Transcript Slide 1
Engineering Safety:
Going Lower - Reducing Risk, Enhancing Projects
Howard Thompson – February 2013
AMEC Brownfield Projects & Operations Management - Technical Safety Manager
AMEC Europe – Head of Engineering Assurance & Governance
1
Outline of Presentation
Explore some of the trends that influence Engineering Safety
Explore some of the limitations of Hazard & Risk Management
as an approach to Engineering Safety
Outline the principles of an Inherently Safer approach
Consider the organisational implications in developing an
Inherently Safer approach to Engineering Safety
2
In the Beginning ...
... low sensitivity to Consequences or the Likelihood of them!
3
More Recently ...
The Hoover Dam: 112 people died during construction
Attitudes to Hazards and Risks are constantly evolving
4
Trends in Occupational Safety
[Chart: Incidents per 200,000 work hours, 1993 to 2005. Series: API, Bayer, BP, Chevron Texaco, Concawe, ConocoPhillips, Dow, DuPont, ExxonMobil, OMV, Shell, Trend Line]
5
Unrevealed Safety Issues
• Despite improving HSE Performance indicators, the Texas City refinery
suffered a major event in May 2005 … and a second event two months
later …
OSHA Recordable Incident Frequency (RIF)
Texas City refinery:
From 1.73 (1999) to 0.64 (2004)
API US refining average:
0.84 (2004)
BP Global:
0.53 (2004)
• Occupational safety data can give misleading indications of ‘design’ or
‘process’ safety performance
• ‘Process’ or ‘Design’ Safety was not widely measured in 2005, however,
indicators of hardware safety issues are more widely recorded and
assessed now … although there are many more Lagging indicators in use
than Leading ones!
6
Texas City
7
Trends in Refinery Damages
Incident costs - $ per 1000bbls refinery capacity corrected to 2000 prices
[Chart: Damage $/1000 bbl refinery production at 2000 prices, 1964 to 2000. Series: Raw data, 5-year average, Linear (5-year average)]
8
Trends
Increased and increasing public risk aversion
Reducing regulatory tolerance
Increased damages where legal action ensues
Increased focus on occupational safety and statistics
Increasing focus on ‘technical’ safety and statistics
Increased Management of Change (MoC) challenges
– Through the life of modern engineered facilities and products
– Due to evolution in stakeholder organisations
– Changing operational requirements
9
An Increasingly Complex World …
Nimrod 2006
After an Air-to-Air Refuelling (AAR), the
plane caught fire
Experienced crew acted with calmness,
bravery and professionalism, and in
accordance with training, but could not
control the fire
Aircraft exploded
All 14 on board died
Why Did it Happen?
[Diagram labels: Fuel vent pipes and couplings; No 7 Fuel tank; Cross-Feed / Supplementary Cooling Pack Duct (HOT); Airframe anti-icing pipe; Fuel pipes (refuel and feed); Uninsulated Bellows]
Why Did it Happen?
Probable cause was fuel coming into contact with extremely hot surfaces;
an overflow due to the Air to Air Refuelling, ignited by the cross-feed /
Supplementary Cooling Pack (SCP) duct,
which could be at up to 400ºC,
and was not properly insulated
Major design flaws:
Original fitting of cross-feed duct
Addition of SCP
AAR modification
Why Did it Happen?
Fuel pipe / vent coupling seals sourced from new supplier
Couplings not to original specification
– Although thought to be by the procurement function
Fuel pipe / vent couplings known to be unreliable by maintenance teams
–This information never fed back to the design or safety case teams
Why Did it Happen?
A number of previous incidents and warning signs ignored
Safety case existed but contained significant errors
Widespread assumption that Nimrod was “safe anyway” after 30 years
of successful flights
Safety case became a “tick-box” exercise
Missed key dangers; it should have been the best opportunity to prevent the accident
Financial pressures and cuts led to distraction from safety as an overriding priority
Hazard and Risk Management ...
A crucial ...
LIMITED
... contributor to safety!
15
Hazard and Risk Management Paradigm
What could happen?
How often?
How bad?
So what?
What do I do?
16
Hazard and Risk Management
[Diagram boxes: Risk Analysis; Hazard Identification; Frequency Analysis; Consequence Analysis; Risk Assessment; Evaluation of Hazard & Risk; Risk Management; Manage Risk; Residual Risk]
17
Event Sequences
A cornerstone of the Hazard & Risk Management Paradigm is the concept of Event Sequence
The idea is that all event sequences are identified in the analysis, or covered within some more general event sequence
A key limitation is the issue of foreseeability
What is foreseeable?
Is it really possible to foresee all categories of event?
The case law is demanding: engineers and experts are expected to foresee relatively remote events
The O&G industry regulator is not as demanding as, for example, the Nuclear industry regulator in these matters
18
Underlying techniques of Hazard and
Risk Management Process
REQUIRED – The Hierarchical use of controls
and barriers
REQUIRED – The Demonstration of ALARP
ALARP - As Low As Reasonably Practicable
19
Safe?
“We identified the Hazards and ensured there were adequate Safeguards, consistent with the ALARP principle”
N.B. ... The cost emphasis of ALARP ... an encouragement to add safeguards until increased benefits through risk reduction cannot be justified
Some North Sea Events
The SEA GEM 27th December 1965 – 13 Lost
Mineral Workings (Offshore Installations) Act 1971
The ALEXANDER KIELLAND 27th March 1980 – 123 Lost
Norway – Created a clear source of Authority for Abandonment
The sister rig the Henrik Ibsen also got into difficulty a few months later
The PIPER ALPHA July 1988 – 167 Lost
Mineral Workings (Offshore Installations) Act 1971
21
The SEA GEM – The First Rig to Find Hydrocarbons in the NS
The Alexander Kielland Semi Sub Drilling Rig
Adjacent to a Production Platform
Alexander Kielland – Structural Arrangement
24
Piper Alpha
Metocean Conditions - Foreseeable ?
The Ocean Ranger – Capsized off Newfoundland February 1982 – 84 lost
Ocean Ranger with Draupner Wave shown for comparison
1 – The Draupner wave 59 ft / 18 m
2 – Location of unprotected portlight 28 ft / 8.5 m
3 – Location of the ballast control room
26
How Can We Make It Safer ?
“So what can we do differently?”
Inherently Safer Design
The concept supports the view that the achievement of safe
operations requires that HAZARDS are addressed during concept
development and all subsequent phases of System, Structure, or
Equipment design AND IMPLEMENTATION
The intent of Inherently Safer Design is to eliminate a hazard
completely or reduce its magnitude significantly
Thereby eliminating / reducing the need for safety systems and
procedures
Furthermore, this hazard elimination or reduction should be
accomplished by means that are inherent in the design and
process and thus permanent and inseparable from them
28
Principles of Inherent Safety
Inherent Safety Principles: Eliminate, Simplify, Minimise, Moderate, Substitute
29
Examples - Minimise
Minimise storage of hazardous gases, liquids and solids
Minimise inventory by phase change (liquid instead of gas)
Eliminate raw materials, process intermediates or by-products
Just-in-time deliveries of hazardous materials
Hazardous materials removed or properly disposed of when no
longer needed
Hazardous tasks (e.g. working at height or above water, lifting
operations) combined to minimise the number of trips
Need for awkward postures and repetitive motions
minimised
30
Examples - Substitute
Substitute a less toxic, less flammable or less reactive substance
–Raw materials, process intermediates, by-products, utilities etc.
–Use of water-based product in place of solvent- or oil-based
product
Alternative way of moving product or equipment in order to
eliminate human strain
Allergenic materials, products and equipment replaced with non-allergenic alternatives
[Illustration labels: Gas, Hot Oil, Hot Water]
31
Examples - Moderate
Reduce potential releases by lower operating conditions (P, T)
– Process system operating conditions
– New / replacement equipment that operate at lower Speed, P or T
Dilute hazardous substances to reduce hazard potential
Storage of hazardous gases, liquids and solids as far away as
possible in order to eliminate risk to people, environment and
asset
Segregation of hazardous equipment / units to prevent escalation
Relocate facility to limit transportation of hazardous substances
New / replacement equipment that produces less noise or vibration
32
Examples - Simplify
Simplify and / or reduce - connections, elbows, bends, joints,
small bore fittings
Separate single complex multipurpose vessel into several
simpler processing steps and vessels
Equipment designed to minimize the possibility of an operating
or maintenance error
Minimise number of process trains
Reactors designed / modified to eliminate auxiliary equipment
(e.g. blender)
Eliminate or arrange equipment to simplify material handling
Ergonomically designed workplace
33
Examples of Equipment Level ISD in
Brownfield & Operations Development 1
• Replace flammable hydraulic fluids with water-based equivalents
• Replace oil-filled switchgear with vacuum-insulated equivalent
• Replace Ex instrumentation with intrinsically safe equivalents
• Use low toxicity oils to replace PCBs in transformers
• Use low smoke, zero halogen, cable insulation
• Use PFP coatings that resist water ingress so avoid Corrosion Under Insulation
34
Examples of Equipment Level ISD in
Brownfield & Operations Development 2
• Arrange equipment layout to minimise restrictions on explosion venting
• Arrange “Deluge on Gas” where advantageous to minimise explosion
overpressures
• Arrange beam detection to replace or supplement point F&G detectors
• Position acoustic leak detectors to supplement gas detection for high
pressure gas systems
• Position hand rails at all locations where there would be unguarded
height, if equipment was removed for service
• Position pipe work, including flanges and rodding points, so that service
leaks will be caught, and not by operators!
35
Inherently Safer Design – Why Bother?
Helps us to
achieve safer operations, both in terms of day to
day safety, and importantly ...
–In avoiding low likelihood high consequence events
–Through the elimination and reduction of hazards and
unrevealed system vulnerabilities
Reduced number of Engineered Safeguards
Reduced Complexity
Reduced component and vessel sizes
Reduced energy consumption
Inherently Safer Designs have reduced CAPEX and OPEX and
are easier to operate and maintain!
36
A Case Study ...
An Example of how Design without the application of
ISD results in unrevealed vulnerabilities
Mumbai High
How the cook cut his finger ... and the platform fell into the sea ...
37
Mumbai High North (27 July 2005)
38
Mumbai High North –
Background
Mumbai High Field was discovered in 1974 and is located in the
Arabian Sea 160 km west of the Mumbai coast
The field is divided into the north and south blocks, operated by
the state-owned Oil & Natural Gas Corporation (ONGC)
Four platforms linked by bridges:
– NA small wellhead platform (1976)
– MHF residential platform (1978)
– MHN processing platform (1981)
– MHW additional processing platform
The complex imported fluids from 11 other satellite WHPs and
exported oil to shore via pipelines, as well as processing gas for
gas lift operations
The seven-storey high MHN platform had 5 gas export risers
and 10 fluid import risers situated outside the platform jacket
39
Mumbai High North –
Sequence of Events (1)
Noble Charlie Yester jack-up was undertaking drilling operations
in the field
The Samudra Suraksha was working in the field supporting
diving operations
A cook onboard the Samudra cut off the tips of two fingers
Monsoon conditions onshore had grounded helicopters
The cook was transferred from the Samudra to the Mumbai
High platform complex by crane lift for medical treatment
40
Mumbai High North –
Sequence of Events (2)
While approaching the platform the Samudra experienced problems
with its computer-assisted azimuth thrusters and was brought in
stern-first under manual control
Strong swells pushed the Samudra towards the platform, causing
the helideck at the rear of vessel to strike and damage one or more
gas export risers – the resultant leak ignited
The close proximity of other risers and lack of fire protection caused
further riser failure - the fire engulfed the Samudra and heat
radiation caused severe damage to the Noble Charlie Yester jack-up
Emergency shutdown valves were in place at the end of the risers
which were up to 12 km long - riser failure caused large amounts of
gas to be uncontrollably released
41
Mumbai High North (27 July 2005)
42
Mumbai High North (27 July 2005)
43
Mumbai High North – Aftermath
The seven-storey high processing Platform collapsed after
around two hours, leaving only the stump of its jacket above sea
level
The Samudra suffered extensive fire damage and was towed
away from the scene but later sank on 01 Aug 2005, about 18 km
off the Mumbai coast
A total of 384 personnel were on board the platform and jack-up
at the time of the accident … 22 reported dead (only)
Significant problems were reported with the abandonment of all
the installations involved, only 2 of 8 lifeboats and 1 of 10 life
rafts were launched
44
How could a better design have avoided this disaster or reduced its impact?
Would it be possible
to eliminate the
hazard altogether?
• Position risers inside jacket structure
• Location of boat landing on lee side of
platform
• Larger separation distance between
platforms
• Subsea Isolation Valves to reduce
hydrocarbon inventory during release
• Relocation and fire proofing of risers to
prevent escalation
• Improved availability of evacuation means
45
Inherently Safer Design – How do we do it?
Establish an ISD Culture
Develop processes that support specific structured ISD events
46
Inherently Safer Design – How do we do it?
Establish an ISD culture within the organisation
–Driven from the top
–Involvement of all technical and project personnel
–Roll-out progressively – presentations, posters, pilot events
–Establish processes and guidance for their use
Ensure every project has planned ISD events in every phase
–Including each phase of Implementation
–Measure ISD uptake performance across all projects
–Sustain awareness and interest: ensure all new starts are
involved and encourage champions
47
Success or Failure of ISD –
Some Factors
All engineers and project personnel provided with ISD Awareness
training as part of Induction
Ownership - ISD is not owned by HSSE or Technical / Process
Safety personnel but by All engineering and project personnel
Operations personnel should be involved in all ISD workshop /
study events
The language of ISD should be sustained in each project, ISD
features should be captured and presented in appropriate media
Often “ISD design features” do not receive the credit and attention
they should, or are only known amongst a few
– ISD design features should be acknowledged and shared with a
wider audience
48
Putting it all together ...
Inherently Safer Design
Residual Risk Control (Hazard & Risk Management Process)
49
Integrating ISD & Existing Safety Processes
50
AMEC Several Years On – A Summary of Findings
Encourage Each Project ...
To have, and to communicate, a clear systematic process
Definitions and Terms of Reference shared in advance with all
workshop participants and stakeholders
Create an ISD Register at the earliest time and maintain through
all phases
Expect to identify some possibilities that will not be actionable
until a future phase; the register needs to keep track of these
Develop and maintain an ISD culture, make ISD wins visible to
the team as a whole
51
An ISD Workshop Process
SET ISD GOALS
IDENTIFY HAZARDS
BRAINSTORM OPTIONS
INITIAL REDUCTION OF OPTIONS
Reject options that clearly cannot meet the goals
IDENTIFY AND UNDERSTAND THE SPECIFIC HAZARDS
AND RISKS OF REMAINING OPTIONS
DEVELOP EACH REMAINING OPTION FOR SELECTION
•Eliminate hazards
•Confirm that it will be practical to manage the residual
hazards
SELECT / REJECT OPTION
•Meets goals?
•Meets economic criteria?
•Possible to manage residual risks with defined
protection layers and an aim of continuous risk
reduction?
Yes: DEVELOP SELECTED OPTION
•Meets goals
•Minimise risks from residual hazards
•Define minimum design standards/limits
•Conduct risk management activities
No: further iteration
Final No (if multiple iterations fail to deliver a suitable outcome): RECOMMEND DISCONTINUING DEVELOPMENT
52
ISD Goals - Examples of High Level Goals
LAYOUT EXAMPLES
Minimise explosion overpressure potential
Minimise frequency of occurrence of explosion overpressures
Minimise escalation potential from fire and explosion events
Minimise vulnerability of Emergency Escape and Rescue systems to fire and
explosion; including Temporary Refuge
PROCESS EXAMPLES
Maximise simplicity of plant
Minimise hydrocarbon inventories and pressures
Minimise leak potential
Maximise integrity of containment envelope from internal and external loadings
and hazards
High level goals need to be pursued through the development of low
level goals with the involvement of each and every technical discipline
contributing to the project
53
An ISD Register
54
An ISD Output
• Bridge length set to optimise separation between Process and Well Bay areas and the Temporary Refuge
• Minimal inventory fuel gas for GTs
• Both jackets designed for a minimum Reserve Strength (RSR) of 2.5
• Diverse Fire Pump locations
• Designed so as to minimise HP / LP interfaces
55
Strategy for Hazard Management UK HSE (OTH 96 521)
Identify Hazards
Understand /Assess Hazards
Inherently Safer Design (ISD)
Avoid Hazards
Reduce Severity
Reduce Likelihood
Segregate / Reduce Impact
Additional Engineering Controls
Apply Passive Safeguards
Apply Active Safeguards
Apply Procedural Safeguards
Risks ALARP
No
Yes
OK
56
In Summary
Attitudes to safety continue to evolve and pose engineering project
stakeholders ever greater safety challenges
The ‘traditional’ Hazard and Risk Management paradigm is imperfect and
further steps are now required to meet modern challenges
Inherently Safer Design (ISD) consists of straightforward principles that can
be widely applied
ISD when integrated with Hazard and Risk Management changes the
emphasis on how safety is driven within design and planning processes
This change of emphasis is not only beneficial to safety but to other project
and operational parameters including cost and maintenance burden
57
That’s all for now ... ?
Hindenburg