A process of elimination
01 March 2008

Mercifully, serious incidents in the process industries are few and far between. Sadly, however, when they do happen, they're devastating. Consider Flixborough back in 1974, Piper Alpha in the North Sea in 1988 and, much more recently, Buncefield and BP Texas City. So it's against this background that we now operate chemical, petrochemical and similar hazardous process plants in tightly regulated environments.

Relevant standards include BS EN 60079 and BS EN 13463 (electrical and mechanical protection respectively) from the European ATEX framework - itself based on two directives, 99/92/EC (ATEX 137, the ATEX Workplace Directive) and 94/9/EC (ATEX 95, the ATEX Equipment Directive) - and DSEAR (the Dangerous Substances and Explosive Atmospheres Regulations). Also key is BS IEC 61511 - the process industries' version of BS EN 61508 (functional safety, safety instrumented systems, SIS), not as yet harmonised under a single directive. And there is COMAH (the Control of Major Accident Hazards regulations) - derived from the Seveso II directive (96/82/EC, amended in 2005 by 2003/105/EC).

So much for the nomenclature, but what do the directives mean for plant engineers and engineering managers on site? What about the implications for plants that were designed, built, and have since been operated and maintained under earlier legislation? What kinds of plant fall within the scope of the legislation? And, perhaps most important, what additional lessons is the industry now taking from Buncefield?

One essential point: as with most modern hazard thinking, everything is now risk-based, not prescriptive - and it's down to plant owners/operators to determine those risks themselves. Also, risk assessments have to be carried out at a detailed, not just umbrella, level: choices of appropriate safety equipment and configurations then fall out of the required safety integrity levels (SILs). Equally important, not only must everything be documented, but actions arising - such as inspection and test methods, periods and appropriate engineering competence - need to become part of the plant operating regime, and that includes maintenance.

Devil in the detail
Sounds draconian? Yes and no. It isn't that everything prior to ATEX was wrong and, indeed, in a sense little has changed. However, as ever, the devil is in the detail, as last year's Buncefield Major Incident Investigation Board (MIIB) report demonstrated. Among its key recommendations were: more systematic assessments of safety levels; operations to be overseen by high-reliability organisations; and improvements required in plant safety cultures.

Those are particularly apposite, given the legacy of downsizing engineering departments across the process industries. As Mike Halliday, loss prevention consultant with process safety consultancy Burgoyne, says: 'Many plants have now lost virtually all their explicit and tacit plant knowledge, and those engineers that have been retained are overburdened. That means there's more reliance on the integrity of the management systems, including the PM [plant maintenance] system. Which is fine, but, for example, we recently carried out a safety survey on a site, and found that, yes, they had put safety critical interlocks, etc, on PM for regular testing - but without annotating them as safety-related.

'The problem with that is, say it's a valve that has to be proven to actuate every eight weeks, but management says the PM system has outgrown itself, so we'll cut back. Without a link to show that this valve has a safety-related test, they might say: "We've operated that valve for three years and tested it every eight weeks, and it's never failed, so we'll cut out that task"? You can buy ATEX equipment, but, if you don't install and maintain it correctly, you can thwart it.'

If you're thinking this kind of point only applies to operators of major fuel storage facilities, as per Buncefield, think again. As Sira Test and Certification functional safety manager Paul Reeve says: 'Much of the outcome from Buncefield applies to other hazard sites. We certainly shouldn't think that this is the only site where systematic failures are waiting to surface. After all, fuel storage is a pretty benign process, compared to some - just pumping up containers, monitoring for leaks and providing alarms if tanks get too full.'

He contends that one of the central lessons from Buncefield is that senior management needs to get more involved with safety. 'Many sites don't appear to have benchmarked the levels of hazard or risks they're responsible for under 61511, even though that should be the first step. But that means they can't be sure if they're dealing with SIL 1 or SIL 3, even though there are very different requirements for each, in terms of equipment choices, the rigour of testing and so on.'

Following on from that, management also needs to ensure that safety cases are living documents, constantly under review and updated in line with changes in HSE guidance, plant modifications etc.

'They also need to firm up on aspects such as the procedures for ensuring operational competence, and they need different ways of measuring success - not just financial, but metrics around engineering and safety. Multiple failures occurred at Buncefield, so there's a clear need for improvements in both the installation and operational practices. The point is that, if management doesn't take this seriously, it certainly won't happen at the coal face.'

How far should you go?
How far should engineers be empowered? If, for example, a plant is deemed not free for safety testing, due to cost or operating pressures, at what point should engineering intervene? 'Suppose you have a vessel with automatic level measurement and an independent safety interlock, but the interlock hasn't had its latest PM check,' postulates Halliday. 'Most plant managers would say, "We know the other unit was calibrated last year, so keep an eye on it and it'll be all right."' But on a plant with the kind of safety culture recommended by the Buncefield MIIB, insisting on the PM check would be a legitimate call and safety people would have the authority to stop the process.

Not only that: people on plant would know its safety features - not just where the PPE (personal protective equipment) is stored, the location of emergency exits, showers, fire cylinder etc, but the process safety features. 'Management needs to promote knowledge of where safety-related plant is, what it's for and why it needs to be tested,' insists Halliday. 'Safety has to be the conscious consideration of everyone, from top to bottom. In the past, process and plant engineering brains were on-site, but now, without that corporate knowledge embedded in systems and culture, people can end up flying blind.'

Stopping that from happening is about ensuring that safety documentation is part of daily processes, not something that sits on a shelf, or a server. As Halliday says: 'Suppose you have a fluid bed drier and the risk assessment shows that it can't be operated away from an onset temperature, because the powder we're drying has thermal instability. When management suggests pushing the temperature up to improve throughput, that proposed change must trigger an action, with links to the safety case, so that no one can put the plant in a dangerous situation.'

Incidentally, Sira's Reeve makes the point that anyone working in gas or dust hazard areas - including contractors - must at least be awareness-trained. Additionally, plant engineers need to be fully trained in selection, use and installation of equipment, with particular attention to the ATEX protection concepts. 'If they understand the purpose of flame paths, they won't apply paint or tape that could affect flameproof equipment. It's the same with intrinsic safety: if someone alters the protection earth, then there's a danger of losing the safety features you spent a lot of money on.'

And he adds: 'Both engineers and management also need to be aware of the realities of maintenance - for example, that removing and disassembling items, such as sensors, switches and valves, for test, can actually introduce faults - so designing for in-situ proof testing is often best practice. Also, in considering work and operations, they need to be aware of human factors, such as fatigue - and that, in an emergency, alarm management systems can generate too many alarms for operators to handle.'

The last word goes to Halliday: 'There are things you can do to encourage management to spend money. If your risk assessment shows that, currently, an explosion could kill two people, but for £20,000 you can repair the loop and make it safe, that tends to open eyes. It's playing sensible hardball.'

What you need to do on SIS
What if your plant was designed, built and has been operating prior to IEC 61508/61511 and ATEX? Best advice is to revisit the safety case, using the systematic approach recommended post-Buncefield. But what exactly should that entail? What are our obligations?

'We are currently involved with engineering projects reviewing processes with plant owners,' says Thomas Steiner, business development manager SIS at Emerson Process Management. 'They know there may be issues, because the technology and standards have changed, so they are performing PHAs [process hazards analyses] to identify risks and risk reduction opportunities.

'Some have replaced, for example, relay-based safety equipment or even older systems, but kept the field instrumentation and plant the same - and are now doing recalculations to assess their SIL levels. It makes sense to do a step-by-step analysis, so we're supporting end users in performing the PFD [probability of failure-on-demand] calculations and identifying what additional plant redesign might be required to meet the plant's tolerable risk level. Maybe it's some new transmitters, adding some valves, or perhaps a partial stroke test to a valve. All sorts of things are possible to close the gap.'

How about countries where 61511 is not mandatory? In the US, for example, process plant legislation is vested in ISA SP84, which came out in 1996 and was updated in 2004 as more or less a 'copy and paste' of 61511 - but grandfathered so that plants that implemented SP84 in the mid-'90s didn't have to invest again. Steiner's view: 'In light of BP Texas City, I would definitely be instructing my plant people to look at what's changed, in terms of best practice and modern SISs. When they stand in court, the judge will take 61511 and SP84 2004 as best practice.'

What you need to do on plant
'One of the most frequently asked questions is about equipment that doesn't meet current standards,' says Mike Halliday, loss consultant with process safety consultancy Burgoyne. 'Examples would include explosion relief panels and dust collectors venting into roof spaces, mezzanines or even the workplace. We see clients being offered ductwork to vent outside, and that's not necessarily the answer. You have to go back to DSEAR being about safety of people. They have a right to go home with a full complement of fingers and toes. It's all in the Health and Safety at Work Act, but DSEAR makes it explicit.'

So the recommendation is a thorough risk assessment, including understanding what would happen in the event of an explosion, the escalation route, how many people might be affected and so on. 'Almost certainly, you'll end up relocating that dust collector and venting it externally to a safe area. There are alternatives, but the point is, you must protect your equipment in a way that doesn't compromise people or the plant,' he says.

Another classic case concerns safety-related equipment in stores, purchased pre-ATEX. Says Halliday: 'If a piece of equipment, such as a pump or a motor, was suitable for the plant before ATEX, then you now need to prove it against your risk assessment. You can't go back and put an ATEX plate on it. However, if it's missing Category 3g, or whatever, but you can show it's not a threat - and you record why you're using it and what you've done to ensure its suitability - then that's fine. If a supplier says: "That's not ATEX-approved and you can't use it," show him the door.'

Which leads us to motors and other plant likely to be operating uncertified in ATEX Zone 20 to 22 dust conditions. Previous regulations did not cover the risk of explosion from dust, but new equipment sold into areas with airborne or settled dust must now be certified. Existing equipment in service requires a retrospective risk assessment to confirm that it is fit for purpose under DSEAR.

Dave Hawley, who manages Deritend's motor repair and rewind workshop, says: 'Compliance, as far as dust and electric motors are concerned, is relatively simple and the motor parameters required are not extreme, but there is a genuine need to know within industry.' Also, in this case, plant engineers must use appropriate suppliers and repairers for the job.

Incidentally, as a general point, under ATEX, there's an emphasis on better understanding of fit-for-purpose. 'Some suppliers just want to know the explosive atmosphere zone and many still don't ask what's going through their equipment,' says Halliday. 'There's got to be thorough dialogue that leaves both parties feeling that the right kit has been sold into the right application.'

He also warns plant engineers to beware of vendors selling components such as ATEX-certified earthing clamps. 'That belittles what it's all about: if a supplier tries to sell you expensive Category 3 equipment, find out why. How much more than ISO 9001 can possibly be required? If it's for Category 2 or 1, then, yes, clearly it's going to cost more to protect, prove and certify.'

On the other hand, Paul Mayer of process systems builder Braby makes the point that there is a world of difference between 'conformant' and 'compliant'. 'If I build some silos for you and follow the guidelines, they conform to ATEX. But, to make them compliant, I also have to validate the design calculations and stress analyses. I have to certify them, under our ISO 9001 accreditation, such that, in the event of an explosion, they won't fall apart and spread like confetti all over your car park.'

61511: the real deal
Aside from the entirely risk-based approach of BS IEC 61511 to functional safety in safety instrumented systems (SIS) - particularly programmable electronic systems (PES) - there are significant changes compared with earlier process plant guidance. One of the most important concerns plant design and specification: whole sections of plant used to be treated as one overall safety case for the SIS, whereas today each safety function is assessed on its own.

'Whereas we used to say that all hazardous plant safety functions would be, say, two-out-of-three transmitters and one-out-of-two final elements, now it's appropriate SIS equipment for each individual loop, bearing in mind its contribution to the overall risk,' says Andreas Fuchs, Emerson Process Management director of SIS operations. 'So there's more analysis, but it can save plants a lot of money, not only in terms of equipment purchase, but ongoing operations, testing and maintenance.'

As for maintenance of safety-related plant and equipment, Fuchs explains: 'First of all, plant engineers need to know that they are working on part of the SIS, so it has to be properly labelled and documented. Then you also need to have good [risk assessed] documentation and procedures that specify proof testing to meet the specific PFD [probability of failure-on-demand] calculations.

'For example, you could do low-level proof testing that shows your transmitter is performing, because you have stimulated the analogue signal and it's responding. Or you can go further and take it from the process, using the impulse line. But you might decide you need to power down the transmitter and do formal health checks for full safety. If the plant engineer does the wrong test, it may not reveal all the potential issues.'

Points
- BS IEC 61511 is the basis for best practice with safety-related plant systems
- All hazardous process plants need to be risk assessed now for hazard exposure and SIL levels
- Safety cases and documentation must be alive and linked to all relevant systems, including PM
- The Health and Safety at Work Act and DSEAR put specific duties on plant owners and operators
- Pre-ATEX equipment and processes may be fine, but you need to run a new risk assessment to prove your specific safety case

SOE

This material is protected by MA Business copyright