Tues 11 35 W Boyes Keynote2011


Transcript of Tues 11 35 W Boyes Keynote2011

  • 8/10/2019 Tues 11 35 W Boyes Keynote2011

    1/28

    Careful, we don't want to learn from this!

    These words are from Bill Watterson's great comic strip, "Calvin and Hobbes." They could be the motto of all the accidents in all the process plants that have killed people through just plain bad alarm management and faulty process safety thinking. Based on the results of the past 30 years, we really don't want to learn anything from what has happened from Bhopal to Deepwater Horizon.

    If you read the final report on Deepwater Horizon, you will understand that "the blowout was not the product of a series of aberrational decisions made by rogue industry or government officials that could not have been anticipated or expected to occur again. Rather, the root causes are systemic and, absent significant reform in both industry practices and government policies, might well recur."


    Why is Safety so HARD?

    Between January and February this year, there have been more than a dozen incidents, resulting in at least 36 injuries, some serious, and one fatality, in process plants as reported by the ASM Consortium in its RSS feed, echoed by my website, ControlGlobal.com (www.controlglobal.com/articles/2010/asm_news.html). And the hits just keep on coming.

    It's not an excuse to say "the process industries are dangerous." If that were a valid reason to ignore safety, then miners would still be going down in the ground with acetylene lanterns and canaries. Not that mining safety is so wonderful either.

    We've been doing significant research on safety and promulgating safety standards for nearly 50 years. And the results are poor. We keep trying to figure out how to produce satisfactory alarm management schemas, train operations and maintenance personnel, focus management eyes on safety, and, based on results, none of that seems to work very well.

    Just recently, HSE released figures that noted that there had been fewer injuries this year than last, but that the number (42) was about average for the last five years. In other words, it isn't getting noticeably better.


    Insanity is doing the same thing over and over and expecting different results!

    The definition of insanity is doing the same thing over and over and expecting different results. It is clear that we are doing the same things to try to make our process workplaces safer, and we're not getting different results.

    Variously, we've tried alarm management strategies, graphical user interface designs, high fidelity simulations and operator training.

    In most cases, what we have not tried is mandating safety as "Job One," and really, really meaning it. For example, J. M. "Levi" Leathers, when he was general manager of Dow Chemical Company's Texas division in the 1960s, reacted to a major accident with a number of deaths at a Dow plant, and simply noted that safety was more profitable than unsafety. This dedication to safety before all else, including profit, has held true for Dow in the 50 years since. Andrew Liveris, Dow's CEO, says, "We operate a safety first, production second mindset at Dow, and our Drive to Zero global safety goals will always come first because it's what's right for our employees, our communities, our customers, our business partners and our environment."

    If Dow can do it, why can't everyone?


    Now, Back to BP

    Former BP CEO Tony Hayward

    Clearly, it is not enough to mean well

    Hayward, however good his intentions were, never successfully communicated to his staff and operating managers that there were no ways to skimp, no ways to hurry, and no short cuts to a safety culture. The result was that the Deepwater Horizon operators felt pressure to cut corners and pay lip service to safety in the service of getting the Macondo well dug, capped and producing as fast as they could. And the ultimate payment for that lip service was that 11 of them died and the financial consequences to BP have yet to be completely totted up.


    And then there was ICL

    Glasgow, May 11, 2004: the worst disaster since Piper Alpha

    The explosion that destroyed the ICL plastics plant in Glasgow, Scotland, on May 11, 2004, was caused by an LPG line that leaked into a basement being used as a storage locker by a contractor. He was killed along with several other workers when he went into the basement and flipped on the light or something.

    How in the name of anything did that happen?

    It went down like this. The son of then-ICL Tech managing director Frank Stott was hired as a co-op student for a holiday job and given the responsibility of inspecting the pipeline. He didn't see anything major wrong. Of course, he likely didn't know what to look for, and ICL had not availed itself of any of the corrosion monitoring technologies on the market either.

    The HSE (U.K. Health and Safety Executive, similar to OSHA in the USA) had told ICL that they should take care of the corrosion in the line, but that it was not essential to replace the pipeline, which was installed without any corrosion protection. So after the accident the HSE fined ICL about $60,000 per dead person, and let them keep right on operating.


    and the Olympic Pipeline Disaster

    A cyber incident that cost lives and destroyed a company

    EEMUA, the ASM Consortium, and the Center for Chemical Process Safety, ISA, the IEC, HSE and every other organization of government and process industry professionals have been out beating the drum for increased operator training and improved alarm management and human-machine interfaces for decades now. In the US, the National Electrical Code and the National Fire Protection Association standards reflect many of these improvements, as do regulations elsewhere in the world, and still the accidents keep right on happening.

    In the Bellingham case, note that this was a cyber incident, not just a damaged pipe incident.


    The problem isn't just safety

    SIS, Security, Alarm Management, Operations, Training, Company Goals

    There is a highly complex interaction between a large number of those vectors. Safety, security, alarm management, operations, training, and of course, your company goals all interact, and, like any complex system, simply changing one vector makes more changes than can often be visualized or calculated in advance.

    No one expected the operators to have difficulty seeing both the inlet and the outlet flows to the isomerization process and the raffinate splitter tower at BP's refinery in Texas City. No one expected ALL the level measurement devices on the tower to fail at the same time. No one expected the safety system to fail. No one expected that the operators would consistently make wrong decision after wrong decision as they tried to recover from the impending disaster. No one expected the diesel pickup truck to be running in the same area as the cloud of hydrocarbon vapor.

    Yet all of these things happened. And people died. There have been many more accidents in the years since the BP disaster, and there will be many more. And many more people will die.

    We need to start thinking about safety, security, alarm management, operations and training as an integrated whole, and we need to have our companies agree that the safe way is the most profitable way. We have not done this yet, and until we do, people will continue to die.


    Building SIS in a vacuum

    SIS has to be part of an overall proactive safety strategy

    Our first attempts to build safety systems took the form of dedicated systems that were stand-alone and completely separate from the basic process control system. This was done to ensure that these multiply redundant systems shared no points of failure with the control system itself.

    This was both good and bad. The good news was that the safety system could only be used for one thing. It was strictly to shut down the plant if something abnormal occurred. The bad news was that it encouraged safety practitioners to develop a curious tunnel vision, so that the interactions of the safety system with the rest of the plant were often not investigated. And operations focused on spurious trips and how to turn off the system.

    So, a few years ago, we began integrating safety systems and control systems, with many engineers still unwilling to do that to this day. What we learned immediately was that there were those interactions, and that a Safety Instrumented System cannot be built in a vacuum. It must be part of an overall proactive operations strategy that includes safety, security, plant operations and maintenance. Probably the best example of what I am talking about is what Dow's Levi Leathers called for, almost fifty years ago, an operating discipline in which safe operation is the most important engineering rule of the company.


    Building SIS in a vacuum

    SIS must also be part of an overall proactive security strategy:

    Security is a safety issue!

    Safety systems are part of the control systems in the plant, and safety systems must be considered in any cyber security strategy we implement. Even a traditional standalone SIS could be penetrated and damaged if connected in any way to a control system or to the plant information network, even by means of a serial data line. At the 2008 ACS Cyber Security Conference, Bryan Singer, co-chair of the ISA99 cyber security standards committee, and Nate Kube of Wurldtech Security Technologies demonstrated a hack of an integrated safety system (one that has received TUV approval and is being sold today). In less than 25 seconds, he was able to force the system to fail unsafely. Other hacks have been demonstrated to work against traditional stand-alone systems, too. And then there was Stuxnet. And there will be more.

    This illustrates the absolute fact that safety and security interrelate. And so do perimeter security, fire and gas safety controls, and personnel locating technologies. In this age of integrated systems, nothing stands truly alone.

    We often speak of Functional Safety. We are also going to have to begin speaking of Functional Security. Security is a safety issue.


    Alarm Management, really

    Alarm management: cure or symptom?

    Make the operator more effective

    In the 1960s and 1970s, operators were able to get an instant grasp of the operating condition of the plant or the part of the plant they were responsible for by looking at the panel wall. We gave up that viewpoint by migrating to small screens where only a part of the process could be seen. Now we are moving back to screen walls and working on visibility issues. But for years, we've had real problems with giving operators more ability to see the eagle's eye view of their processes, and we wonder why their tunnel vision leads to accidents that certainly should have been prevented.

    We also have a history of treating operators as less important to the operation of the plant than the engineers and managers, when, in fact, the operator of a process plant is much more like a pilot of an aircraft. They are responsible for the safe operation of the plant, and the optimization of the plant, and they should not be burdened, as so many of them are, with busy-work because some top manager noticed that they weren't busy when he entered the control room. Really, good operators earn their salary during those thirty seconds of terror when the plant is in upset, just like pilots do when something goes wrong with the plane.

    If we just were able to look at operators in this way, and make improving their HMIs and training critical, we could reduce accidents and save lives.


    Using operators correctly

    Optimizing the HMI and using operators correctly are all part of what we're calling alarm management

    We now know that operator response to abnormal situations is highly dependent on how the information is presented to them. The BP accident shows that fact clearly. If the operators had been able to easily see both the flow in and the flow out of the raffinate splitter tower, it is highly likely that they would have intervened long before they did.

    We understand this, but we have not been able to build this into the routine engineering dogma of control systems and safety systems.

    We have seen the output of the ASM Consortium. We have seen the EEMUA guidelines. We now have the ISA18 standard. And we continue to overload operators with too many inputs, too many distractions, and too many jobs to do.

    Properly, the only parts of a process that an operator should be seeing are the ones that aren't working properly, or that the operator is engaged in optimizing. Yet many HMIs are designed with lots of motion, pretty colors and three dimensional effects because it is cool and has lots of marketing sizzle.

    Many HMIs are designed and installed with minimal input from the operators, because in many countries the operators are very often considered non-professional labor to be told where to go, and what to do, by engineers and managers.


    Operators are professionals

    Operators need to be in charge of the process

    Operators are not clerks or technicians

    I encourage you to consider that operators are highly skilled technical professionals, whether they are trained engineers or not. This is the intent of the ISA's Certified Automation Professional designation: automation isn't an engineering discipline. Automation is a multidisciplinary profession that includes chemical engineers, process engineers, control system engineers, operators, scientists, and technicians.

    The operator needs to be in charge of the process he or she is operating, and we need to provide the tools to really be in charge.

    Operators cannot handle hundreds of alarms every minute and be in charge of the process.


    Functional alarm management

    Like safety, alarm management must be a continuous process

    Many people have real problems with IEC 61508, IEC 61511 and ANSI/ISA 84.01-2004. We're educated to be project-oriented. We propose projects, we get projects approved, funds are dedicated to those projects, and we do the project and then it is over. And so, with process safety projects, process optimization projects, and alarm management projects, we have first success, then gradual decay after the project people turn the project over to the operations staff.

    But safety, alarm management, security and operator training are not amenable to project-oriented engineering thinking.

    They are inherently processes, and they are best managed as continuous processes, and there are very few of us who instinctively think in those terms.

    But if we are to meet the intent of the safety standards, and security standards like ISA99, and more than that, if we are to begin to operate on the basis that all these topics form an inter-related and interdependent, interconnected system, we are going to have to think instinctively in process terms rather than project terms.
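    The two points above, that operators cannot be in charge of a unit while hundreds of alarms a minute arrive, and that alarm management has to be run as a continuous process rather than a finished project, are things a plant can actually measure on a rolling basis. What follows is an added example, not from the keynote and not any vendor's product: it computes the basic alarm-performance KPIs that EEMUA 191 and ISA-18.2 define (average alarm rate per 10 minutes, peak 10-minute load against the published flood threshold of more than 10 alarms in 10 minutes, the "bad actor" tags that dominate the count, and chattering tags) over a constructed alarm journal. The journal lines, tag names, the tab-separated journal shape and the 60-second chatter window are assumptions made for the example; the rate and flood thresholds are the published benchmarks.

```python
"""Alarm-rate KPIs over a constructed alarm journal (added example).

The thresholds below are the published EEMUA 191 / ISA-18.2 benchmarks:
an average load of about 1 alarm per 10 minutes is considered manageable,
and more than 10 alarms in any 10-minute window is an alarm flood.
The journal lines are constructed sample data, not from any real plant.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample journal: one alarm every 10 minutes for an hour of steady
# operation, then a 4.5-minute upset in which LIC-205 chatters six times and
# six other tags follow.  Format: "<ISO timestamp>\t<tag>\t<priority>\t<message>".
SAMPLE_JOURNAL = """\
2011-03-01T10:00:00\tFIC-101\tLOW\tFlow low
2011-03-01T10:10:00\tTIC-102\tLOW\tTemperature deviation
2011-03-01T10:20:00\tPIC-103\tLOW\tPressure low
2011-03-01T10:30:00\tLIC-205\tLOW\tLevel high
2011-03-01T10:40:00\tFIC-101\tLOW\tFlow low
2011-03-01T10:50:00\tAIC-104\tLOW\tAnalyzer fault
2011-03-01T11:00:00\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:00:20\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:00:40\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:01:00\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:01:20\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:01:40\tLIC-205\tHIGH\tLevel high-high
2011-03-01T11:02:00\tFIC-101\tHIGH\tFlow high
2011-03-01T11:02:30\tFIC-106\tHIGH\tFlow high
2011-03-01T11:03:00\tTIC-102\tHIGH\tTemperature high
2011-03-01T11:03:30\tPIC-103\tHIGH\tPressure high
2011-03-01T11:04:00\tPSV-110\tHIGH\tRelief valve lifted
2011-03-01T11:04:30\tTIC-107\tHIGH\tTemperature high
"""

TEN_MIN = timedelta(minutes=10)
FLOOD_THRESHOLD = 10   # EEMUA 191 / ISA-18.2: more than 10 alarms per 10 minutes is a flood
MANAGEABLE_RATE = 1.0  # EEMUA 191 target: about 1 alarm per 10 minutes on average


def parse_journal(text):
    """Parse tab-separated journal lines into time-ordered (timestamp, tag, priority, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, prio, msg = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), tag, prio, msg))
    return sorted(events, key=lambda e: e[0])


def rate_per_10min(events):
    """Alarm counts in fixed 10-minute bins, the first bin starting at the first alarm."""
    if not events:
        return []
    start = events[0][0]
    bins = [0] * ((events[-1][0] - start) // TEN_MIN + 1)
    for ts, *_ in events:
        bins[(ts - start) // TEN_MIN] += 1
    return bins


def peak_sliding_count(events, window=TEN_MIN):
    """Largest number of alarms in any sliding window (t - window, t]; catches bursts that bins split."""
    peak, lo = 0, 0
    for hi, (ts, *_) in enumerate(events):
        while events[lo][0] <= ts - window:   # drop alarms that fell out of the window
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def bad_actors(events, top=3):
    """Tags contributing the most alarms, as (tag, count, share of total)."""
    counts = Counter(e[1] for e in events)
    total = len(events)
    return [(tag, n, round(n / total, 3)) for tag, n in counts.most_common(top)]


def chattering_tags(events, min_repeats=3, within=timedelta(seconds=60)):
    """Tags that re-annunciate at least min_repeats times within `within` of their previous alarm."""
    last_seen, repeats = {}, Counter()
    for ts, tag, *_ in events:
        if tag in last_seen and ts - last_seen[tag] <= within:
            repeats[tag] += 1
        last_seen[tag] = ts
    return {tag: n for tag, n in repeats.items() if n >= min_repeats}


def alarm_report(text=SAMPLE_JOURNAL):
    """Roll the KPIs up into one dictionary, the shape a weekly alarm review would track."""
    events = parse_journal(text)
    bins = rate_per_10min(events)
    peak = peak_sliding_count(events)
    return {
        "total": len(events),
        "avg_per_10min": round(sum(bins) / len(bins), 2) if bins else 0.0,
        "avg_manageable": (sum(bins) / len(bins) <= MANAGEABLE_RATE) if bins else True,
        "peak_10min": peak,
        "flood": peak > FLOOD_THRESHOLD,
        "bad_actors": bad_actors(events),
        "chattering": chattering_tags(events),
    }


if __name__ == "__main__":
    for key, value in alarm_report().items():
        print(f"{key}: {value}")
```

    Run stand-alone it prints the report for the constructed journal; point parse_journal at a real journal export in the same tab-separated shape to get the same numbers for a live unit. The average alone hides the upset here (about 2.6 alarms per 10 minutes over the hour looks almost tolerable), which is why the sliding-window peak and the bad-actor and chatter lists are the numbers to track week after week rather than once at project hand-over.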


    A Fish Stinks from the Head

    For safety, there must be support from the highest management levels

    When I was a young man, I worked for a very badly run company. The problem was the founder and CEO, who had long reached the Peter Principle stage. We tried to run the company around him, but it didn't work. A management consultant we talked to explained why. "A fish stinks from the head," she said.

    Since the money comes from highest management, it doesn't matter fundamentally if we can change our thinking about alarm management, optimization, functional safety and functional security projects and begin thinking of them as issues that require continuous process control and process optimization themselves.

    If we cannot communicate the importance of this paradigm shift to higher management, nothing will change, and people will continue to die.

    And as the difference between Tony Hayward's results and those of Andrew Liveris shows, we have to really, really, really mean it.


    Physical Security

    Perimeter security

    Personnel location

    Physical security is another interrelated issue. How many fewer people would have died at BP Texas City if the operators had been able to detect the drivers of the diesel pickup truck as they moved into the danger zone, and stopped them? No one will ever know. But in emergency situations it is critical to have firm control of the perimeter and to know where all of your people and your assets are. Knowing where a fire truck or a staff member with first aid or CPR training is, and being able to vector them to the area of most need, can make the difference between deaths and survival. And where better to have the information than in the control room, as part of the operator's gestalt?


    Functional Cyber Security

    How do you protect systems that were designed to be inherently open?

    Call it Functional Security to differentiate its needs

    As I said, cyber security issues must be considered in any safety implementation in any process plant, just as safety issues must be considered when administering IT security. As I mentioned, in 2008 a particular safety system hack was accomplished as part of a penetration test by Wurldtech that was requested by the safety system manufacturer.

    Siemens asked Idaho National Labs for the same kind of evaluation for its PCS7 system, and still was vulnerable to Stuxnet. Is your safety system secure, or just safe? Was it engineered in a vacuum, or was it designed in cooperation and understanding of all the interacting factors in your plant? Do the process engineers and operators live, breathe and eat safety and security? Does your management? Are these core values for your company, and if not, why aren't they?


    It isn't just safety, it's money

    SIS, Security, Alarm Management, Operations, Training, Company Goals

    We have not been able to communicate the intrinsic value of what we do as process and automation professionals to the management of our companies. For the past twenty years, the professions most laid off in reductions of staff have been IT and process and automation professionals. Yet it is clear that automation has provided nearly all of the productivity gains of the same two-decade period. How can this be? The problem has both its origin and its solution far from the plant, at the CFO level in our companies.


    (Slide diagram: CEO over Business Measurement (CFO, Financial Reporting) and Business Operations (COO); layers Enterprise Management, Production Management and Plant Resource Management down to the sensors and control systems of the manufacturing resource base; time scales Monthly, Daily and Real Time.)

    Dr. Peter Martin, of Invensys Operations Management, often shows a slide that looks like this in presentations, and I've borrowed the concepts with permission. The CEO oversees two things: measurement and operations of the business. He has a CFO for measurement, and a COO for operating the business. But look at the model. It is unbalanced, indeed it is broken. On the operational side, we have good metrics, in fact, we have such good metrics that we've been turning out those KPIs the CFO can't use for over a dozen years now, in real time. Why can't he use them? Because they aren't translated into transactional data for his ERP system.

    Worse, on the financial side, the metrics between the manufacturing resource base and the enterprise are missing.

    THIS is our challenge. As you can see, this is a measurement problem.

    What do we know how to do, have been doing for over a hundred years?

    We are really good at measuring things, collecting and analyzing the data, and using that data to provide operational control. We have to figure out how to provide financial management control, and, frankly, we are the only people who can do it because we are the keepers of the processes, the measurements and the data.


    There is no way to put a price on functional safety or functional security

    The problem with expanding this kind of economic calculus to include operating inherently safely is that there is no way in any cost accounting system to account for savings that have not happened.

    The costs of prevention, the costs of changing to inherently safe operation, are accounted as unsupported costs, and they reduce the profit of the enterprise in the near term, and even sometimes in the medium term. Yet there are always millions of dollars or Euros available to fix systems after disasters occur, because now there is a metric: actual costs of lost revenue and fines and lawsuit settlements.

    Because we have not been able to convince management of the value of process control and automation at all, how can we expect to convince them to change their accounting practices so that the value of what we do shows up?


    Why is Safety so HARD?

    These incidents just keep on happening, every day. One death, two deaths, three deaths, sixteen deaths. And that's not counting the injuries from these incidents, or the injuries from incidents where nobody died.

    What's interesting about the aftermath reports on these accidents is that in hindsight most if not all were easily preventable. So why weren't they? You tell me.

    We have been trying very hard to make workplace safety, process safety and cyber security actually work in our plants. Well, at least some of us have been trying very hard. Others not so much. In a recent study of safety professionals done by Kimberly-Clark, 89% said they had observed workers not wearing their protective gear when they should have been, and 29% said they'd seen it happen frequently.

    The record for process safety is equally dismal. From the Deepwater Horizon disaster to the multiple incidents at Formosa Plastics and other refining and chemical plants throughout the world, from this vantage point, it sure looks like we just don't get it.


    Security is a Safety issue. If you didn't believe that, now you do... or maybe not.

    And Then There Was Stuxnet

    Stuxnet produced several incidents that were cyber breaches that caused plant safety issues. While Stuxnet is patched and gone, what Eric Byres calls Son of Stuxnet is alive and well, and applicable to any controller anywhere, at any time. And yet, we don't seem to be that alarmed.

    The yawn from many process and discrete manufacturing industry CEOs at the cybersecurity dangers from follow-on Stuxnet attacks, the repeated disasters, such as the fact that it took the ExxonMobil RTO (Real-Time Operations Center) in Houston almost an hour to shut the isolation valves after the Yellowstone pipeline rupture earlier this year, and the SCADA-related findings released at the Black Hat hackers conference, make me wonder why we're fiddling while the infrastructure catches fire.

    There are several reasons. Some are, obviously, financial. But much scarier is another reason: the way human beings react to threats.

    The financial reasons to try to ignore safety and security issues are pretty clear. The costs of making plants safer and more secure are substantial, and they all impact the profitability of the enterprise negatively. There are also risk-management issues, but there is no clear and consistent effort by corporate risk managers and their insurance auditors to make mitigating safety and security threats a very high priority. There's no way to include "protected the plant from security and safety threats" on the financial roll-up.


    So, just where does that leave YOU?

    Why is Safety so HARD?

    But if that's true, we may have come to the limit of what we can expect corporations and government to do about workplace and process safety and cybersecurity. Big accidents like Deepwater Horizon, BP Texas City and the Uranium Enrichment Facility in Iran may actually be necessary to force us to treat these threats as imminent danger and do something about them. But there's more! Dick Morley, who invented the floppy disk and the PLC, among many other things, said to me at the ISA Marketing and Sales Summit two weeks ago, when we discussed this talk, that it also has to do with the absolute size of organizations: that the size of companies and governments we have may make it impossible to change, not just merely hard.

    That may be the scariest thought of all.

    But all that begs the question. Where does it leave us as process and automation professionals? Are we just to accept things as they are, and know that because we work in dangerous places we have to accept that people will die, unnecessarily, from mistakes and bad practices?

    We can, and we must, change things. We can show our value as individual professionals and as process professionals, and the value of operating safely. We must.


    Hero or Goat?

    We are, as process and automation professionals, in a remarkably different place than we have been over the past 30 years. We are in demand, even in a drastically weakened economy.

    We are scarce, and we now have the tools to prove that we are not only necessary, but irreplaceable. Imagine what would happen if all of us walked off our jobs for 60 days. But we don't have to do that.

    What we MUST do is to stop thinking like instrument engineers, like control systems people, like safety systems engineers, and start thinking like real automation professionals with business skills.

    We have a larger, deeper skill set that we need to learn than any other discipline. It isn't enough to be an engineer; in fact, many automation professionals aren't engineers.

    We must be able to engineer, to plan, to manage projects, to understand many kinds of processes in many different industries. In a way, we're like the dancer Ginger Rogers. She could do everything her partner Fred Astaire could do, and she did it backwards, and in high heels.

    We are the ones with control.

    If we dont change the way things are, who will? If not now, when?

    Thank you very much.