy) – Major dioxin release
- 1984: Bhopal (India) – > 3,000 deaths, 200,000 injuries
- 1988: Piper Alpha (UK) – 167 deaths, destruction of platform
- 1989: Pasadena (Texas) – 23 deaths, > 130 injuries
- 2005: Texas City (Texas) – 15 deaths, 180 injuries
- 2010: Deepwater Horizon platform (Gulf of Mexico) – 11 deaths, 210 million-gallon oil spill
Sharing figures from the UK Health and Safety Executive, he said control system incidents are attributable to several causes:
- 44 percent incorrect and incomplete specification
- 20 percent changes after commissioning
- 15 percent operations and maintenance
- 15 percent design and implementation
- 6 percent installation and commissioning
“Functional safety standards address all of these issues,” he added.
How Process Safety Works
What is process safety? Essentially, when you are doing process control, said Chouinard, you ideally have everything under control. You have a piece of equipment that you are trying to maintain within operational ranges. For example, if you have pressure in a system, you want to maintain that pressure within a given range.
There is a basic process control system (BPCS) that looks at the process parameters and holds the pressure within the expected range. Beyond the BPCS, protection is a series of interventions that the process goes through should things get out of the expected range.
The first step is operator intervention. Alarms will ring and the operator will look at the actual process and try to act – based on the training he or she has received – to reduce the conditions or keep the conditions within control.
If the operator cannot do this, then the emergency shutdown system should kick in. It will trip and try to shut down the process or even the entire plant. Chances are, this will work.
If this doesn’t work, said Chouinard, then the relief valve will start releasing the pressure in the system. “At this point, we’re not protecting or preventing the events from occurring, we’re trying to contain the problem … [and] help prevent a catastrophe from happening,” he pointed out.
“When we talk about process safety, we talk about trying to keep the system in the prevention zone and never have to go to the mitigation zone. However, we have to plan for all possibilities,” said Chouinard.
He said the other type of system, other than the BPCS, is the safety instrumented system (SIS), which is “composed of sensors, logic solvers and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.”
So, he said, facilities have a basic process control system and a second system that monitors the same pressure levels as the BPCS; at some given point, the SIS will decide to use the shutdown valve to make sure the pressure doesn’t reach a level where that vessel can explode.
“SIS is passive. It doesn’t do anything,” said Chouinard. “It might sit there for six years without doing anything. But at some point, the pressure might go up and it will have to kick in.”
Reduce the Probability of Failure
The tragedies mentioned by Chouinard at the beginning of his talk happened because either the prevention layer (the BPCS) failed or the system was not up to the task of managing that process.
What safety professionals and engineers need to do is “implement procedures to reduce the risk of that hazard causing harm,” said Chouinard.
They must first identify the risk, which in his example, was that the vessel might explode. Then, they need to determine the risk reduction they want to bring to that risk to avoid that explosion.
According to Chouinard, processes should be evaluated by looking at the safety integrity level, which is the measure of the risk associated with a specific hazard that’s been identified.
Chouinard said there are two failure modes to consider. One is what he calls a “safe failure,” which means the safety instrumented system shuts the process or facility down and there’s no harm.
There also are “dangerous failures,” which means that if they do happen, they will cause harm. “When a demand occurs – a specific situation occurs where we have a dangerous condition – and the system was unavailable, then we will have an accident,” said Chouinard. “We want to make sure we never have a demand and [have the SIS] not be available. The SIL level is a measure of the risk of a demand occurring and the system not being available.”
His suggestion for understanding the risks at facilities is to determine the actual risk posed by each task or part of the process. In other words, he adds, it comes down to “the probability of failure on demand.”
The actual measure can be rated zero through four. With a SIL of 1, the safety and engineering departments accept that one out of 10 demands may result in system failure. A SIL of 2 means one in 100 demands will result in system failure. “We can support a higher risk because the system is more reliable,” said Chouinard. SIL 3 means one in 1,000 demands will result in failure.
“When you have a plant, you might have one, two, 10, 100, 1,000 safety functions that all have different SIL ratings and you need to take each of them into consideration, look at them in isolation, do a thorough analysis of all the consequences and impact of that specific hazard,” he said.
“Look at them as individual elements but also look at them as a whole, and what could happen if we combined those elements in a given situation,” Chouinard suggested. “For example, we had a fire here and we thought that pipe there was pretty safe but the fire caused the pipe to burst. We want to avoid that, so we have to take that into consideration.”
He said that one approach that has proved effective for selecting the SIL is a risk graph. Look at the consequences of that hazard if the event occurs: will there be minor injuries, serious injuries, one death, several deaths or many deaths? How often can that event occur: rarely, frequently or continually? Can you avoid that risk, or is it almost impossible to avoid? What is the probability of occurrence: very slight, slight or relatively high?
He suggested safety professionals ask these questions:
- Do we have to do this?
- What level of risk is tolerable?
- Which system is “suitable”?
- What technology should be used: Relay, solid state, PLC or TMR (Triple Modular Redundant)?
- What level of redundancy is appropriate: Single, dual or triple?
- How often should systems be tested: Quarterly, yearly or per shutdown?
- What about field devices: Technology, level of redundancy, etc.?
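The SIL arithmetic described above (probability of failure on demand, one in 10/100/1,000 demands) and the testing-interval question in the list can be worked through in code. This is an added example, not material from Chouinard’s talk: the SIL 4 bound and the single-channel average-PFD formula (λ_DU × T / 2) are the standard IEC 61508 simplifications, and the demand rates, tolerable frequencies and failure rates are constructed sample values.

```python
"""Added example: SIL selection from probability of failure on demand (PFD)."""
from dataclasses import dataclass

# Upper bound on average PFD for each SIL, per the talk's "one in 10 / 100 / 1,000"
# phrasing; the SIL 4 bound (1 in 10,000) is the IEC 61508 figure, added here.
SIL_MAX_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose PFD bound the given average PFD meets; 0 means no SIL claim."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must be a probability in (0, 1]")
    best = 0
    for level, bound in SIL_MAX_PFD.items():
        if pfd <= bound:
            best = level
    return best


@dataclass
class SafetyFunction:
    """One safety instrumented function, e.g. high-pressure trip on a vessel (constructed)."""
    name: str
    demand_rate: float          # demands per year on the SIS with no protection credited
    tolerable_frequency: float  # tolerable frequency of the harmful outcome, per year

    def required_rrf(self) -> float:
        """Risk reduction factor the SIS must deliver."""
        return self.demand_rate / self.tolerable_frequency

    def target_pfd(self) -> float:
        """Target average PFD; capped at 1.0 when no reduction is needed at all."""
        return min(1.0, 1.0 / self.required_rrf())

    def required_sil(self) -> int:
        return sil_from_pfd(self.target_pfd())


def pfd_avg_1oo1(lambda_du: float, test_interval_years: float) -> float:
    """Average PFD of a single (1oo1) channel with dangerous-undetected failure rate
    lambda_du (per year) proof-tested every test_interval_years: lambda_du * T / 2.
    A dormant SIS accumulates undetected failures until the next proof test, which is
    why the testing interval in the list above matters as much as the hardware."""
    return lambda_du * test_interval_years / 2.0


def sil_achieved(lambda_du: float, test_interval_years: float) -> int:
    """SIL band a 1oo1 channel reaches for a given proof-test interval."""
    return sil_from_pfd(pfd_avg_1oo1(lambda_du, test_interval_years))


if __name__ == "__main__":
    vessel = SafetyFunction("vessel overpressure trip", demand_rate=0.1, tolerable_frequency=2e-5)
    print(vessel.name, "needs RRF", vessel.required_rrf(), "-> SIL", vessel.required_sil())
    for interval in (1.0, 0.25):   # yearly vs quarterly proof test
        print("test every", interval, "yr -> SIL", sil_achieved(0.03, interval))
```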
Always remember one thing when dealing with process safety, said Chouinard: “A system can and will fail.” But just because it fails doesn’t mean a catastrophe will occur.
The difference between another day at work and a tragedy that destroys facilities, lives and reputations is all in the risk assessment, planning and prevention.