Don’t pay the price for skimping on safety
Author: Trevor Dunger and Stuart Nunns of ABB.
07 June 2010
Quite apart from any moral considerations, skimping on safety within the oil and gas industries can be an expensive mistake. The right safety instrumentation can deliver long-term security and a lower life-time cost.
The fire at the Buncefield oil terminal in 2005 is probably the most high-profile demonstration in recent years of what can happen when industrial safety systems are not up to scratch. In March 2009 after years of legal wrangling, the High Court found that French oil giant Total was wholly responsible for the accident, which left the company facing a bill of about £750 million.
While most industrial safety breaches have less spectacular and expensive consequences, they are sadly all too common. The Health and Safety Executive prosecuted 1137 offences in 2007/08 and achieved 839 convictions. The firms in question each faced an average fine of £12 896, and some had to cough up more than £100 000. In addition, fines are just one aspect of the costs of getting it wrong. Material damage, personal injury claims and the damage to a company’s reputation and subsequent sales can all send the price of poor safety sky high.
In spite of this, companies currently find themselves under considerable pressure to cut costs in every possible area. Against this backdrop everyone is understandably anxious not to spend more than they need to, even on safety. In addition, the standards currently accepted as good practice are not legal requirements so there is an obvious temptation to skimp on safety systems. However, the potential consequences of failure mean that this is unlikely to be a cost-effective strategy in the long run.
Higher standards
It is true that specialised instrumentation and control equipment for safety applications often commands a premium, but there are good reasons for this.
First, consider the job that a safety system has to do. In contrast with a normal process control loop that is operating most of the time, a safety system will typically kick in only when there is a problem. This sporadic operation means that it’s quite possible for a transmitter or other component within the safety loop to malfunction for weeks or months without being detected. However, if it fails when needed then the consequences can be dire.
Making sure that a safety system doesn’t fail demands good quality equipment that has been extensively tested and analysed. It may also mean building in a level of redundancy and a self-diagnostic capability that far outstrips that required for non-critical systems. All this pushes up the price.
The second point is that safety is a niche application. For example, an oil refinery might easily have 900 control loops distributed around the site but fewer than 100 safety loops. This more specialised market for safety equipment simply doesn’t benefit from the same economies of scale as the mass-market in standard controls.
Lifetime savings
Rather than looking for the cheapest option upfront, companies should therefore be looking for instruments and systems that offer the optimum combination of security and cost-effectiveness over their lifetime. It’s a complex area, and users hoping to find the best solution can benefit from getting to grips with some of the terminology surrounding safety.
First there are the parameters that define the overall effectiveness of a safety loop. The most well-known of these is the required Safety Integrity Level (SIL), as defined by IEC 61508. IEC 61508 is the "mother" standard that spawned corresponding "daughter" standards for the process industries (IEC 61511), nuclear facilities (IEC 61513) and machinery (IEC 62061). It is not a legal requirement for British businesses, but HSE accepts it as good practice.
Confusion can often arise when it comes to designing a safety system as it’s not as simple as just applying a blanket SIL to cover an entire process. Instead, operators must first consider the individual safety instrumented functions (SIF) within a process, these being the functions of a given device that are necessary to protect against a hazardous event. This can then be used as the basis for designing and engineering the safety system solution, consisting of the inputs, the logic solver and the final elements, including instrumentation.
As a general rule, it is almost always better to design risk out of a process before installing specialised systems to control it. This will often reduce the required SIL and therefore the cost of the safety systems needed to deliver it.
Next is the average probability of failure on demand (PFD). The acceptable PFD of a system varies depending on the required SIL as well as the required mode of operation of the safety instrumented function, which is the frequency with which a safety instrumented system will be used. For a safety function operating in a low demand mode of operation, the acceptable PFD band runs from ≥10⁻² to <10⁻¹ for SIL1 down to ≥10⁻⁵ to <10⁻⁴ for SIL4.
The overall PFD is calculated by combining the PFDs of all the individual components in the loop. For example, a transmitter designed for safety will typically offer a lower PFD than a standard transmitter, bringing down the overall PFD of the system and potentially raising the SIL.
Other factors that determine whether an individual instrument is suitable for a particular SIL are the safe failure fraction (SFF) and the hardware fault tolerance (HFT).
The SFF is the proportion of a device's total failures that are either safe or dangerous but detected; only dangerous undetected failures count against it. Otherwise dangerous failures can be rendered safe by being detected, for example by installing self-diagnostic capabilities, which raises the SFF.
The HFT indicates the number of faults that need to crop up within a device before a safety failure occurs. For instance, the failure of a standard transmitter might result in the output from a transmitter freezing on its last setting, but a transmitter designed for safety might revert to a prearranged fault setting, which could in turn trigger an alarm. Built-in redundancy can also raise the HFT from 0 to 1.
The integrity level provided by a given combination of SFF and HFT varies depending on whether the overall safety system is a well-proven Type A or less well-understood Type B, according to the IEC 61508 standard. The other key factor to be considered is the systematic capability. This relates to factors such as the methodology, techniques, measures and procedures used in the design and engineering of the element itself and the integration of elements to form the safety system.
The other thing to look out for is the quality of documentation available from the equipment supplier. Are their instruments certified by independent testing bodies? Have they got a sufficiently strong track record for the user to be confident that the equipment is "proven in use"?
Independent tests and extra paperwork may not sound like a cheap option, but there are several ways in which opting for higher integrity equipment can save money in the long term.
The first is that the safety systems do not need testing as often to check that they are still working properly. The required proof test interval can be extended significantly if equipment can demonstrate a higher HFT and a lower frequency of dangerous undetected failures. This will deliver lower operating costs for any user, but the difference is likely to be especially significant in industries such as offshore, oil and gas or nuclear, where gaining access to the systems can be difficult and expensive. It might, for example, mean the difference between sending inspectors out to an oil rig by helicopter every three months or once a year.
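The following is an added worked example, not from the article or from ABB, tying together the PFD bands, the safe failure fraction and the proof-test-interval point above. It assumes a simple 1oo1 loop (HFT 0) and the standard first-order approximation PFDavg ≈ λDU × T / 2; all failure rates are constructed for illustration.

```python
"""Added example: IEC 61508 low-demand SIL bands, safe failure fraction (SFF)
and loop PFD versus proof test interval. Failure-rate figures are constructed."""
from dataclasses import dataclass

# Low-demand-mode bands from IEC 61508-1: lower <= PFDavg < upper.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class Element:
    """One loop element with failure rates per hour, split as IEC 61508 does:
    lam_s = safe, lam_dd = dangerous but detected by diagnostics,
    lam_du = dangerous undetected (the only class that counts against SFF)."""
    name: str
    lam_s: float
    lam_dd: float
    lam_du: float

    def sff(self) -> float:
        """Safe failure fraction: share of all failures that are safe or detected."""
        return (self.lam_s + self.lam_dd) / (self.lam_s + self.lam_dd + self.lam_du)

    def pfd_avg(self, proof_test_hours: float) -> float:
        """Simplified 1oo1 approximation (assumption): PFDavg = lam_du * T / 2."""
        return self.lam_du * proof_test_hours / 2


def loop_pfd(elements, proof_test_hours: float) -> float:
    """Series loop (sensor, logic solver, final element): sum the element PFDs."""
    return sum(e.pfd_avg(proof_test_hours) for e in elements)


def sil_for_pfd(pfd: float) -> int:
    """Map an average PFD onto the low-demand SIL band; 0 means below SIL1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


# Constructed devices: the safety transmitter moves most dangerous failures
# into the detected class via self-diagnostics, so its lam_du is 10x lower.
STD_TX = Element("standard transmitter", lam_s=2e-6, lam_dd=0.0, lam_du=2e-6)
SAFETY_TX = Element("safety transmitter", lam_s=2e-6, lam_dd=1.8e-6, lam_du=2e-7)
LOGIC = Element("logic solver", lam_s=1e-6, lam_dd=4.5e-7, lam_du=5e-8)
VALVE = Element("shutdown valve", lam_s=1e-6, lam_dd=5e-7, lam_du=5e-7)
QUARTER_H, YEAR_H = 2190.0, 8760.0

if __name__ == "__main__":
    for tx in (STD_TX, SAFETY_TX):
        for hours in (QUARTER_H, YEAR_H):
            pfd = loop_pfd([tx, LOGIC, VALVE], hours)
            print(f"{tx.name:>20} SFF={tx.sff():.2f} T={hours:>5.0f}h "
                  f"PFD={pfd:.2e} -> SIL{sil_for_pfd(pfd)}")
```

With the constructed figures the standard transmitter only holds SIL2 on a quarterly proof test and drops to SIL1 when tested annually, while the safety transmitter keeps SIL2 with annual testing.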
The second area where savings can be made is in insurance. In fact, some insurers now insist on complying with particular safety integrity levels before they will agree to provide cover.
However, it is the prevention of accidents that still offers the biggest potential financial savings, not just in terms of financial penalties, but also the impact that an accident or incident can have on a company’s share price and reputation. Add to this the imperative to protect personnel and be a good neighbour to the surrounding community and the case for excellence in safety systems is compelling – whatever the state of the economy.