Sei sulla pagina 1di 7

Paper # H-15

Management of Change of Chemical Process Control Systems


M. Sam Mannan and Harry H. West*
Mary Kay !Connor Process Safety Center
Chemical "ngineering #epartment
$e%as &'M (ni)ersity System
College Station* $e%as ++,-.-.1//* (S&
01+12 ,-5-.-,1* hh3est4che.tam5.ed5
&6S$7&C$
Management of Change (MOC) has been recommended to be an important part of chemical
process safety since the British Inquiry Boards investigation report of the 1!" #li$borough %&
incident' (he %)* Occupational )afety and +ealth *dministration (O)+*) regulation
formali,ed MOC as one of the 1" elements of its process safety management regulation in 1-'
+o.ever/ most facilities focused their MOC program on equipment changes/ particularly
changes that .ould change the 01I2s or equipment specifications' 0rocedural changes/
organi,ational changes and computer control system changes are not universally considered
.ithin the scope of the MOC program'
3ven though formal MOC is also a part of the I)O 444 and I)O 1"444 global management
standards/ the need for controlling changes to plant computer soft.are is not generally
ac5no.ledged'
)everal recent incidents/ in .hich a degraded control system has been identified as one of the
contributing factors/ most notably as alarm floods or bypassed safeguards/ have put the spot light
on the need to maintain the control system effectiveness'
(he gaining recognition of the functional safety instrumented system standards/ I)* 6"'41 and
I)O 71811/ .ith MOC as a part of its safety life cycle concept/ has helped' (he *bnormal
)ituation Management consortium/ the .or5 of the British +ealth and )afety 3$ecutive on
*larm Management and the recommendation of )C*2* system assessment by the %)* Office
0ipeline )afety are among the positive indicators that regulators and safety professionals are
attempting to add soft.are changes to the very important MOC program'
K"8W7#S
Management of Change/ MOC/ )C*2*/ 2C)/ )I)/ O)+*/ *bnormal )ituation Management/
*larm Management
9:$7#(C$9:
Management of Change (MOC) procedures .ere first formali,ed in the fledgling nuclear po.er
industry 9:est/ 1-; and quic5ly spread to the defense industry 9Mil )td !<;' )everal different
names .ere used to describe MOC/ including concurrent engineering/ process change control/
and configuration management'
MOC procedures have received increased attention due to the introduction of requirements
.ithin the ne. O)+* and 30* process safety management regulations 9O)+* 1-= 30*/
16; in the %)*' (he more recent I)O 444 quality initiatives 9I)O 444; have provided
further significance to the need for process change control management'
+o.ever/ many firms applied MOC only to equipment and field operational procedure changes'
(he intent of all MOC standards and regulations clearly includes process control systems'
MC SP&7K"# 68 C&$&S$7PH9C 9:C9#":$S
*bsence of management control over process changes has resulted in several catastrophic
failures' One of the first catastrophic incidents to have identified MOC as a root cause .as the
#li$borough accident in 1!"' (he %& royal commission 9#li$borough/ 1!8; recommended that
chemical plants institute MOC procedures to avoid such devastating accidents' *lmost every
ma>or incident can be lin5ed to a change that .as not sub>ected to a proper safety revie. as
required by MOC 9)anders/ 1<= &let,/ 166;'
#ollo.ing the Bhopal incident/ the formation of the Center for Chemical 0rocess )afety by the
*merican Institute of Chemical 3ngineers (*ICh3) lead eventually to the publication of the
ma>or principles of 0rocess )afety/ including MOC' (he *ICh3 definition 9*ICh3 1-; of
MOC is?
* temporary or permanent substitution/ alteration/ replacement (not in 5ind)/
modification by addition or deletion of critical process equipment/ applicable codes/
process control/ catalysts or chemicals/ feed stoc5s/ operating limits/ mechanical
procedures/ electrical procedures/ safety procedures/ emergency response equipment from
the present configuration of the critical process equipment/ procedures/ or operating
limits'
In the aftermath of the 16 0hillips polyethylene plant disaster/ O)+* published the 0rocess
)afety Management regulation .ith the follo.ing e$cerpt defining MOC in - C#@ 114'11
section (l)=
(1) (he employer shall establish and implement .ritten procedures to manage changes
(e$cept for Areplacements in 5indA) to process chemicals/ technology/ equipment/ and
procedures? and/ changes to facilities that affect a covered process'
(-) (he procedures shall assure that the follo.ing considerations are addressed prior to
any change?
(i) (he technical basis for the proposed change=
(ii) Impact of change on safety and health=
(iii) Modifications to operating procedures=
(iv) Becessary time period for the change= and
(v)*uthori,ation requirements for the proposed change
(<) 3mployees involved in operating a process and maintenance 1 contract employees
.hose >ob tas5s .ill be affected by a change in the process shall be informed of/ and
trained in/ the change prior to startCup of the process or affected part of the process'
(") If a change covered by this paragraph results in a change in the process safety
information required by paragraph (d)/ such information shall be updated accordingly'
(8) If a change covered by this paragraph results in a change in the operating procedures
or practices required by paragraph (f)/ such procedures or practices shall be updated
accordingly
(he tenets of quality management also contain a management element essentially identical in
philosophy as the process safety MOC' )ection 6'6 of the I)O 44" *B)ID*)EC E" 9I)O
444; is entitled Fdesign change control (configuration management)G' )ection 11'7 is entitled
Fprocess change controlG' (herefore/ the total quality management initiative has a change
management requirement e$tremely similar to the MOC principles defined herein
(he first specific mention of MOC concepts in the petroleum production safety and loss
prevention literature .as the *0I @ecommended 0ractice/ Management of 0rocess +a,ardsH
9*0I 14;' (he Cullen report 9Cullen 166; recommendations led to British regulations in the
north sea that also included MOC requirements'
MC &PP;9"S $ C:$7; S8S$"MS
Bote that paragraph (") of the O)+* regulation above lin5s MOC to Fprocess safety
informationG/ .hich in turn mentions safety systems and control systems' +ence/ O)+* includes
the entire control system .ithin the >urisdiction of process safety regulations' Many O)+*
official interpretation letters also reinforce vie.point'
(he *ICh3 definition above clearly defines process control .ithin the areas to be .ithin MOC
control procedures'
(he safety instrumented systems ()I)) standards/ such as I)* 6" and I3C 71811 9*ICh3 1<=
I)* 17= I3C 71811; define a safety life cycle concept for safety control system components in
.hich MOC is highlighted' Many other recently updated or revised standards crossCreference the
need for MOC' (he 3uropean *(3I rules on ha,ardous area classification are but one e$ample'
(he %) Office of 0ipeline )afety issued an advisory that strongly suggests pipeline )C*2*
systems be sub>ected to MOC procedures' (his recommendation resulted from the analysis of the
Billingham pipeline catastrophic accident/ .hich listed reduced control system response time as
a root cause of the incident'
(herefore/ MOC must be applied to all changes in the process control system'
";"M":$S < P7C"SS C:$7; S8S$"MS
)ome of the ma>or elements of a typical modern process control systems include=
Hardware
#ield instrumentation
2ata high.ay
Jogic solvers (computers/ electronic devices)
0o.er supplies
Software
Operating )ystem
2C)D)CK*2*D 0JC system soft.are
*pplication soft.are
*larm system
*pplying MOC to hard.are changes is similar to the equivalent practices for changes to other
process equipment' (hree areas have proved to be more difficult to bring .ithin MOC
>urisdiction
Configuration
Jimit values
Operating systems
Changes to the process control configuration/ such as adding alarms/ appears to be a benign
change/ +o.ever/ the cumulative effect of adding too many alarms can cause alarm floods'
Changes to limit values/ even temporary changes/ can lead to safety problems' )everal incidents
have been attributed to temporary changes that have not been restored to their original interloc5
limit values'
Changes to operating systems are even more challenging/ since minor soft.are patches/ larger
system upgrades/ or even ma>or version upgrades are possible' (he only .ay to be sure that no
impact on the control system has been made is to conduct another site acceptance test'
P;&: <7 C:$7; S8S$"MS CH&:="
:hile process equipment is typically designed for a -4C<4 year pro>ect life/ )C*2*/ )I) and
2C) systems are more li5ely to be replaced or seriously upgraded on a 14 year cycle or less'
(herefore/ ma>or future changeout of the control system must also be considered in the original
pro>ect plan'
:hereas/ for.ard thin5ing pro>ect designers planned for future changeout by specifying po.er
supplies .ith additional parallel load capability/ >unction bo$es .ith large spare capacity/ 0JC=s
.ith additional spare contact capability/ and telemetry .ith additional frequency pairs/ the
evolving e$pansion of operations over the years sometimes scavenges the changeout capability'
If the original pro>ect documentation has identified the spare capacity as reserved for future
changeout/ then the Management of Change system should 5eep operations management a.are
of encroachments on the ne$t control system upgrade pro>ect'
#9=9$&; 6&6";
In his letter to the editor of the I)* Intech monthly maga,ine/ internationally noted control
system author Bela Jipta5 9Jipta5/ -44"; .arned of the safety implications of the chaotic state of
the currently 6 different digital data high.ays .ith the concomitant problems of message
translation' +e also deplored the control system vendor practice of BO( including tested
.or5ing control soft.are/ leaving the users to select among many independent soft.are
suppliers
&PP;89:= MC ;"SS:S ;"&7:"# $ P7C"SS C:$7;
(he most important lesson learned in applying MOC procedures in the earlier e$periences .as to
categori,e facilities into safety critical and nonCsafety critical systems' If nonCsafety critical
equipment are sub>ected to safety revie. at the level of detail required by safety critical items/
then the MOC system bogs do.n in itLs o.n paper.or5' :hile this may .or5 for process areas
that are not safety critical or instrument loops that are controlling non ha,ardous systems/ there
may be many control subsystems (data high.ay/ operating systems/ etc) .hich coCmingle safety
and non safety critical systems
It is interesting to note that each recommended practice or regulation delegates the level of safety
revie. detail to the applicable facility management' :hile some of the management practices
espoused in the recent MOC standards have long been practiced by many firms/ it is the
formali,ation of MOC and the ability to audit the program that is relatively ne. to the petroleum
and chemical industry' (his translates into paper.or5 D documentation of changes applied to the
control system operators and engineers'
C:C;(S9:S
Management of Change is required to maintain the safety integrity of the chemical process
facility' *dministration of a cost C effective Management of Change program requires careful
planning' )ince the brunt of Management of Change operational effectiveness is dependent on
the first and second line process supervisors/ a simple Management of Change procedural
.or5flo. and a document management system are practical necessities'
#urthermore/ various screening techniques have been used to optimi,e scarce technical
resources/ particularly by allo.ing small ha,ard D lo. ris5 changes to be analy,ed and authori,ed
.ithout the need for unnecessary red tape' #requent verification of actual practice is particularly
critical until Management of Change becomes part of the corporate culture'
&CK:W;"#=M":$S
(he authors .ould li5e to than5 our colleagues for the many discussions and pro>ects/ .hich
assisted in the evolution of the ideas and concepts presented herein'
696;9=7&PH8
0rocess )afety Management of +ighly +a,ardous Chemical= 3$plosives and Blasting *gents=
#inal @ule/ - C#@ 0art 114/ 2epartment of Jabor/ Occupational )afety and +ealth
*dministration/ :ashington/ 2C/ #ebruary -"/ 1-/ #ederal @egister/ Kolume 8!/ Bo' <7'
(he #li$borough Cyclohe$ane 2isaster/ +er Ma>estyLs )tationery Office/ Jondon/ 1!8'
('*' &let,/ 0lant Operations 0rogress/ vol 8/ M </ *merican Institute of Chemical 3ngineers/ Nuly
167/ p'1<7'
0lant Ouidelines for (echnical Management of Chemical 0rocess )afety/ Center for Chemical
0rocess )afety of the *merican Institute of Chemical 3ngineers/ Be. Por5/ 1-'
I)O 444/ Euality Management of Industrial #acilities/ Jondon/ %&/ latest edition'
@evie. )afety Euestions in the Buclear 0o.er Industry/ 14 C#@ 84'8/ 2epartment of 3nergy/
Buclear @egulatory Commission/ :ashington/ 2C'
Military )tandard !</ Configuration Management at Oovernment #acilities/ (MIJC)(2 !<)/
2epartment of 2efense/ :ashington/ 2'C'
@is5 Management 0rograms for Chemical *ccidental @elease 0revention/ (itle "4 C#@ 0art 76
)ection 76'<7 0revention 0rogram C Management of Change/ 3nvironmental 0rotection
*dministration/ :ashington/ 2'C'
@ecommended 0ractices for 2evelopment of a )afety and 3nvironmental 0rogram for Outer
Continental )helf (OC)) Operations and #acilities/ *0I @ecommended 0ractice !8/ *merican
0etroleum Institute/ :ashington 2'C' latest edition/ 1<'
)' B' &ovach/ 0ractical Method for Management of Change/ *ICh3 0rocess 0lant )afety
)ymposium/ +ouston/ (e$as/ -6 #ebruary 1"'
British )tandard 7"66 Configuration Management/ Jondon/ 3ngland'
+'+' :est and @' 2anna/ Course te$t for the *ICh3 Continuing 3ducation Course= Management
of Change/ *merican Institute of Chemical 3ngineers/ Be. Por5/ 1-'
@' 3' )anders/ Management of Change in Chemical 0lant; Butter.orthC+einemann/ O$ford/
1<'
Jord Cullen/ A(he 0ublic Inquiry into the 0iper *lpha 2isaster/A Kolumes 1 1 -/ +is Ma>estyLs
)tationary Office/ Jondon/ Bovember 14
('*' &let,/ :hat :ent :rongQ Case +istories of 0rocess 0lant 2isasters/ Oulf 0ublishing
Company/ +ouston/ 166'
+'+' :est/ M')' Mannan/ @' 2anna 1 3'M' )tafford/ Ma5e 0lants )afer .ith a 0roper
Management of Change 0rogram/ Chemical 3ngineering 0rogress/ *merican Institute of
Chemical 3ngineering/ 16'
+'+ :est/ 3'M' )tafford/ Management of Change * @equirement for Joss 0revention )uccess/
0rocess 0lant )ymposium/ Kol' -/ *merican Institute of Chemical 3ngineering/ 17'
Bela Jipta5/ 2igital Babel/ I)* Intech/ page / Nune -44"
*ICh3/ Ouidelines for )afe *utomation of Chemical 0rocesses American Institute of Chemical
3ngineers/ Center for Chemical 0rocess )afety (CC0))/ 1<
*B)IDI)* )6"'41C17/ *pp lication of )afety Instrumented )ystems ()I)) for the 0rocess
Industries/ I)* @esearch (riangle BC 17'
I3C 71811/ #unctional safety? )afety Instrumented )ystems for the process industry sector/ -44<