Engineering Safety: Going Lower - Reducing Risk, Enhancing Projects

1
Engineering SafetyGoing Lower - Reducing
Risk, Enhancing Projects

• Howard Thompson February 2013
• AMEC Brownfield Projects Operations Management
  - Technical Safety Manager
• AMEC Europe Head of Engineering Assurance
  Governance

2
Outline of Presentation

• Explore some of the trends that influence
  Engineering Safety
• Explore some of the limitations of Hazard Risk
  Management as an approach to Engineering Safety
• Outline the principles of an Inherently Safer
  approach
• Consider the organisational implications in
  developing an Inherently Safer approach to
  Engineering Safety

3
In the Beginning ...

• ... low sensitivity to Consequences or the
  Likelihood of them!

4
More Recently ...
The Hoover Dam 112 people died during
construction
Attitudes to Hazards and Risks are
constantly evolving
5
Trends in Occupational Safety
6
Unrevealed Safety Issues

• Despite improving HSE Performance indicators, the
  Texas City refinery suffered a major event in May
  2005 and a second event two months later
• OSHA Recordable Incident Frequency (RIF)
• Texas City refinery From 1.73 (1999) to 0.64
  (2004)
• API US refining average 0.84 (2004)
• BP Global 0.53 (2004)
• Occupational safety data can give misleading
  indications of design or process safety
  performance
• Process or Design Safety was not widely
  measured in 2005, however, indicators of hardware
  safety issues are more widely recorded and
  assessed now although there are many more
  Lagging indicators in use than Leading ones!

7
Texas City

8
Trends in Refinery Damages
Incident costs - per 1000bbls refinery capacity
corrected to 2000 prices
9
Trends

• Increased and increasing public risk aversion
• Reducing regulatory tolerance
• Increased damages where legal action ensues
• Increased focus on occupational safety and
  statistics
• Increasing focus on technical safety and
  statistics
• Increased Management of Change (MoC) challenges
• Through the life of modern engineered facilities
  and products
• Due to evolution in stakeholder organisations
• Changing operational requirements

10
An Increasing Complex world Nimrod 2006

• After an Air-to-Air Refuelling (AAR), the plane
  caught fire
• Experienced crew acted with calmness, bravery
  and professionalism, and in accordance with
  training, but could not control the fire
• Aircraft exploded
• All 14 on board died

11
Why Did it Happen?
Fuel vent pipes and couplings
?
No 7 Fuel tank
Airframe anti-icing pipe
?
Cross-Feed Supplementary Cooling Pack Duct
(HOT)
?
Fuel pipes refuel and feed
?------
Uninsulated Bellows
12
Why Did it Happen?

• Probable cause was fuel coming into contact with
  extremely hot surfaces an overflow due to the
  Air to Air Refuelling, ignited by the cross-feed
  / Supplementary Cooling Pack (SCP) duct,
• which could be at up to 400ºC,
• and was not properly insulated
• Major design flaws
• Original fitting of cross-feed duct
• Addition of SCP
• AAR modification

13
Why Did it Happen?

• Fuel pipe / vent coupling seals sourced from new
  supplier
• Couplings not to original specification
• Although thought to be by the procurement
  function
• Fuel pipe / vent couplings known to be
  unreliable by maintenance teams
• This information never fed back to the design or
  safety case teams

14
Why Did it Happen?

• A number of previous incidents and warning signs
  ignored
• Safety case existed but contained significant
  errors
• Widespread assumption that Nimrod was safe
  anyway after 30 years of successful flights
• Safety case became a tick-box exercise
• Missed key dangers, should have been the best
  opportunity to prevent the accident
• Financial pressures and cuts led to there being
  distraction from safety as an overriding priority

15
Hazard and Risk Management ...
A crucial ... LIMITED
... contributor
to safety!
16
Hazard and Risk Management Paradigm
What could happen?
How often?
How bad?
So what?
What do I do?
17
Hazard and Risk Management
Risk Risk Management
Risk Analysis
HazardIdentification
FrequencyAnalysis
Consequence Analysis
Risk Assessment
Evaluation ofHazard Risk
Manage Residual Risk
18
Event Sequences

• A corner stone of the Hazard Risk Management
  Paradigm is the concept of Event Sequence

• The idea is that all event sequences are
  identified in the analysis, or covered within
  some more general event sequence

• A key limitation is the issue of
  foresee-ability
• What is foreseeable?
• Is it really possible to foresee all categories
  of event

• The case law is demanding engineers and experts
  are expected to foresee relatively remote events

• The OG industry regulator is not as demanding
  as for example the Nuclear industry regulator in
  these matters

19
Underlying techniques of Hazard and Risk
Management Process

• REQUIRED The Hierarchical use of controls and
  barriers
• REQUIRED The Demonstration of ALARP
• ALARP - As Low As Reasonably Practicable

20
Safe?


We identified the Hazards and ensured there were
adequate Safeguards, consistent with the ALARP
principle
N.b. ... The cost emphasis of ALARP ... an
encouragement to add safeguards until increased
benefits through risk reduction can not be
justified
21
Some North Sea Events

• The SEA GEM 27th December 1965 13 Lost
• Mineral Workings (Offshore Installations) Act
  1971

• The ALEXANDER KEILLAND 27th March 1980 123
  Lost
• Norway Created a clear source of Authority
  for Abandonment
• The sister rig the Henrik Ibsen also got into
  difficulty a few months later

• The PIPER ALPHA July 1988 167 Lost
• Mineral Workings (Offshore Installations) Act
  1971

22
The SEA GEM The First Rig to Find Hydrocarbons
in the NS
23
The Alexander Keilland Semi Sub Drilling
Rig Adjacent to a Production Platform
24
Alexander Keilland Structural Arrangement
25
Piper Alpha
26
Metocean Conditions - Foreseeable ?
The Ocean Ranger Capsized off Newfoundland
February 1982 84 lost
Ocean Ranger with Draupner Wave shown for
comparison 1 The Draupner wave 59 ft / 18 m2
Location of unprotected portlight 28 ft / 8.5
m3 Location of the ballast control room
27
How Can We Make It Safer ?


So what can we do differently?
28
Inherently Safer Design

• The concept supports the view that the
  achievement of safe operations requires that
  HAZARDS are addressed during concept development
  and all subsequent phases of System, Structure,
  or Equipment design AND IMPLEMENTATION
• The intent of Inherently Safer Design is to
  eliminate a hazard completely or reduce its
  magnitude significantly
• Thereby eliminating / reducing the need for
  safety systems and procedures
• Furthermore, this hazard elimination or reduction
  should be accomplished by means that are inherent
  in the design and process and thus permanent and
  inseparable from them

29
Principles of Inherent Safety
Inherent Safety Principles
30
Examples - Minimise

• Minimise storage of hazardous gases, liquids and
  solids
• Minimise inventory by phase change (liquid
  instead of gas)
• Eliminate raw materials, process intermediates or
  by-products
• Just-in-time deliveries of hazardous materials
• Hazardous materials removed or properly disposed
  of when no longer needed
• Hazardous tasks (e.g. working at height or above
  water, lifting operations) combined to minimise
  the number of trips
• Need for awkward postures and repetitive motions
• minimised

31
Examples - Substitute

• Substitute a less toxic, less flammable or less
  reactive substance
• Raw materials, process intermediates,
  by-products, utilities etc.
• Use of water-based product in place of solvent-
  or oil-based product
• Alternative way of moving product or equipment in
  order to eliminate human strain
• Allergenic materials, products and equipment
  replaced with non-allergenic alternatives

32
Examples - Moderate

• Reduce potential releases by lower operating
  conditions (P, T)
• Process system operating conditions
• New / replacement equipment that operate at lower
  Speed, P or T
• Dilute hazardous substances to reduce hazard
  potential
• Storage of hazardous gases, liquids and solids as
  far as way as possible in order to eliminate risk
  to people, environment and asset
• Segregation of hazardous equipment / units to
  prevent escalation
• Relocate facility to limit transportation of
  hazardous substances
• New / replacement equipment that produces -
• less noise or vibration

33
Examples - Simplify

• Simplify and / or reduce - connections, elbows,
  bends, joints, small bore fittings
• Separate single complex multipurpose vessel with
  several simpler processing steps and vessels
• Equipment designed to minimize the possibility of
  an operating or maintenance error
• Minimise number of process trains
• Reactors designed / modified to eliminate
  auxiliary equipment (e.g. blender)
• Eliminate or arrange equipment to simplify
  material handling
• Ergonomically designed workplace

34
Examples of Equipment Level ISD in Brownfield
Operations Development 1

• Replace flammable hydraulic fluids with
  water-based equivalents
• Replace oil-filled switchgear with
  vacuum-insulated equivalent
• Replace Ex instrumentation with intrinsically
  safe equivalents
• Use low toxicity oils to replace PCBs in
  transformers
• Use low smoke, zero halogen, cable insulation
• Use PFP coatings that resist water ingress so
  avoid Corrosion Under Insulation

35
Examples of Equipment Level ISD in Brownfield
Operations Development 2

• Arrange equipment layout to minimise
  restrictions on explosion venting
• Arrange Deluge on Gas where advantageous to
  minimise explosion overpressures
• Arrange beam detection to replace or supplement
  point FG detectors
• Position acoustic leak detectors to supplement
  gas detection for high pressure gas systems
• Position hand rails at all locations where there
  would be unguarded height, if equipment was
  removed for service
• Position pipe work, including flanges and
  rodding points, so that service leaks will be
  caught, and not by operators!

36
Inherently Safer Design Why Bother?

• Helps us to achieve safer operations, both in
  terms of day to day safety, and importantly ...
• In avoiding low likelihood high consequence
  events
• Through the elimination and reduction of hazards
  and unrevealed system vulnerabilities
• Reduced number of Engineered Safeguards
• Reduced Complexity
• Reduced component and vessel sizes
• Reduced energy consumption
• Inherently Safer Designs have reduced CAPEX and
  OPEX and are easier to operate and maintain!

37
A Case Study ...
An Example of how Design without the application
of ISD results in unrevealed vulnerabilities Mu
mbai High How the cook cut his finger ... and
the platform fell into the sea ...
38
Mumbai High North (27 July 2005)
39
Mumbai High North Background

• Mumbai High Field was discovered in 1974 and is
  located in the Arabian Sea 160 km west of the
  Mumbai coast
• The field is divided into the north and south
  blocks, operated by the state-owned Oil Natural
  Gas Corporation (ONGC)
• Four platforms linked by bridges
• NA small wellhead platform (1976)
• MHF residential platform (1978)
• MHN processing platform (1981)
• MHW additional processing platform
• Complex imported fluids from 11 other satellite
  WHPs and exported oil to shore via pipelines, as
  well as processing gas for gas lift operations
• The seven-storey high MHN platform had 5 gas
  export risers and 10 fluid import risers situated
  outside the platform jacket

40
Mumbai High North Sequence of Events (1)

• Noble Charlie Yester jack-up was undertaking
  drilling operations in the field
• The Samudra Suraksha was working in the field
  supporting diving operations
• A cook onboard the Samudra cut off the tips of
  two fingers
• Monsoon conditions onshore had grounded
  helicopters
• The cook was transferred from the Samudra to the
  Mumbai High platform complex by crane lift for
  medical treatment

41
Mumbai High North Sequence of Events (2)

• While approaching the platform the Samudra
  experienced problems with its computer-assisted
  azimuth thrusters and was brought in stern-first
  under manual control
• Strong swells pushed the Samudra towards the
  platform, causing the helideck at the rear of
  vessel to strike and damage one or more gas
  export risers the resultant leak ignited
• The close proximity of other risers and lack of
  fire protection caused further riser failure -
  the fire engulfed the Samudra and heat radiation
  caused severe damage to the Noble Charlie Yester
  jack-up
• Emergency shutdown valves were in place at the
  end of the risers which were up to 12 km long -
  riser failure caused large amounts of gas to be
  uncontrollably released

42
Mumbai High North (27 July 2005)
43
Mumbai High North (27 July 2005)
44
Mumbai High North Aftermath

• The seven-storey high processing Platform
  collapsed after around two hours, leaving only
  the stump of its jacket above sea level
• The Sumadra suffered extensive fire damage and
  was towed away from scene but later sank on 01
  Aug 2005, about 18 km off the Mumbai coast
• A total of 384 personnel were on board the
  platform and jack-up at the time of the accident
  22 reported dead (only)
• Significant problems were reported with the
  abandonment of all the installations involved,
  only 2 of 8 lifeboats and 1 of 10 life rafts were
  launched

45
How could a better design have avoided this
disaster or reduce its impact?
Would it be possible to eliminate the hazard
altogether?

• Position risers inside jacket structure
• Location of boat landing on lee side of platform
• Larger separation distance between platforms
• Subsea Isolation Valves to reduce hydrocarbon
  inventory during release
• Relocation and fire proofing of risers to prevent
  escalation
• Improved availability of evacuation means

46
Inherently Safer Design How do we do it?

• Establish an ISD Culture
• Develop processes that support specific
  structured ISD events

47
Inherently Safer Design How do we do it?

• Establish an ISD culture within the organisation
• Driven from the top
• Involvement of all technical and project
  personnel
• Roll-out progressively presentations, posters,
  pilot events
• Establish processes and guidance for their use
• Ensure every project has planned ISD events in
  every phase
• Including each phase of Implementation
• Measure ISD uptake performance across all
  projects
• Sustain awareness and interest ensure all new
  starts involved and encourage champions

48
Success or Failure of ISD Some Factors

• All engineers and project personnel provided with
  ISD Awareness training as part of Induction
• Ownership - ISD is not owned by HSSE or Technical
  / Process Safety personnel but by All engineering
  and project personnel
• Operations personnel should be involved in all
  ISD workshop / study events
• The language of ISD should be sustained in each
  project, ISD features should be captured and
  presented in appropriate media
• Often ISD design features do not receive the
  credit and attention they should, or are only
  known amongst a few
• ISD design features should be acknowledged and
  shared with a wider audience

49
Putting it all together ...
50
Integrating ISD Existing Safety Processes

51
AMEC Several Years On A Summary of Findings
Encourage Each Project ...

• To have, and to communicate, a clear systematic
  process
• Definitions and Terms of Reference shared in
  advance with all workshop participants and
  stakeholders
• Create an ISD Register at the earliest time and
  maintain through all phases
• Expect to identify some possibilities that will
  not be actionable until a future phase, register
  needs to keep track of these
• Develop and maintain an ISD culture, make ISD
  wins visible to the team as a whole

52
An ISD Workshop Process
53
ISD Goals - Examples of High Level Goals

• LAYOUT EXAMPLES
• Minimise explosion overpressure potential
• Minimise frequency of occurrence of explosion
  overpressures
• Minimise escalation potential from fire and
  explosion events
• Minimise vulnerability of Emergency Escape and
  Rescue systems to fire and explosion including
  Temporary Refuge
• PROCESS EXAMPLES
• Maximise simplicity of plant
• Minimise hydrocarbon inventories and pressures
• Minimise leak potential
• Maximise integrity of containment envelope from
  internal and external loadings and hazards
• High level goals require to be pursued through
  the development of low level goals with the
  involvement of each and every technical
  discipline contributing to the project

54
An ISD Register
55
An ISD Output

• Bridge length set to optimise separation between
  Process and Well Bay areas and the Temporary
  Refuge
• Minimal inventory fuel gas for GTs
• Both jackets designed for a minimum Reserve
  Strength (RSR) of 2.5
• Diverse Fire Pump locations
• Designed so as to minimise HP / LP interfaces

56
Strategy for Hazard Management - UK HSE (OTH 96
521)
Identify Hazards
Understand /Assess Hazards
InherentlySafer Design (ISD)
Avoid Hazards
Reduce Severity
Reduce Likelihood
Segregate / Reduce Impact
AdditionalEngineeringControls
Apply Passive Safeguards
Apply Active Safeguards
Apply Procedural Safeguards
Risks ALARP
No
Yes
OK
57
In Summary

• Attitudes to safety continue to evolve and pose
  engineering project stakeholders ever greater
  safety challenges
• The traditional Hazard and Risk Management
  paradigm is imperfect and further steps are now
  required to meet modern challenges
• Inherently Safer Design (ISD) consists of
  straightforward principals that can be widely
  applied
• ISD when integrated with Hazard and Risk
  Management changes the emphasis on how safety is
  driven within design and planning processes
• This change of emphasis is not only beneficial to
  safety but to other project and operational
  parameters including cost and maintenance burden

58
Thats all for now ... ?

Hindenberg