Wednesday, December 14, 2011

The WTT20YA Syndrome

Within the last year I have had the opportunity to look at literature in a very different area: medical science. That was not only exciting from the point of view of learning something new, but also from the point of view of accessibility to information.

Many medical scientific journals, such as for example Blood, allow free access for personal use to all content more than 12 months old, and this for a journal with an impact factor above 10! The European Journal of Haematology, which has an impact factor above 2.5, goes a step further: it makes all content freely available on the internet either as HTML or PDF, on Wiley Online Library. I wonder what impact this free availability of new information in an area has on innovation and usage of new ideas? Wiley Online allows you to easily download and insert figures in your PowerPoint presentation. This makes it extremely easy to use the material in one's own presentations with proper acknowledgement of the source.

Maybe the chemical engineering community and especially the process safety community should implement similar free access to information about process safety in order to advance our common aim: to make our process plants and their products safer both for the people working in the plants and for the communities in which they operate.

Today an engineer working in one of our plants can read the table of contents of most engineering journals online, but getting a personal copy of an interesting article can be quite challenging. It may require using his own money to buy the copy online. It may require convincing his manager, that the article, of which he has only read the abstract, is relevant and worth investing money in. This may of course require additional paperwork - not something most engineers operating plants really are looking for. In all, this adds up to many barriers to using time - evening or weekend - to become more knowledgeable about things relevant for operating the plant. Free access to scientific literature within chemical engineering would help break down some of these barriers. Furthermore, it would allow high school students easier access to information for their science project with the likely side effect, that more of these students choose chemical engineering as a career path.

I remember the presence of the WTT20YA syndrome at the facility I worked in more than 20 years ago. It killed many ideas from young, new and energetic professionals. Read more about the WTT20YA syndrome and how it prevents or slows down innovation at Sustainable Plant.

Monday, October 31, 2011

How can you be better than the best?

The answer is rather simple. If you want to be better than the best in process safety, then you have to learn from the best - and improve on what you learn. It is no secret that I admire The Dow Chemical Company for their safety performance and their attitude toward people. And I believe, that it starts with the people attitude. With some companies it starts already when they talk with potential new employees at the campus recruitment center. During the initial conversation to decide whether to offer a young university graduate a second interview and possibly a visit to their facility some companies include questions aimed at understanding the student's attitude towards safety. However, it is important to realize, that one can drive a motorcycle, sky dive and perform other recreational activities without being unsafe. It is the attitude with which you approach such activities, that is important.
During a recent fall holiday to Thy in the northwestern part of Denmark I saw surfers at several places along the coast. However, I noticed, that none of them were surfing alone. They also entered the water in a safe way. They seemed to have an agreed upon path, so incoming and outgoing surfers did not collide. There also seemed to be friends or others on the beach. Nonetheless, surfing in conditions you see on the picture here is not for beginners. It is for those who have learned from people that are better than them, and want to become better yet.
In a recent article, which by now has been published in several different electronic media, Michael R. Gambrell gives 5 tips on how to improve your company's safety performance. Most recently I have seen the article "Make Safety Second Nature" on . Here Mr. Gambrell, who is an executive with Dow, gives these tips on achieving second to none safety performance:
  1. Make safety the top priority.
  2. Set the tone from the top.
  3. Hold everyone accountable.
  4. Establish bold goals.
  5. Learn and leverage.
I have heard DuPont employees say, that at their company safety is not a priority. It is the basis for being in business. It certainly helps if the top guy or gal - the CEO - sets the tone, as the CEO of Dow did with an interview in Harvard Business Review in the mid-nineties just after the company had published their safety goals for 2005. If this does not happen you may be in for an uphill battle! What happened at Dow in 2005? Some goals were achieved, while others were not. Nonetheless Dow established still bolder goals for 2015. And ever since the first goals set in 1995 annual progress reports have been published. That is a bold thing. Following the five tips year after year made Dow's safety performance 60% better than the chemical industry average in 2009 - see graph in referenced article.
Then how can you be better than Dow? There is no easy answer. One possibility is to look at your suppliers all the way from where things come out of the ground, and establish relationships with them to build an inherently safer and highly ethical supply chain all the way to the final consumer. Look at areas within social responsibility and customer relations in which others have not yet set goals. And then tell the world how you are working towards your goals, so others can learn too.

Saturday, October 29, 2011

Deaths of innocent children - is that all right?

For some time the Chemical Safety Board has investigated deaths near oil and gas exploration and production facilities - especially deaths of innocent children. Two days ago they released a report that found many oil and gas exploration and production facilities to be hazardous to the public and especially to children. The report contained numerous recommendations directed at the US Environmental Protection Agency, the Mississippi State Oil & Gas Board, the Oklahoma Corporation Commission, the Texas Railroad Commission, the American Petroleum Institute and the National Fire Protection Association. I immediately think, that something is severely missing from this list of recipients, but maybe it is just the nature of organisations. Maybe organisations have a tendency to just see those they serve as being other organisations.
Among the technical recommendations is the use of inherently safer tank design features such as flame arrestors, pressure-vacuum vents, floating roofs, and vapor recovery systems. Just this week I saw this demonstrated on a garbage bin for a whole apartment complex - several hundreds of apartments. They had replaced many 400 liter plastic containers with a single large iron bin, where the deposit of garbage worked like those ashtrays many families had in the fifties and seventies, where you press a button, and the ash disappears below a lid (improved versions of this design are still available at Smell killer ashtray). You could actually throw a burning match into this garbage bin without causing a fire. With the old plastic containers they experienced almost a fire a week. This is what the CSB calls for: that lighting a match near a gas or oil exploration or production facility does not cause an explosion and fire.
Unfortunately the CSB in their report does not recommend, that owners and operators of oil and gas exploration and production facilities use inherently safer design at all their sites. Unfortunately the CSB does not tell these owners that implementing such features at their sites often is less costly than a single explosion and fire with its potential for loss - including deadly outcomes.
As a test I wrote on my Google+ stream a public message about this report. In this message I called for the fine in case of deaths around oil and gas exploration facilities to be at least equal to the amount of capital saved by not providing adequate access control. Within a short time one person responded, that jail time should be called for. What do you think?
When I was working in Canada in the eighties there were some problems enforcing the environmental laws. However, that seemed to disappear overnight when the possibility of sending site managers to jail was introduced. I am sad to see the amount of bureaucratic measures needed just because owners and operators of facilities are insufficiently concerned about the safety of their fellow citizens.

Friday, October 07, 2011

What is the difference between the EPSC and the ISC?

At the special session "Process safety competence - European strength degrading to weakness" at ECCE-8 in Berlin this I for the first time heard about an initiative of the IChemE called the IChemE Safety Center, properly abbreviated ISC - see announcement on EPSC website from 2009.

At the special session a representative from the IChemE was scheduled to give a presentation to the special PPS competence session, but unfortunately this person had an accident a short time before the event, and the person's doctor recommended, that he or she did not travel to Berlin. Instead an EPSC employee gave the presentation.

This made me wonder about a couple of things:
  • how an employee of the EPSC can represent the IChemE? Or why the IChemE could not have sent another IChemE employee?
  • the similarity of the names of the two organisations European Process Safety Centre and IChemE Safety Centre. For some people the two organisations could easily be confused because of the similarity of the names. Especially since they are located at the same address in Rugby, and the abbreviated names also are similar, i.e. ISC and EPSC.
In the brochure about the IChemE Safety Centre distributed to attendees it is further stated that the centre will offer leadership in the so-called six pillars of process safety: knowledge and competence, process design, systems and procedures, management and audit, human factors and culture. To me there appears to be an overlap with the areas where EPSC is active. I suggest, that the EPSC board should ask the tough questions about possible conflicts of interest between the European wide organization EPSC and the national association of chemical engineers in the UK called the Institution of Chemical Engineers.

With the IChemE Safety Centre offering both public and in-house training courses I see a possibility of EPSC financing the development of courses offered by ISC to the chemical industry. I don't know if this is desirable. At least the EPSC board should reflect on the issues and ask the tough questions about how ISC plans to develop their course offerings.

Maybe the questions have already been asked by the EPSC board. If so, the answers should be communicated to the wondering world in order to clarify the difference between the aims of EPSC and ISC - both in Rugby.

I think it is important for an organisation like the EPSC to be as independent as possible of national interest in order to have the necessary influence on the European level and hence serve all process industries in all European countries.

Tuesday, September 20, 2011

Don't know how to create a great safety culture?

More and more you read about safety culture these days. Who has a good safety culture? How do you progress to a good safety culture? How do you sustain a good safety culture? It all starts by hiring the right leaders, and then ensuring their careers and compensation are firmly related to their group's process safety performance.

If you still don't know what to do, then rush over to and read Michael Gambrell's article "Making Safety Second Nature". You will come away with 5 tips on how to create and sustain a world class safety culture. One of the tips is measuring the events, that did not occur at your site, i.e. the accidents that did not happen, or the leaks that did not occur because of your safety performance. Making safety second nature was also the theme of a conference I attended at the Mary Kay O'Connor Process Safety Center some years ago.

About 10 years ago I had the opportunity to meet with the then manager of Dow Chemical Canada's Sarnia Site and some of his senior people. The background for the meeting was some remarks in the local newspaper about the safety performance of the companies of Sarnia's Chemical Valley the year before. The visit was just a month after 9/11 and a week after attending the CCPS annual conference in Toronto - the first international conference in North America after the attacks. I still recall what the focus of the safety managers work at the time was. It was enhancing Dow's ability to respond globally to any emergency event at a company site. Implementing the same high emergency preparedness standard worldwide would allow Dow to call upon their experts to respond to events at any one of their sites, and be effective responders from the moment they set foot on the site. Just because all was done to the same high company standard.

I have never had the opportunity to work for Dow, but I have had the pleasure of having friends who worked for Dow and I have also talked to many Dow people at safety conferences and workshops about safety. However, the story that foremost exemplifies the company's attitude to people involves an employee at the Sarnia site on holiday in the Caribbean. This employee was unfortunate to have a heart problem at the end of the vacation. A phone call was made to the Sarnia site's doctor, who was informed about the employee's situation by a relative of the employee. The doctor believed, that the employee would be better helped in Sarnia than on the holiday island. The doctor therefore called Midland to check on the status of the corporate jet. Fortunately it was available, and within an hour it was on the way with a nurse and doctor on board to the Caribbean. Before the end of the day the Sarnia employee was safely in the hands of doctors at a Sarnia hospital.

I could tell other stories about Dow's attitude towards people, but I will let this one stand alone. Nothing says 'People first = Safety first' better than this story.

Friday, July 22, 2011

How serious are you about workplace safety?

Two days ago Mike Bacidore over on asked this question in the article "Require Safety Compliance in Your Supply Chain" (login required to read this article!). The sad background for the article was that a major Chinese supplier to American high tech companies such as Apple, HP and Dell had 15 people injured at their Chengdu plant.

When you have a customer-supplier relationship with a company you have some influence over how the products you buy are being made. I experienced this first hand when working for a major integrated Canadian oil company a number of years ago. The site I worked at supplied to rail cars of a particular product to the Ford Motor Company which was at the time so concerned with how we ensured the quality of the product we delivered, that they sent two engineers to visit our facility to check our production process, check our quality control procedure, and talk to our operators and engineers. They were not interested in taking samples. They were interested in how we ensured delivery of a quality product each time. They spent two weeks at our site!

We in the west benefit from a lot of goods manufactured under horrible conditions in developing countries around the world. This has been documented in several newspaper articles, even in my local Danish engineering weekly "Ingeniøren". However, the best book about the workplace conditions in these third world countries is probably Naomi Klein's "NO LOGO". If you haven't read it yet, you should, and you will understand the type of influence consumers have on the workplace conditions and safety standards products are produced under - if they vote with their money!

I am sure the first technology company which gets serious about workplace safety in their supply chain will benefit by increased sales, just like the Dow Chemical Company has benefited from their investments in process safety over the last more than 25 years. An Envy would create more envy if HP could document, that all parts of it were produced under good workplace standards and process safety standards. Maybe US OSHA could expand their photo contest to include cases of supply chain workplace safety, or join EU OSHA in creating a worldwide awareness campaign about workplace safety during the manufacturing of the products we enjoy? What do you think?

Wednesday, June 22, 2011

The battle in the clouds!

Yesterday I attended a seminar called "While we are waiting for the cloud" at Skuespilhuset in Copenhagen. The seminar was hosted by the Danish company Scriptor, which provides consultation services around print solutions and document solutions for major corporations in our country.

There were three speakers this morning. The first was sales director Erik Kaae from Microsoft Denmark. He is responsible for selling Microsoft Cloud solutions here. The second speaker was general manager Peter Koch from HP Denmark, and finally Kenneth Fill from Innovation Lab talked about the future. Kenneth's talk was much like those of weather forecasters on the daily newscasts: 90% about how it has been lately, and 10% about tomorrow's weather.

Erik Kaae explained, that all of Microsoft's solutions will be available in the cloud, but some are not there yet. There is of course one pricing structure for enterprise customers and one for small and medium size enterprises. Those for small and medium sized companies include scaled down versions of Microsoft Office, while the enterprise versions include the full office package as well as the possibility of using the applications off-line, e.g. in an airplane. The subscription price for the small package is about 8 US$ per person per month or just about 100 US$ per year per person. And then you need to have at least 5 persons needing the package in your company.

My own former company Safepark Consultancy had only one person employed. That is probably not uncommon for small consulting companies - at least in this country. We signed up for the free version of Google Apps. Today that costs 10 US$ annually for the domain registration. Google Documents and all the other Google products associated with a Google Account are free as long as you are fewer than 10 persons and no one uses more than about 7 GB storage for e-mail, 1 GB for on-line PDF-files and 1 GB for on-line pictures plus a web-site (which has a storage limit, which I have yet to discover).

Both the Microsoft and the Google solutions use commercial software, but at least to me it appears, that the entry cost for the Google solutions is quite a bit less than for the Microsoft solution. What do you think?

Now, I wonder if Microsoft cloud solutions run faster in Google's Chrome web browser than in Microsoft's own Internet Explorer. Because clearly visible on the desktop of Erik Kaae was a Chrome browser icon!

Peter Koch in his presentation probably ignored most of HP (that part, which sells personal digital assistants, personal computers and servers). He started by stating, that after the move to the cloud the only thing for the CIO to take care of physically would be the printers. His talk was spiced up with facts about the cost of having people walk to a printer instead of giving them personal printers. I guess, that I am guilty of that since the church office, at which I am chairman of the council, has one large Xerox Multifunction printer for all to share (however, I do have good arguments from a former employee for that solution).

You may ask what this has to do with process safety and / or process operations in general. Not that much, except that possibly you will see companies storing historical plant data, i.e. anything older than one week in the cloud for easy access to these data by analysts and others, e.g. sharing with universities and others for research and other purposes. Just don't forget to also store information about the measurement units in the cloud. Standard cubic feet per hour and kilograms per hour are not quite the same.

Tuesday, May 17, 2011

Another approach to process safety textbooks!

The nature of core chemical engineering topics
Most of the core subjects on the chemical engineering curriculum at universities worldwide teach students how to improve things. Such as: How to select a more sustainable route to a given product, how to create a more effective catalyst, how to improve energy utilization in the plant using pinch technology, how to select the best solvent for a separation process. All this somehow translates directly into how to make more profit! Also in the view of most managers.

One core topic - or at least it should be a core topic in my opinion - stands out in this connection. That is process safety. That is all about prevention: Prevention of loss, prevention of injuries, prevention of fatalities, prevention of explosions, prevention of fires, prevention of chemical releases. All this somehow translates directly into expenses! At least in the view of many managers!

Motivating students
How could this be changed? First textbooks - and fortunately there are not many - in process safety must be drastically changed. Secondly - and I am guilty of this too - we must change the way we start our process safety teaching from attempting to motivate our students with negative headlines from newspapers or dramatic videos of past disasters. People working on action theory, such as professor Morten Lind at DTU-Elektro, will tell you that avoiding some event is much more difficult than achieving something. This is because to avoid something we need to put barriers - i.e. safety systems - on all the possible routes to an event. On the contrary, to achieve something we just need to find one route to the goal. This is the fundamental difference between process safety and all the other subjects we try to teach our chemical engineering students (maybe with the exception of professional ethics).

I believe, that Walt Boyes at with his idea that process safety is all about uptime, is on the right track. All the negative events, which process safety is trying to prevent, reduce uptime - if we somehow fail to prevent just one of the routes to them. So let us change things around, and work on improving uptime. Uptime also has the advantage, that it can be easily measured and related to profits. And as Peter Drucker said, what gets measured gets managed!

Starting the change
So how should a textbook, which aims at driving home the point, that process safety is all about uptime, be structured? It should take off with a positive message. This could be a quote from an interview with the CEO of the Dow Chemical Company in the middle 90's. To Harvard Business Review this CEO stated, that in the last ten years the company had not made a single investment in process safety, which had not contributed positively to the company bottom line.

Then it could go on to say, that if your company's OSHA incidence rate is half the industry average then that is improving your company bottom line by having improved uptime, and reduced cost of insurance, workers compensation, and probably other expenses. At all cost our new textbook should avoid comparing our fatal accident rate with that of motorcycling, coal mining, construction or rock climbing. Such comparisons are completely irrelevant for the safety performance of our industry or your company!

Unfortunately I don't have a finished manuscript. However, what subjects do you think a modern textbook on process safety with a positive message should contain? And how should this be delivered to the students?

Saturday, May 07, 2011

MPC moving up the control pyramids!

Thursday I had the opportunity to attend a one-day conference on model based control here in Denmark at AutomationDESIGN. The conference was to honor Jim Rawlings from Department of Chemical and Biological Engineering at University of Wisconsin, who on Friday received an honorary doctorate degree from the Technical University of Denmark (DTU). There has been close collaboration between the Department of Chemical Engineering at DTU and the sister department at University of Wisconsin in Madison ever since John Villadsen went to Wisconsin to develop the ideas of orthogonal collocation with professor Warren Stewart in the 1960's. Today there is a formalized exchange of teachers between the two departments, and many Ph.D.-students from DTU spend some time in Wisconsin during their doctoral studies.

When I first heard about MPC I was working at Imperial Oil's Sarnia Chemical Plant with an excellent group of control engineers. We developed supervisory control applications for the many different units at the site: Gas Cracker, Polyethylene Plant, Higher Olefins Plant, Lube Oil Plant etc. to take advantage of online analyzers as much as possible. Most - but not all - of this was done on Honeywell Process Control Computers - mainly PMX, on black and white character based terminals. Only the operators had color screens, but these also only had character based graphics. Many of the applications used models. Very simple models. Often just first order with time delay models developed by fitting step responses manually. Nonetheless it was model based control.

MPC is an idea, which came from industry. During a strike by operators at Shell plants in USA engineers were put in charge of running the plants, and two of these engineers came up with the idea, that you could improve control by basing the control action not on a single measurement but on a series of past values of process inputs and outputs. They called the concept Dynamic Matrix Control (DMC), took out a US Patent on the idea and created a company to assist others in implementing it.

Since those early days in 1982 MPC has come a long way. There are many applications running in industry. Some are small single loop controllers; others control a whole battery of cracking reactors with a single MPC application or a distillation train for purifying ethylene for use in polymerization. As the number of applications grew, and the engineers who developed them moved on in their careers, the ugly question of maintenance appeared.

The title of Jim Rawlings' keynote was “Optimizing Process Economic Performance with Model Based Control”. He started by describing predictive control in a rather simple one-input one-output open loop problem, and explained that there are two sources of disturbances, which we can't know accurately: process noise and measurement noise – in the state estimation problem. Then he continued to explain optimal control and optimal feedback control. Feedback of course is important due to disturbances and uncertainties. Dynamic programming was applied to industrial systems that are mostly constrained and nonlinear, but practical usefulness was limited.

MPC, said Jim, is a large industrial success story with 800 to 1200 applications in ethylene alone with credits of 500 to 800 M$/year in 2007 (In my first job as a control engineer we also had to calculate on a monthly basis, what the applications had saved the company the previous month. However, few people believed in these numbers, especially not the control engineers. Later it was accepted, that the plant ran more smoothly with supervisory control, and credit calculations were a thing of the past at least at that site). According to professor Rawlings, Eastman Chemical has 55-60 applications and claims 30-50 M$/year due to increased throughput. Dow state they use MBC for the money. Praxair has 150 applications with increased profit of 16 M$/year.

Jim also discussed questions such as: Has the application base stopped growing? Is the theory complete? Do we have the tools to solve nonconvex optimization problems online? Do we have tools to decompose large-scale systems into manageable problems? Do we have tools to commission and maintain the controllers? Do we have tools to optimize dynamic economic operations?

Current treatment of economics in industrial practice is a two-layer structure: a steady state layer and a dynamic layer. Drawbacks are inconsistent models and re-identification of the linear model as setpoints change. The time scale of separation may not hold, economics may be unavailable in the dynamic layer. Optimizing economics – what is really desirable?

Past practice is to define a steady-state economic problem, and define a plant profit function. Then find the economically optimal steady state solution, and use that as setpoints for the dynamic layer.
Maybe it would be better to give the economic function to the MPC, and consider the questions: What closed loop behavior is desirable? Fast or slow tracking? Asymmetric tracking?
Initial work on this was done by DTU Ph.D.-students John Bagterp and Dennis Bonné in 2000 and 2002. The results were published in 2008. Since then a Lyapunov function has been discovered, and the technique demonstrated on a non-linear chemical reactor example with enforced convergence.

The keynote ended with a status of economic MPC, and a statement of opportunities and challenges, and a personal story about writing an MPC Research Monograph.

During the Q&A session the following topics were discussed: Current technology assumes, that you can generate a candidate solution quickly from which the optimal may be found. This is not necessarily true for all non-convex problems.
The economic MPC needs displays, which the operator and manager can understand. Currently there is no systematic way of deciding when to implement an economic MPC solution or not.
Problems around commissioning and maintenance still remain for normal MPC, modular control structures are preferred due to startup and shutdown issues.

The conference continued with presentations from the three departments active in Model Based Control at DTU: DTU Informatics, DTU Electro and DTU Chemical Engineering. DTU Informatics was involved in among other things automatic feedback control of insulin injection.

During the afternoon sessions different Danish companies talked about their involvement in Model Based Control. DONG Energy stated, that they used the technology mainly for analysis, but had yet to implement their first MPC loop. Siemens talked about cooling control of a rolling mill using MPC with just measurement at the start and end available. 2-Control talked about development of an MPC toolbox in C# and .NET (Note, it should be possible to run the toolbox under Linux using the Mono package from Novell, which is now also part of openSUSE).

Some of the issues which the presenters raised during the conference I have some difficulty seeing as issues. Several company presenters talked about lack of computing power for using MPC in realtime control applications. I find it rather strange, that computing power is an issue, when the French used MPC in the tracking control of their Exocet missile in the late eighties.

I also have problems with the issues related to scalability. In an industrial setting the operator needs to be in charge of deciding what the controller should do, i.e. which constraints should be active and also which process inputs may be manipulated. Hence a manipulated variable, which is suddenly switched to manual, simply becomes a constraint to the MPC solver. Similarly a process output, which is suddenly not available due to either instrument calibration or analyzer maintenance, simply becomes an unknown disturbance to the MPC controller. In an industrial setting the MPC controller must cope with such structural changes - even if the theory behind implementing them may not be complete. What do you think?

Presentations from the conference will be made available at the AutomationDESIGN web-site within the next couple of weeks.

Sunday, April 03, 2011

Is killing 11 employees good safety performance?

This morning I heard on BBC World that Transocean execs have received a bonus for good safety performance in 2010. My first thought was: This can't be true. So I googled 'transocean bonus', and payment of the bonus was confirmed by sources such as Business Insider, which quoted WSJ. According to WSJ the bonus was given for "best year in safety performance". Wait a minute. Transocean was the operator and owner of Deepwater Horizon, the platform hired by BP, which failed catastrophically in the Gulf of Mexico killing 11 workers on the drill deck.

So what is the Transocean board saying by giving a bonus to its execs for good safety performance in 2010? In my view they are saying that a year in which 11 people are killed in company operations is a good year. They are also saying a year with equipment losses in excess of half a billion dollars is a good year. I am shocked that a company these days can have business plans in which such performance is considered good. Did Transocean really plan on losing 0.1% of their employees due to accidents in 2010?

I find the statements on the Transocean web-site about the Deepwater Horizon:
"The loss and impacts of the April 20 explosion on the Deepwater Horizon are felt throughout our entire Transocean family, and our thoughts and prayers remain with all who have been affected.

On May 25, Transocean honored the 11 missing crew members in a memorial service in Jackson, Mississippi, and we continue to support the families of those lost and those who survived."
a bit hollow.

The more serious question is who is paying for this? In the first place it is Transocean's customers, i.e. companies such as BP. However, these companies are just in business to discover oil and gas, recover it and sell it to consumers. So indirectly consumers pay at the gas pump or through the heating bill for the safety performance of companies like Transocean. I am beginning to think that the earlier the consumers realize that the costs of process accidents are passed on to them, the sooner we will improve process safety around the world.

Saturday, April 02, 2011

It is not rocket science!

Today, on the anniversary of an accident which killed 7 workers at the Tesoro refinery, the Chemical Safety Board chairman has released a video safety message with the following recommendations to the US refining industry:

· Implement a robust mechanical integrity program with an emphasis on thorough inspections of critical equipment
· Monitor process safety performance using appropriate leading and lagging indicators to measure process safety before major accidents occur
· Maintain an open and trusting safety culture where near-misses and loss of containment incidents are reported and investigated

To me this really is not rocket science. The first recommendation is simple good engineering practice for anyone operating and maintaining a refinery. I recall a remark from our guide during a visit by chemical engineering professors to the ExxonMobil refinery at Baton Rouge at the start of a SACHE Workshop "that the facility was maintained by engineers", i.e. integrity is more important than looks. It is indeed shocking how many times insufficient or improper maintenance has played a part in major negative events in the last decade, e.g. the 2005 explosion and fire at BP's Texas City Refinery, and later the same year the explosion and fire at Buncefield, to mention just a couple of events.

The second recommendation simply repeats what many institutions already recommend: implement the recommendations of the Center for Chemical Process Safety (CCPS) to measure safety performance. Even if you don't like the measures suggested by the CCPS, you ought to develop your own indicators, as e.g. Bayer told the world about at last year's 2010 Loss Prevention Symposium in Bruges, Belgium.

And the third recommendation is a necessity in order to have reliable results from the second recommendation. However, this is probably the most difficult recommendation for managers with an engineering background to implement, especially if they have not been exposed to a good safety culture during their professional life. If you are new to safety culture, then join the discussion over at LinkedIn about creating a good safety culture. It is in the group for EHS Professionals.

Since it is not rocket science to implement the recommendations, which will prevent negative events such as that at the Tesoro refinery, I suggest that the business cost of these negative events, which create serious equipment damage, kill workers and injure many others, must be too low compared with the cost of preventing them. What can we do about this?

Tuesday, March 29, 2011

zEnterprise - your next process control computer?

Some may recall that during the nineteen-seventies and eighties mainframe computers entered the control rooms of some North American refineries. I recall a visit to Imperial Oil's Strathcona Refinery located in Refinery Row while I was studying in the computer process control group at the University of Alberta. We were shown around the plant and then the control room before a Q&A session, and we were quite amused that the control screens - green text on black background - showed temperatures with four digits after the decimal point. Those were the early days of virtualization on the mainframe. In those days mainframe computers were only available with one proprietary operating system, and I seem to recall green character-based terminal access. Of course this fitted well with the character-based line printers available at the time.

However, since those days things have changed. I have seen process simulators requiring more than 15 of the most powerful multicore x86 based personal computers to give a reasonable response to operator console inputs. If you wanted to run the same in simulation mode, then add another 15 computers plus the necessary cabling, routers, network cards etc. All potential points of failure. Probably the company with this simulator also had personal computers for other parts of the business, e.g. process control, maintenance, and of course their business processes. Thus it is not uncommon for a single site to have a significant number of x86 based servers at each plant location. These servers of course require cabling, power, maintenance, updates etc. Maintenance and updates are potential outages. What is the MTBF of a single x86 based server? Some say two months if only considering hardware. Then what is the MTBF of our networked system of more than 15 x86 servers?

Now consider the newest mainframe computer, the zEnterprise 196. A couple of days ago I had the opportunity to attend a seminar titled "Smarter Linux for Enterprise Systems" at IBM Denmark. At this event features of the zEnterprise were demonstrated in live demos and technical presentations, plus of course a business presentation about why these boxes would benefit your organisation. The zEnterprise has an MTBF of 30 years (measured by having 30 systems in one location for a year). The zEnterprise will run hundreds or thousands of instances of the latest Linux from either RedHat (RedHat Linux Enterprise Server 6.0) or Novell (SUSE Linux Enterprise Server 11.0) - of course with graphical interface from your laptop or other personal computer. It also comes with mainframe-level security - a mainframe is still to be hacked, and it has been around for more than 40 years!

A mainframe system comes with a significant starting cost, but consider: You can run your process control software on one Linux instance right on the hardware, and choose to run other systems, such as your simulator and maintenance systems, on top of the hardware virtualization.

If you want further segregation of systems, then you may add one or more blade center extensions, which may run either Linux based blade centers or x86 based blade centers. So you could have one x86 based blade center running your current Windows based control software, with another x86 blade center as a hot standby. This is just like in the old Honeywell TDC 2000 control systems, where one box served as a hot standby for seven other boxes on the same control net.

Consider that you get all this without extensive cabling between the servers, and with a dedicated high speed link between the zEnterprise 196 and each blade center extension. Even disaster recovery comes cheap. If you need another zEnterprise for disaster recovery, then you only pay a fraction of its list price to have it available at your site.

Besides cost savings due to reduced cabling, increased security in the face of threats such as Stuxnet, and better disaster recovery and testing, there could also be licence cost savings, especially if you use commercial x86 databases at your site.

A further benefit is that all these systems can interface to the same storage system. This allows you to easily give engineers, business analysts and others access to historical process control data on your mainframe based business network.

So next time you are shopping for a process control computer, and a simulator, and a maintenance system, then take a look at the newest mainframe. You may like what you see, and to run it you just need people with Linux skills.

NOTE: I have never worked for IBM or any other mainframe company. My only connection with IBM was as a user of the IBM 1800 Process Control Computer in the Computer Control Group at the Department of Chemical Engineering at the University of Alberta in the late seventies.

Thursday, March 03, 2011

Follow-up on an accident

During a lunch break an employee left a shovel near a restaurant. Another employee picked up the vehicle and went for a ride. Along the ride this employee picked up two more employees. The ride ended with an accident just outside the site. In the accident all three employees were seriously injured.
Questions that come up are:
1. Why did the employee pick up the vehicle?
2. Why did the employee pick up other employees for the ride?
3. Is the accident a recordable incident? Does it affect LTI?
4. Should the employees be disciplined? How?
5. Would the workers be eligible for workers compensation for their injuries?
6. Should the company investigate the incident? Or leave it to the police, since it happened on public property?

Generally people working with safety for a company have at least two responsibilities:

· To ensure that company employees have a safe workplace, and go home each day as safe as they arrived for work.
· To protect the company from lawsuits by ensuring that the company has the required procedures in place to ensure the employees are capable of performing their duties at work.

These dual responsibilities can of course lead to conflicts.

Accident investigation
The first two questions are clearly part of the accident investigation.
One needs to determine the first employee's intent when picking up the vehicle, and also his/her reason for picking up the other two workers. Also statements from witnesses seeing the vehicle on its route from the restaurant parking to the place of the accident would be relevant to the investigation of the event. Notice that this would normally fall outside a police investigation of the accident, since that would only involve immediate causes.
Also outside the police investigation lie questions about whether company procedures for using company assets were followed prior to the accident.

Statistical impact
The third question would clearly depend on the jurisdiction, although one would expect some similarities among Western European countries – especially the EU, or between provinces in Canada, or states in USA, although apparently within Australia there are differences among the different states. Many would immediately look for a definition of reportable events in applicable legislation, but many times this is not sufficient. Some will look for a definition in standards such as OHSAS 18001.

When working in Sarnia in southern Ontario in Canada many years ago I and a colleague had a vehicle at our disposal for transportation between the site main office and the plant. Since the main office was not located conveniently for public transport we often used this vehicle as part of our transport to and from work. During the night the vehicle was parked on a company parking lot which was located conveniently for public transport. Was this use authorized by our manager? Definitely not! We also often used the vehicle to drive to a nearby donut store during lunch. Was this use authorized? Definitely not! Did we ever consider what would happen if we had an accident during these uses of the vehicle? No, it never entered our radar screen. Many other employees used company trucks to drive to the same donut store during lunch time, so at least that was at the time considered acceptable.

Some argue that the incident is not recordable because it is not site related. However, a few years ago the annual report of Shell UK featured a report of two fatalities – both to subcontractors hired by the logistics part of the company, and both occurring far from the site.
At the time I was working at a plant in Sarnia, a downstream plant had an unfortunate release of perchloroethylene – a dry cleaning solvent – in August 1985. The material quickly settled on the bottom of the St. Clair River, and the release was immediately reported to relevant authorities. Somehow Greenpeace got word of the release, and instead of the company's information about the release and the dangers of the substance released, media across Ontario picked up Greenpeace's version of the story about the release. Despite company and authority efforts to analyse the content of the blob and release this information to the media, even 20 years later it is Greenpeace's version which the media cites (see e.g. “Canadian petrochemical plants blamed for gender imbalance” by Paul Webster in The Lancet, Volume 367, Issue 9509, Pages 462-463, 11 February 2006, and available on the web-site). This shows the importance of not just doing what is legally correct, but that you must also be seen to do the correct thing in the eyes of the public, i.e. the media.

Some even argue that the recordability of the event depends on whether the employees were paid during their lunch break or not.

The bottom line is that it is up to the company to define what should be reported and how it should be reported when company employees and/or company assets are involved in an accident. In companies operating multiple sites in different jurisdictions, company procedures and standards w.r.t. reporting accidents become more relevant, since differences in the legal requirements may make company reporting, e.g. in annual reports to shareholders, more difficult.

Penalty impact
Some argue that the employees involved in the accident should be penalized, but that firing them is probably going too far. I am not sure that a penalty will have any positive effect. However, a prudent company would at least record the event on the employee file.

I was once told about a colleague of mine, who had difficulty leaving the liquor bottle alone, and often showed up for work under the influence of alcohol. This employee had been on several courses to get rid of the drinking habit, but it did not seem to help. Finally his supervisor told him that if he showed up for work one more time under the influence of alcohol he would be immediately fired. He stopped drinking from that day. Unfortunately he started drinking again right after going on retirement, and within a relatively short time managed to drink too much. In his case the threat of a penalty worked as long as the incentive to keep his job was there. After the incentive disappeared the old habits quickly came back.

Compensation impact
The fifth question also would clearly depend on the jurisdiction.
Some argue that the workers are not eligible for compensation, since they were not performing a work activity. However, at least the first employee could argue that he/she was just bringing the vehicle back to the site when the unfortunate accident happened, and that he/she should have workers compensation because he/she was bringing an abandoned vehicle back to the company site. The other employees could argue that they were just attempting to get back to the site faster.
Others correctly point out that the question about compensation could involve determining whether or not the employees were paid during their lunch break.

Clearly the company is responsible for company assets and the proper use of these assets. If the company has neglected this responsibility by not having appropriate procedures in place to ensure adequate training, then the company would be at risk in some jurisdictions, e.g. in Denmark, of being judged as having failed to take every precaution for the safety of the worker, as the legal language in some jurisdictions defines the responsibility of the employer to provide a safe workplace.

Learning impact
The sixth question would depend on the safety culture at the company.
A company with a well developed safety culture would probably investigate the incident to learn as much from it as possible, so similar events could be prevented in the future. But the event is definitely an opportunity for learning.

If the company has procedures in place for training employees or otherwise ensuring employees are trained to properly handle company vehicles which they need to use during their work, then it becomes much easier, when an accident happens, to decide what to do as a follow-up on the event. The lack of such procedures could lead to an implied policy, as in my use of a company car during part of transportation to / from work.

So what can one conclude from the above? One conclusion is that any accident involving employees and / or company assets should be investigated, simply because there is an opportunity to learn, and prevent similar events in the future.

My former employer in Sarnia, Ontario actually kept track of injuries sustained by employees in their spare time that prevented them from coming to work the next day. Based on that information departmental safety meetings were arranged to cover topics such as proper warm-up prior to exercises such as squash or handball games.

The thoroughness of the investigation should depend on the learning opportunity for the organisation as a whole. Someone needs to make that call, and I think it should be the local safety manager.

What do you think about off-site accidents such as this one? Would you take the opportunity to learn, or would you rule it out as not relevant for your business?

Sunday, January 23, 2011

Alarm Design Ideas

In the literature you find many articles about alarm management. One of the latest is by Nicholas Sands and Donald Dunn in the November / December issue of Intech, which you can read online at the Intech web-site. Sands and Dunn headed the effort to get the ISA Alarm Management standard together. But how did we end in a situation where we need a standard for alarm management in the first place?

When I started work as a control engineer a generation ago one of the first lessons I learned was that you don't implement an alarm to the operator console unless you also come up with guidance to the operator on what to do when that alarm comes in. I also recall that the noisy Decwriters used to print logs of alarms and other console events did not work overtime, except when a compressor or other major piece of equipment had problems. I guess I was lucky to start at a time when the effort required to implement alarms in the days before computer control had not been forgotten. It appears that in the decades which followed control engineers discovered how easy it was to implement alarms in modern distributed control systems (DCS), and simply went too far - probably pushed along by equipment suppliers requesting equipment alarms.

Usually when people talk about alarm design, they talk about whether the alarm should just go to the DCS or whether it should also be displayed on the hardwired annunciator panel. That is, the engineering is concentrated on how to display the process situation to the person who is going to act on it.

However, it appears to me that the fundamental question of alarm design, i.e. what to be alarmed about and when to be alarmed, has not been addressed from an engineering perspective in the way the design of other elements of the automation system, such as the control loops, has. The available guides on alarm management, such as the EEMUA Guide no. 191, seem to focus on the issues after you have got too many alarms, and not on how you got there.

It is generally recognized that alarms are used to signal to someone that something is happening in the process which requires an intervention beyond the capability of the automatic control system, and that if you do nothing, then the automatic shutdown system will take over. This means that the ability of the process to do what it has been designed to do by the process engineers is threatened. It cannot reach the goal the designers had in mind. In other words alarms are used to indicate that a goal cannot be reached.

Conversely, if the goal of the process can be reached, then we don't need to be alarmed. What then is the goal of the process? Well, that depends on its current state. If the process has been down for maintenance with opening of vessels etc., then it first needs to be enabled, i.e. put together again. The goal is to start up the process. Besides enablement, this also involves ensuring the process is ready for start-up, i.e. has been established by connecting the control system and putting valves, pumps etc. in the proper state for startup.

If the process is producing, then the goal could be to maintain production, or to change to a different production rate, or to transition to producing a different product. The important thing to note is that when the goal of the system changes, then what is normal and abnormal also changes, and hence the required alarms change.

So a process is in the normal state when it is satisfying the goal it was built to accomplish, e.g. producing a given amount of product of a given quality within a given time using the available equipment and other resources. When this is the case, then the material and energy balances around the system are also satisfied. This means that abnormal situations can be related back to significant deviations in material and energy balances for the plant, process unit or piece of equipment. The literature abounds with examples of disasters due to problems with these two fundamental balances, e.g. the BP Texas City Refinery explosion and fire in March 2005.

So one approach to alarm design is to look for indicators of problems with material and energy balances at the equipment, process unit and plant level. Of course a necessary condition for no problems at the unit level is that the equipment balances within the unit are normal. Similarly at the plant level. A different way of stating this is that when the goal of a process unit is satisfied, then the sub-goals of the process unit, e.g. the goals of the different pieces of equipment within the unit, are satisfied. Hence the plant goal may, in a tree-like structure, be related to the process units' goals, which are again related to the equipment goals.

Modelling such goal structures can be done using functional modelling. Currently work is ongoing at DTU on exactly this problem: What to be alarmed about? When to be alarmed?
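
The goal tree described above can be sketched in a few lines. This is an added example, not code from the DTU work or from any alarm management standard: equipment nodes check a mass balance against a tolerance that depends on the current plant goal, unit and plant goals are satisfied only when all their sub-goals are, and no alarm can be configured without operator guidance. The class names, tolerance values and flow readings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Union

# Allowed relative mass-balance error per plant goal (constructed values).
# During start-up inventories are expected to build, so the band is wider.
TOLERANCE = {"maintain_production": 0.02, "startup": 0.25}


@dataclass
class Alarm:
    path: str        # position in the goal tree, e.g. plant/unit-1/column
    residual: float  # relative mass-balance error that triggered the alarm
    guidance: str    # what the operator should do about it


@dataclass
class Equipment:
    name: str
    guidance: str
    flow_in: float             # kg/h, measured
    flow_out: float            # kg/h, measured
    accumulation: float = 0.0  # kg/h, inferred from level or pressure trend

    def __post_init__(self):
        # No alarm may be configured without an operator response.
        if not self.guidance.strip():
            raise ValueError(f"{self.name}: alarm defined without guidance")

    def residual(self) -> float:
        """Relative mass-balance error: (in - out - accumulation) / scale."""
        scale = max(abs(self.flow_in), abs(self.flow_out), 1e-9)
        return (self.flow_in - self.flow_out - self.accumulation) / scale

    def alarms(self, goal: str, prefix: str = "") -> List[Alarm]:
        r = self.residual()
        if abs(r) > TOLERANCE[goal]:
            return [Alarm(prefix + self.name, r, self.guidance)]
        return []


@dataclass
class Goal:
    """Plant or process-unit goal: satisfied only if every sub-goal is."""
    name: str
    children: List[Union["Goal", Equipment]] = field(default_factory=list)

    def alarms(self, goal: str, prefix: str = "") -> List[Alarm]:
        found: List[Alarm] = []
        for child in self.children:
            found.extend(child.alarms(goal, prefix + self.name + "/"))
        return found

    def satisfied(self, goal: str) -> bool:
        return not self.alarms(goal)


def build_sample_plant() -> Goal:
    # Constructed readings: the column takes in 100 kg/h, sends out 70 kg/h
    # and its level trend accounts for 20 kg/h, leaving 10 kg/h unexplained.
    drum = Equipment("feed-drum", "Check feed pump and drum level", 100, 100)
    column = Equipment("column", "Verify bottoms valve opens; reduce feed",
                       100, 70, accumulation=20)
    return Goal("plant", [Goal("unit-1", [drum, column])])


if __name__ == "__main__":
    plant = build_sample_plant()
    for goal in TOLERANCE:
        print(goal, "satisfied:", plant.satisfied(goal))
        for a in plant.alarms(goal):
            print(f"  ALARM {a.path} residual={a.residual:+.2f} -> {a.guidance}")
```

With the same readings, the column alarms while the goal is to maintain production but stays quiet during start-up, which is the point made above: when the goal changes, the required alarms change.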