The recently released report of the Independent Safety Review Panel that investigated the safety culture and practices at BP’s U.S. refineries in response to the deadly March 2005 explosion at Texas City, Texas, provides somber reading (see "Panel blasts BP's safety practices").
Portions of this article are excerpted from “Guidelines for Safe and Reliable Instrumented Protective Systems,” published this year by AIChE’s Center for Chemical Process Safety, New York.
The panel stressed that the failings identified undoubtedly occur elsewhere in the industry. “The panel's findings present a landmark opportunity for the boards of directors and executives of oil and chemical companies throughout the world to re-examine their own safety cultures and ask whether they are sufficiently investing in the people, procedures, and equipment that will make their workplaces safe from catastrophic accidents,” says Carolyn W. Merritt, chairwoman and CEO of the U.S. Chemical Safety Board . “This is an opportunity for review and reform on a worldwide scale.”
Finding the balance
Balancing safety and production goals can be a tenuous, delicate and complex act. It’s undeniable that safety and production are compatible. It’s indisputable that investments in safety yield long-term benefits. However, these benefits aren’t as obvious nor do they produce the rapid results associated with production investments, which generally have a high certainty of providing a measurable positive effect within a short time frame. For protection and safety, many of the benefits are less tangible.
When successful, the instrumented protective system (IPS) is blamed for a process outage; when an IPS fails, it’s blamed for the incident. Within the system, individual instrumented protective functions (IPFs) act to prevent specific hazardous events. When an IPF successfully operates as required, it should be given credit for the event avoided, including potential fatalities, injuries, environmental releases, equipment damage and financial losses. Also, the IPF should be credited when its fault-tolerant design allows equipment failure to be detected without causing disruptions to the process operation.
Figure 1 summarizes the decision-making process, illustrating how available resources must be allocated across safety and production goals. Decision-makers often have defensive filters that affect the receipt and interpretation of information .
Figure 1. This overview illustrates the complexity of the decision-making process. Adapted from Ref. 2.
Today’s business climate puts pressure on personnel in a variety of forms, such as production forecasts, budget cuts, resource reductions or colleague retirement.
In the absence of a strong safety culture, production and budget pressure can result in a culture of denial in which the decision-maker’s defensive filter refuses to acknowledge any evidence that doesn’t support production or budget plans. Risk assessment can become skewed, with credible safety recommendations and concerns being dismissed without appropriate consideration. Erroneous assumptions concerning equipment and procedure robustness lead to complacency and an acceptance of increased risk. Often, this is done in the absence of dependable documentation, information and data, or a rigorous mechanical-integrity program.
Good engineering practices should be applied in preventing process safety incidents. Benchmark internal practices against those of market sector peers or other process-industries companies. Conduct periodic gap analysis to determine if existing equipment is designed, maintained, inspected, tested and operated in a safe manner. Based on observed performance and benchmarking information, develop and implement action plans for improvement.
A series of catastrophic chemical incidents occurred during the 1970s and 1980s. These incidents are so legendary that they are often referenced by city only: Flixborough (1974), Seveso (1976), Mexico City (1984) and Bhopal (1984). They were catastrophes that awakened the world to chemical industry risk. Reference 3 summarizes these incidents.
Europe pioneered process safety regulations in the 1970s in direct response to the impact on the communities of Flixborough and Seveso. Nearly a decade later, the tragedy caused by the Mexico City explosion and the Bhopal chemical release resulted in process safety regulations being issued in the United States and many other countries. Industrial societies responded worldwide by publishing numerous codes, standards and practices on a variety of process safety topics.
Despite these incidents occurring more than three decades ago, similar errors and root causes still exist today. Trevor Kletz has recounted numerous cases where an incident occurs and is repeated just a few years later . Kletz finds that organizations have poor memory due to many factors such as insufficient failure investigation, inadequate communication and distribution of investigation findings, lack of information retention and little training concerning previous events.
A safety culture doesn’t rely on balance sheet improvements to justify IPSs. It understands that the potential for incidents is an inherent part of the process design and that, without focused effort, incidents invariably occur.
Benchmarking current status
A company should understand how its internal practices compare with recognized and generally accepted good engineering practices. This so-called benchmarking establishes the company’s position with regard to industrial and market peers. This often is the most painful part of the continuous improvement process, as it tends to shed light on the shortfalls and inadequacies of the protective management system as a whole.