Friday, April 27, 2012

Are we preaching to the converted?

Today the CSB came out with a statement in which chairman Rafael Moure-Eraso promised the following:
"recommit CSB to this important mission: preventing accidents by investigating them thoroughly and making the results public along with critical safety recommendations aimed at saving lives and protecting the public and the environment"
Unfortunately, experience shows that investigation reports and recommendations do little to change the industry, or even a single company. Just look at the March 2005 BP Texas City Refinery Explosion and Fire. It was investigated by OSHA, the CSB, and a special panel. Only CEOs change the actions of companies!

Less than two years after I left Exxon Chemical Canada, the Exxon Valdez ran aground in Prince William Sound, Alaska, and created the largest and longest-lasting oil spill in arctic waters to date. The CEO and board took action. Since alcohol was involved in the grounding, all employees at North American sites were subjected to random blood alcohol tests when they showed up at work. These tests were performed by an external company. Then, in the early nineties, the Exxon board introduced the OIMS and had Lloyd's of London regularly certify the quality of this system.

A few years before I returned to an academic career in Denmark, the CEO of Dow Chemical had challenged his company to reduce a number of safety performance parameters by 90% before 1995. Much later some of my friends at Dow told me that at the time of the commitment they had no idea how this should be done, just that it could be done. Much like JFK's statement about putting a man on the moon before the end of the decade. Dow followed up its initial goals (not all were reached) with new and more challenging ones in both 1995 and 2005. Unlike ExxonMobil, Dow states its goals publicly and provides quarterly progress reports.

So how can we get more CEOs and company boards to act like those of ExxonMobil and Dow? It does appear that the boards and CEOs of major companies are aware of the issues and do take action. The question is how to make the CEOs of start-ups and small shops aware of the need for thorough process safety analysis, and then have them acquire the necessary expertise to execute a HAZOP and act on it.



Monday, April 23, 2012

Fixing the real problem!

This morning I read an article (in Danish) about researchers at DTU Informatics finding weak security in the Zigbee protocol, which is being developed for wireless communication with devices in your home, e.g. for turning on your stove or your coffee maker remotely. Apparently the protocol could allow hackers to turn on your stove with nothing on it. That is of course a potential fire hazard.
However, fixing the security of the communications protocol does not fix the root cause of the problem. For the stove the root cause is that an element can be turned on without anything on it. Most of us have at one time or another stood in front of our stove and turned on a different element than the one we intended. This can happen because the stove has no pot-on-stove sensor built into each of the elements. Similarly, many coffee makers have no protection against being turned on without water in the reservoir.
So even though there may be a security problem with the Zigbee protocol, the root causes of the potential hazards which this problem allows to be exploited are safety problems with the particular devices. These devices now have to be re-designed with remote operation in mind.
The issues are no different when you introduce remote wireless monitoring and control in your chemical plant or refinery!
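As an added illustration (not from the article, from DTU's work or from any appliance vendor), here is a hypothetical device-side interlock: the controller consults its own pot-present or water-present sensor before energising, so a command arriving over an insecure radio link gets no more authority than a finger on the knob. The device, its sensors and the scenario are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class InterlockedDevice:
    """Hypothetical heating device whose controller energises the element only
    while its own safety permissive (a local sensor) holds, whoever sent the
    command. Constructed for this example; not a real appliance."""
    name: str
    permissive: Callable[[], bool]   # pot-on-element or water-in-reservoir sensor
    reason: str                       # text logged when the permissive is false
    on: bool = False
    log: List[str] = field(default_factory=list)

    def command_on(self, source: str) -> bool:
        # The check lives in the device, so a command that arrives over an
        # insecure radio link has no more authority than a finger on the knob.
        if not self.permissive():
            self.log.append(f"{self.name}: REJECT ON from {source} ({self.reason})")
            return False
        self.on = True
        self.log.append(f"{self.name}: ON from {source}")
        return True

    def poll(self) -> bool:
        # Re-evaluate while running: a pot lifted off or a reservoir run dry
        # trips the element even if no command ever arrives. Returns True on trip.
        if self.on and not self.permissive():
            self.on = False
            self.log.append(f"{self.name}: TRIP ({self.reason})")
            return True
        return False

def demo() -> dict:
    """Constructed scenario: remote ON with nothing on the element is refused, local
    ON with a pot present is accepted, lifting the pot trips it, empty brewer refuses."""
    sensors = {"pot_front_left": False, "water_in_reservoir": False}
    stove = InterlockedDevice("stove front-left", lambda: sensors["pot_front_left"], "no pot detected")
    brewer = InterlockedDevice("coffee maker", lambda: sensors["water_in_reservoir"], "reservoir empty")

    remote_refused = not stove.command_on("zigbee remote")
    sensors["pot_front_left"] = True
    local_accepted = stove.command_on("front panel")
    sensors["pot_front_left"] = False      # pot lifted off while heating
    tripped = stove.poll()
    brewer_refused = not brewer.command_on("zigbee remote")
    return {"remote_refused": remote_refused, "local_accepted": local_accepted,
            "tripped": tripped, "brewer_refused": brewer_refused,
            "stove_on": stove.on, "log": stove.log + brewer.log}
```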

Thursday, April 05, 2012

Will the rest of the world follow?

In Houston, Texas, at the 8th Global Congress on Process Safety, it was announced that the AIChE has recommended and ABET has approved that proficiency in all chemical process hazards be required of a broad range of engineering disciplines. For those who don't know: ABET is an organisation which reviews and approves the curricula for engineering education at US universities.
This means that most, if not all, US universities will make the necessary changes to their engineering curricula to comply with the new requirements before their curriculum is up for its next ABET review. So within the next few years we can expect that chemical engineers and other engineers educated at a US university will have basic process safety proficiency.
I think this is equivalent to the change that happened in chemical engineering education when it went from pure description of processes to becoming an engineering science with fundamental courses in thermodynamics, transport phenomena, process control, modelling etc. It is a big fundamental change. And the US is lucky that its engineering curricula are reviewed and approved by an organisation independent of the universities providing the education. Europeans and others around the world are not that fortunate!
In Europe, and probably many other parts of the world, the university alone decides what goes into an engineering curriculum. Granted, in Denmark an education has to be approved by the Department of Education, but that approval does not involve a review of the curricula for the individual courses. Therefore it is a bit difficult to see what incentive universities outside the US have to follow the good recommendations from the AIChE.
FEANI does offer the title EUR ING to graduates from European universities. However, this title has no requirements for the particular courses followed, just for the duration of the university studies.
So how can Europe ensure that its engineers are as well educated in process safety as their American colleagues? We can hope that progressive universities will adapt their B.Sc. and M.Sc. engineering curricula to include a process safety requirement. We can ask organisations such as EFCE (European Federation of Chemical Engineering) and EPSC (European Process Safety Centre) to promote the requirement of proficiency in process safety for European engineers. In the United Kingdom there is a system to make it happen. It is called the chartered engineer. Organisations like the IChemE and their sister organisations can make proficiency in process safety a requirement for membership. Will they do that? What will happen in continental Europe?

Causes of process safety events

In an InTech "Tips and Strategies for Managers" piece, Eddie Habibi and Bill Hollifield, under the title "Alarm management: Stop designing for failure", put forward two interesting postulates:
  1. Engineers design for failure.
  2. All accidents are caused by human error.
To the first one I would simply say: of course engineers design for failure. All engineered devices, even chemical plants and their equipment, are designed from a specification. This specification tells the engineer how many times a control valve is expected to open or close before it fails, or what temperature and pressure a vessel should be able to withstand and for how long. Similarly, a light bulb is designed with a certain number of hours of use in mind. Designing according to specifications such as these is what engineers do. Similarly, they design bridges for a certain load, and high-rises for certain wind and snow loads. So if engineers should stop designing for failure, then they should stop designing, period!

Failure is inherent in engineering design. Therefore companies implement systems for monitoring their processes, and systems for preventive maintenance to replace pieces of equipment before they fail. Process alarms are just one tool to alert the operator to process safety events, which may be caused by a failing piece of equipment. The trick is to discover failures and weaknesses before they cause major process safety events, such as the explosion and fire at Texaco's refinery at Milford Haven on July 24, 1994. Good alarm systems do that!

They alert the maintenance people to equipment in need of inspection before the equipment fails. They alert the process operator to plant situations in need of attention before the process automatically shuts down. The challenge is to design these alerting systems such that only the necessary alerts are produced. Here alarm system guidelines, such as those from the EEMUA and the Norwegian Petroleum Directorate, and books such as "Alarm Management: Seven Effective Methods for Optimum Performance" by Habibi and Hollifield, can help. Actual engineering approaches to when and how to design an alarm are an active field of research.
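As an added example, not taken from the InTech piece, the book or any guideline text, here is a hypothetical high alarm with two of the basic rationalisation tools those guidelines describe, a deadband and an on-delay, run over a constructed series of noisy level readings. The tag name and the sample values are made up.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class HighAlarm:
    """Hypothetical high alarm with a deadband (hysteresis) and an on-delay,
    two basic tools for stopping a noisy signal from chattering. Written for
    this example, not taken from any product or standard."""
    tag: str
    setpoint: float
    deadband: float          # alarm clears only once value < setpoint - deadband
    on_delay: int = 1        # consecutive samples above setpoint before raising
    active: bool = False
    _above: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def update(self, t: int, value: float) -> None:
        if value > self.setpoint:
            self._above += 1
            if not self.active and self._above >= self.on_delay:
                self.active = True
                self.events.append((t, f"{self.tag} HIGH {value:.1f}"))
        else:
            self._above = 0          # the delay restarts on any dip below setpoint
            if self.active and value < self.setpoint - self.deadband:
                self.active = False
                self.events.append((t, f"{self.tag} RTN {value:.1f}"))

# Constructed level readings (%) hovering around a 95 % high limit with sensor
# noise, then a genuine excursion, then a single noisy spike.
SAMPLES = [90, 94, 96, 94.5, 96.2, 94.8, 97, 98, 99, 98.5, 97.5, 93, 90, 88, 96, 90]

def count_alarms(samples, setpoint, deadband, on_delay):
    """Run one alarm over the samples; return (number of HIGH activations, events)."""
    alarm = HighAlarm("LI-101 (constructed tag)", setpoint, deadband, on_delay)
    for t, value in enumerate(samples):
        alarm.update(t, value)
    return sum(1 for _, e in alarm.events if "HIGH" in e), alarm.events

if __name__ == "__main__":
    # A bare comparator (no deadband, no delay) chatters on the noise; the
    # rationalised settings report the excursion once. The price of the
    # on-delay is that the genuine alarm arrives one sample later.
    print("naive:", count_alarms(SAMPLES, 95, 0, 1))
    print("rationalised:", count_alarms(SAMPLES, 95, 3, 2))
```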

Now to the second postulate. I agree that all accidents are caused by human error. The challenge is not to stop the accident investigation at the first human error discovered. Quite often this first human error is just the tip of the iceberg. For example, at BP's Texas City refinery during the startup of the raffinate splitter on the evening of March 22, 2005, the first human error was that the operator filled the bottom of the splitter to 100% of the bottom level indicator. The startup procedure called for filling to 50% of the bottom level indicator.

As we now know from the accident investigation report from BP and the reports from OSHA, the CSB and the Baker Panel, there was more to this process safety event than this initial error. There were errors in supervision, errors in maintenance, errors in process improvement, errors in allocation of funds, errors in training of people, errors in management, etc. However, all of these errors are also human errors!

In my country we have experienced a number of train accidents, some with fatalities, some without. A common factor in the investigation of these events appears to be that the investigation stops when an error by the train driver is discovered and no errors are found in the train and signal equipment. This is rather unfortunate, since the chance of discovering errors in training, errors in train design, errors in signal design, etc. is missed.

So, yes! All accidents are indeed caused by human error. To learn from the accident, however, we must discover human errors on all levels in the organisation, from the operator to the CEO.