Saturday, May 14, 2016

Can you learn to prevent overfilling of storage tanks by reading HP?

After the Buncefield explosion and fire there has been a significant increase in attention to preventing overfilling events in connection with hydrocarbon storage tanks. As an example, less than a month after the event one of the refineries in Denmark had already checked that the dual level measurements on their storage tanks were not subject to common mode failure. The refinery is located 2-3 kilometers from the center of the city and 1½ kilometers from a major power plant. Therefore, I was happy to see Amjad Dokhkan's article "Prevent the overfilling of storage tanks" in the February issue of Hydrocarbon Processing. (Picture - from Wikipedia - shows the Buncefield fire moments after the explosion.)

After reading the article I am less enthusiastic, since in my view it contains a number of significant mistakes and incorrect statements and advice. I cannot refrain from reaching the conclusion that the problem is related to insufficient peer review of the articles. Nonetheless I enjoy each issue, and especially the insightful ones by Heinz Bloch on maintenance, such as "Transform ODR-OPPM into a worthwhile initiative" in the April issue or the article "How much fireproofing do we need" in the same issue. Such articles make each issue worthwhile.

I don't understand why Amjad Dokhkan already in the first section of the article states "Site owners are strongly advised to assess the risks posed by their stored inventories before they start planning to install these expensive automated protection systems". Why? In their simplest form I don't believe a semiautomatic overfill protection system or even an automatic overfill protection system can be considered expensive. After all, these days most operators would like to have information about the inventories of all their tanks in the control room. So they would normally have at least one remotely monitored level measurement on each tank. Turning this level measurement into a semiautomatic overfill protection system requires just the implementation of an alarm on that level measurement. In a modern DCS that is cheap and straightforward - once the appropriate alarm engineering has been done, which ensures that the operator has sufficient time to react when the alarm is activated before it turns into an overfilling event.

Neither do I understand the statement in the section "Consequence analysis" that "They should also be able to determine the likelihood that an overfilling event could occur in the first place." If there is a line feeding the tank, then an overfilling event can occur no matter what measurements and alarms the tank is equipped with. Measurements and alarms can fail when needed, automatic shutdown systems can fail - especially if only a single actuator is used - and operators may overlook or forget to act on an alarm. Only if the tanks were designed to inherently avoid overfilling events - though I don't know how that could be done - would an automatic overfill protection system not be needed. (The picture - from Wikipedia - shows the firefighting in connection with the splitter overfilling event at the BP Texas City Refinery in March 2005.)

Further on in the same section it is stated "Obviously the larger the tank, the larger the risk". Mr. Dokhkan makes the common mistake of equating consequences and risk. Naturally the consequences of overfilling a large tank can be larger than those of a smaller tank. However, the risk is also a function of the reliability of the automatic protection systems with which the tank is equipped. I would argue that a larger tank is more likely to be equipped with sophisticated protection systems than a smaller one. In the same paragraph it is incorrectly stated "Smaller tanks have a lower storage capacity and, consequently, a greater likelihood of overfilling than larger tanks". The likelihood of an overfilling event depends on how often the tank is filled to capacity, not on the size of the tank. But naturally the consequences of an overfill event depend on the size of the tank.

At the end of the section "Consequence analysis" it is mentioned that commercial consequence modeling software allows the simulation of overfilling events, but unfortunately it is not mentioned what such simulations could be used for in connection with preventing the overfilling of storage tanks - the subject of the article.

In the following section titled "Likelihood analysis and protection layers" the author argues that likelihood analysis should start with the identification of events which could initiate an overfilling event. Among the initiating events mentioned is "filling an already filled tank". If a properly designed automatic overfill protection system was in place, then that system would not allow alignment of valves to fill an already filled tank. That was a standard feature of a polyethylene transfer system which I helped implement in the early 1980's. Only if one envisions - and I have great difficulty with that - a completely manual tank operation with field manipulated valve movements and pump starts can I visualize someone filling an already filled tank.

As the next step the author wants us to analyse existing protective systems. I begin to wonder what scenario the author is discussing. If it is analysis of an existing tank farm, then I believe the natural starting point for an analysis would be a list of existing protection systems, level measurements, remote and manual valves, and a drawing of the piping network.

The author further argues that a protection system must satisfy four criteria, i.e. be dependable, be independent, be specific and be auditable. These are not properties which I have come across when reading about functional safety interlocks. Naturally a protection system must be dependable, and that I believe is what we calculate as PFD - probability of failure on demand. Generally we also require a protection system to be independent, i.e. that the level measurement used in the interlock system does not come from the same sensor as the level measurement used for level control. Although lately it appears the community is relaxing a bit on this requirement by allowing a measurement of sufficient reliability to be used both as input to a level controller and as input to a safety interlock. I think this is due to improved reliability of sensor technology.

However, I do indeed wonder how a certified functional safety professional and certified occupational safety practitioner can ever assign a reliability of 0.01 to an operator response, as he argues for in the section "Weighing operator response". Many of the safety professionals whom I know would even consider a PFD of 0.1 as too high for operator response to an alarm. They are more likely to give the PFD for operator response as either 0.5 or 1. Neither can I understand why the lighting of the tank area has any influence on a system to protect a tank against overfill. Is the author thinking about manual operations? In my view this has nothing to do with overfill protection systems, although it could be relevant in connection with a manually operated storage facility. Such a facility I have some difficulty seeing in the hydrocarbon processing industry.

Finally I don't believe it is correct to say that one assigns PFDs to protection systems. The PFDs are calculated based on the reliability and failure modes of the components involved in a given protective system, partly based on the plant experience with the involved components. Even here the issue of the state of the tank pops up again in another discussion of the tank already being full. Again I would argue that the operator should not be able to select a full tank, i.e. not be able to open the inlet valve to a full tank.

With knowledge of the tank level, the tank capacity and the flow rate into the tank it is rather simple to provide the operator with an indicator showing e.g. seconds or - better - minutes to a full tank based on the current scenario. I really don't see operators doing calculations of this kind in the facilities I have been in contact with. They monitor and optimize the operation of the facility based on e.g. weather and demand.
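As an added example (not code from this post or the reviewed article), here is such a minutes-to-full indicator together with the alarm setpoint calculation that the alarm engineering for a semiautomatic overfill protection system requires. It assumes a vertical tank of constant cross-section, and the tank size, flow rates and 30-minute operator response time are constructed values.

```python
"""Time-to-full indicator and high-level alarm setpoint for a storage tank.

Added example, not code from the post or the reviewed article.  Assumes a
vertical tank of constant cross-section (volume linear in level); the tank
size, flow rates and required operator response time are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tank:
    capacity_m3: float   # volume at the maximum safe fill level
    max_level_m: float   # level reading corresponding to capacity_m3

    @property
    def m3_per_m(self) -> float:
        return self.capacity_m3 / self.max_level_m


def time_to_full_min(tank: Tank, level_m: float, inflow_m3_h: float,
                     outflow_m3_h: float = 0.0) -> Optional[float]:
    """Minutes until the maximum safe level at the current net inflow.
    None means the level is not rising; the display should show '--',
    not a huge number.  A level already above maximum gives 0."""
    net_m3_h = inflow_m3_h - outflow_m3_h
    if net_m3_h <= 0.0:
        return None
    remaining_m3 = (tank.max_level_m - level_m) * tank.m3_per_m
    return max(0.0, remaining_m3) / net_m3_h * 60.0


def alarm_setpoint_m(tank: Tank, design_inflow_m3_h: float,
                     response_time_min: float) -> float:
    """Level at which the high-level alarm must come in so that, at the
    worst-case fill rate, the operator still has response_time_min to
    stop the fill before the maximum safe level is reached."""
    margin_m3 = design_inflow_m3_h * response_time_min / 60.0
    return tank.max_level_m - margin_m3 / tank.m3_per_m


def indicator(tank: Tank, level_m: float, inflow_m3_h: float,
              outflow_m3_h: float, setpoint_m: float) -> str:
    """One line for the operator display: minutes to full and alarm state."""
    ttf = time_to_full_min(tank, level_m, inflow_m3_h, outflow_m3_h)
    ttf_text = "--" if ttf is None else f"{ttf:.0f} min"
    alarm = "HIGH LEVEL ALARM" if level_m >= setpoint_m else "normal"
    return f"level {level_m:.2f} m  time to full {ttf_text}  {alarm}"


if __name__ == "__main__":
    tank = Tank(capacity_m3=10_000.0, max_level_m=15.0)   # constructed
    sp = alarm_setpoint_m(tank, design_inflow_m3_h=1_200.0, response_time_min=30.0)
    print(f"alarm setpoint {sp:.2f} m")
    for level in (12.5, 14.2):
        print(indicator(tank, level, 1_200.0, 0.0, sp))
```

At the setpoint the indicator shows exactly the response time the alarm was engineered for, which is the check to make whenever the design fill rate changes.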

As a closing note I would consider a tolerable risk of 0.001 or 0.0004 as rather high in connection with probable loss of life from an event at a hydrocarbon processing facility. In fact I think they are several orders of magnitude too high, but they may be tolerable in connection with a complete ALARP study. The operators I have been connected with would consider them intolerable.
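To make the risk arithmetic behind the points above concrete (risk as initiating frequency times the PFDs of the protection layers, the independence requirement on the level sensors, the sensitivity to the operator-response PFD, and the comparison with a tolerable frequency), here is an added example that is not code from this post or the reviewed article. The initiating frequency, the PFDs, the transmitter tags LT-101A/B and the 1e-5 per year target are constructed assumptions.

```python
"""LOPA-style check of an overfill scenario against a tolerable frequency.

Added example, not code from the post or the reviewed article.  The
initiating-event frequency, layer PFDs, transmitter tags and tolerable
frequency are constructed (per year).  The arithmetic is the standard
layer-of-protection method: initiating frequency times the PFD of every
independent protection layer.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float     # probability of failure on demand
    sensor: str    # level transmitter the layer acts on (constructed tag)


def mitigated_frequency(initiating_per_year: float, layers: List[Layer]) -> float:
    """Multiply the initiating frequency by each layer's PFD.  Layers fed by
    the same transmitter are not independent, so the product would overstate
    the protection; refuse rather than silently over-credit it."""
    sensors = [layer.sensor for layer in layers]
    if len(set(sensors)) != len(sensors):
        raise ValueError(f"layers share a sensor, not independent: {sensors}")
    freq = initiating_per_year
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1], got {layer.pfd}")
        freq *= layer.pfd
    return freq


def operator_pfd_sensitivity(initiating_per_year: float, other_layers: List[Layer],
                             tolerable_per_year: float,
                             operator_pfds=(0.01, 0.1, 0.5, 1.0)
                             ) -> Dict[float, Tuple[float, float]]:
    """For each assumed PFD of the alarm-plus-operator layer: the mitigated
    frequency and the extra risk-reduction factor still needed to reach the
    tolerable frequency (1.0 means the target is already met)."""
    out: Dict[float, Tuple[float, float]] = {}
    for pfd in operator_pfds:
        layers = other_layers + [Layer("alarm + operator response", pfd, "LT-101A")]
        freq = mitigated_frequency(initiating_per_year, layers)
        out[pfd] = (freq, max(1.0, freq / tolerable_per_year))
    return out


if __name__ == "__main__":
    # Constructed scenario: level-control failure 0.1/yr, an independent
    # automatic shutdown (PFD 0.01) on its own transmitter, target 1e-5/yr.
    sis = [Layer("automatic overfill shutdown", 0.01, "LT-101B")]
    for pfd, (freq, gap) in operator_pfd_sensitivity(0.1, sis, 1e-5).items():
        print(f"operator PFD {pfd:<4}  mitigated {freq:.1e}/yr  extra RRF needed {gap:.0f}")
```

With the 0.01 operator credit the constructed scenario just meets its target; with the 0.1, 0.5 or 1 that practitioners would actually use, the same hardware falls short by a factor of 10 to 100, which is why the credit claimed for operator response decides the outcome of the study.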

So, to answer my own question: you cannot learn to prevent overfilling of storage tanks by reading HP unless the peer review is considerably improved. Just my honest opinion.

Sunday, May 08, 2016

Do online analyzers improve quality and safety?

Personally I have no doubt that online analyzers improve quality. However, implementation and usage are key for operator acceptance. I used to work at a polyethylene facility which had the luxury of having dual online process analyzers on the re-circulation stream to the fluidized bed reactor.
Initially we thought, great! By properly spacing the start of the sampling we could double the sampling frequency. However, at that time we failed to understand that, even though an attempt had been made to create two identical analyzer systems, there were small differences in the sample lines and the columns used in the analyzers. The result was that the two analyzers gave different results.

Probably, if our analyzer system had been subjected to a proper HAZOP study like the rest of the plant, many of the operational issues which we encountered would have been uncovered during such a study. There are probably at least two reasons why such a study was not performed when this system was put in operation in the mid eighties: i) dual systems were installed (redundancy to avoid quality issues during analyzer outage), and ii) lack of expertise on online analyzer systems (just one analyzer engineer and control engineers with insufficient experience).

I was reminded of this experience by reading the article "Solve online analyzer time delays by improving sampling system design" by W. Tanthapanichakoon and K. Suriye in the January issue of Hydrocarbon Processing. While this article focuses on a particular aspect of online analyzer design, it draws attention to the fact that such systems should also be designed with care and can have performance issues. Hence it appears appropriate to ask: "Why are online analyzer systems not subjected to a HAZOP study like other parts of a refinery or chemical plant?". Note that if the analyzers are used for online process control, then the systems are subject to MoC requirements.

In their article Tanthapanichakoon and Suriye show that sampling systems associated with online analyzers can be improved by paying attention to sampling system design. Other performance aspects of online analyzers could probably be equally improved. One aspect is the practice of regularly running a standard sample through the analyzer once a week, and then adjusting the analyzer based on the result. Hopefully this is no longer done, since we now know that the analyzer should be adjusted only when the result of the standard sample is outside the control limits on the control chart.
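An added illustration of that control-chart rule, not code from this post or the article: the standard's certified value, the analyzer repeatability, the twelve weekly deviations and the +1.2 response shift are all constructed. It compares adjusting after every standard run with adjusting only on a point outside the Shewhart limits, and shows that the chart rule still catches a real change in analyzer response.

```python
"""Control-chart rule for adjusting an online analyzer from weekly standard runs.

Added example, not code from the post or the reviewed article.  The standard's
certified value, the analyzer repeatability (sigma), the weekly deviations and
the response shift are constructed.  It contrasts adjusting after every
standard run with adjusting only when a result falls outside the Shewhart
control limits (mean +/- 3 sigma), the practice recommended above.
"""
from statistics import pstdev
from typing import List, Optional, Tuple

STANDARD_VALUE = 50.0   # certified value of the standard sample (constructed)
SIGMA = 0.2             # repeatability estimated from baseline runs (constructed)
UCL = STANDARD_VALUE + 3 * SIGMA
LCL = STANDARD_VALUE - 3 * SIGMA

# Twelve weekly run-to-run deviations of a stable analyzer (constructed).
NOISE = [0.1, -0.3, 0.2, 0.0, -0.1, 0.3, -0.2, 0.1, 0.3, -0.3, 0.0, 0.2]
# A real change in analyzer response of +1.2 (6 sigma) from week 7 onwards.
SHIFT = [0.0] * 6 + [1.2] * 6


def out_of_control(result: float) -> bool:
    """Shewhart rule: act only on a point outside the control limits."""
    return result > UCL or result < LCL


def run_policy(noise: List[float], adjust_every_run: bool,
               shift: Optional[List[float]] = None) -> Tuple[List[float], int]:
    """Simulate weekly standard-sample runs under one adjustment policy.
    Each reported result is STANDARD_VALUE + calibration offset + real
    response shift + noise; an adjustment corrects the offset by the full
    observed deviation.  Returns the results and the adjustment count."""
    shift = shift or [0.0] * len(noise)
    offset, results, adjustments = 0.0, [], 0
    for drift, n in zip(shift, noise):
        result = STANDARD_VALUE + offset + drift + n
        results.append(result)
        if adjust_every_run or out_of_control(result):
            offset -= result - STANDARD_VALUE
            adjustments += 1
    return results, adjustments


def compare_policies(noise: List[float]) -> Tuple[float, float]:
    """Spread of reported results for a stable analyzer under both policies.
    Adjusting every run carries last week's noise into this week's result
    (Deming's funnel experiment), roughly doubling the variance."""
    chart_results, _ = run_policy(noise, adjust_every_run=False)
    tamper_results, _ = run_policy(noise, adjust_every_run=True)
    return pstdev(chart_results), pstdev(tamper_results)


if __name__ == "__main__":
    chart_sd, tamper_sd = compare_policies(NOISE)
    print(f"stable analyzer: chart rule sd={chart_sd:.3f}, adjust every run sd={tamper_sd:.3f}")
    _, n_adj = run_policy(NOISE, adjust_every_run=False, shift=SHIFT)
    print(f"with a real +1.2 shift the chart rule adjusted {n_adj} time(s)")
```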

A nice example of improved operator confidence in analyzer results occurred when a facility moved from off-line laboratory measurements twice a day to online analyzer measurements every two or four hours. The operators started to adjust the process when they saw a trend in these slow online measurements. With twice a day lab measurements the trends were not apparent to the operators, since no one cared to plot the numbers and pass the results from shift to shift.

The article by Tanthapanichakoon and Suriye clearly shows that even analyzer systems benefit from having a team involved in their design. In the mid eighties an analyzer project was a one man project, and usually that was also the person who, once the analyzer was commissioned, would be responsible for the day to day maintenance activities - possibly with an instrument technician lending a hand now and then.

I think that today, with the focus of HAZOP being more on the hazard side than the operations side, a large opportunity to improve the performance of online analyzers is missed during their design. Taking it would give improved analyzers, which would result in improved control, which in turn would result in improved safety.

It is about time that online analyzers get the same focus as instrumentation generally gets in our projects. They deserve it, and they will reward us with improved online analyzer performance. What do you think?

Friday, May 06, 2016

How does one get more focus on process safety?

Veronica Luna attempted with the article "Improve facility safety by understanding process and personal safety" to get people to focus more on the big process safety events. The article was published in the January 2016 issue of Hydrocarbon Processing, which is widely available to professionals - including management - in the hydrocarbon industry. Unfortunately I don't think it got the impact it deserves. The problem is the title, and especially the little word "and".

I think the title should have been more focused on the differences between process safety and personal safety, which is what I believe Veronica Luna attempts to describe in the article. Hence I suggest a more attention-getting title would be "Improve facility safety by understanding the difference between process safety and personal safety". With this title it becomes much clearer that the article compares two concepts, and not a physical entity, i.e. a process, with an abstract concept, "personal safety" - abstract in the sense John Searle explains in his first lecture of the course "Philosophy of Society". The meaning of the concept "personal safety" is observer relative, i.e. it does not exist in the physical world, whereas the process exists independent of the observer, and hence is observer independent. I believe that practicing engineers need some knowledge of the social reality they are working in.

In the first paragraph of her article Veronica Luna correctly states that knowledge and understanding of process safety is lacking in many hydrocarbon processing facilities. I think that part of the reason for this state of affairs is that we often talk about "process and personal safety" when we should be talking about "process safety and personal safety". There is a big difference.

Veronica Luna continues by mentioning what she calls established personal safety metrics, and mentions total recorded injury rate (TRIR) and lost time injury (LTI) as examples. The problem is that LTI is not a metric. LTI is a label for a certain type of injury. A quick Google search reveals that there are two types of metrics w.r.t. personal safety in use: i) injuries per 100 employees in a given time period, and ii) injuries per 1,000,000 hours worked in a given time period. Which is relevant depends on your focus, i.e. the individual or the facility.

In my view it would also help to point to similarities between process safety and personal safety: they are both concerned with avoiding hazards turning into incidents. More precisely, we are concerned with two types of hazards: i) personal safety hazards, and ii) process safety hazards. Hazards are not just associated with the process. Hazards are also associated with e.g. the field operator climbing a tower (some of my friends would argue that a person should not climb an operating tower, and hence ladders should not be provided). The common point in dealing with both personal safety and process safety is the identification of the hazards: those associated with a job task for personal safety, and those present in the facility in the case of process safety. Examples of personal safety hazards are poor housekeeping in an area, which leaves trip hazards lying around, or insufficient rails on raised platforms leaving a fall hazard, to mention just two. Examples of process hazards are a vessel not being properly purged before opening, or corrosion of a vessel so it no longer can keep the hazardous material inside.

I think it would be very helpful to have available lists of potential personal hazards and potential process hazards in a given type of facility, especially for young professionals. It seems that current practice is to create these lists based on the knowledge and experience of the participants each time they are needed. This in my view does not facilitate professional development and building the knowledge of the group of professionals as a whole. Lists of potential hazards should be shared freely with others, since it is how you handle the hazards that makes the difference.

Veronica Luna appears to argue that a personal safety event has smaller consequences and affects fewer people than a process safety event. I disagree with this viewpoint, as probably do the families of the 90 workers killed each week in US workplaces in 2014. Losing a main source of income in a family is, from the family's point of view, a high consequence event. It is only on the surface that a personal safety event only affects one worker, since it also affects the worker's family and friends. So both personal safety events and process safety events have significant consequences. It is to eliminate these consequences that we work on both personal safety and process safety.

I also disagree with Veronica Luna's argument that higher engineering and management skills are needed to deal with process safety than with personal safety. How do you measure a level of skills? I don't know. You can measure a person's ability to perform a task, whether that is an operations task or an engineering task. Naturally the skills needed for dealing with process safety and personal safety are different. However, I would claim that both require engineering skills and management skills.

Further on in the article it is argued that process safety incidents are major accident events. Some process safety incidents are indeed also major incidents. However, at one Canadian company the CEO demanded a report on even the smallest fires on his desk within 24 hours. Why? He wanted to reduce the number of small process safety incidents in order to reduce the likelihood of a major process safety incident.

I think it is a good idea to relate major pieces of new regulation to the process safety incidents which preceded them, as is done in the article, although I don't think there is a one-to-one relationship. For example, it is doubtful that the Macondo well blow-out in the Gulf of Mexico had any link to OSHA's Refinery National Emphasis Program.

In the discussion of safety performance the article would benefit from mentioning the process safety metrics recently developed by CCPS, and already modified and adopted by several European companies in the hydrocarbon processing industry.

The article ends with a discussion of three process safety incidents from the past 20 years: the Esso Longford gas release in Australia in 1998, the BP Texas City Refinery explosion in 2005 and the Gulf of Mexico well blowout in 2010. Unfortunately the purpose of choosing these events is unclear, and the discussion is in my view too superficial to allow the reader to decide if there is any learning relevant for her site. At Longford it is well known that the engineering staff who could have advised operators during the abnormal situation they encountered had been moved several hundred kilometers away to a major city - without the communication facilities that we today take for granted, such as a Google Hangout or Skype video call. At the BP Texas City Refinery, HAZOP studies had years before recommended modifications which were never implemented, although opportunities had been there. Why not discuss either Buncefield or Fukushima?

The takeaway is right on: "Understanding process safety hazards - and their fundamental difference from personal safety hazards - is a crucial step towards achieving a good level of safety in the facility." Now, I am just left with an easy question for you: "What is a good level of safety?" Could someone please answer that simple question!