Friday, October 22, 2010

A new definition of RISK

Yesterday I received the September/October issue of Intech by snail mail. It contains an article about safety and security, which I think every control engineer should read. The title is "Balancing security and safety with risk", and you can find it online at the ISA website. Of course the article is partly triggered by the Stuxnet virus, which got quite a bit of attention this past summer, but the article also considers the more fundamental problem of the need for control engineers and IT professionals to cooperate at the plant level.

The article contains the following definition of risk:

risk = threat x vulnerability x target attractiveness x consequence

To date, when teaching risk assessment of chemical processes to chemical engineering students and others, I usually define risk as:

risk = probability of event x consequence

So the question of course is: is probability of event equal to threat x vulnerability x target attractiveness? I am not sure.
Target attractiveness clearly depends on the attacker and the purpose of this person or organisation. In the case of the Stuxnet virus the creators clearly found Siemens control systems attractive, but not control systems from Yokogawa, Honeywell or others. It clearly relates to external threats, such as terrorist attacks or cyber attacks, and not to operational dangers such as explosions, fires or toxic releases.

Vulnerability depends on the protective layers of the facility. However, the protective layers which prevent an explosion, a fire or a toxic release from occurring are not the same as those which prevent a terrorist attack or a cyber attack, although the process safety related protective layers may reduce the target attractiveness and also the consequences of a terrorist or cyber attack. While safety interlocks, emergency relief valves, emergency shutoff valves, emergency shutdown systems etc. prevent and/or mitigate explosions, fires or toxic releases, you need firewalls, antivirus software etc. to prevent cyber attacks, and you need physical site barriers, such as fences etc., to prevent terrorist attacks.

So even though both the control engineer and the IT professional may talk about protective layers, the nature of these layers is quite different. The IT professional's protective layers aim to prevent an attacker from reaching a target. The control engineer's protective layers prevent the process from operating outside the safe envelope. The IT professional's protective layers protect against an unknown attacker. The control engineer's protective layers protect against a known process becoming unsafe.

Finally, threat also depends on whether you look at the situation from the view of the IT professional or the control engineer. To the control engineer the threat or danger of the process becoming unsafe consists of things like a runaway reaction, loss of cooling, etc. To the IT professional the threat is anyone attempting to get unauthorized access to the system - or physically to the site. Again, while the words are very similar the focus is quite different. Control engineers and IT professionals should keep this in mind while they cooperate on securing the process control system - and hence the plant site - from undesired events.
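One way to read the security definition as a decomposition of the event probability, added here as an illustration and not taken from the InTech article or from the post above:

probability of event = P(an attack is attempted)
                     x P(this facility is chosen | an attack is attempted)
                     x P(the attack succeeds | this facility is attacked)

which maps term by term onto threat x target attractiveness x vulnerability, so that for a deliberate attack

risk = threat x vulnerability x target attractiveness x consequence
     = probability of event x consequence

For an operational hazard such as loss of cooling there is no attacker, so the attractiveness factor has no meaning and only the classical form applies; under this reading the two definitions cover different classes of initiating events rather than contradicting each other.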

Wednesday, October 20, 2010

Executive orders - the new way towards safer workplaces?

Sometimes working in the process safety area can be really frustrating. Accidents seem to continue to happen - also the ones which we should have learned from - and regulations seem rather slow to change. Today, however, an e-mail from the CSB hinted at a new and quicker way towards safer workplaces: the executive order.

Following its investigation of the fatal accident at Kleen Energy in Middletown, CT, the CSB called the practice of cleaning natural gas piping in power plants by blowing natural gas through it an inherently unsafe practice. The CSB issued urgent recommendations to OSHA, NFPA and ASME to prohibit and/or change the practice of natural gas blows. As with many other good recommendations from the CSB, we are still waiting to hear from OSHA and NFPA on this recommendation to create safer workplaces.

Governor M. Jodi Rell of the State of Connecticut, where the fatal accident occurred, apparently did not want to wait any longer. So the governor has issued an executive order banning the use of natural gas blows during power plant construction in the State of Connecticut. For this the governor should be highly applauded, having taken action to prevent any further loss of life in the state from an inherently unsafe practice.

Of course the CSB would like other state governors to take actions similar to that of the State of Connecticut. I, however, find it very disturbing that such executive action is necessary, and it certainly doesn't make it any easier to find out what you can and cannot do when constructing or operating process plants.

There seems to be little connection between the event at Kleen Energy earlier this year and the spill of toxic red sludge from an alumina plant in Hungary earlier this month. That is only on the surface. Both are examples of inherently unsafe practices. The procedure of the Hungarian plant of keeping on producing a waste product and just storing it on site is an inherently unsafe operational practice. Likewise the idea of blowing natural gas through buildings during plant construction is an inherently unsafe construction practice.

It is many years since Trevor Kletz published his book outlining the ideas of inherently safer plants. At the same time the idea of sustainability in construction as well as production appears everywhere. Companies as well as many international and national associations produce statements on sustainability. Universities at the same time create courses on the topic. But can we see the results? Are we creating and operating plants in a more sustainable fashion? Or are we as an industry just waiting for the next round of regulations from our governments?

Just as it makes sense for industry to look at internal energy consumption, it also makes sense for companies to look at inherently safer production. So why is it not happening?