Management of Change (MOC) procedures were first formalized in the nuclear power industry in the 1960s and have since spread to other process industries. MOC aims to manage risks from any planned changes to equipment, procedures, software, or organization at chemical facilities. While initially focused on physical equipment, the scope of MOC is now recognized to also include changes to computer control systems and software. Failure to properly manage changes through MOC procedures has been linked to several major accidents. Regulators now require considering impacts of any control system changes through formal MOC programs.
Management of Change of Chemical Process Control Systems
M. Sam Mannan and Harry H. West*
Mary Kay O'Connor Process Safety Center
Chemical Engineering Department
Texas A&M University System
College Station, Texas 77843-3122, USA
(979) 845-3489, hhwest@che.tamu.edu

ABSTRACT

Management of Change (MOC) has been recommended to be an important part of chemical process safety since the British Inquiry Board's investigation report of the 1974 Flixborough UK incident. The USA Occupational Safety and Health Administration (OSHA) regulation formalized MOC as one of the 14 elements of its process safety management regulation in 1992. However, most facilities focused their MOC program on equipment changes, particularly changes that would change the P&IDs or equipment specifications. Procedural changes, organizational changes and computer control system changes are not universally considered within the scope of the MOC program. Even though formal MOC is also a part of the ISO 9000 and ISO 14000 global management standards, the need for controlling changes to plant computer software is not generally acknowledged. Several recent incidents, in which a degraded control system has been identified as one of the contributing factors, most notably as alarm floods or bypassed safeguards, have put the spotlight on the need to maintain the control system effectiveness. The gaining recognition of the functional safety instrumented system standards, ISA 84.01 and ISO 61511, with MOC as a part of its safety life cycle concept, has helped. The Abnormal Situation Management consortium, the work of the British Health and Safety Executive on Alarm Management and the recommendation of SCADA system assessment by the USA Office of Pipeline Safety are among the positive indicators that regulators and safety professionals are attempting to add software changes to the very important MOC program.

KEYWORDS

Management of Change, MOC, SCADA, DCS, SIS, OSHA, Abnormal Situation Management, Alarm Management

INTRODUCTION

Management of Change (MOC) procedures were first formalized in the fledgling nuclear power industry [West, 1992] and quickly spread to the defense industry [Mil Std 973]. Several different names were used to describe MOC, including concurrent engineering, process change control, and configuration management. MOC procedures have received increased attention due to the introduction of requirements within the new OSHA and EPA process safety management regulations [OSHA 1992; EPA] in the USA. The more recent ISO 9000 quality initiatives [ISO 9000] have provided further significance to the need for process change control management. However, many firms applied MOC only to equipment and field operational procedure changes. The intent of all MOC standards and regulations clearly includes process control systems.

MOC SPARKED BY CATASTROPHIC INCIDENTS

Absence of management control over process changes has resulted in several catastrophic failures. One of the first catastrophic incidents to have identified MOC as a root cause was the Flixborough accident in 1974. The UK royal commission [Flixborough, 1975] recommended that chemical plants institute MOC procedures to avoid such devastating accidents. Almost every major incident can be linked to a change that was not subjected to a proper safety review as required by MOC [Sanders, 1993; Kletz, 1988]. Following the Bhopal incident, the formation of the Center for Chemical Process Safety by the American Institute of Chemical Engineers (AIChE) led eventually to the publication of the major principles of Process Safety, including MOC. The AIChE definition [AIChE 1992] of MOC is:

A temporary or permanent substitution, alteration, replacement (not in kind), modification by addition or deletion of critical process equipment, applicable codes, process control, catalysts or chemicals, feed stocks, operating limits, mechanical procedures, electrical procedures, safety procedures, emergency response equipment from the present configuration of the critical process equipment, procedures, or operating limits.

In the aftermath of the 1989 Phillips polyethylene plant disaster, OSHA published the Process Safety Management regulation with the following excerpt defining MOC in 29 CFR 1910.119 section (l):

(1) The employer shall establish and implement written procedures to manage changes (except for "replacements in kind") to process chemicals, technology, equipment, and procedures; and, changes to facilities that affect a covered process.
(2) The procedures shall assure that the following considerations are addressed prior to any change:
    (i) The technical basis for the proposed change;
    (ii) Impact of change on safety and health;
    (iii) Modifications to operating procedures;
    (iv) Necessary time period for the change; and
    (v) Authorization requirements for the proposed change.
(3) Employees involved in operating a process and maintenance & contract employees whose job tasks will be affected by a change in the process shall be informed of, and trained in, the change prior to start-up of the process or affected part of the process.
(4) If a change covered by this paragraph results in a change in the process safety information required by paragraph (d), such information shall be updated accordingly.
(5) If a change covered by this paragraph results in a change in the operating procedures or practices required by paragraph (f), such procedures or practices shall be updated accordingly.

The tenets of quality management also contain a management element essentially identical in philosophy to the process safety MOC. Section 8.8 of the ISO 9004 ANSI/ASQC Q94 [ISO 9000] is entitled "design change control (configuration management)". Section 11.6 is entitled "process change control". Therefore, the total quality management initiative has a change management requirement extremely similar to the MOC principles defined herein.

The first specific mention of MOC concepts in the petroleum production safety and loss prevention literature was the API Recommended Practice, "Management of Process Hazards" [API 1990]. The Cullen report [Cullen 1988] recommendations led to British regulations in the North Sea that also included MOC requirements.

MOC APPLIES TO CONTROL SYSTEMS

Note that paragraph (4) of the OSHA regulation above links MOC to "process safety information", which in turn mentions safety systems and control systems. Hence, OSHA includes the entire control system within the jurisdiction of process safety regulations. Many OSHA official interpretation letters also reinforce this viewpoint. The AIChE definition above clearly defines process control within the areas to be within MOC control procedures.

The safety instrumented systems (SIS) standards, such as ISA 84 and IEC 61511 [AIChE 1993; ISA 1996; IEC 61511], define a safety life cycle concept for safety control system components in which MOC is highlighted. Many other recently updated or revised standards cross-reference the need for MOC. The European ATEX rules on hazardous area classification are but one example.

The US Office of Pipeline Safety issued an advisory that strongly suggests pipeline SCADA systems be subjected to MOC procedures. This recommendation resulted from the analysis of the Bellingham pipeline catastrophic accident, which listed reduced control system response time as a root cause of the incident. Therefore, MOC must be applied to all changes in the process control system.

ELEMENTS OF PROCESS CONTROL SYSTEMS

Some of the major elements of a typical modern process control system include:

Hardware
    Field instrumentation
    Data highway
    Logic solvers (computers, electronic devices)
    Power supplies
Software
    Operating system
    DCS/SCADA/PLC system software
    Application software
    Alarm system

Applying MOC to hardware changes is similar to the equivalent practices for changes to other process equipment. Three areas have proved to be more difficult to bring within MOC jurisdiction:

    Configuration
    Limit values
    Operating systems

Changes to the process control configuration, such as adding alarms, appear to be benign changes. However, the cumulative effect of adding too many alarms can cause alarm floods. Changes to limit values, even temporary changes, can lead to safety problems. Several incidents have been attributed to temporary changes that have not been restored to their original interlock limit values. Changes to operating systems are even more challenging, since minor software patches, larger system upgrades, or even major version upgrades are possible. The only way to be sure that no impact on the control system has been made is to conduct another site acceptance test.

PLAN FOR CONTROL SYSTEMS CHANGE

While process equipment is typically designed for a 20-30 year project life, SCADA, SIS and DCS systems are more likely to be replaced or seriously upgraded on a 10 year cycle or less. Therefore, major future changeout of the control system must also be considered in the original project plan. Whereas forward-thinking project designers planned for future changeout by specifying power supplies with additional parallel load capability, junction boxes with large spare capacity, PLCs with additional spare contact capability, and telemetry with additional frequency pairs, the evolving expansion of operations over the years sometimes scavenges the changeout capability. If the original project documentation has identified the spare capacity as reserved for future changeout, then the Management of Change system should keep operations management aware of encroachments on the next control system upgrade project.

DIGITAL BABEL

In his letter to the editor of the ISA Intech monthly magazine, internationally noted control system author Bela Liptak [Liptak, 2004] warned of the safety implications of the chaotic state of the currently 8 different digital data highways with the concomitant problems of message translation. He also deplored the control system vendor practice of NOT including tested working control software, leaving the users to select among many independent software suppliers.

APPLYING MOC LESSONS LEARNED TO PROCESS CONTROL

The most important lesson learned in applying MOC procedures in the earlier experiences was to categorize facilities into safety critical and non-safety critical systems. If non-safety critical equipment is subjected to safety review at the level of detail required by safety critical items, then the MOC system bogs down in its own paperwork. While this may work for process areas that are not safety critical or instrument loops that are controlling non-hazardous systems, there may be many control subsystems (data highway, operating systems, etc.) which co-mingle safety and non-safety critical systems.

It is interesting to note that each recommended practice or regulation delegates the level of safety review detail to the applicable facility management.

While some of the management practices espoused in the recent MOC standards have long been practiced by many firms, it is the formalization of MOC and the ability to audit the program that is relatively new to the petroleum and chemical industry. This translates into paperwork / documentation of changes applied to the control system operators and engineers.

CONCLUSIONS

Management of Change is required to maintain the safety integrity of the chemical process facility. Administration of a cost-effective Management of Change program requires careful planning. Since the brunt of Management of Change operational effectiveness is dependent on the first and second line process supervisors, a simple Management of Change procedural workflow and a document management system are practical necessities. Furthermore, various screening techniques have been used to optimize scarce technical resources, particularly by allowing small hazard / low risk changes to be analyzed and authorized without the need for unnecessary red tape. Frequent verification of actual practice is particularly critical until Management of Change becomes part of the corporate culture.

ACKNOWLEDGMENTS

The authors would like to thank our colleagues for the many discussions and projects, which assisted in the evolution of the ideas and concepts presented herein.

BIBLIOGRAPHY

Process Safety Management of Highly Hazardous Chemical; Explosives and Blasting Agents; Final Rule, 29 CFR Part 1910, Department of Labor, Occupational Safety and Health Administration, Washington, DC, February 24, 1992, Federal Register, Volume 57, No. 36.

The Flixborough Cyclohexane Disaster, Her Majesty's Stationery Office, London, 1975.

T.A. Kletz, Plant Operations Progress, vol 5, # 3, American Institute of Chemical Engineers, July 1986, p. 136.

Plant Guidelines for Technical Management of Chemical Process Safety, Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, 1992.

ISO 9000, Quality Management of Industrial Facilities, London, UK, latest edition.

Review Safety Questions in the Nuclear Power Industry, 10 CFR 50.59, Department of Energy, Nuclear Regulatory Commission, Washington, DC.

Military Standard 973, Configuration Management at Government Facilities, (MIL-STD 973), Department of Defense, Washington, D.C.

Risk Management Programs for Chemical Accidental Release Prevention, Title 40 CFR Part 68 Section 68.36 Prevention Program - Management of Change, Environmental Protection Administration, Washington, D.C.

Recommended Practices for Development of a Safety and Environmental Program for Outer Continental Shelf (OCS) Operations and Facilities, API Recommended Practice 75, American Petroleum Institute, Washington D.C., latest edition, 1993.

S. B. Kovach, Practical Method for Management of Change, AIChE Process Plant Safety Symposium, Houston, Texas, 28 February 1994.

British Standard 6488 Configuration Management, London, England.

H.H. West and R. Danna, Course text for the AIChE Continuing Education Course: Management of Change, American Institute of Chemical Engineers, New York, 1992.

R. E. Sanders, Management of Change in Chemical Plant, Butterworth-Heinemann, Oxford, 1993.

Lord Cullen, "The Public Inquiry into the Piper Alpha Disaster," Volumes 1 & 2, His Majesty's Stationery Office, London, November 1990.

T.A. Kletz, What Went Wrong? Case Histories of Process Plant Disasters, Gulf Publishing Company, Houston, 1988.

H.H. West, M.S. Mannan, R. Danna & E.M. Stafford, Make Plants Safer with a Proper Management of Change Program, Chemical Engineering Progress, American Institute of Chemical Engineering, 1998.

H.H. West, E.M. Stafford, Management of Change: A Requirement for Loss Prevention Success, Process Plant Symposium, Vol. 2, American Institute of Chemical Engineering, 1996.

Bela Liptak, Digital Babel, ISA Intech, June 2004.

AIChE, Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, Center for Chemical Process Safety (CCPS), 1993.

ANSI/ISA S84.01-1996, Application of Safety Instrumented Systems (SIS) for the Process Industries, ISA, Research Triangle, NC, 1996.

IEC 61511, Functional safety: Safety Instrumented Systems for the process industry sector, 2003.