Software Supported Isolations and IntelliPERMIT
Article by Gavin Halse, Henry Boshoff and Scott Bredin
To ensure that work takes place safely a number of essential principles must always be applied. One is the need to protect workers from uncontrolled or unexpected releases of energy.
Many industrial accidents occur when people perform maintenance work on equipment:
- without knowing that there is a source of energy present that presents a safety risk;
- when procedures for working safely in these situations are deficient; or
- when deactivated energy sources are accidentally or intentionally reactivated without the workers knowledge.
IntelliPERMIT is a software system that is designed to help protect workers performing work in hazardous situations. Its main strength is ensuring the correct safety procedures are always followed. The question sometimes arises as to whether IntelliPERMIT can in conjunction with the DCS or PLC system also control the isolation of plant or equipment so that people doing work are always protected from uncontrolled sources of energy.
The answer is a qualified “yes, but…”.
IntelliPERMIT can improve the controls around safe work, but there are some very real constraints to be aware of when using any computer-based system to manage isolations. Typically, DCS or PLC software is not used to isolate plant by (for example) just closing a valve and preventing the operator from opening it. In this article we will look at scenarios where IntelliPERMIT can improve the management of isolations, and where it cannot.
Why is this important
The proper management of isolations to control energy is a serious matter. The NIOSH Guidelines provide examples of a number of disturbing accidents that were the direct result of poor isolation management.
- In one fatal incident an employee was dismantling a drilling rig and after removing the main pin on the boom and walking back to the control center he was struck by the falling boom – he had failed to install a temporary safety pin as per procedure.
- In another fatal incident a conveyer started up while a man was standing on it to work on an overhead chute.
- A serious injury occurred when an employee working on four diverter valves inside a cabinet was struck on the head when one of the valves was actuated by computer control.
- A fatality occurred when a maintenance technician inside a large mixing drum was struck by the beater blades when they were inadvertently activated.
These incidents could all have been avoided had adequate isolations being in place to control the energy of the boom, the electrical supply to the conveyer driver motor, the pneumatic pressure lines to the valve actuators in the cabinet or the electrical power to the mixing drum motor.
Sources of energy
There are several sources of hazardous energy in a typical industrial plant. The main categories are:
- Movement (kinetic) – such as moving machinery, vehicles, conveyer belts, motors etc.
- Potential energy – the energy associated with an item or person that can fall from height, or a sudden pressure release.
- Electrical – the energy associated with electrical power or high voltages.
- Thermal – the energy associated with heat or cold, resulting from friction, radiation, physical processes, chemical reactions or electrical resistance.
In order to work safely all these energy sources must be identified and then isolated or blocked from causing any harm to people or equipment. These isolation/control points must be managed before, during and after work in order to reduce the risk of an incident.
Because of the importance of the isolation/control points a number of important principles apply:
- The control point should provide some form of “positive isolation”. This means that there is always a physical separation from the source of energy and the work taking place. Examples include removing segments of linkages such as sections of pipe, flywheels, fuses, switchgear etc. Positive isolations should maintain the integrity of the isolation even if equipment should fail or there is an operational error.
- The control point should be clearly identified so that workers are aware of it. Examples include warning signs and tags at each isolation point that expire after the job is complete.
- The control point should be protected from tampering and only removed in controlled circumstances. Practical examples include the use of multiple padlocks at isolation points and the use of lockboxes or key safes to manage multiple isolations together.
- The control point should preferably be close to the work so that it can be easily checked before and during the work. Examples are a local isolator switch within easy reach of the work taking place.
Safety Critical Software
Safety critical software is often associated with embedded control systems such as aircraft control systems, medical devices, traffic control etc.
Standards for safety critical software have been standardised on a scale from 0 (not safety related) to 4 (very high). Different constraints are applied to software development depending on the safety integrity level (SIL). These include using formal mathematical methods, implementing redundant software in case of failure, etc.
The higher the SIL, the higher the costs of software development and the more difficult it is to implement changes.
In certain scenarios, high integrity software in an embedded system can used to control elements of an isolation. One example is a remote isolation device developed by one of our Australian partners. This device allows isolation and de-isolations to be performed remotely in the field using software signals. The isolation device itself is designed in accordance with the necessary safety integrity level standards as well as incorporating several additional safety control measures such as padlocks etc.
IntelliPERMIT’s role in managing isolations.
IntelliPERMIT is software and as such it can never be a physical barrier between sources of energy and people in harm’s way. As already mentioned, software alone cannot positively isolate sources of energy. But IntelliPERMIT can be configured to proactively warn of abnormal conditions in the field or of procedural irregularities during work. These warnings can be in the form of alarms in the control room, exceptions in the system or alerts pushed out to mobile devices in the field. We refer to these applications as “software supported isolations”.
Whenever considering software supported isolations, the design principle should be that if for any reason should IntelliPERMIT fail, adequate physical fall back controls must be in place to ensure work takes place safely. IntelliPERMIT can help monitor the process and help enforce the proper procedures but can never substitute for any physical control measures that must always be in place.
Four ways in which IntelliPERMIT can help
1. By improving the disciplines around isolation procedures
IntelliPERMIT’s primary strength is to ensure that procedures are being followed, i.e. all hazards are identified, all risks assessed, the necessary precautions (and isolations) are in place to work safely and that workers are competent. Where there are any deviations from procedure IntelliPERMIT can flag these so that people can be warned, and proactive steps taken to remedy the problem. In the example above where the employee was struck by the boom IntelliPERMIT will likely have assisted in making sure the safety pin was installed.
2. By managing the isolation procedure when preparing the plant for safe work, during testing and for return to normal operations.
IntelliPERMIT has many features that ensure that isolations are put in place properly, that isolation dependencies and conflicts between several jobs in the same plant area are properly managed and that temporary removal of isolations for testing (for example) is properly controlled.
In the example of the conveyer being started, IntelliPERMIT might have flagged that other work was still taking place on the conveyer helping to prevent an accidental start.
3. By controlling the lock-out tag-out processes.
IntelliPERMIT can also ensure that isolation padlocks are managed together with the keys. IntelliPERMIT can control the printing of isolation tags, as well as allowing mobile scanning in the field of QR codes to verify that the correct equipment is being isolated.
In the example where the mixer was started while someone was in the vessel, IntelliPERMIT would have helped print tags and manage a local padlock on the isolation point at the mixer motor.
4. Through software supported isolations, IntelliPERMIT can provide early warning of potentially hazardous energy sources to workers in the field, and in the control room.
By interfacing IntelliPERMIT to selected instrumentation the system can monitor the plant for conditions that should not occur while work is underway, and proactively warn maintenance and operations personnel of unexpected sources of energy that might otherwise not be detected.
The measuring instruments can be existing in the control systems (DCS, PLC and SCADA), or can be temporarily installed (e.g. a temporary temperature probe transmitting readings via wi-fi to a device coupled to the network to which IntelliPERMIT has access).
Unlike a typical DCS, IntelliPERMIT theoretically “knows” exactly when work is taking place and can monitor for abnormal conditions over this period.
In the example where a pneumatic valve was actuated while a worker was still in the cabinet, IntelliPERMIT could have monitored these valves for operation during the job and put a temporary lock on the relevant DCS control signals until the permit was signed off.
In another example, when isolating a high-pressure vessel for maintenance work the incoming line typically needs to be depressurised and slip plates installed on the relevant gas inlet valves. Conceptually, during this procedure the pressure in the system can be constantly monitored through the existing vessel pressure sensor via the DCS system, and after depressurisation a temporary adjustment made automatically from the IntelliPERMIT system to the high-pressure alarm setting to warn of any increase in pressure above ambient while work is underway. This process can be automated by integrating IntelliPERMIT’s rules engine to read from the DCS present value (PV) and write a temporary change to the high alarm (AH) settings. The relevant logic for this procedure can be embedded in IntelliPERMIT’s isolation procedures and the associated business rules.
While the above examples are conceptually possible, it is very important that the overall solution be carefully engineered to consider the full implication on safe work. It is important when providing this type of added “intelligence” to the existing instrumentation system that people do not become over-reliant on automated monitoring solutions. A lot of maintenance involves non-routine work that cannot be pre-programmed. Nothing should ever substitute for the need for humans to do the necessary risk assessments ahead of work and follow the correct procedures, and this is where IntelliPERMIT is particularly strong. Having said this, IntelliPERMIT can reliably provide a supporting platform on which to build very good additional software-based monitoring of the actual conditions on the plant and correlate this with work taking place in order to raise alerts.
The IntelliPERMIT consultants at Adapt IT have implemented a number of software supported lockouts of the type mentioned in this article. They are able to assist you in determining whether your application would benefit from such an integration project.
You might also enjoy
To learn more about IntelliPERMIT and software assisted lockouts and to find out more about our partner and customer successes in this regard please contact the IntelliPERMIT team at Adapt IT.
- [Source: NIOSH Guidelines for Controlling Hazardous Energy During Maintenance and Servicing, September 1983 https://www.cdc.gov/niosh/docs/83-125/pdfs/83-125.pdf?id=10.26616/NIOSHPUB83125].