hse design strategy final (short)

HSE Design Strategy

Petrofac Emirates LLC

HSE in Oil & Gas Conference Abu Dhabi – June 2012

HSE Design Strategy Approach• Safe Risk-Based Approach:

– Minimize frequency and consequences of gas releases– Minimize possibility of injury to personnel – Minimize impact on environment– Minimize damages to facilities– Save company reputation

• Reduce probability of incidents – provide suitable control systems – Process control, ESD systems, Corrosion Control, Isolation

• Provide adequate control measures to cope with residual risks

• Project specific HSE engineering approach will be generally spelled out in Project HSE Plan / Philosophy to meet client specific contract HSE requirements

• Petrofac BMS / Petrofac Emirates QMS procedures and standards will guide our safety engineers to deliver HSE design on projects

HSE Design Strategy Objectives• Full compliance with:

– UAE Legislative requirements– Company / ADNOC HSEMS– Company HSE Policies & Procedures– ADNOC Codes of Practice– Applicable international codes and standards

• Achieve demonstrable level of ALARP with regards to P, E, A, R

• Identify hazards and put in place appropriate controls, procedures and emergency response systems

• Inherently safe design of facilities

• Use industry best practices in the design

• Implement past industries lessons learnt into design

• Minimize degradation to local environment – air quality, flora, fauna

Inherent Safe Design – Specific Attention

• Plant Layouts

• Equipment Layouts

• Hazardous Area Classification

• Equipment Design

• Drains, Vents & Flares

• Equipment / Plant Isolation

• Control & Other Buildings Requirements

• Escape & Evacuation Means

HSE Risk Management

• Risk Management Approach:– Identify– Evaluate– Manage– Review

• Residual Hazard Management (RHM) Process Methodology – identify and try to minimize the risk AT SOURCE + PASSIVE PREVENTION

RHM Process Rules

• Rule No. 1 – Risk Based Approach:

RHM Process Rules• Rule no. 2 – Hierarchy of Risk Reduction Measures:

RHM Process Rules• Rule no. 3 – Effectiveness of Protection Systems:

HSE Design Methodology for ProjectsSTEP 1

HSE Design Methodology for Projects

STEP 1a

Step 1a – Identify Causes & Likelihood• Purpose:

– Seek ways to reduce likelihood– Put in place effective design & preventive measures– Establish minimum performance requirements– Assign criticality & follow up throughout the lifecycle of the plant

• Possible causes of incidents:– Human error in operation / maintenance– Unauthorized disassembly / operation– Incorrect assembly / reassembly– Deterioration due to internal (corrosion, erosion) or external environmental conditions– Overloading / Extreme Loads – Accidents, Impacts, Dropped Objects, Fires, Explosions– Monitoring / Control System Failure– Mechanical failure of a component / joint / weld– Plant startup / shutdown– Design Error

Step 1a – Identify Causes & Likelihood

• Studies to be performed:– Safety Layout Study– HAZID / ENVID / OHID Study– What-If Analysis– SIMOPS Study - by HSSE group– Bow-Tie Analysis– HAZOP Study– SIL Assessment Study– Failure Modes & Effects Analysis (FMEA)– Job Safety Analysis (JSA) – by HSSE group– Task & Activity Analysis – by HSSE group– Environmental Baseline Study– Environmental Emissions & Effluents Study / Emissions & Effluents Summary

HSE Design Methodology for Projects STEP 1b

Step 1b – Analyze Severity & Consequences• Purpose:

– Seek ways to minimize severity & consequences of events– Put in place effective detection, control & mitigation measures– Establish minimum performance requirements– Assign criticality & follow up throughout the lifecycle of the plant

• Characteristics to be considered:– Location of initial failure and the resultant effects– Hydrocarbon release rates, frequencies, durations & total released quantities– Spread & accumulation of any oil or liquid fuel releases– Kinetic energy & location of dropped objects– Location & severity of explosion overpressures– Location & severity of heat / flames resulting from process / other fires– Spread, density & toxicity of smoke from different fires– Particular dangers & severity of access to hazardous areas– Height & Weight of tall structures & areas onto which they may collapse

Step 1b – Analyze Severity & Consequences• Studies to be performed:

– Hydrocarbon Release Analysis– Blowout Analysis– Impact Analysis (including Dropped Object Study)– Hydrocarbon Liquid & Gas Dispersion Analysis– Fire & Explosion Hazard Analysis (FEHA)– Environmental Event Definition– Immediate Effects Analysis

Fire & Explosion Hazard Analysis (FEHA)• Quantify the severity of credible and extreme events in terms of overall size,

variation with time, duration, heat and blast loadings and smoke effects

• Components:– Ignition Probability Analysis– Computational Fluids Dynamics (CFD) Modeling– Physical Effects Modeling (PEM)– Flare / Vent Dispersion & Radiation Study– Fire Risk Assessment (FRA)– Smoke & Gas Ingress Assessment– Heat Radiation Contours– Blast Study– Blast Overpressure / Explosion Contours– Building Location Risk Assessment– Consequence Analysis – Fault Tree Analysis

HSE Design Methodology for Projects STEP 1c

Step 1c – Escalation & Evacuation Analysis• Purpose:

– Identify potential routes to escalation, together with the effects that could lead to evacuation

– Rigorously examine each hazard / group of hazards – could they realistically arise?– Draw event tree – primary routes to escalation, probability, sequence, timings,

characteristics of event progression, each event consequences– Determine overall risk picture / need for protection

• Factors to be considered:– Potential for & routes to escalation which would require evacuation (LOC of wells, LOC

from pipelines / flowlines, LOC of well control during critical drilling activities / workover, LOC of major HC / toxic inventory – H2S, Diesel fuel, separators, chemical storage, etc, Loss of integrity, etc)

– Impairment of accommodation, muster areas, control rooms– Routes for progressive escalation– Time at which escalation / impairment could occur– Exposure of escape & evacuation routes / evacuation systems, etc.

Step 1c – Escalation & Evacuation Analysis

• Studies to be performed:– Egress, Escape, Evacuation and Rescue Analysis (EEERA)– Emergency Systems Vulnerability & Survivability Analysis (ESSA)– Muster & Temporary Refuge Analysis– Emergency Preparedness Analysis – by HSSE group

• Documents / Plans to be developed:– Pollution Prevention & Control Report– Safety Case– Emergency Preparedness Action Plan– Emergency Response Plan– Spill Prevention & Control Plan– Spillage Response Plan

HSE Design Methodology for ProjectsSTEP 1d

Step 1d – Exposure Analysis / Risk Assessment• Likelihood and consequences of all hazards and effects are evaluated (qualitatively

and/or quantitatively) to demonstrate compliance to ALARP principle

• Studies to be performed:– Screening Level Risk Assessment (SLRA)– Temporary Building Risk Assessment– Environmental Risk Assessment (ERA)– Quantitative Risk Assessment (QRA)– Pipeline Risk Assessment– Preliminary Construction Risk Assessment– Preliminary Operation & Maintenance Risk Assessment– Preliminary Health Risk Assessment– Preliminary Demolition Risk Assessment

Quantitative Risk Assessment (QRA)• Steps:

– QRA Assumption Register– HAZID – What could go wrong– Scenario Definition – Where & How often things could go wrong– Plant Sectionalizing & Inventory Calculation – Event Tree Analysis – What could contribute to the accident– Consequence Modeling – Severity of accident & possible consequences– Risk Calculation & Sensitivity Analysis– Risk Assessment – compare risk levels with tolerability criteria– Identify practical Risk Reduction Measures


STEP 2

Step 2 – Eliminate / Minimize Hazards At Source

• Systematic approach will continue using outputs from all the HSE studies carried out

• For every identified hazard / hazardous activity – try to design out:– Fewer processing steps– Use permanently installed equipment to avoid heavy lifts associated with transient plant– Arrangement of drilling / workover facilities / pipe storage to avoid lifts over top deck– Location of HP gas plant to avoid explosion arising from confined gas release, etc– Minimization of processing, by exporting partially processed / lower specification fluids


• For every identified cause – seek ways to make failure inherently less likely to occur (through inherent strength, reliability, longevity, simplicity of design:

– Minimize potential for human error– Increase plant / component reliability to minimize disassembly– Inherent plant resistance to external / internal deterioration– Inherent plant strength to withstand unintentional overload / extreme & accidental events– Corrosion resistant materials– Minimize number of instruments in process plant– Avoid relief valves – design plant for maximum anticipated pressure, etc– Increased design tolerances – greater longevity, absorb process deviations / overloads– Minimize number of hazardous activities / requirements to enter hazardous areas (diving,

confined space entry, working at height, working over side / water, etc)


• Examine severity of consequences for opportunities to minimize them at source & limit their potential damage (where possible):

– Minimize HC release rates by limitation of potential hole sizes (instrument impulse line) / avoiding HP processing / reduction of vessel numbers / capacity / diameters / piping lengths

– Minimize explosion overpressures by minimizing the distances to vent areas– Maximize ventilation (reduce the gas cloud size)– Minimize type / frequency of activities requiring scaffolding in process areas– Optimize the layout of process plant / piping / support facilities (minimize explosion

overpressures)– Minimize elevation / weight of lifts– Minimize sources of ignition in process / production areas


• Make changes in layout or the way people operate to reduce their exposure:– Avoid exposing accommodation, TRS, muster points, CRs to flames, smoke or blast– Locate HP gas and liquids away from other major flammable inventories (oil processing,

fuel storage, etc)– Minimize activities requiring personnel on elevated platforms / areas where they might be

exposed / trapped by incident effects– Control ignited liquid spills to not impact critical plant / process areas– Optimize layout – avoid routine / extraordinary heavy lifts over the live plant– Locate large LP / atmospheric liquid inventories at lower level / in the spar to avoid

exposure of tanks / vessels / structures to fire from beneath– Provide plant / structure with sufficient inherent strength to withstand the effects of an

initial event– Avoid location of processing / drain systems in enclosed areas


STEP 3

Step 3 – Adopt Strategy to Manage Each Hazards• Four types of strategies will be applied sequentially until adequate defense in depth

has been provided:– Strategy to Prevent– Strategy to Control the Severity – limit the magnitude of the event– Strategy to Mitigate the Effects / Reduce Escalation– Strategy for Emergency Response, Evacuation & Recovery

• Decisions will be complex, considering:– Practicality to ensure that events without protection do not occur in the lifetime of the

installation– Practicality of counteracting the effects of more severe events with ensuring the effective

emergency response– Risk of strategy failures on P, A, E, R– Minimum design / operating standards, infrastructure and facilities provided– Any specific policies and procedures– Environmental consequences of an uncontrolled event

Step 3 – Adopt Strategy to Manage Each Hazards

• Review and update existing philosophies / strategies, or develop new ones where required:

– HSE & Loss Prevention Philosophy– Fire, Explosion & Toxic Release Strategy– ESD & Blowdown Philosophy– Drain & Vent Philosophy– F&G Detection Philosophy– Passive / Active Fire Protection Philosophy– Vibration, Noise Control & Noise Mitigation Philosophy– Boat Landing / Helicopter Approach Philosophy– Egress, Escape, Evacuation & Rescue Strategy (EEERS)– BAT Assessment Study– ALARP Demonstration Strategy

Strategy to Prevent

• It is not absolute – there will always be potential for human error, mechanical failure or any type of other failures

• It is viable if every cause has been identified, is fully understood and effective measures are put in place for the lifetime of the facility

• Studies and possible causes of incidents listed under the Step 1a are critical inputs to the decision

Strategy to Control Severity

• Next strategy is to control or limit the magnitude of events

• Process is started by reduction at source

• Addition of further systems to detect and then control the event will reduce the severity to make it unlikely to kill or cause escalation

• Analysis of severity (Step 1b) will indicate which variables within the possible scenarios may reduce the severity (detection and control options)

Strategy to Mitigate Effects / Reduce Escalation• Assessment of immediate consequences (Step 1b) will show which people and parts of the

plant could be exposed to the consequences

• Assessment of potential routes to escalation (Step 1c) will indicate the ways plant is likely to fail:

– Major loss of life– Critical failure (e.g. vessel rupture)– Major loss of HC inventory– Loss of critical safety / emergency systems needed to control the hazard– Loss of primary structure, etc

• After optimizing the design to minimize the exposure (Step 1d), a Mitigation strategy will be adopted to protect people, plant and environment

Strategy for Emergency Response, Evacuation & Recovery

• When everything practical has been done by design to control the escalation and mitigate the consequences of an unwanted event, finally consider if anything else is needed to limit the exposure of people and environment and protect their evacuation – defense in depth in case of an extreme event and/or failure of all the previous strategies

• Facilities to muster and evacuate are always provided, but this strategy aim is to reduce the dependence on them to an absolute minimum

• Where they are critical, make decision and use the equipment within the timescale and effects of the event confirmed by the studies on Step 1c


STEP 4

Step 4 – Select Systems

• Many systems (particularly Prevention systems) will be selected based on the requirements of applicable codes & standards, with long term assurance of plant integrity (by corrosion control & inspection), supported by operational controls and operators’ competence.

• Other systems will be selected to minimize the potential for failure (particularly human error) and to minimize maintenance (with the associated exposure to people) – fewer tasks to make mistakes, fewer people exposed.

Passive Systems

• First choice – act upon hazard simply by their presence – most reliable, require only inspection & maintenance

• Failure modes – long-term deterioration, physical damage, removal

• Examples – corrosion allowances, bunds, blast walls, fireproofing

Active Systems

• Second choice – require mechanical / electrical plant or control signals in order to work

• Susceptible to failure and downtime - less reliable (particularly where their failure may be unrevealed), require inspection, testing & maintenance

• Susceptible to human error and/or omission – cause increased number of personnel and activity on the plant

• Examples – HIPPS systems, depressurization systems, F&G detection systems, active fire protection systems, etc

Operational Systems

• Third choice – depend primarily upon people to initiate the system / carry out the whole function

• Least reliable, require sufficient trained people to be on the plant for their operation, with the associated minimum competence and procedures

• Effectiveness wholly dependent on the operator who decides their activation

• Examples – manual settings of choke valves, visual detection of oil leaks, manual initiation of ESD systems, etc

External Systems

• Final choice – depend on correct reaction of people beyond the company itself and its direct workforce

• Further room for errors due to longer communication lines and frequent changes of people involved

• Effectiveness dependent upon effective contracts and audit

• Examples – industrial fire fighters, isolation of third party feeder pipeline, external medical services, etc


STEP 5

Step 5 – Setting System Performance Standards

• Once the systems are selected – set the performance standards for all critical safety / emergency systems, competencies and procedures

• Performance standards reflecting minimum level of performance that must be achieved during the lifetime of the facility will be set.

• Will address role, functionality, criticality (quality, availability, reliability) and survivability, with respect to hazards to which they are assigned

• Role - Will be defined before any other parameter.

• Example: - role of a depressurization system is not only to meet a particular depressurization rate according to a particular code / standard, but also to prevent vessel rupture in a high pressure condensate fire or to reduce the duration of a gas fire so that it cannot cause critical escalation

Step 5 – Setting System Performance Standards• Functionality – will define the minimum performance necessary to fulfill the role,

but will not define how this will be achieved. Failure to achieve it will require repair / replacement

• Examples:– Sensitivity and response time of gas detectors– Weather limitations and response time of rescue systems– Application rate of fire water to keep vessel temperature down to a specific figure

• Criticality – will determine how reliable and available the system must be

• In case of prevention measures, will indicate the goal in terms of reducing the likelihood of the event

• For all other systems will determine the target success rate for the system (two components – reliability and availability)

Step 5 – Setting System Performance Standards

• Reliability will be verified by functional testing at predetermined intervals

• Availability is defined by maximum allowable downtime in a fixed period

• Exceedance of these limits will require further operational risk reduction measures, including shutdown

• Where required success rate cannot be achieved by a simple or conventional system, performance will be enhanced by increased reserves of strength, duplication or redundancy

• Existing criticality systems will be used (e.g. for competence, corrosion management, structural integrity, instrumented safety systems, etc) and will be integrated into an overall system for the facility management

Step 5 – Setting System Performance Standards• Example - a F&G detection system may have 85% probability of detection of small events, but

99% probability of detection of incidents with the potential to escalate or kill. This is achieved through the assurance of adequate coverage, testing of panel and detectors at predetermined intervals, clear definition of tolerable failure rates and limits for the duration of lockouts and obstructions such as scaffolding, which may impair effectiveness

• Survivability - will be expressed in terms of the severity of the event that it should survive. A system must have sufficient strength / protection / redundancy to fulfill its role and meet the required functional standards in order to operate and maintain its integrity during or after an event

• Examples– A fire and gas detection system does not need to survive a fire or explosion, as it should

already have fulfilled its role in the incipient stages of the event– A separator and connected piping and instruments may have to maintain its integrity when

exposed to a 0.5 bar explosion overpressure– An ESD valve actuator and power supplies may have to be fail safe or protected from a jet

fire until it has closed


STEP 6

Step 6 – Demonstration of Adequacy

• Final step is to demonstrate system adequacy

• Purpose – to show that design is good enough to go to the next phases of the project:– Design safety expectations have been achieved– Project goals are met– Risk acceptability criteria are satisfied and risk are reduced at least to ALARP level– Standards used on Process Safety / Integrity Management are fully respected– All Company / National Regulations will be satisfied during the next phases of project

Step 6 – Demonstration of Adequacy• Elements:

– Concept selection process has explored inherently safer options

– Project has chosen a concept in which risks can be minimized and managed effectively

– Overall process to identify, understand and manage hazards is complete

– Project has made a comprehensive attempt to identify and consider all practical means to minimize risks from residual hazards at source

– Three primary decisions on each MAH have been documented together with all the potentially better options and reasons for their non-selection:

• Selection of strategy for management of each MAH

• Choice of systems to implement this strategy

• Setting of realistically achievable performance standards for each system

Step 6 – Demonstration of Adequacy

• Studies / Workshops to be performed:– FIREPRAN– Formal Safety Assessment (FSA)– Peer Review– ALARP Demonstration (including CBA)– PHSER

ALARP Demonstration• Scope – demonstrate compliance with ALARP principle

• Company/ ADNOC risk tolerability criteria for individual risk of fatality will be applied

ALARP Demonstration (including Cost Benefit Analysis)• Demonstrate that all

risks are both tolerable and reduced to ALARP

• CBA will be used where decisions are not clear from qualitative reviews, in order to compare the costs for different options and identify the point at which the cost of risk reduction becomes grossly disproportionate.

RISK MAGNITUDE

Negligible Risk

Risk cannot be justified

Tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gainedTolerable if cost of reduction would exceed the improvement gained

Necessary to maintain assurance that risk remains at this level

AsLowAsReasonablyPracticable

Broadly acceptable region(No need for detailed working to demonstrate ALARP)

Unacceptable region

LEVEL OF RISK

Specific Challenges• Is it good enough?

• Are codes and standards adopted suitable for the hazards and particular conditions on this facility?

• Have good international best practice been applied?

• Has there been suitable expert input?

• What is particularly dangerous, difficult or novel and how have the hazards been managed?

• What design safety factors have been applied to process and structures and how will they change with time?

• Has the rigorous process of safer design been followed?

• Why are not more corrosion resisting materials used?

• Why are so many people needed to operate and maintain it?

• For every hazard has there been an adequate examination of causes, probability, severity, immediate consequences and potential for escalation to a major accident?

• To what extent have the project safety goals been met?

Specific Challenges• Has there been a rigorous process to identify all possible options to reduce risks at

source by design, and have all the opportunities been implemented where practicable?

• Why is the protection not further up the passive / active / procedural hierarchy?

• Is there any specific individual activity needed to build, operate, maintain, inspect, repair or decommission the installation that is unusually dangerous, even with the best possible operational controls?

• Are there any groups of people who are highly exposed to serious hazards?

• Does the amount of hazardous activity, processing, simultaneous operations and exposure of personnel make any part of lifecycle unusually dangerous?

• Are there large numbers of people working on or near the facilities and exposed to major accidents which could realistically occur and from which they could not escape or be protected?

• Are the future operations happy with the risks on the facility, the proposed hazard management strategies, the systems provided and the dependence upon them to operate it safely?

• Do the facilities meet the used guidelines on risk acceptability?

hse design strategy final (short)

Documents

hse design

quantitative

explosion

step 1a identify

major loss

evacuation

rigorous process

esd systems