
Engineering Safety:

Going Lower - Reducing Risk, Enhancing Projects


Howard Thompson – February 2013
AMEC Brownfield Projects & Operations Management - Technical Safety Manager
AMEC Europe – Head of Engineering Assurance & Governance

1
Outline of Presentation

• Explore some of the trends that influence Engineering Safety

• Explore some of the limitations of Hazard & Risk Management as an approach to Engineering Safety

• Outline the principles of an Inherently Safer approach

• Consider the organisational implications in developing an Inherently Safer approach to Engineering Safety

2
In the Beginning ...

... low sensitivity to Consequences or the Likelihood of them!

3
More Recently ...

The Hoover Dam: 112 people died during construction

Attitudes to Hazards and Risks are constantly evolving

4
Trends in Occupational Safety

5
Unrevealed Safety Issues

• Despite improving HSE Performance indicators, the Texas City refinery suffered a
major event in May 2005 … and a second event two months later …

OSHA Recordable Incident Frequency (RIF)


Texas City refinery: From 1.73 (1999) to 0.64 (2004)
API US refining average: 0.84 (2004)
BP Global: 0.53 (2004)

• Occupational safety data can give misleading indications of ‘design’ or ‘process’ safety performance

• ‘Process’ or ‘Design’ Safety was not widely measured in 2005; however, indicators of hardware safety issues are more widely recorded and assessed now … although there are many more Lagging indicators in use than Leading ones!

6
Texas City

7
Trends in Refinery Damages

Incident costs - $ per 1000bbls refinery capacity corrected to 2000 prices

8
Trends

• Increased and increasing public risk aversion

• Reducing regulatory tolerance

• Increased damages where legal action ensues

• Increased focus on occupational safety and statistics

• Increasing focus on ‘technical’ safety and statistics

• Increased Management of Change (MoC) challenges
– Through the life of modern engineered facilities and products
– Due to evolution in stakeholder organisations
– Changing operational requirements

9
An Increasingly Complex World …
Nimrod 2006

• After an Air-to-Air Refuelling (AAR), the plane caught fire

• Experienced crew acted with calmness, bravery and professionalism, and in accordance with training, but could not control the fire

• Aircraft exploded

• All 14 on board died


Why Did it Happen?

[Figure: annotated photograph. Labels: fuel vent pipes and couplings; No 7 fuel tank; airframe anti-icing pipe; Cross-Feed – Supplementary Cooling Pack duct (HOT); fuel pipes – refuel and feed; uninsulated bellows]

Why Did it Happen?

Probable cause was fuel coming into contact with extremely hot surfaces; an overflow due to the Air to Air Refuelling, ignited by the cross-feed / Supplementary Cooling Pack (SCP) duct, which could be at up to 400ºC, and was not properly insulated

Major design flaws:

• Original fitting of cross-feed duct
• Addition of SCP
• AAR modification

Why Did it Happen?

• Fuel pipe / vent coupling seals sourced from new supplier

• Couplings not to original specification
– Although thought to be by the procurement function

• Fuel pipe / vent couplings known to be unreliable by maintenance teams
– This information never fed back to the design or safety case teams

Why Did it Happen?

• A number of previous incidents and warning signs ignored

• Safety case existed but contained significant errors

• Widespread assumption that Nimrod was “safe anyway” after 30 years of successful flights

• Safety case became a “tick-box” exercise

• Missed key dangers, should have been the best opportunity to prevent the accident

• Financial pressures and cuts led to there being distraction from safety as an overriding priority

Hazard and Risk Management ...

A crucial ...

LIMITED

... contributor to safety!

15
Hazard and Risk Management Paradigm

What could happen?

How often? How bad?

So what?

What do I do?

16
Hazard and Risk Management

Diagram boxes: Hazard Identification; Frequency Analysis; Consequence Analysis; Evaluation of Hazard & Risk; Manage Residual Risk

Diagram side labels: Risk Analysis; Risk Assessment; Risk Management

17
Event Sequences

• A cornerstone of the Hazard & Risk Management Paradigm is the concept of Event Sequence

• The idea is that all event sequences are identified in the analysis, or covered within some more general event sequence

• A key limitation is the issue of foreseeability
– What is foreseeable?
– Is it really possible to foresee all categories of event?

• The case law is demanding: engineers and experts are expected to foresee relatively remote events

• The O&G industry regulator is not as demanding as, for example, the Nuclear industry regulator in these matters

18
Underlying techniques of Hazard and Risk Management Process

• REQUIRED – The Hierarchical use of controls and barriers

• REQUIRED – The Demonstration of ALARP

ALARP - As Low As Reasonably Practicable

19
Safe?



We identified the Hazards and ensured there were adequate Safeguards, consistent with the ALARP principle

N.b. ... The cost emphasis of ALARP ... an encouragement to add safeguards until increased benefits through risk reduction cannot be justified

Some North Sea Events

• The SEA GEM 27th December 1965 – 13 Lost
– Mineral Workings (Offshore Installations) Act 1971

• The ALEXANDER KIELLAND 27th March 1980 – 123 Lost
– Norway – Created a clear source of Authority for Abandonment
– The sister rig the Henrik Ibsen also got into difficulty a few months later

• The PIPER ALPHA July 1988 – 167 Lost
– Mineral Workings (Offshore Installations) Act 1971

21
The SEA GEM – The First Rig to Find Hydrocarbons in the NS

The Alexander Kielland Semi Sub Drilling Rig Adjacent to a Production Platform

Alexander Kielland – Structural Arrangement

24
Piper Alpha
Metocean Conditions - Foreseeable ?
The Ocean Ranger – Capsized off Newfoundland February 1982 – 84 lost

Ocean Ranger with Draupner Wave shown for comparison

1 – The Draupner wave 59 ft / 18 m
2 – Location of unprotected portlight 28 ft / 8.5 m
3 – Location of the ballast control room

26
How Can We Make It Safer ?

So what can we do differently?

Inherently Safer Design

The concept supports the view that the achievement of safe operations requires that HAZARDS are addressed during concept development and all subsequent phases of System, Structure, or Equipment design AND IMPLEMENTATION

The intent of Inherently Safer Design is to eliminate a hazard completely or reduce its magnitude significantly

Thereby eliminating / reducing the need for safety systems and procedures

Furthermore, this hazard elimination or reduction should be accomplished by means that are inherent in the design and process and thus permanent and inseparable from them

28
Principles of Inherent Safety

[Figure: Inherent Safety Principles]

29
Examples - Minimise

• Minimise storage of hazardous gases, liquids and solids
• Minimise inventory by phase change (liquid instead of gas)
• Eliminate raw materials, process intermediates or by-products
• Just-in-time deliveries of hazardous materials
• Hazardous materials removed or properly disposed of when no longer needed
• Hazardous tasks (e.g. working at height or above water, lifting operations) combined to minimise the number of trips
• Need for awkward postures and repetitive motions minimised

30
Examples - Substitute

• Substitute a less toxic, less flammable or less reactive substance
– Raw materials, process intermediates, by-products, utilities etc.
– Use of water-based product in place of solvent- or oil-based product

• Alternative way of moving product or equipment in order to eliminate human strain

• Allergenic materials, products and equipment replaced with non-allergenic alternatives

31
Examples - Moderate

• Reduce potential releases by lower operating conditions (P, T)
– Process system operating conditions
– New / replacement equipment that operates at lower Speed, P or T

• Dilute hazardous substances to reduce hazard potential

• Storage of hazardous gases, liquids and solids as far away as possible in order to eliminate risk to people, environment and asset

• Segregation of hazardous equipment / units to prevent escalation

• Relocate facility to limit transportation of hazardous substances

• New / replacement equipment that produces less noise or vibration

32
Examples - Simplify

• Simplify and / or reduce connections, elbows, bends, joints, small bore fittings

• Separate single complex multipurpose vessel into several simpler processing steps and vessels

• Equipment designed to minimise the possibility of an operating or maintenance error

• Minimise number of process trains

• Reactors designed / modified to eliminate auxiliary equipment (e.g. blender)

• Eliminate or arrange equipment to simplify material handling

• Ergonomically designed workplace

33
Examples of Equipment Level ISD in
Brownfield & Operations Development 1

• Replace flammable hydraulic fluids with water-based equivalents

• Replace oil-filled switchgear with vacuum-insulated equivalent

• Replace Ex instrumentation with intrinsically safe equivalents

• Use low toxicity oils to replace PCBs in transformers

• Use low smoke, zero halogen, cable insulation

• Use PFP coatings that resist water ingress so avoid Corrosion Under Insulation

34
Examples of Equipment Level ISD in
Brownfield & Operations Development 2

• Arrange equipment layout to minimise restrictions on explosion venting

• Arrange “Deluge on Gas” where advantageous to minimise explosion overpressures

• Arrange beam detection to replace or supplement point F&G detectors

• Position acoustic leak detectors to supplement gas detection for high pressure gas systems

• Position hand rails at all locations where there would be unguarded height, if equipment was removed for service

• Position pipe work, including flanges and rodding points, so that service leaks will be caught, and not by operators!

35
Inherently Safer Design – Why Bother?

• Helps us to achieve safer operations, both in terms of day to day safety, and importantly ...
– In avoiding low likelihood high consequence events
– Through the elimination and reduction of hazards and unrevealed system vulnerabilities

• Reduced number of Engineered Safeguards
• Reduced Complexity
• Reduced component and vessel sizes
• Reduced energy consumption
• Inherently Safer Designs have reduced CAPEX and OPEX and are easier to operate and maintain!

36
A Case Study ...

An Example of how Design without the application of ISD results in unrevealed vulnerabilities

Mumbai High

How the cook cut his finger ... and the platform fell into the sea ...

37
Mumbai High North (27 July 2005)

38
Mumbai High North –
Background

• Mumbai High Field was discovered in 1974 and is located in the Arabian Sea 160 km west of the Mumbai coast
• The field is divided into the north and south blocks, operated by the state-owned Oil & Natural Gas Corporation (ONGC)
• Four platforms linked by bridges:
– NA small wellhead platform (1976)
– MHF residential platform (1978)
– MHN processing platform (1981)
– MHW additional processing platform
• Complex imported fluids from 11 other satellite WHPs and exported oil to shore via pipelines, as well as processing gas for gas lift operations
• The seven-storey high MHN platform had 5 gas export risers and 10 fluid import risers situated outside the platform jacket

39
Mumbai High North –
Sequence of Events (1)

• Noble Charlie Yester jack-up was undertaking drilling operations in the field

• The Samudra Suraksha was working in the field supporting diving operations

• A cook onboard the Samudra cut off the tips of two fingers

• Monsoon conditions onshore had grounded helicopters

• The cook was transferred from the Samudra to the Mumbai High platform complex by crane lift for medical treatment

40
Mumbai High North –
Sequence of Events (2)

• While approaching the platform the Samudra experienced problems with its computer-assisted azimuth thrusters and was brought in stern-first under manual control

• Strong swells pushed the Samudra towards the platform, causing the helideck at the rear of the vessel to strike and damage one or more gas export risers – the resultant leak ignited

• The close proximity of other risers and lack of fire protection caused further riser failure - the fire engulfed the Samudra and heat radiation caused severe damage to the Noble Charlie Yester jack-up

• Emergency shutdown valves were in place at the end of the risers which were up to 12 km long - riser failure caused large amounts of gas to be uncontrollably released

41
Mumbai High North (27 July 2005)

42
Mumbai High North (27 July 2005)

43
Mumbai High North – Aftermath

• The seven-storey high processing Platform collapsed after around two hours, leaving only the stump of its jacket above sea level

• The Samudra suffered extensive fire damage and was towed away from the scene but later sank on 01 Aug 2005, about 18 km off the Mumbai coast

• A total of 384 personnel were on board the platform and jack-up at the time of the accident … 22 reported dead (only)

• Significant problems were reported with the abandonment of all the installations involved, only 2 of 8 lifeboats and 1 of 10 life rafts were launched

44
How could a better design have avoided this disaster or reduce its impact?

Would it be possible to eliminate the hazard altogether?

• Position risers inside jacket structure
• Location of boat landing on lee side of platform
• Larger separation distance between platforms
• Subsea Isolation Valves to reduce hydrocarbon inventory during release
• Relocation and fire proofing of risers to prevent escalation
• Improved availability of evacuation means

45
Inherently Safer Design – How do we do it?

• Establish an ISD Culture

• Develop processes that support specific structured ISD events

46
Inherently Safer Design – How do we do it?

• Establish an ISD culture within the organisation
– Driven from the top
– Involvement of all technical and project personnel
– Roll-out progressively – presentations, posters, pilot events
– Establish processes and guidance for their use

• Ensure every project has planned ISD events in every phase
– Including each phase of Implementation
– Measure ISD uptake performance across all projects
– Sustain awareness and interest, ensure all new starts are involved, and encourage champions

47
Success or Failure of ISD –
Some Factors

• All engineers and project personnel provided with ISD Awareness training as part of Induction

• Ownership - ISD is not owned by HSSE or Technical / Process Safety personnel but by All engineering and project personnel

• Operations personnel should be involved in all ISD workshop / study events

• The language of ISD should be sustained in each project, ISD features should be captured and presented in appropriate media

• Often “ISD design features” do not receive the credit and attention they should, or are only known amongst a few
– ISD design features should be acknowledged and shared with a wider audience

48
Putting it all together ...

49
Integrating ISD & Existing Safety Processes

50
AMEC Several Years On – A Summary of Findings

Encourage Each Project ...

• To have, and to communicate, a clear systematic process

• Definitions and Terms of Reference shared in advance with all workshop participants and stakeholders

• Create an ISD Register at the earliest time and maintain it through all phases

• Expect to identify some possibilities that will not be actionable until a future phase; the register needs to keep track of these

• Develop and maintain an ISD culture, make ISD wins visible to the team as a whole

51
An ISD Workshop Process

SET ISD GOALS

IDENTIFY HAZARDS

BRAINSTORM OPTIONS

INITIAL REDUCTION OF OPTIONS
• Reject options that clearly cannot meet the goals

IDENTIFY AND UNDERSTAND THE SPECIFIC HAZARDS AND RISKS OF REMAINING OPTIONS

DEVELOP EACH REMAINING OPTION FOR SELECTION
• Eliminate hazards
• Confirm that it will be practical to manage the residual hazards

SELECT / REJECT OPTION
• Meets goals?
• Meets economic criteria?
• Possible to manage residual risks with defined protection layers and an aim of continuous risk reduction?

Yes: DEVELOP SELECTED OPTION
• Meets goals
• Minimise risks from residual hazards
• Define minimum design standards/limits
• Conduct risk management activities

No: further iteration

Final No (if multiple iterations fail to deliver a suitable outcome): RECOMMEND DISCONTINUING DEVELOPMENT

52
ISD Goals - Examples of High Level Goals

LAYOUT EXAMPLES
• Minimise explosion overpressure potential
• Minimise frequency of occurrence of explosion overpressures
• Minimise escalation potential from fire and explosion events
• Minimise vulnerability of Emergency Escape and Rescue systems to fire and explosion; including Temporary Refuge

PROCESS EXAMPLES
• Maximise simplicity of plant
• Minimise hydrocarbon inventories and pressures
• Minimise leak potential
• Maximise integrity of containment envelope from internal and external loadings and hazards

High level goals require to be pursued through the development of low level goals with the involvement of each and every technical discipline contributing to the project

53
An ISD Register

54
An ISD Output

• Bridge length set to optimise separation between Process and Well Bay areas and the Temporary Refuge

• Minimal inventory fuel gas for GTs

• Both jackets designed for a minimum Reserve Strength (RSR) of 2.5

• Diverse Fire Pump locations

• Designed so as to minimise HP / LP interfaces

55
Strategy for Hazard Management -
UK HSE (OTH 96 521)

Identify Hazards
Understand / Assess Hazards
Avoid Hazards
Reduce Severity
Reduce Likelihood
Segregate / Reduce Impact
Apply Passive Safeguards
Apply Active Safeguards
Apply Procedural Safeguards
Risks ALARP? (No / Yes: OK)

Side labels: Inherently Safer Design (ISD), beside the Avoid Hazards / Reduce Severity steps; Additional Engineering Controls, beside the Passive / Active Safeguards steps

56
In Summary

• Attitudes to safety continue to evolve and pose engineering project stakeholders ever greater safety challenges

• The ‘traditional’ Hazard and Risk Management paradigm is imperfect and further steps are now required to meet modern challenges

• Inherently Safer Design (ISD) consists of straightforward principles that can be widely applied

• ISD when integrated with Hazard and Risk Management changes the emphasis on how safety is driven within design and planning processes

• This change of emphasis is not only beneficial to safety but to other project and operational parameters including cost and maintenance burden

57
That’s all for now ... ?

Hindenburg
