Cyber Attacks Could Look Like Equipment Malfunction
Training of control engineers urgently needed
Operational technology cyber monitoring is not sufficient to identify many significant control system cyber incidents, writes Joe Weiss in the Unfettered Blog on ControlGlobal. A major news organization has been given a sanitized sample of 20 cyber incidents from Joe Weiss' database. The sample included:
- combination of cases representing domestic and international, unintentional and malicious, multiple industries (e.g., power, water, pipelines, transportation, etc.),
- various levels of impact (e.g., business disruption, major environmental spills, major blackouts, catastrophic failures including deaths, etc.)
An important finding from this sample was that many cases would NOT have been detected from operational technology network monitoring, as these were control system cyber incidents. This is a clear cry for training control system engineers to question, when incidents happen, whether they could be cyber-related. This becomes very important as sophisticated hackers can, and have, made cyber attacks look like equipment malfunctions, e.g. Stuxnet.
Explosion during maintenance
3 contract workers killed and 7 injured
The Packaging Corporation of America's DeRidder, Louisiana, Pulp and Paper Mill was shut down for maintenance, but unknown to the maintenance workers the shutdown created an explosion hazard in a tank storing foul condensate. On February 8, 2017 - that is about three years ago as of this writing - an explosion occurred in the tank, killing 3 contract workers and injuring seven others.
Watch this Chemical Safety Board (CSB) video and learn how to avoid killing people during maintenance work at your facility. You probably also have tanks with mostly water.
This CSB video shows the importance of performing a hazard analysis as required by the MoC - Management of Change - procedures when a plant is shut down and equipment is isolated without being emptied. The exploding tank was a 100,000 gallon foul condensate tank. The foul condensate was mostly water containing a small amount of turpentine and sulfur compounds. In the tank the water and turpentine separated, with the latter creating a turpentine layer on top of the water, which would normally be skimmed off and recovered. However, due to uncertainty about who was responsible for this operation, that had not been done for several months prior to the shutdown, and hence the tank contained all the turpentine from this period. After isolation of the tank the content cooled, and a vacuum relief valve, which was designed to protect the tank from collapsing under vacuum, opened and let air into the tank, thus creating an explosive atmosphere of air and turpentine vapor. Somehow the tank content exploded during or shortly after hot work was performed on the water pipe running above the foul condensate tank. The explosion catapulted the 100,000 gallon tank over a six story building.
Unfortunately the part of the plant which exploded did not require a hazard analysis or MoC review to be performed before isolating the tank or performing hot work near it. So to put it bluntly, this was another loss of life due to the company "just following the rules" and using common sense in the application of hazard analysis and MoC review. When will this stop? Read the full CSB report about this event here.
IJH - It Just Happens
But why only in process control?
Five years ago ExxonMobil challenged the process control suppliers to make process control system implementation, upgrade and operations smarter. The first result of the challenge - the smart junction box - has reduced the time to commission a loop from 1 hour to 5 minutes.
At Schneider Electric Innovation Days in Austin, Texas about a week ago attendees were challenged to take this to the next level: IJH 2.0. With IJH 2.0 - to be deployed from 2021 - the challenge is to define a modularized functional container for software, a smart standard controller, and a standard, integrated engineering tool, as well as cyber security.
Erik Bruyn - senior technical professional, upstream, at ExxonMobil - asked the audience: "Why can't upgrading a process control system be as easy as getting a new smartphone?" Your old software apps work seamlessly on your new hardware, often with your customizations preserved through the hardware upgrade.
Modularized Functional Container
The vision with IJH 2.0 is a modularized functional container for software connected to an asset, with control, alarms and cybersecurity built in, and including functionality for startups and shutdowns. An asset could be a distillation column or other piece of equipment. Eric adds: “You should be able to order a pre-engineered module, and modify the standard configuration to what you want.” Cyber-security for access, intrusion detection etc. should be built-in, but configurable.
The new module should also be plug-and-play with your existing graphics displays. No need to upgrade displays just because of a process control hardware upgrade, with the overhead of extra training of operators.
The control component of IJH 2.0 should be a smart, standard controller that would have an industry-standard, real-time abstraction layer; be auto-binding; run third-party, vendor-agnostic applications; and come in standard enclosures.
Finally on the engineering side there should be a virtualized engineering tool for all automation that supports visualization, simulation, testing, and automated build of functional containers. It would be self-documenting, and come with a smart data interface and a library of prefabricated functional containers.
Why limit the vision to process control?
This to me sounds a bit like a vision which has been inspired by IT companies like Google and Facebook. But why not look beyond the IT world? From an overall process design and maintenance point of view the vision of IJH should be taken a few steps further, to standard size heat exchangers pre-configured with standard instrumentation allowing for monitoring both the process and the equipment, making preventive maintenance possible. And while we are at it: why limit ourselves to one type of equipment?
Phenomena based process design
At the Technical University of Denmark a group of Ph.D. students under the supervision of now retired professor Rafiqul Gani, who is currently CEO of PSE for SPEED, have developed a methodology for creating phenomena based optimized designs of chemical plants. Phenomena relevant for process design are defined in "An Innovative Synthesis Methodology for Process Intensification", the Ph.D. thesis of Philip Lutze. Examples of phenomena are mixing, stream split, phase transition, phase change, phase separation, reaction and energy transfer; for a complete list of phenomena see Lutze's thesis. Lutze combines phenomena into simultaneous phenomena building blocks, which are further combined into stages, unit operations and processes. The first step of Lutze's framework is to create an initial process design to accomplish the task. This flow sheet of unit operations is then converted to a phenomena based network, and then the network of phenomena is optimized w.r.t. capital cost, operational cost, environmental impact, safety, etc. See detailed examples in the Ph.D. thesis of Lutze and the publication "Phenomena Based Methodology for Process Synthesis Incorporating Process Intensification" by Lutze et al.
Functional modelling review
The methodology used by Gani and co-workers is an example of functional modelling, which has recently been reviewed by Jørgensen et al. in "Functional Modeling View on Product and Process Engineering in Design and Operations" in a special IECR Festschrift Honoring Sirish L. Shah, who retired as professor at the University of Alberta a few years ago. The figure to the right shows how different types of models are based on a fundamental functional model.
Important learnings from war games
Report from the 2019 Naval War College Cyber War Game
Control system cybersecurity expert Joe Weiss participated in the above war game, and reported his learnings and observations on Control Global in the Unfettered Blog, which is highly recommended reading.
Learnings from the Cyber War Game
- Mutual assistance doesn’t work for cyber attacks – so don’t count on it.
- Trained control system cyber security personnel are a highly limited resource – so you’re on your own.
- Isolating the OT networks from the IT networks and the Internet is still not being followed – this has to change or the OT networks will be hit.
- When you conduct an exercise, then design a scenario to help determine whether you’ve involved the right people in continuity of operations and incident response planning and execution.
- Malware isn’t the only way to “turn the lights off” - denial-of-service or physics issues can do the same or worse, and they may not be detected by OT network monitoring.
- Operations expertise is needed to determine electric system risk - it wasn’t readily available during the game.
- Control system devices, e.g., process sensors, actuators, drives, etc., need to be included in the scope of NERC CIP or NERC Supply Chain because they are critical for keeping the lights on, which means expanding the Electronic Security Perimeter to include these devices.
Harris County takes on ExxonMobil
In the Texas Standard Shelly Brisbin on August 2nd, 2019 reported on a fire earlier that week at a Houston-area petrochemical plant that left 37 people with minor injuries. The fire happened at Irving-based ExxonMobil’s Baytown plant, and it was just the latest industrial accident to blacken the skies near Houston.
Shelly further reported, that in a quick – some say bold – move, the Harris County attorney’s office filed a lawsuit against the company. Earlier this year, county commissioners decided to let the office file lawsuits without their approval. Harris County Judge Lina Hidalgo says the county’s suit alleges “environmental violations, illegal outdoor burning, creating a condition of air pollution, and a nuisance, as well.”
Effort to change company behavior
Hidalgo says state regulations often result in “a slap on the wrist” for polluters. She says the county’s legal actions are aimed at changing behavior more forcefully. And proceeding quickly prevents the state from intervening to weaken potential remedies, she says. “Lately, there’s been a cap, for example, on fines,” Hidalgo says.
Safepark believes this action by Harris County is unfortunately necessary to protect citizens against the consequences of reduced efforts by companies to prevent process incidents that have a negative impact on the community.
Needless killing of innocent people
Death toll rises to 85 people - and oil industry image suffering again!
The Guardian reports that more than 70 people were killed and more than 70 people injured in the explosion at a Pemex pipeline in Mexico. Apparently fuel theft is a major problem in Mexico, and people don't understand that it is extremely dangerous to get covered in liquid fuel, which happened to many people while they were stealing petrol from a leaking pipeline.
There is speculation that in this event the thieves actually cut holes in the pipeline. Pipelines are difficult to protect as they run through uninhabited areas for many miles, and often are not buried. However, it appears that Pemex - and not just the Mexican government - has a major need to educate the general public about the dangers of cutting holes in pipelines and stealing the content.
Unfortunately this is another nail in the coffin of the oil industry, which I was very proud to work in years ago. The negative effect of an explosion like this one goes beyond the company involved. It has an impact on the whole industry, and especially on the construction of new pipelines, which are otherwise one of the safest ways to transport liquid fuel over large distances. It also seems the many negative events at Pemex during the past ten years indicate that process safety is an afterthought in that company. So I think the question is: how can industry internationally ensure companies make pipeline safety a priority?
Train Accident on Great Belt Bridge in Denmark
Major train accident on Great Belt Bridge in Denmark
2010-01-02 10.30 Niels Jensen
Police on Funen in Denmark report about a train on the way towards Copenhagen being hit by items from a freight train passing in the direction of Funen around 7:30 AM local time. At this time all that is known is that several persons have died and others have been seriously injured.
Apparently the passenger train was hit by items from the passing freight train, resulting in the damage shown. Source of picture: TV2 News on Twitter.
Cause of train accident currently unknown 2019-01-02 10.45 Niels Jensen
But strong wind perpendicular to the bridge could be a factor in damaging trailers. It is well known that when trains travelling in opposite directions are passing each other at high speed, dynamic pressures are created between the two trains. It is possible that strong winds from the north at the time could have combined with the effect of the passing trains to rip apart one or more trailers on the freight train. Source of picture: Jyllandsposten.
Unsecured trailer hit front of high speed train
2019-01-03 16.15 Niels Jensen
Accident facts a day after are: 8 people died; of 16 people hospitalized only 2 remain in hospital. Also it appears a truck trailer with empty beer bottles hit the train and severely damaged the left side of the train (the one you can't see on the picture). What remains to be established is why the trailer did not remain on the freight train. The focus is on how the trailer was attached to the freight car. A possible cause could be metal fatigue. Source of picture: Jyllandsposten.
Accident investigation report available
Today the accident investigation board released its report on the early January accident on the Great Belt Bridge in Denmark, together with the animation shown here. The complete report and some tests are available here (in Danish).
2019-01-20 11:00 Niels Jensen
Train accident investigation update
The accident investigation is focused on a number of different issues:
- The mechanism which locks tractor trailers to the rail cars, and how to ensure they work properly. The system is used across Western Europe, and there has been at least one more event involving the locking mechanism.
- Whether the wind measurements on the south side of the bridge are representative of the wind the train is exposed to on the north side - especially when the wind direction is from the north.
- The basis for the wind limits to reduce train speeds and to stop train passage altogether.
Are your level control loops working correctly?
When I joined the process industry as a chemical engineer with some knowledge of process control more than 40 years ago, the site had a team of engineers like me, whose job it was to create higher level control applications on site for a major player in the oil and gas industry.
These higher level control applications, e.g. distillation column product quality control, depended on the performance of the bottom-level instrumentation control loops, such as flow control loops and level control loops. In those days part of our job was to tune the lower loops, often in collaboration with instrument technicians.
Replacing people with software
Since then most of the team of engineers have gone due to downsizing. So today there is no one to take care of improperly tuned control loops after the commissioning is finished. The result is, as described in the PAS webinar, that operators put more loops in manual, which generally gives higher variability and hence poorer loop performance. Since the people for loop tuning have been made redundant, it is good news that you can now get software that automatically monitors the performance of lower level control loops and recommends improvements. One set of such software tools is ControlWizard and TuneWizard from PAS. However, there are many others, so you may want to read an article in Control Engineering or listen to the PAS on-demand webinar on operations risk management here. The above slides are from this webinar.
Are you Safe from Process Accidents?
The October issue of "CONTROL" features a story headlined "Safe yourself" with the subheading "Use standards and software to achieve process safety". However, the opening message is that in the US the current regulations don't do the job of improving safety as well as the goal based European Seveso III directive in the EU.
Several safety consultants, such as Angela Summers of SIS-TECH, argue that currently only the big players such as ExxonMobil, Shell and DowDupont perform safety at the highest level, but insurers are pushing others in the right direction. And a Calgary company has created a Functional Safety Index, which is already being used to indicate ROI of process safety investments.
Read the whole article here: https://www.controlglobal.com/issues/2018/september/ . Read the latest remarks from Dr. Sam Mannan, the director of the Mary Kay O'Connor Process Safety Center at Texas A&M University, who passed away on September 11, 2018.
What is a safety life cycle?
If after watching this 2 minute long video you can define what a safety life cycle is, then please tell me, by writing to firstname.lastname@example.org . At Safepark we started by defining what WE mean by safety, and particularly process safety.
However, how many times have you listened to someone talking about safety without including a definition of the term in their talk or presentation? How about combined terms, like functional safety?
Control Global HMI video
Control Global has started publishing a series of control education videos. Safepark has watched the 4th of these, which gives an introduction to HMI. It is a short, just 10 minute, video, so very basic. However, it does provide some excellent advice in those 10 minutes. In particular the fact that an emergency shutdown button cannot be replaced with a soft button on a display. Ever!
You can find the other 3 videos on level measurements, flow measurements and industrial networking here. Once Safepark has watched these, comments will be added here.
Clamp-on temperature sensors
At Emerson Global Users Exchange BP reported on a test comparing the new wireless clamp-on pipe temperature sensor with a type K temperature sensor in a thermowell. The test showed the clamp-on sensor measured 5 Deg.F lower than the nearby thermowell thermocouple in the temperature range from 446 Deg.F to 485 Deg.F. A typical type K thermocouple has an accuracy of +/- 4 Deg.F. So the observed lower readings from the clamp-on sensor could easily be due to incorrect parameters for either the clamp-on sensor or the thermowell thermocouple. The clamp-on sensor has three parameters: pipe diameter, pipe material and pipe wall thickness. The thermowell thermocouple has nine design inputs.
Could it be used for tower temperature control?
Having worked quite a bit with tower control both in chemical plants and in academia, it is easy to ask if it would be possible to develop a "clamp-on" sensor for distillation towers to give control engineers a low cost option to monitor the tower temperature profile and use it for advanced process control. It would be nice if some enterprising academics could follow up on this idea.
Do you give away your email for useless templates?
Instead learn Excel - or better Sheets - and create your own templates
LinkedIn protects your privacy by not showing your email address in discussion groups such as HSEQ Professionals, which currently has more than 130,000 members. However, lately some group members have promoted rather simple Excel templates as a free giveaway in exchange for your email. These posts look like the one in the picture on the right (identifying information has been removed using GIMP).
Group members are promised an Excel template for creating a funnel chart if they respond to the post with their email address. Instead of giving away your email to the poster (and all other group members), google the term "excel funnel chart template" or take a look at http://asli.aetherair.co/funnel-charts-excel/ , which has several more elegant suggestions for funnel charts than the one posted in the LinkedIn group. Then choose the one that best fits your data.
LinkedIn protects your personal or business email address
Generally LinkedIn doesn't expose your email to others. But by posting your email address in a response to a post, you break the privacy which LinkedIn is attempting to create. Similarly LinkedIn protects you from receiving messages from members you are not connected with.
If one googles either "how to create funnel chart in excel" or "how to create funnel chart in google sheet", one gets links to numerous posts with instructions on how to create such charts.
Are HSE professionals internet literate?
So I wonder if HSE professionals are so internet illiterate that they are unable to find simple things on the internet, such as instructions on how to create certain charts? I hope that is only the case for the minority 0.15% who responded to the post shown here. Here is a link to a 3 minute video on YouTube which shows you how to make a funnel chart in Excel: https://youtu.be/c4dSHaKHc_8
The above is another of this programmer's offerings: an audit tracking chart. It shows open, closed and total audits per department, i.e. three bar charts for what could better be shown on a single stacked bar chart. So again, you are better off creating your own charts for reporting HSE data, and protecting your privacy on LinkedIn.
You probably spend more time collecting your data
Also ask yourself compared with the time you spend collecting your data, how much extra time would it take to create a chart, which convey your message clearly to your audience?
Human error at the Oscars
- What we can learn from it!
At the Oscars 2017 the wrong movie was at first declared a winner of the best movie award. That turned out to be a mistake.
Others would probably call it a human error, because the wrong envelope was handed to one of the two hosts on the stage in Hollywood. If you are in the latter group, then I suggest using a few minutes to watch a video from Lund University's Human Factors and System Safety department here.
First learning: This was NOT a human error
I would classify what happened as an envelope design error. However, one could also argue that it was an envelope transport control error. Maybe it was actually the circulation system which malfunctioned this time around.
In his blog Steven Shorrock points out that what happened at The Oscars was essentially the start of the discipline of human factors and ergonomics during WWII. More relevant, however, is that the design of the envelopes was such that it is a surprise that this has not happened before in the history of The Oscars. On the outside all the envelopes at the Oscars were completely identical. This means it was completely up to the assistants from PricewaterhouseCoopers to ensure that the correct envelope was handed to the host on the stage. Given the number of envelopes and the fact that duplicates of each were available, the likelihood of a wrong envelope being handed to a host can easily be calculated.
Second learning: Handing information from one person to another should be analyzed as a transportation system
where items can e.g. be wrongly delivered. Although the Oscars considered something could happen to the host on stage, their risk assessment did not consider the transportation risk involved in handling the envelopes.
As Steven writes: "Experience of human factors suggests a number of coding methods, e.g. shape, colour, size, that used appropriately, can help to make vital distinctions.", and points out that within the pharma industry both the European Medicines and the UK's National Health Service have developed guidelines for design for patient safety of medication packaging, attached below.
From the outside it appears the stage host at the Oscars did in some way realize that he did not have the correct envelope. Since this situation was probably not covered in the rehearsal for the Oscars, the host became uncertain about what to do.
Third learning: You should train people on abnormal situation handling
Steven finishes by writing that, for the most part, the human in the system is less like a golden Oscar, and more like someone using the abilities of mind and body to connect parts of a system that only work because people make them work. This aspect of human performance in the wild is usually taken for granted. But in the real world, people create safety. And for that, they deserve an Oscar.
What to be alarmed about
in your chemical plants and refineries?
Post date: Mar 31, 2016 5:21:41 PM
Alarm systems are integral to the safe operation of chemical plants and refineries. They alert the operations personnel when a plant condition is about to escalate to an undesired situation, such as the fire shown in the picture to the right (Source of picture: www.csb.gov). The fire at Morton International was the result of a so-called runaway reaction. A runaway reaction in a chemical plant or refinery happens when the energy and / or material balance is significantly off balance.
What to be alarmed about in chemical plants and refineries is usually decided by senior process engineers in collaboration with senior operators. Sometimes equipment vendors provide long lists of things to be alarmed about around the operation of a particular piece of equipment. We call such lists c.y.a.-lists, and recommend that you either ignore them completely - after all the plant and its operation is your responsibility - or at least reduce them from alarm events to just logging events in the secondary control room or the maintenance shop. Otherwise your operators become accustomed to just acknowledging these nuisance alarms. However, the big question is: how do senior engineers and senior process operators decide what to be alarmed about in your particular plant or refinery? Most likely the answer will be based on experience! So what happens when your plant involves new technology?
We think a more fundamental approach is needed to decide what to be alarmed about in chemical plants and refineries. If a chemical plant or refinery runs smoothly, then energy and material balances are in balance. That means there is no accumulation of either energy or material in your facility. Accumulation of energy and material in a chemical plant or refinery usually occurs when something is not working or functioning as designed. We believe that this is where functional models such as Multilevel Flow Models - MFM - can help you decide what to be alarmed about and when to be alarmed. A properly designed MFM model of your plant or refinery will allow you to reason about how a deviation moves through your facility until it eventually disturbs the ability of the facility to achieve its goal, e.g. producing certain chemicals in certain amounts and purity. The result of reasoning with the MFM model and plant status information will allow your operators to intervene in the process before the deviation has escalated beyond recovery. The MFM model may even be used to arrive at possible actions for counteracting the initial deviation.
Currently we are working closely with researchers and others at leading universities and companies to make these ideas move from research to operations. For more information about this project write to email@example.com.
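The balance argument above, and the war game learning further up the page that physics issues may not be detected by OT network monitoring, both come down to the same check: do the reported measurements satisfy the material balance? The following Python is an added example, not code from the original post or from the MFM research it mentions, and it assumes a single tank with a hypothetical cross-sectional area of 10 m², one inflow and one outflow meter, and a 60 second sample interval. It compares the level a tank should reach from its net flow with the level actually reported, and flags intervals where the two disagree. The sample data are constructed: in the second series the outflow is throttled but the level transmitter keeps reporting the same value, which is exactly the kind of "equipment malfunction" a network monitor would never see because every packet is well formed.

```python
"""Material-balance residual check for one tank (added example, not plant code)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Assumed for this example only: tank geometry and the residual tolerated as noise.
TANK_AREA_M2 = 10.0      # hypothetical cross-sectional area of the tank
TOLERANCE_M = 0.02       # largest level residual per interval accepted as noise


@dataclass(frozen=True)
class Sample:
    t_s: float            # timestamp, seconds since start of the record
    inflow_m3_s: float    # measured inflow, m^3/s
    outflow_m3_s: float   # measured outflow, m^3/s
    level_m: float        # measured level, m


def expected_level(prev: Sample, cur: Sample, area_m2: float = TANK_AREA_M2) -> float:
    """Level predicted from the previous level and the net volumetric flow.

    Accumulation = (in - out) * dt / area. The net flow is averaged over the
    interval (trapezoidal rule) so a flow change mid-interval is not overstated.
    """
    dt = cur.t_s - prev.t_s
    net_prev = prev.inflow_m3_s - prev.outflow_m3_s
    net_cur = cur.inflow_m3_s - cur.outflow_m3_s
    return prev.level_m + 0.5 * (net_prev + net_cur) * dt / area_m2


def balance_residuals(samples: Sequence[Sample],
                      area_m2: float = TANK_AREA_M2) -> List[Tuple[float, float]]:
    """(timestamp, measured level - expected level) for every interval."""
    residuals = []
    for prev, cur in zip(samples, samples[1:]):
        residuals.append((cur.t_s, cur.level_m - expected_level(prev, cur, area_m2)))
    return residuals


def flagged_timestamps(samples: Sequence[Sample], area_m2: float = TANK_AREA_M2,
                       tol_m: float = TOLERANCE_M) -> List[float]:
    """Timestamps where the reported level is inconsistent with the reported flows.

    A persistent residual means either a meter, the level transmitter or the
    plant itself is not behaving as designed; that is what deserves an alarm
    and an engineer asking why, regardless of what the network looks like.
    """
    return [t for t, r in balance_residuals(samples, area_m2) if abs(r) > tol_m]


def _series(outflows: Sequence[float], levels: Sequence[float],
            inflow: float = 0.05, dt_s: float = 60.0) -> List[Sample]:
    """Build a constructed record with constant inflow and the given outflows/levels."""
    return [Sample(i * dt_s, inflow, o, l)
            for i, (o, l) in enumerate(zip(outflows, levels))]


# Constructed case 1: outflow is throttled at t=300 s and the level rises exactly
# as the balance predicts (net 0.02 m^3/s over 60 s on 10 m^2 = +0.12 m per interval).
CONSISTENT_SERIES = _series(
    outflows=[0.05] * 5 + [0.03] * 3,
    levels=[2.00] * 5 + [2.06, 2.18, 2.30],
)

# Constructed case 2: same flows, but the level transmitter keeps reporting 2.00 m.
FROZEN_LEVEL_SERIES = _series(
    outflows=[0.05] * 5 + [0.03] * 3,
    levels=[2.00] * 8,
)


if __name__ == "__main__":
    for name, series in (("consistent", CONSISTENT_SERIES),
                         ("frozen level", FROZEN_LEVEL_SERIES)):
        for t, r in balance_residuals(series):
            mark = "ALARM" if abs(r) > TOLERANCE_M else "ok"
            print(f"{name:13s} t={t:5.0f} s  residual={r:+.3f} m  {mark}")
```

Running the block prints one line per interval; the consistent record produces no alarms, while the frozen-level record is flagged from t=300 s onward because the level should have risen by 0.06 m in the first throttled interval and 0.12 m in each following one. The tolerance and area are the two assumptions a real deployment would replace with the tank's datasheet and the observed noise of the transmitters.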
Should safety be measured?
Post date: Dec 17, 2014 9:23:20 PM
Today Safepark attended a seminar with Erik Hollnagel and Sidney Dekker with the title "Measuring Safety". Erik Hollnagel, who is currently at Syddansk University, opened the show with a presentation titled "Should safety be measured?" about the difference between Safety I and Safety II. Safety I is what we have been doing for the past 80 years, that is measuring the absence of safety. This is done by counting things which are easy to count, such as number of fatalities, number of near miss events (a bit more difficult), number of first aids and other such numbers. However, the events behind these numbers clearly indicate the absence of safety. If safety existed, then no one would die or get hurt. Safety II focuses on understanding the work being done. This is much more in line with how performance is measured and improved in professional sports. You measure what is happening, and you try to become the best. To me this is much in line with the ideas of Jens Rasmussen, who used to work at RISØ in Denmark, on analyzing work.
Sidney Dekker started by describing the Australian problem that many top level people spend almost a quarter of their workweek on compliance with regulations. Clearly that leaves less time for making things safer. Much along the same line, it was reported earlier this week that the average hospital department had to deal with thousands of regulations during their daily work. These regulations take time away from focusing on patients and their needs. So too many rules are not just an Australian problem.
What about counting incidents?
Can safety be measured by counting incidents? The opinion of world-leading safety experts Erik Hollnagel and Sidney Dekker was very clear at today's seminar: No! In order to improve safety you need to focus on the work being done and how it is being done. Erik Hollnagel and Sidney Dekker argued that our well-known and widely implemented measurements tend to be misleading and thus an unfortunate waste of the limited resources dedicated to safety. We tend to measure failures rather than successes, and we focus on what we believe to be precursors of accidents, but rarely are. Are there better and more useful ways of measuring safety?
Erik and Sidney do not say that we should stop doing PHA, HAZOP, FTA and ETA and all that. They just say that in order to improve safety we need to put more focus on the outcome of the work actually being done. To me, that seems to have parallels in the Japanese approach to quality after WWII guided by Deming and Conway. What do you think?
Programme in Risk and Safety Management
New 2 year M.Sc. program at AAU in Esbjerg
Post date: Feb 13, 2014 6:43:08 PM
Starting this month Aalborg University in Esbjerg, Denmark are accepting enrolment in their new 2 year M.Sc. programme in Risk and Safety Management. The language of instruction is English, and in order to be enrolled in the program you need a relevant bachelor of science or bachelor of engineering degree.
You can read more about the programme on the Aalborg University in Esbjerg homepage at http://www.studyguide.aau.dk/programmes/postgraduate/78503/. Or in the document attached to this note.
Currently Safepark Consultancy is performing a survey of engineering education in Europe with a special focus on process safety elements.
Computers & Chemical Engineering
- most downloaded paper award
Post date: Jun 14, 2014 4:16:26 PM
We have just been informed by the Editor-in-Chief Rafiqul Gani and the Publisher Angela Welch of Elsevier's Computers & Chemical Engineering journal that our paper "A functional HAZOP methodology", authored by Netta L. Rossing - currently at FLS, Morten Lind - emeritus professor at DTU, Niels Jensen - owner of Safepark, and Sten Bay Jørgensen - emeritus professor at DTU, was the most downloaded in the period from September 2012 to August 2013.
The work on the functional HAZOP methodology is currently being extended by visiting Chinese Ph.D.-student Jing Wu under the supervision of Gürkan Sin from DTU-Kemiteknik and Morten Lind from DTU-Elektro, and by Ph.D.-student Xinxin Zhang under the supervision of Morten Lind from DTU-Elektro.
Recently Jing Wu presented work on validation of functional models at a World Oil & Gas Conference in Okayama, Japan.
Computers & Chemical Engineering
- also a most cited paper award
Post date: Oct 12, 2013 10:55:24 AM
We have just been informed that the Editor-in-Chief Rafiqul Gani and the Publisher Angela Welch of Elsevier's Computers & Chemical Engineering journal have given the award "Most Cited Articles, 2010 - 2012" to the paper "A functional HAZOP methodology", authored by Netta L. Rossing - currently at FLS, Morten Lind - emeritus professor at DTU, Niels Jensen - owner of Safepark Consultancy, and Sten Bay Jørgensen - emeritus professor at DTU.
The work on the functional HAZOP methodology is currently being extended by visiting Chinese Ph.D.-student Jing Wu under the supervision of Gürkan Sin from DTU-Kemiteknik and Morten Lind from DTU-Elektro.
Prescriptive Process Safety
- US may move away from it
Post date: Jul 11, 2013 12:58:08 PM
In a recent hearing in the US Senate Committee on Environment and Public Works related to the ammonium nitrate explosion in West, Texas and the more recent Williams Olefins explosion, the chairperson of the US Chemical Safety Board, Rafael Moure-Eraso, hinted that a changed approach to process safety could be needed in the USA. At the end of his prepared statement he said that some of the positives in the current situation are:
- "Following the Chevron refinery fire last year, and acting on CSB recommendations, California is poised to triple the number of dedicated process safety inspectors ... funded by industry fees.
- Another promising approach is the 'safety case' - successfully used in other nations, which insurers say have much lower petrochemical accident rates than we do.
- Companies identify and commit to follow the best safety standards from around the world, subject to approval and oversight by a competent, well-funded regulator. Many experts believe this is the best safety regime for complex, technological industries, rather than the US system which calls upon a prescriptive and often outdated rule book."
As a past teacher of risk assessment to chemical engineering students at DTU for more than 10 years I can only agree. However, it is important that the entities given commercial permits for different activities are aware of the risk involved and know when to ask for advice outside one's own organisation. In my view it is the duty of state legislators to ensure that facilities are covered no matter where they locate themselves.
During the course at DTU groups of students had to prepare a safety report according to the EU Seveso II directive, including aspects such as site selection and transportation routes for raw materials and products. The objective was not to make them experts at HAZOP, FMEA, ETA or any other tool, but to give them an overview of the complexity and breadth of preparing a 'safety case' according to the EU Seveso II directive. The course continues to this day, and I know international students are most welcome. It is my experience that multicultural groups add an extra dimension to the group work by giving students insights into the different regulatory regimes in different countries around the world.
Safepark Consultancy would be most happy to participate in the development of similar courses for chemical engineering students elsewhere or for groups of professionals from industry or regulators.
What is all the fuss about alarms?
Post date: Jun 27, 2013 1:39:22 PM
In recent years we have gotten an updated EEMUA guide on the design, management and procurement of alarm systems and also a new ISA standard on Management of Alarm Systems for the Process Industries. Both of these documents recommend that an individual operator is not exposed to more than 300 alarms per day. But what does 300 alarms per day mean?
300 alarms per day means we are asking an operator to solve potentially 300 unique problems each day. That is 12½ unique problems per hour, or approximately 1 new problem every 5 minutes! Who in the world can be expected to cope with that kind of workload? I am pretty sure that I can't. Unless many of the alarms require little or no analysis - and hence in my view should be handled by the automatic process control system (DCS or SCADA) - the requirements of the recent standard and guideline are in my view insane. Even half these numbers could be too much - just imagine an engineer having to work on a new problem every 10 minutes!
I recall being introduced to a very closely managed approach to alarms on my first job as a computer process control engineer - computer applications engineers, we were called - with a major Canadian integrated oil company. The general philosophy was that computer process control applications should not generate any alarms, and that they should cope with situations such as an online analyzer not being available, e.g. due to calibration by the instrument technician, without bothering the operator. Only when the measurement was unavailable for an extended period should the computer control application hand the situation over to the operator.
I recall days when there was less than one alarm every hour. We were using Honeywell's PMX II process control computers, on which it was very easy to implement alarms both on the TDC 2000 image points and on the computer control points. However, that did not result in a large number of alarms, because an alarm required the process engineer to specify the required operator action. Alarms were hence being managed - even without an alarm management application.
So what has happened since these early days of process control computers in the 1980's? My guess is that in many companies the process engineer has been eliminated as a filter of alarms implemented on the DCS or SCADA. This has allowed e.g. equipment vendors to implement alarms on turbines at major power plants - alarms without any required operator action. This should be stopped!
I believe articles such as Kevin Patel's "Managing the Alarms That Manage You" are treating the symptoms instead of the root cause of too many alarms. However, the ISA standard does provide facility owners with a framework for managing alarms during the whole plant life cycle, just like all other aspects of plant operations.
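The alarm-load arithmetic and the two practices described in this post - configuring an alarm only when a required operator action is specified, and letting the control application ride through a short analyzer outage before handing over to the operator - are shown together in the following added example. It is not code from the post or from any Honeywell product; the alarm definitions, timestamps, analyzer outage and the 60-minute hand-over time are all constructed assumptions, and only the 300 alarms per day figure comes from the text.

```python
"""Alarm load arithmetic and a 'no nuisance alarms' input-handling pattern.

Added example: all alarm definitions, timestamps and the analyzer outage are
constructed, and the 60-minute hand-over time is an assumption, not a value
taken from the EEMUA guide or the ISA standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ALARMS_PER_DAY_LIMIT = 300   # per-operator figure quoted in the post


def alarms_per_hour(alarms_per_day: float) -> float:
    return alarms_per_day / 24


def minutes_between_alarms(alarms_per_day: float) -> float:
    return 24 * 60 / alarms_per_day


def peak_alarms_in_any_hour(timestamps) -> int:
    """Largest number of alarms in any sliding 60-minute window. A flood at
    shift start hides behind a daily average, so the peak matters too."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while ts[start] <= t - timedelta(hours=1):
            start += 1
        best = max(best, end - start + 1)
    return best


@dataclass
class AlarmDefinition:
    tag: str
    description: str
    operator_action: Optional[str] = None   # what the operator must do when it fires


def rationalize(definitions):
    """The 1980s filter from the post: an alarm without a specified operator
    action is not configured. Returns (accepted, rejected)."""
    accepted = [d for d in definitions if d.operator_action and d.operator_action.strip()]
    rejected = [d for d in definitions if d not in accepted]
    return accepted, rejected


class HeldMeasurement:
    """Control-application input that rides through short analyzer outages.

    While the analyzer is unavailable (e.g. being calibrated) the last good
    value is used and nothing is alarmed. Only after `handover_after` of
    continuous unavailability is one alarm raised and control handed over."""

    def __init__(self, handover_after: timedelta):
        self.handover_after = handover_after
        self.last_good = None
        self.unavailable_since = None
        self.handovers = []          # times at which the operator was alarmed

    def update(self, now: datetime, value: Optional[float], available: bool):
        """Return (value_to_use, handed_over) for this scan."""
        if available:
            self.last_good = value
            self.unavailable_since = None
            return value, False
        if self.unavailable_since is None:
            self.unavailable_since = now
        if now - self.unavailable_since >= self.handover_after:
            if not self.handovers or self.handovers[-1] < self.unavailable_since:
                self.handovers.append(now)   # one alarm per outage, not per scan
            return self.last_good, True
        return self.last_good, False


def run_analyzer_outage(outage_minutes: int, handover_minutes: int = 60) -> int:
    """Simulate one-minute scans with a constructed analyzer outage starting at
    minute 5; return how many times the operator was alarmed."""
    held = HeldMeasurement(timedelta(minutes=handover_minutes))
    t0 = datetime(2013, 6, 1, 8, 0)
    for minute in range(outage_minutes + 15):
        now = t0 + timedelta(minutes=minute)
        available = not (5 <= minute < 5 + outage_minutes)
        held.update(now, 42.0 if available else None, available)
    return len(held.handovers)


# Constructed alarm log: a 20-minute flood at shift start, then one more alarm.
T0 = datetime(2013, 6, 1, 8, 0)
SAMPLE_ALARMS = [T0 + timedelta(minutes=2 * k) for k in range(10)] + [T0 + timedelta(hours=2)]

if __name__ == "__main__":
    print(f"{ALARMS_PER_DAY_LIMIT}/day = {alarms_per_hour(ALARMS_PER_DAY_LIMIT)}/hour, "
          f"one every {minutes_between_alarms(ALARMS_PER_DAY_LIMIT):.1f} minutes")
    print("peak alarms in any hour:", peak_alarms_in_any_hour(SAMPLE_ALARMS))
    print("20 min calibration -> operator alarms:", run_analyzer_outage(20))
    print("90 min outage      -> operator alarms:", run_analyzer_outage(90))
```

The 20-minute calibration produces no alarm at all, while a 90-minute outage produces exactly one hand-over alarm rather than one per scan; that is the difference between an application that manages its own inputs and one that pushes every transient onto the operator.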
Who is responsible for safety at work?
The company performing the work is responsible for safety at work. Period!
Post date: Apr 29, 2013 3:18:00 PM
The fireworks seized on Hawaii consisted of so-called cakes - in Denmark they are called firework batteries, and are sold to the general public in the week prior to the New Year's celebrations on December 31st, when people greet the new year with a country-wide fireworks display during the first half hour after midnight. In Denmark these cakes are sold in either cardboard boxes - like those seized on Hawaii - or wooden boxes, as shown on this picture.
Here in Denmark the Danish Working Environment Act is a framework act, which lays down the general objectives and requirements in relation to the working environment. The act aims at preventing accidents and diseases at the workplace and at protecting children and young persons on the labour market through special rules. WEA guidelines give specific direction in many areas, e.g. crane operators. The guidelines are not binding on companies, but the authorities will take no further action if the guidelines have been followed. After the explosion and fire at Seest near Kolding (that event should probably have been referenced in the report) the Danish Working Environment Authority has had increased focus on places manufacturing and/or handling fireworks, and unused fireworks have to be handled as dangerous waste. In Denmark unused fireworks are destroyed by NORD on Funen, but especially dangerous fireworks are handled by the DoD's EOD. The question has as far as I know never come up, but my guess is that seized fireworks would be handled by the DoD's EOD.
The CSB investigation report on the explosion and fire at DEI contains 12 recommendations. However, strangely enough none are directed to Donaldson Enterprises, Inc., who ultimately was responsible for the safe disposal of the seized fireworks. I think that, in line with the Baker Report after the BP Texas City event, the CSB should at least recommend to the board of Donaldson Enterprises, Inc. that the company ensure they have the necessary expertise to handle the contracts into which they enter. Clearly DEI did not have that in the area of fireworks disposal. Sadly enough it appears that the company who lost the bid to DEI did have the necessary expertise.
In CSB's investigation report about the explosion and fire on Hawaii it is never directly stated that a subcontractor with insufficient knowledge was selected. However, 9 of the 12 recommendations aim to improve the contractor selection process for fireworks disposal. I somehow feel this would be additional work on any subcontractor, and hence increase the cost of all disposal subcontracts. In my view a much simpler approach would be to let the subcontractor selection for disposal of dangerous goods, such as fireworks, be handled by an office in the DoD which has the necessary expertise. This would also be in line with another CSB investigation on recycling of ammunition. As always I am attempting to keep things as simple as possible.
Why do you perform HAZOP?
- Chevron Richmond Refinery did because they had to!
Post date: Apr 26, 2013 9:46:00 AM
Last Monday the Chemical Safety Board (CSB) released a draft report on the pipe rupture event at Chevron's Richmond Refinery last August. This report is scary reading about a company that goes through the motions, a public inspection service that doesn't see the problems, and company management not listening to either local or corporate experts. The picture of the vapor cloud is courtesy of CSB.
The most surprising part is paragraph #57, where a Chevron employee recommended replacement of the pipe which ruptured last August in the 2007 turnaround, because it had just 4 years of life left until it reached refinery throwaway thickness. Unfortunately this employee was all too correct in his prediction.
Apparently Chevron performs PHA (HAZOP) just because it has to. One example from the draft report is that the HAZOP of the crude unit did not include corrosion. Another is that Chevron after the rupture event rushed to replace some carbon steel piping in the crude unit without first considering what would be the best replacement material. Or when a unit to remove hydrogen sulfide from the #4-sidecut was removed, no MoC was performed. Neither was a MoC performed when switching to feeding more sulphur-rich crudes to the unit.
This draft report is also richly illustrated and has many references to relevant literature from CCPS, API and others. There is a good explanation of abbreviations at the start, and many explanatory footnotes, which makes the report very informative for non-experts. Unfortunately the draft report does not clearly identify the root causes of the release and fire. I hope this will happen in the final report, although it seems clear that among the root causes is an insufficient mechanical integrity program at the refinery. At another refinery, which I had the opportunity to visit with a group of university professors about 10 years ago, we were told that corrosion measurement points were moved if a particular point did not indicate any corrosion during 3 measurement periods.
The draft report contains 14 (or 20, depending on how one counts them) recommendations, of which only two are to the company. Of the remaining, one is to the US EPA and the rest to authorities in the City of Richmond, Contra Costa County and the State of California. This distribution of recommendations concerns me. A recommendation usually means that the receiving party has to do some new or extra work. For authorities already under significant economic pressure this is unsustainable. We need to find an approach where the burden of work after a process safety event is on the company, and not the authorities.
Furthermore any regulation should use shall, and be as broad and general as possible. After all the purpose is simple enough: to ensure no employees or members of the public are harmed by the activities of the company. This is not that different from requiring that drugs produced and marketed by pharmaceutical companies are safe to use for their intended purpose. After all, the purpose of the physical design of a refinery is to keep the hydrocarbons inside the process, and the purpose of maintenance is to ensure this continues to be the case.
- Safepark continues to be involved!
Post date: Jan 21, 2013 9:04:52 PM
Safepark continues to be involved in functional modeling and in particular MFM. Last November Niels presented ideas on functional alarm design at the International Workshop on Functional Modelling (IWFM) at DTU. The workshop was attended by about 25 researchers involved in functional modeling - some from as far away as Japan and China.
During the fall part of our involvement centered around the synthesis of inorganic reactions using so-called Solvay circles. More information about the results of this effort should be available later this year.
PDF-files with the abstract of Niels Jensen's contribution and his presentation at IWFM are attached below.
The Cyber Threat
- does the process industry understand it?
Post date: Dec 20, 2012 9:15:57 PM
On December 14th Joe Weiss asked on the Control Global Community pages "Another survey says utilities taking cyber security seriously - really?". The background for the question is the so-called Aurora Vulnerability, which is a threat to electrical distribution grid reliability, and which apparently can be mitigated by a hardware change in the substations. Joe Weiss is questioning whether the utilities have really upgraded their substations.
Some years ago I visited a major hospital and had a tour of their ventilation system. I was quite impressed just by the size of the ventilation channels, and the underpressure generated on the doors to these. However, the system was controlled by standard off-the-shelf hardware which quite conveniently included an internet connection. That internet connection saved the technicians many 100-kilometre trips to fix small operational problems at odd hours of the day and on weekends. They simply connected to the ventilation control hardware using another off-the-shelf product: PC Anywhere. However, at the time a single login was shared among all the technicians. I wonder if this has changed today?
I also wonder how many facilities still use software vulnerable to Stuxnet? Many facilities would require a shutdown to upgrade software on critical hardware. For some that shutdown window has yet to appear. Today I also learned about some malware in the Middle East which erases all non-C: partitions on the Windows computers it finds itself on.
Cyber threats are really annoying, since they require you to change how you work on a day to day basis, and you never know if you have stopped anything. For example you may need to establish special procedures for getting data from the process control network to the business network for e.g. performance analysis, design debottlenecking etc.
Have you ever heard about a mainframe virus or mainframe malware? Maybe they exist in a laboratory somewhere, but their development and deployment would require Stuxnet-like efforts. Have you considered a mainframe solution for your plant? Some did in the 1970's. They are now extending the life of their more than 30 year old investment. That is, they have been running the same process control computer for more than 30 years! What other computer systems can provide that length of service?
Today you can actually get a mainframe with one or more extenders. So you naturally place the mainframe in or close to your head office (or other protected environment) and then extenders in each of your major plants. The extender can run both Windows and Linux software. Now the trick is to ensure there are no connections to your extenders except from your process control system - and that this system doesn't have any direct internet connections. Then there is a safe data channel from the process to the head office mainframe, where the process data can be used for optimization, performance monitoring using complex models, etc. Since the Windows and Linux systems on the extenders are isolated from the internet, there should be no need to regularly patch them with security upgrades.
Well, at the moment there is a small problem with the concept described here: the mainframe and the extender currently have to be rather close to each other. That currently rules out the mainframe solution, but the basic idea of a secure data channel from the process to computers for optimization, etc. could probably be implemented by other means. The concept is based on secure data delivery from plant to user, and no internet connection directly to any part of the process control systems.
Will such a structure eliminate the cyber threat? Only if you can prevent your engineers from using random USB-drives to transport process data away from the process control network. For this to be a reality you would have to provide the engineers with another easy means of access to the necessary process data. That I think is possible!
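The "secure data channel from plant to user" sketched in the last three paragraphs, and the sanctioned export path that would make USB-drives unnecessary, can be modelled in software as a relay that only ever carries plain measurements outward and has no inbound direction at all. The following added example is not code from the post or from any mainframe or extender product; the tag names, engineering ranges, record format and shared key are all constructed assumptions. It shows the process-network side validating and signing each record against an allow-list, the head-office side verifying the signature, and anything that is not an allow-listed measurement (including a write-style payload and anything arriving from the business side) being dropped.

```python
"""One-way export of process data from the control network, constructed example.

Added example, not from the post: it models the 'secure data channel' idea as a
relay that only carries allow-listed, range-checked measurements outward and has
no inbound path. Tag names, limits and the shared key are made-up assumptions.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Allow-list of exportable tags with plausible engineering ranges (assumed values).
ALLOWED_TAGS = {
    "FIC-101.PV": (0.0, 500.0),    # feed flow, m3/h
    "TIC-205.PV": (-50.0, 400.0),  # reactor temperature, degC
    "PIC-310.PV": (0.0, 60.0),     # column pressure, bar
}
REQUIRED_FIELDS = {"tag", "ts", "value"}


def validate_record(raw: str) -> Tuple[Optional[dict], Optional[str]]:
    """Parse one line from the process side; return (clean_record, None) or
    (None, reason). Anything that is not a plain measurement is refused."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None, "not JSON"
    if not isinstance(rec, dict) or set(rec) != REQUIRED_FIELDS:
        return None, "unexpected fields"          # e.g. a setpoint or command payload
    tag, ts, value = rec["tag"], rec["ts"], rec["value"]
    if tag not in ALLOWED_TAGS:
        return None, f"tag not allow-listed: {tag}"
    if not isinstance(ts, int) or ts < 0:
        return None, "bad timestamp"
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None, "value not numeric"
    lo, hi = ALLOWED_TAGS[tag]
    if not lo <= value <= hi:
        return None, f"value out of range for {tag}"
    return {"tag": tag, "ts": ts, "value": float(value)}, None


class OneWayRelay:
    """Process-network side of the channel: validates, signs and queues outbound data."""

    def __init__(self, key: bytes):
        self.key = key
        self.outbound = []   # envelopes for the head-office side
        self.rejected = []   # reasons, for the plant's own log

    def export(self, raw: str) -> bool:
        rec, reason = validate_record(raw)
        if rec is None:
            self.rejected.append(reason)
            return False
        payload = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        self.outbound.append({"payload": payload, "mac": mac})
        return True

    def receive(self, _raw: str) -> bool:
        """There is no inbound direction: whatever arrives from the business side is dropped."""
        self.rejected.append("inbound traffic dropped")
        return False


def accept_envelope(key: bytes, envelope: dict) -> Optional[dict]:
    """Head-office side: accept a record only if its MAC verifies, so a record
    altered in transit or injected on the business network is discarded."""
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        return None
    return json.loads(envelope["payload"])


# Constructed input lines as they might be read from the control system's historian.
SAMPLE_LINES = [
    '{"tag": "FIC-101.PV", "ts": 1355950800, "value": 212.4}',
    '{"tag": "TIC-205.PV", "ts": 1355950800, "value": 187.9}',
    '{"tag": "FIC-101.SP", "ts": 1355950800, "value": 250.0, "write": true}',  # write-style payload
    '{"tag": "XV-999.CMD", "ts": 1355950800, "value": 1}',                     # tag not allow-listed
    '{"tag": "PIC-310.PV", "ts": 1355950800, "value": 9999}',                  # out of range
    'status=ok',                                                               # not a record
]


def run_demo(key: bytes = b"constructed-shared-key"):
    """Return (records delivered, rejection reasons, result for a tampered envelope)."""
    relay = OneWayRelay(key)
    for line in SAMPLE_LINES:
        relay.export(line)
    relay.receive('{"tag": "FIC-101.SP", "ts": 1355950800, "value": 250.0}')
    delivered = [accept_envelope(key, env) for env in relay.outbound]
    tampered = dict(relay.outbound[0], payload=relay.outbound[0]["payload"].replace("212.4", "0.0"))
    return len([d for d in delivered if d]), relay.rejected, accept_envelope(key, tampered)


if __name__ == "__main__":
    n, reasons, tampered = run_demo()
    print(f"delivered {n} records; rejected: {reasons}; tampered envelope accepted: {tampered is not None}")
```

Of the six constructed lines only the two plain measurements reach the head office; the relay's own log records why the other four, and the one inbound message, were dropped, which gives the plant a place to look when an engineer's export "did not arrive" instead of reaching for a USB-drive.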
Failure is NOT an option!
- upgrade of DCS on a running plant
Post date: Dec 14, 2012 8:15:04 PM
A recent article on ControlGlobal, "DCS Migration: Failure is not an option!", reminded me of a simple upgrade of a Honeywell DCS during my time in the Canadian petrochemical industry. The plant had been running for a number of years using the PMX variant of Honeywell's DCS at the time, and our team of control and system engineers had the attitude: if it is not broken, then don't fix it. The result was that after half a dozen years of operation an upgrade of the PMX software had become unavoidable. Unfortunately business was doing well, and there was no window long enough to bring down the computer control system, upgrade and test the new software including our local add-ons, and restart the system with all computer control strategies operational. Failure was not an option.
Since we were in the lucky situation that the control computer room had enough empty floor space to stage a second PMX computer control system, it was decided to do that. That is, to buy a new PMX computer system, install the software including our local patches and our computer control applications on this system, and then do a fast switchover from the old PMX system to the new PMX system. This was successfully done with minimal impact on process operations - except for some temporary postponement of computer control application improvements until after the upgrade.
That was more than twenty years ago. The PMX system has long since been replaced with current generation Honeywell process control systems.
Bayer CropScience event
- Critical review of CSB report
Post date: Sep 15, 2012 7:25:25 PM
The CSB investigation report into the process safety event at Bayer CropScience in Institute, WV on August 28, 2008 is quite unusual. As usual it gives event causes and recommendations, but the majority of these are aimed at regulatory issues. You can read the full critique in the attached PDF-file.
This critique is part of our project which looks at how learning from the events being investigated by the CSB can be improved. Comments on this and the previous critique of the investigations into the events at DuPont's Belle site are most welcome. Just write to firstname.lastname@example.org.
- Critical review of CSB report
Post date: Sep 13, 2012 11:30:13 AM
As part of a project concerned with learning from past process safety events Niels has started reading the latest CSB investigation reports. The first report which has been reviewed as part of this effort is CSB Report No. 2010-6-i-WV from 2011. That is the investigation report from the methyl chloride, oleum and phosgene releases occurring in January 2010 at the E I DuPont de Nemours Belle site in the Kanawha Valley near Charleston in West Virginia.
The critical review of this investigation report is attached below. The review contains commendation on good work, and recommendations on how learning from the process safety events through the report could be improved.
Laboratory safety presentation
at conference in Lodz, Poland
Post date: Nov 28, 2011 9:00:23 AM
Last week the 1st International Conference on Modern management standards of Occupational Safety and Health took place in the city of Lodz in central Poland. Niels was invited to give a keynote talk on laboratory safety titled "A sandbox - risk assessment in experimental research". The presentation featured forms for risk assessment of chemicals (Chemical APV Form - see below) and risk assessment of experimental setups (Laboratory ExpSetup Risk Assessment - see below). These forms are based on input from industry, and have been used for a number of years in a university environment.
The conference on Wednesday, November 23rd featured simultaneous translation between Polish and English. The first session on day one was "Occupational safety and health management as a system including law regulation and control institutions", which included presentations from the National Labour Inspectorate in Poland on accident prevention and from the University of Lodz on psychosocial threats in the working environment. The second session, "Role of education in forming proper OSH attitudes", was dominated by presentations from the University of Lodz, while the third session, "Psychological and physiological aspects of occupational safety", featured an excellent presentation by professor Teresa Makowiec-Dabrowska from the Nofer Institute of Occupational Medicine.
The second day featured visits to one of two local companies: Sonoco Poland - Packaging Services or Flextronics Logistics Poland. Niels visited Flextronics, which is part of a major international corporation involved in logistics as well as assembly and repair of electronics. The tour of the warehouse showed that the degree of automation is not as high as in comparable facilities in Denmark and other western European countries. Niels wonders what the long term prospects of such manually operated warehouses are.
The next Conference on Modern management standards of Occupational Safety and Health is planned to take place on 17-18 September 2013 in Lodz, Poland. Further information at www.mordernsafetystandards.com.
Process Safety Competence
Presentations at special session at ECCE-8
Post date: Oct 7, 2011 7:37:55 PM
The two day special session on "Process safety competence - European strength degrading to weakness" at ECCE-8 in Berlin included the following presentations:
- "Avoiding accidents - process safety competence could make the difference" was the title of the keynote by Dr. Manuel Gomez, who is director of recommendations at the US Chemical Safety Board in Washington, DC.
- "Competence - conceptual introduction from a pedagogic and scientific point of view" was the title of the first presentation, delivered by professor P. Dehnbostel from the Helmut Schmidt University in Hamburg.
- "Universities teaching process and plant safety - the European map" was the second presentation, by Niels Jensen from Slangerup, Denmark.
- "Process and plant safety - ProcessNet's curriculum recommended to universities" was the title of J. Schmidt's presentation after lunch. Dr. Schmidt is with BASF in Ludwigshafen and Karlsruhe Institute of Technology.
- "Safety competence - key insights from a study of the Dutch situation" was the title of Dr. Hans Pasman's presentation. Dr. Pasman represented the Council of Hazardous Substances, due to be disbanded by the government in the following week.
- "How to achieve high quality teaching in higher education? General approaches applied to the field of process and plant safety" was the title of professor J. Steinbach's presentation. Dr. Steinbach is with the Technical University of Berlin.
- "Leading from the top in making process safety competence a reality" was the title of the talk delivered by Lee Allford of the EPSC on behalf of Dr. D. Brown of the Institution of Chemical Engineers in Rugby, UK.
- "Process safety competence management" was the title of the first presentation after the coffee break, by Dr. Paul Delanoy of the Dow Chemical Company in Norfolk, UK.
- "Promoting process safety competency - work of the Center for Chemical Process Safety (CCPS)" was the title of the talk given by Louisa Nara of the CCPS in New York.
- "The DECHEMA approach to process and plant safety knowledge transfer" was the title of the presentation by Dr. A. Förster from DECHEMA in Frankfurt.
- "Promoting incident prevention - decades of experience to share" was the title of the presentation by Dr. G. Uhlmann from Berufsgenossenschaft der chemischen Industrie (BG Chemie) in Maikammer.
- "Teaching safety in chemical engineering - what, how and who?" was the title of professor Martin Pitt's keynote at the start of the second day's session. Professor Pitt is from the University of Sheffield in the UK.
- "Process and plant safety competence - the authorities' view" was the title of Jan Slijpen's presentation. Jan Slijpen is with the Ministry of Social Affairs and Employment in Utrecht, the Netherlands.
- "Process and plant safety competence - how to sustain the success factor for European chemical industry" was the title of the presentation by Dr. Peter Schmelzer, who in this connection represented a committee under CEFIC.
- "High process safety competence - an asset to a chemical company" was the title of Dr. H.V. Schwarz's presentation after lunch. Dr. Schwarz is with BASF in Ludwigshafen.
- "Process safety through operational management" was the title of van Roost's presentation. van Roost is with Total Petrochemicals in Brussels.
- "Training engineers in safety and risk management: the OECD experience" was the title of Mr. M. Hallwood's presentation. Mr. Hallwood is with LUBW Landesanstalt für Umwelt, Messungen und Naturschutz in Baden-Württemberg.
After presentation of the 2011 EPSC Process Safety Award to a German researcher in the field of static electricity, the two day special session was rounded off by a panel discussion. The panel included Dr. Hans Pasman, who is currently at the Mary Kay O'Connor Process Safety Center in Texas, Prof. Martin Pitt from the University of Sheffield, Dr. Norbert Pfeil from BAM, Dr. Peter Schmelzer from Bayer and Ms. C. Schalbe representing an NGO in Brussels. The panel discussion was titled "Process Safety Competence - the way forward".
The organizers of the two day special session on process safety competence promised to have updated presentations and conclusions from the two day event available on an unspecified website before the end of November this year. Presenters have until the end of October to sanitize their presentations for publication. Further details will be provided here when available.
European map of process safety education
presented at special session at ECCE-8
Post date: Oct 7, 2011 6:25:38 PM
Last week, more specifically Wednesday September 28th, Niels presented the European map of process safety education at the university level at the special two day session "Process safety competence - European strength degrading to weakness" in connection with the 8th European Congress of Chemical Engineering at the ICC in Berlin.
The two day special session was attended by more than 50 people from industry, consultancies and academia. The four organizers, Peter Schmelzer from Bayer, Norbert Pfeil from BAM, Christian Jochum from EPSC and Konstantinos Mitropetros from Dechema, had put together a program which covered all aspects of process safety competence.
A highlight of the special session was the keynote on the second day given by professor Martin Pitt from Sheffield University. He delivered a very entertaining talk about teaching process safety in a university environment. In the talk he called process safety the most difficult subject to teach, and showed how a simple investigation of a runaway reaction, such as the explosion at T2 Laboratories in the USA, would require knowledge of all subjects of chemical engineering as well as solid knowledge of physics.
Niels' presentation was the last one before lunch on the first day of the special session. A PDF-file with the presentation slides has been attached to this note together with a short document with the oral comments delivered to the attendees at the symposium. Further information from the successful two day session will be provided by the organizers of the event in the coming months, and a link will then be added to this note.
The European map was created by surveying the websites of almost 1400 European universities. The initial survey only considered the traditional engineering disciplines such as civil, chemical, electrical and mechanical plus process safety. However, an updated survey which includes the many new types of engineering education available at European universities has been started based on feedback from attendees at the special session in Berlin. The spreadsheet with the information gathered has also been attached to this note in the LibreOffice format. If you find errors in the information in the spreadsheet, then please tell us using the contact us form.
EFCE WP Loss Prevention web-site
Post date: Feb 6, 2011 8:59:17 PM
The European Federation for Chemical Engineering (EFCE) Working Party on Loss Prevention and Safety Promotion (WP Loss Prevention) now has its own web-site at www.wp-lossprevention.eu. Take a look!
Update July 2018
Safepark is no longer active on the Working Party on Loss Prevention and Safety Promotion, and therefore the update and maintenance of the website has been passed on to an active member of the WP. In fact Safepark already announced at the end of the Symposium in Firenze that Niels Jensen would no longer be the Danish representative on the WP.
Goal based HAZOP article
published in International Electronic Journal of Nuclear Safety and Simulation
Post date: Aug 8, 2010 2:43:42 PM
In the June issue of the International Electronic Journal of Nuclear Safety and Simulation (IJNS) the article "A goal based methodology for HAZOP analysis" by Rossing et al. was published. You can read the article online or download a PDF-file at IJNS. You can also download the PDF-file in our resources section.
Niels was supervising the M.Sc.-thesis work of Netta Rossing on which the work is based. Co-supervisors were professors Sten Bay Jørgensen and Morten Lind from DTU. Netta Rossing is currently employed at FLSmidth - a Danish engineering company with more than 100 years of experience in delivering equipment for the global cement and minerals industries.
25+ years after Bhopal - have we learned the lesson?
"Properly NOT!" was the answer at LP 2010 in Bruges
Post date: Jun 11, 2010 1:06:18 PM
There was standing room only at Safepark's presentation Tuesday afternoon on the second day of the Loss Prevention 2010 symposium in Bruges. The point of the presentation, titled "25+ years after Bhopal - Have we learned the lesson? Properly NOT!", was that the reason for the continuously increasing number of government regulations both in the USA and in Europe since the watershed events at Seveso in 1976 and Bhopal in 1984 is the lack of proactive action by industry and its organizations, such as Responsible Care. The presentation was given by Niels Jensen, the owner of Safepark.
Currently there is however insufficient evidence that the increased regulation of the industry - expected to further increase as a result of Deepwater Horizon - is actually reducing the number of accidental releases of chemicals or the number of fires and explosions involving chemicals. Each new major event, such as the explosion at BP's Texas City refinery in March 2005 or the explosion at the Buncefield Oil Depot in December 2005, is treated as a one of a kind event, even though evidence presented at Loss Prevention 2010 showed this not to be the case.