Engineering Safety:

Going Lower - Reducing Risk, Enhancing Projects

Howard Thompson – February 2013

AMEC Brownfield Projects & Operations Management - Technical Safety Manager

AMEC Europe – Head of Engineering Assurance & Governance

Outline of Presentation

Explore some of the trends that influence Engineering Safety

Explore some of the limitations of Hazard & Risk Management as an approach to Engineering Safety

Outline the principles of an Inherently Safer approach

Consider the organisational implications in developing an Inherently Safer approach to Engineering Safety

In the Beginning ...

... low sensitivity to Consequences or the Likelihood of them!

More Recently ...

The Hoover Dam: 112 people died during construction

Attitudes to Hazards and Risks are constantly evolving

Trends in Occupational Safety

[Chart: incidents per 200,000 work hours, 1993 to 2005, for API, Bayer, BP, Chevron Texaco, Concawe, ConocoPhillips, Dow, DuPont, ExxonMobil, OMV and Shell, with trend line]

Unrevealed Safety Issues

• Despite improving HSE Performance indicators, the Texas City refinery suffered a major event in May 2005 … and a second event two months later …

OSHA Recordable Incident Frequency (RIF)

Texas City refinery: From 1.73 (1999) to 0.64 (2004)

API US refining average: 0.84 (2004)

BP Global: 0.53 (2004)

• Occupational safety data can give misleading indications of ‘design’ or ‘process’ safety performance

• ‘Process’ or ‘Design’ Safety was not widely measured in 2005; however, indicators of hardware safety issues are more widely recorded and assessed now … although there are many more Lagging indicators in use than Leading ones!

Texas City

Trends in Refinery Damages

Incident costs - $ per 1000 bbls refinery capacity corrected to 2000 prices

[Chart: damage in $ per 1000 bbl refinery production at 2000 prices, 1964 to 2000; series: raw data, 5-year average, linear trend of 5-year average]

Trends

Increased and increasing public risk aversion

Reducing regulatory tolerance

Increased damages where legal action ensues

Increased focus on occupational safety and statistics

Increasing focus on ‘technical’ safety and statistics

Increased Management of Change (MoC) challenges

– Through the life of modern engineered facilities and products

– Due to evolution in stakeholder organisations

– Changing operational requirements

An Increasingly Complex World … Nimrod 2006

After an Air-to-Air Refuelling (AAR), the plane caught fire

Experienced crew acted with calmness, bravery and professionalism, and in accordance with training, but could not control the fire

Aircraft exploded

All 14 on board died

Why Did it Happen?

[Diagram labels: Cross-Feed / Supplementary Cooling Pack duct (HOT); No 7 fuel tank; fuel vent pipes and couplings; airframe anti-icing pipe; fuel pipes (refuel and feed); uninsulated bellows]

Why Did it Happen?

Probable cause was fuel coming into contact with extremely hot surfaces; an overflow due to the Air to Air Refuelling, ignited by the cross-feed / Supplementary Cooling Pack (SCP) duct, which could be at up to 400ºC, and was not properly insulated

Major design flaws:

Original fitting of cross-feed duct

Addition of SCP

AAR modification

Why Did it Happen?

Fuel pipe / vent coupling seals sourced from new supplier

Couplings not to original specification

– Although thought to be by the procurement function

Fuel pipe / vent couplings known to be unreliable by maintenance teams

–This information never fed back to the design or safety case teams

Why Did it Happen?

A number of previous incidents and warning signs ignored

Safety case existed but contained significant errors

Widespread assumption that Nimrod was “safe anyway” after 30 years of successful flights

Safety case became a “tick-box” exercise

Missed key dangers, should have been the best opportunity to prevent the accident

Financial pressures and cuts led to distraction from safety as an overriding priority

A crucial ...

LIMITED

... contributor to safety!

Hazard and Risk Management ...

Hazard and Risk Management Paradigm

What could happen?

So what?

What do I do?

How often?

How bad?

Hazard and Risk Management

Risk Management

Risk Analysis

Risk Assessment

Hazard Identification

Evaluation of Hazard & Risk

Manage Residual Risk

Frequency Analysis

Consequence Analysis

Event Sequences

A cornerstone of the Hazard & Risk Management Paradigm is the concept of Event Sequence

The idea is that all event sequences are identified in the analysis, or covered within some more general event sequence

A key limitation is the issue of foreseeability: What is foreseeable? Is it really possible to foresee all categories of event?

The case law is demanding: engineers and experts are expected to foresee relatively remote events

The O&G industry regulator is not as demanding as, for example, the Nuclear industry regulator in these matters

Underlying techniques of Hazard and Risk Management Process

REQUIRED – The Hierarchical use of controls and barriers

REQUIRED – The Demonstration of ALARP

ALARP - As Low As Reasonably Practicable

“We identified the Hazards and ensured there were adequate Safeguards, consistent with the ALARP principle”

Safe?

N.b. ... The cost emphasis of ALARP ... an encouragement to add safeguards until increased benefits through risk reduction can not be justified

Some North Sea Events

The SEA GEM – 27th December 1965 – 13 Lost

– Mineral Workings (Offshore Installations) Act 1971

The ALEXANDER KIELLAND – 27th March 1980 – 123 Lost

– Norway – Created a clear source of Authority for Abandonment

– The sister rig, the Henrik Ibsen, also got into difficulty a few months later

The PIPER ALPHA – July 1988 – 167 Lost

– Mineral Workings (Offshore Installations) Act 1971

The SEA GEM – The First Rig to Find Hydrocarbons in the NS

The Alexander Kielland Semi Sub Drilling Rig Adjacent to a Production Platform

Alexander Kielland – Structural Arrangement

Piper Alpha

Ocean Ranger with Draupner Wave shown for comparison

1 – The Draupner wave 59 ft / 18 m

2 – Location of unprotected portlight 28 ft / 8.5 m

3 – Location of the ballast control room

The Ocean Ranger – Capsized off Newfoundland February 1982 – 84 lost

Metocean Conditions - Foreseeable ?

So what can we do differently?

“How Can We Make It Safer?”

Inherently Safer Design

The concept supports the view that the achievement of safe operations requires that HAZARDS are addressed during concept development and all subsequent phases of System, Structure, or Equipment design AND IMPLEMENTATION

The intent of Inherently Safer Design is to eliminate a hazard completely or reduce its magnitude significantly

Thereby eliminating / reducing the need for safety systems and procedures

Furthermore, this hazard elimination or reduction should be accomplished by means that are inherent in the design and process and thus permanent and inseparable from them

Principles of Inherent Safety

Inherent Safety Principles

Examples - Minimise

Minimise storage of hazardous gases, liquids and solids

Minimise inventory by phase change (liquid instead of gas)

Eliminate raw materials, process intermediates or by-products

Just-in-time deliveries of hazardous materials

Hazardous materials removed or properly disposed of when no longer needed

Hazardous tasks (e.g. working at height or above water, lifting operations) combined to minimise the number of trips

Need for awkward postures and repetitive motions minimised

Examples - Substitute

Substitute a less toxic, less flammable or less reactive substance

–Raw materials, process intermediates, by-products, utilities etc.

–Use of water-based product in place of solvent- or oil-based product

Alternative way of moving product or equipment in order to eliminate human strain

Allergenic materials, products and equipment replaced with non-allergenic alternatives

[Diagram labels: Gas / Hot Oil; Gas / Hot Water]

Examples - Moderate

Reduce potential releases by lower operating conditions (P, T)

–Process system operating conditions

–New / replacement equipment that operate at lower Speed, P or T

Dilute hazardous substances to reduce hazard potential

Storage of hazardous gases, liquids and solids as far away as possible in order to eliminate risk to people, environment and asset

Segregation of hazardous equipment / units to prevent escalation

Relocate facility to limit transportation of hazardous substances

New / replacement equipment that produces less noise or vibration

Examples - Simplify

Simplify and / or reduce - connections, elbows, bends, joints, small bore fittings

Separate single complex multipurpose vessel into several simpler processing steps and vessels

Equipment designed to minimize the possibility of an operating or maintenance error

Minimise number of process trains

Reactors designed / modified to eliminate auxiliary equipment (e.g. blender)

Eliminate or arrange equipment to simplify material handling

Ergonomically designed workplace

Examples of Equipment Level ISD in Brownfield & Operations Development 1

• Replace flammable hydraulic fluids with water-based equivalents

• Replace oil-filled switchgear with vacuum-insulated equivalent

• Replace Ex instrumentation with intrinsically safe equivalents

• Use low toxicity oils to replace PCBs in transformers

• Use low smoke, zero halogen, cable insulation

• Use PFP coatings that resist water ingress and so avoid Corrosion Under Insulation

Examples of Equipment Level ISD in Brownfield & Operations Development 2

• Arrange equipment layout to minimise restrictions on explosion venting

• Arrange “Deluge on Gas” where advantageous to minimise explosion overpressures

• Arrange beam detection to replace or supplement point F&G detectors

• Position acoustic leak detectors to supplement gas detection for high pressure gas systems

• Position hand rails at all locations where there would be unguarded height, if equipment was removed for service

• Position pipe work, including flanges and rodding points, so that service leaks will be caught, and not by operators!

Inherently Safer Design – Why Bother?

Helps us to achieve safer operations, both in terms of day to day safety, and importantly ...

–In avoiding low likelihood high consequence events

–Through the elimination and reduction of hazards and unrevealed system vulnerabilities

Reduced number of Engineered Safeguards

Reduced Complexity

Reduced component and vessel sizes

Reduced energy consumption

Inherently Safer Designs have reduced CAPEX and OPEX and are easier to operate and maintain!

An Example of how Design without the application of ISD results in unrevealed vulnerabilities

Mumbai High

How the cook cut his finger ... and the platform fell into the sea ...

A Case Study ...

Mumbai High North (27 July 2005)

Mumbai High North – Background

Mumbai High Field was discovered in 1974 and is located in the Arabian Sea 160 km west of the Mumbai coast

The field is divided into the north and south blocks, operated by the state-owned Oil & Natural Gas Corporation (ONGC)

Four platforms linked by bridges:

–NA small wellhead platform (1976)

–MHF residential platform (1978)

–MHN processing platform (1981)

–MHW additional processing platform

Complex imported fluids from 11 other satellite WHPs and exported oil to shore via pipelines, as well as processing gas for gas lift operations

The seven-storey high MHN platform had 5 gas export risers and 10 fluid import risers situated outside the platform jacket

Mumbai High North – Sequence of Events (1)

Noble Charlie Yester jack-up was undertaking drilling operations in the field

The Samudra Suraksha was working in the field supporting diving operations

A cook onboard the Samudra cut off the tips of two fingers

Monsoon conditions onshore had grounded helicopters

The cook was transferred from the Samudra to the Mumbai High platform complex by crane lift for medical treatment

Mumbai High North – Sequence of Events (2)

While approaching the platform the Samudra experienced problems with its computer-assisted azimuth thrusters and was brought in stern-first under manual control

Strong swells pushed the Samudra towards the platform, causing the helideck at the rear of vessel to strike and damage one or more gas export risers – the resultant leak ignited

The close proximity of other risers and lack of fire protection caused further riser failure - the fire engulfed the Samudra and heat radiation caused severe damage to the Noble Charlie Yester jack-up

Emergency shutdown valves were in place at the end of the risers which were up to 12 km long - riser failure caused large amounts of gas to be uncontrollably released

Mumbai High North – Aftermath

The seven-storey high processing Platform collapsed after around two hours, leaving only the stump of its jacket above sea level

The Samudra suffered extensive fire damage and was towed away from the scene but later sank on 01 Aug 2005, about 18 km off the Mumbai coast

A total of 384 personnel were on board the platform and jack-up at the time of the accident … 22 reported dead (only)

Significant problems were reported with the abandonment of all the installations involved; only 2 of 8 lifeboats and 1 of 10 life rafts were launched

How could a better design have avoided this disaster or reduced its impact?

• Position risers inside jacket structure

• Location of boat landing on lee side of platform

• Larger separation distance between platforms

• Subsea Isolation Valves to reduce hydrocarbon inventory during release

• Relocation and fire proofing of risers to prevent escalation

• Improved availability of evacuation means

Would it be possible to eliminate the hazard altogether?

Inherently Safer Design – How do we do it?

Establish an ISD Culture

Develop processes that support specific structured ISD events

Inherently Safer Design – How do we do it?

Establish an ISD culture within the organisation

–Driven from the top

–Involvement of all technical and project personnel

–Roll-out progressively – presentations, posters, pilot events

–Establish processes and guidance for their use

Ensure every project has planned ISD events in every phase

–Including each phase of Implementation

–Measure ISD uptake performance across all projects

–Sustain awareness and interest, ensure all new starts are involved and encourage champions

Success or Failure of ISD – Some Factors

All engineers and project personnel provided with ISD Awareness training as part of Induction

Ownership - ISD is not owned by HSSE or Technical / Process Safety personnel but by All engineering and project personnel

Operations personnel should be involved in all ISD workshop / study events

The language of ISD should be sustained in each project, ISD features should be captured and presented in appropriate media

Often “ISD design features” do not receive the credit and attention they should, or are only known amongst a few

–ISD design features should be acknowledged and shared with a wider audience

Putting it all together ...

Integrating ISD & Existing Safety Processes

AMEC Several Years On – A Summary of Findings

To have, and to communicate, a clear systematic process

Definitions and Terms of Reference shared in advance with all workshop participants and stakeholders

Create an ISD Register at the earliest time and maintain through all phases

Expect to identify some possibilities that will not be actionable until a future phase, register needs to keep track of these

Develop and maintain an ISD culture, make ISD wins visible to the team as a whole

Encourage Each Project ...

An ISD Workshop Process

SET ISD GOALS

IDENTIFY HAZARDS

BRAINSTORM OPTIONS

INITIAL REDUCTION OF OPTIONS

• Reject options that clearly cannot meet the goals

IDENTIFY AND UNDERSTAND THE SPECIFIC HAZARDS AND RISKS OF REMAINING OPTIONS

DEVELOP EACH REMAINING OPTION FOR SELECTION

• Eliminate hazards

• Confirm that it will be practical to manage the residual hazards

SELECT / REJECT OPTION (Yes / No / Final No)

• Meets goals?

• Meets economic criteria?

• Possible to manage residual risks with defined protection layers and an aim of continuous risk reduction?

DEVELOP SELECTED OPTION

• Meets goals

• Minimise risks from residual hazards

• Define minimum design standards/limits

• Conduct risk management activities

RECOMMEND DISCONTINUING DEVELOPMENT

• If multiple iterations fail to deliver a suitable outcome

ISD Goals - Examples of High Level Goals

LAYOUT EXAMPLES

• Minimise explosion overpressure potential

• Minimise frequency of occurrence of explosion overpressures

• Minimise escalation potential from fire and explosion events

• Minimise vulnerability of Emergency Escape and Rescue systems to fire and explosion; including Temporary Refuge

PROCESS EXAMPLES

• Maximise simplicity of plant

• Minimise hydrocarbon inventories and pressures

• Minimise leak potential

• Maximise integrity of containment envelope from internal and external loadings and hazards

High level goals require to be pursued through the development of low level goals with the involvement of each and every technical discipline contributing to the project

An ISD Register

An ISD Output

Bridge length set to optimise separation between Process and Well Bay areas and the Temporary Refuge

Minimal inventory fuel gas for GTs

Both jackets designed for a minimum Reserve Strength (RSR) of 2.5

Diverse Fire Pump locations

Designed so as to minimise HP / LP interfaces

Strategy for Hazard Management - UK HSE (OTH 96 521)

Identify Hazards

Understand / Assess Hazards

Avoid Hazards

Reduce Severity

Reduce Likelihood

Segregate / Reduce Impact

Apply Passive Safeguards

Apply Active Safeguards

Apply Procedural Safeguards

Risks ALARP? (No / Yes: OK)

Groupings shown on the diagram: Inherently Safer Design (ISD); Additional Engineering Controls

In Summary

Attitudes to safety continue to evolve and pose engineering project stakeholders ever greater safety challenges

The ‘traditional’ Hazard and Risk Management paradigm is imperfect and further steps are now required to meet modern challenges

Inherently Safer Design (ISD) consists of straightforward principles that can be widely applied

ISD when integrated with Hazard and Risk Management changes the emphasis on how safety is driven within design and planning processes

This change of emphasis is not only beneficial to safety but to other project and operational parameters including cost and maintenance burden

That’s all for now ... ?

Hindenburg

