As soon as we hear the words safety, integrity and changes in combination, we start thinking about Safety Lifecycle Management or Management of Change (MoC) processes. These processes apply whenever a plant is changed. When you work within a production facility with hazards, you have to follow a number of standards to ensure that your plant is always operating safely.
Most sites today use a combination of programmable control and safety systems, and the automated safety systems are often maintained according to a Safety Life Cycle (SLC) process. The SLC is defined in the IEC 61508 standard. This life cycle process provides a repeatable framework and a systematic approach to ensure that all process hazards are identified and analyzed, so that the initial safety requirements are still met after a change or modification has been implemented.
Why are changes implemented?
As soon as a new plant is handed over to operation, a long series of adjustments, improvements, and modifications starts to occur. The reasons are many and varied. Changes may be implemented to improve or enhance production. Sometimes there are failures that must be mitigated, or the product specification changes. Operating conditions may also change over time. One thing is always the same: changes are never initiated to reduce safety, yet reduced safety may still be the result of a change.
A change impact analysis should always be performed prior to approving a modification to a plant. However, this is not always practical in everyday operation. Temporary changes implemented because of equipment failure may be left in the plant for longer than anticipated and could end up as a new permanent solution or operating procedure. In this way, changes leading to impractical operational procedures may become permanent without ever being subject to the management of change process.
Changes are also normally classified according to how much impact they have on the engineering documentation. Is there a need to perform further assessments and calculations to check that the engineering design basis is still met? During initial design, a large team of design experts is available to check the safety impact. During the operational phase, the assessments are often left to a much smaller team. The understanding of the initial design, and all the experience that went into it, is not always available any more during operation. How can we mitigate this challenge? Making the initial design intentions available during operation would help, and combining them with a good knowledge management system would help even more.
How can we ensure safe operation during and after changes?
For safety instrumented systems, the Safety Integrity Level (SIL) analysis and the Layers of Protection Analysis (LOPA) need to be maintained. If this is done according to the standards, the qualification of the team doing the assessment is also covered: there are separate, documented training and qualification requirements for the different roles and responsibilities involved in handling a change. This might not be in place during operation. The personnel who took part in the plant design, commissioning, and start-up have accumulated a lot of tacit knowledge, which is not readily available during operation.
Several detailed HAZOPs (Hazard and Operability studies) are performed during engineering, construction, and commissioning, prior to handing a plant over to the operational team. It is common practice to do a re-HAZOP every 5 years after handover to ensure that the sum of all the small changes, stacked on top of each other over time, is not jeopardizing the safety integrity. Larger modification projects may also trigger a re-HAZOP of the system being changed.
What are the new possibilities within digitalization?
However, simply doing a re-HAZOP at a fixed interval, without considering the number of changes made, is not always effective. It may come too late after a period of high change activity, or too often, wasting effort, when only a few changes have been made. The ideal solution would be a digital twin in which the process understanding and design intentions are maintained along with the operational experience. If this digital twin could instantly test the impact of a proposed process design change on safety, for verification prior to implementing the change, the result would be an always up-to-date HAZOP.
The digital twin should be able to verify whether the planned change introduces a new failure mode, and whether that new failure mode can be detected with the currently installed sensors. High-fidelity process simulators are generally too slow to be used for this. Some extreme cases may be worth modelling that way, but in general a qualitative method is preferable. Adding the ability to check causal modes (the relation between a root cause and its consequence), together with the relevant correction, verification or prevention, would enable early verification of the change. This could be achieved using functional modelling to establish a HAZOP twin.
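To make the qualitative check described above concrete, here is an added illustration (not from the article, and not any particular vendor's tool): a toy functional model held as a graph of deviation-propagation edges, against which a proposed change is tested for new root-cause-to-hazard chains and for whether any deviation on each chain is observable with the existing sensors. The process, node names and instrument tags are constructed for the example.

```python
# Constructed, simplified causal model of a process unit (not from the article). Each edge
# cause -> effect is a qualitative "deviation propagates" relation of the kind a
# functional model behind a HAZOP twin would hold.
BASE_EDGES = {
    ("cooling_water_loss", "reactor_temp_high"),
    ("reactor_temp_high", "reactor_pressure_high"),
    ("reactor_pressure_high", "vessel_rupture"),
    ("feed_valve_stuck_open", "reactor_level_high"),
    ("reactor_level_high", "overflow_to_drain"),
}
HAZARDS = {"vessel_rupture", "overflow_to_drain"}
# Deviations the currently installed instrumentation can observe (constructed tag names).
SENSORS = {"reactor_temp_high": "TT-101", "reactor_pressure_high": "PT-102"}

def paths_to_hazards(edges, root, hazards=HAZARDS):
    """Return every cause -> ... -> hazard chain starting at `root` (DFS, loop-free)."""
    adj = {}
    for cause, effect in edges:
        adj.setdefault(cause, []).append(effect)
    found, stack = [], [[root]]
    while stack:
        path = stack.pop()
        if path[-1] in hazards:
            found.append(path)
        for nxt in adj.get(path[-1], []):
            if nxt not in path:          # qualitative model: do not follow loops
                stack.append(path + [nxt])
    return found

def assess_change(base_edges, new_edges, sensors=SENSORS):
    """Impact analysis of a modification expressed as added causal edges: list the
    root-cause-to-hazard chains the change introduces and whether any deviation on
    each chain is observable with the existing sensors."""
    changed = base_edges | new_edges
    findings = []
    for root in sorted({cause for cause, _ in new_edges}):
        existing = {tuple(p) for p in paths_to_hazards(base_edges, root)}
        for path in paths_to_hazards(changed, root):
            if tuple(path) in existing:
                continue                 # chain already existed; not caused by this change
            detectors = [sensors[n] for n in path if n in sensors]
            findings.append({"path": path, "detectable": bool(detectors), "sensors": detectors})
    return findings

if __name__ == "__main__":
    # Proposed change: a new recycle stream into the reactor. A runaway recycle pump
    # drives level high, and high level now also pushes pressure high.
    change = {("recycle_pump_runaway", "reactor_level_high"),
              ("reactor_level_high", "reactor_pressure_high")}
    for f in assess_change(BASE_EDGES, change):
        print(" -> ".join(f["path"]), "| detectable:", f["detectable"], f["sensors"])
```

The chain ending in overflow_to_drain is reported as undetectable, which is exactly the kind of finding that should trigger a sensor or safeguard review before the change is approved.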