optimum level (remember there is a balance, and an ultra-safe organisation may quickly go out of
business if it is too risk averse). We want to know all this at a glance, and we want to know that if
things are slipping, we know immediately. Let's face it, today's society expects instant answers to
everything that is important to us.
Why can't we? We have the people, we have the data, we have the technology, so why is it not
possible today, not tomorrow?
People need to be reading off the same page. We need openness and sharing of best practice and
information, across departments, across companies, across industry. How is this possible? Ask your
16-year-old son or daughter: they know what every one of their friends has done recently, what they are
doing now and what they are doing tomorrow. They have discussed all of these subjects at length;
they are 'in the know', they are 'open'. Indeed, Elon Musk at Tesla published all their patents as open
source in an attempt to further research into electric cars. His goal? 'To save the planet from global
warming'? That lofty goal is still to be achieved, I'm sure, but safe operation of plant to protect people,
environment and asset is not a commercial advantage. A disadvantage if you don't do it, certainly.
There are secure applications available that are nonetheless built with an open philosophy. If we know what we're
doing, when and why, we can only continue to improve.
A Cause & Effect (C&E) actually contains an awful lot of data that in turn relates to an awful lot of other
data. It can only define the transition from one mode of operation to another, i.e. running to shutdown,
and it only represents certain protective and mitigating barriers. It identifies a possible cause, say
'high level in tank'. It represents a protective layer, usually the SIF/SIS, and it shows the action of
certain mitigating barriers such as alarms, ESDVs and possibly deluge systems.
There may be thirty or forty sheets of C&Es, and if we represented all the modes individually, like idle,
start-up and reset, maybe we have 120 sheets. Possibly as many as 2000 I/O on one SIS with 10,000
soft points. Add to this interfaces to third-party systems: BPCS, DCS, alarm management, operator
interfaces. This is becoming big data, but I would argue that it is long-understood data; we just find it
hard to inspect, maintain and test in a manner that includes every combination and allows for all safe
modes and pre-conditions.
In addition, how do we visualise this data? If we trip due to a SIF (spurious or not), what do we have?
A sequence-of-events historian that streams 250 input and output points that have changed state during
a level 2 shutdown, a flashing symbol on a DCS screen and a GA in the CCR so we can't think. The
operator hopefully knows his process has shut down, but why, where and how may take some time
to establish, and the trip came without warning. If we do not know the current state of our protective systems and
devices, how can we predict how fast we are nearing our next unplanned shutdown?
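The two paragraphs above describe the same gap from both sides: the C&E sheet already states which cause should drive which protective and mitigating effects, while the sequence-of-events (SOE) historian only shows a flat stream of points changing state. The following is an added illustration, not code from the original article or from any vendor's product, of how the C&E relationship can be used to reduce an SOE stream to an explanation: which cause initiated the trip, which later causes were consequential, and which expected effects never appeared (a missing effect is an integrity finding on a barrier). The tag names, the three-row C&E matrix and the nine SOE lines are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed Cause & Effect matrix (hypothetical tags, not from any real plant).
# Each cause tag maps to the set of effect tags the C&E sheet expects to act.
CE_MATRIX: dict[str, set[str]] = {
    "LT-101.HH": {"ESDV-101.CLOSE", "P-101.STOP", "ALM-101.HH"},            # high-high level in tank
    "PT-202.HH": {"ESDV-202.CLOSE", "ALM-202.HH"},                          # high-high pressure
    "FD-301.FIRE": {"DELUGE-301.OPEN", "ESDV-101.CLOSE", "P-101.STOP",
                    "ALM-301.FIRE"},                                        # fire detected
}

# Constructed SOE historian excerpt in "timestamp,tag,state" form. Note that
# P-101.STOP never appears, and PT-202.HH only goes active after the level trip.
SOE_LOG = """\
2024-03-01T10:15:02.120,LT-101.PV,78.4
2024-03-01T10:15:04.300,LT-101.HH,1
2024-03-01T10:15:04.310,ALM-101.HH,1
2024-03-01T10:15:04.450,ESDV-101.CLOSE,1
2024-03-01T10:15:04.900,ESDV-101.ZSC,1
2024-03-01T10:15:05.000,FCV-105.OP,0
2024-03-01T10:15:05.210,PT-202.HH,1
2024-03-01T10:15:05.220,ALM-202.HH,1
2024-03-01T10:15:05.300,ESDV-202.CLOSE,1
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    tag: str
    state: str


def parse_soe(text: str) -> list[Event]:
    """Parse the historian export into time-ordered events, skipping blanks and comments."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, tag, state = line.split(",", 2)
        events.append(Event(datetime.fromisoformat(ts), tag.strip(), state.strip()))
    return sorted(events, key=lambda e: e.ts)


def attribute_trip(matrix: dict[str, set[str]], events: list[Event]) -> dict | None:
    """Explain a trip using the C&E matrix.

    Returns the initiating cause (first cause tag to go active), any causes that
    went active afterwards (consequential, not initiating), and for every active
    cause the expected effects that were observed and those that were not.
    """
    active_causes = [e for e in events if e.tag in matrix and e.state == "1"]
    if not active_causes:
        return None
    initiating = active_causes[0]
    effect_report: dict[str, dict] = {}
    for cause in active_causes:
        expected = matrix[cause.tag]
        # Only count an effect as observed if it went active at or after its cause.
        observed = {e.tag for e in events
                    if e.tag in expected and e.state == "1" and e.ts >= cause.ts}
        effect_report[cause.tag] = {
            "at": cause.ts.isoformat(),
            "fired": sorted(observed),
            "missing": sorted(expected - observed),
        }
    # Everything that is neither a cause nor an expected effect is noise for this question.
    relevant = set(matrix) | set().union(*matrix.values())
    return {
        "initiating": initiating.tag,
        "secondary": [c.tag for c in active_causes[1:]],
        "effects": effect_report,
        "changes_total": len(events),
        "changes_relevant": sum(1 for e in events if e.tag in relevant),
    }


if __name__ == "__main__":
    result = attribute_trip(CE_MATRIX, parse_soe(SOE_LOG))
    print(f"Initiating cause: {result['initiating']}")
    print(f"Consequential causes: {result['secondary']}")
    for cause, detail in result["effects"].items():
        print(f"  {cause}: fired={detail['fired']} missing={detail['missing']}")
    print(f"{result['changes_relevant']} of {result['changes_total']} state changes were C&E-relevant")
```

Run on the constructed log, the report names LT-101.HH as the initiating cause, flags PT-202.HH as consequential rather than a second independent trip, and reports P-101.STOP as an expected effect that did not act. That last line is the kind of barrier-integrity signal the article argues should be visible at a glance rather than dug out of 250 changed points after the fact.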
If we can understand our protective barriers and the integrity of each of them, and have analysed the
tipping points and the velocity with which each cause or threat can take us to a major accident hazard,
then surely shutdown events should not be a surprise or take time to interpret.