Safety and Risk Assessment

Hazard identification (HAZID)

A HAZID (Hazard Identification) is a systematic approach for identifying and reviewing hazards in the early phase of design or during the planning of activities. A HAZID is normally followed by a more comprehensive risk assessment. The study is often performed in a workshop and would typically take 1 to 3 days. In addition to a HAZID Chair and Secretary, participants should come from Operations and Engineering/Design. Hazards which are reviewed could be:

  • Pressure
  • Temperature
  • Hydrocarbons
  • Flammable materials
  • Moving objects
  • Working at height
  • Working above sea
  • Extreme weather

Having identified the hazards, the facility’s measures to eliminate or reduce the probability of the hazards being realised, e.g. measures to avoid a ship impacting another ship, will be identified. Finally, identification of measures mitigating the consequences of an accident is necessary to complete the overall coarse risk assessment.

Since a HAZID is solely an identification (and qualitative assessment) of hazards, causes, consequences, preventive measures (PM) and mitigating measures (MM), it can rarely conclude on risk acceptance. But in case the workshop reveals insufficient controls or mitigating measures, alternative or additional controls/measures can be discussed in terms of risk reduction and the cost/feasibility of implementation.

The elements listed above (hazards, causes, consequences, preventive and mitigating measures) can be structured in a bow-tie diagram, as displayed in the figure below.

Quantitative Risk Analysis (QRA)

A risk analysis comprises calculation/estimation of the probability of accidents as well as of the loads from the accidents. Such analyses are called QRAs – Quantitative Risk Analyses. A QRA could be comprehensive and take up to 6 months if the facility is large and advanced models are required for flow, fire and explosion simulations. For small facilities, or when only analytical models are used, the QRA could be completed within a period of 1-2 months.

There are several objectives of a QRA. The two most apparent are:

  • To compare calculated risks with the acceptance criteria given by the Operator and applicable safety legislation. Risk criteria are often expressed as a maximum tolerable frequency value (probability) of fatalities, of asset damage and of environmental impact.
  • To use the results for defining Design Accidental Loads (DAL), i.e. to describe the accidental loads (e.g. blast pressures) for which the facility has to be designed to achieve an acceptable level of safety.

A QRA can be used for verification purposes only or as a tool to improve safety in the design and planning phase when changes have minor cost and weight impact.

A QRA is preceded by a HAZID and shall estimate the risks associated with the hazards having the potential to develop into major accidental events. Computer codes used in QRAs are ASAP, FLACS and KFX.

Example of a Process Flow Diagram modelled in the risk analysis tool “ASAP”:


Safety Case Studies

A Safety Case, also denoted a HSE Case, is a document describing the facility with its activities, the safety management system for the facility and how various safety studies have been used and will be maintained to assure that the level of safety is controlled and maintained during the lifetime of the facility.

The most common safety studies required for preparing a Safety Case are:

  • HAZID – Hazard identification
  • QRA – Quantitative Risk Analysis
  • EERS – Escape, Evacuation and Rescue Study
  • FES – Fire and Explosion Study
  • EPA – Emergency Preparedness Analysis
  • Performance standards for safety systems

The safety case document can be prepared by the Operator of the facility, or by a Consultant together with the Operator.

Emergency Preparedness Analysis (EPA)

An emergency preparedness analysis is an analysis of the technical, operational and organizational measures/actions that are planned to be implemented by the emergency preparedness organization in case hazardous or accidental events occur. The analysis includes:

  • Selection of the hazardous scenarios and accidental events that will be used for dimensioning the emergency preparedness, i.e. the DSHAs (Defined Situations of Hazard and Accidents)
  • Establishment of the emergency preparedness performance requirements for managing each DSHA in each emergency preparedness phase (alert, combat, rescue, evacuation and normalization)
  • Identification and description of mitigating measures (i.e. documentation of how the performance requirements are fulfilled).

The intention of the analysis is to document a basis for establishing the emergency preparedness plan for a facility and to ensure that adequate emergency preparedness and a robust emergency preparedness organization are established.

The EPA is typically executed after the QRA is established. The analysis is often performed in workshop(s) that would typically take 1 to 3 days. An EPA for a facility could be completed within a period of one month. The duration depends, though, on the size and complexity of the facility and on the project phase (an EPA of a facility in operation is more detailed and time-consuming than one for a facility at the concept stage).


Escape, Evacuation and Rescue Study (EERS)

The objective of this study is to evaluate the effectiveness of the EER systems in various accidental situations.

The escape routes, stairwells, shelter areas, evacuation means and rescue operations are modelled as a flow network and each part of the network is assigned performance values (e.g. walking speed). This network can also be superimposed on the 3D risk model in “ASAP” such that the vulnerability of the EER systems is calculated as part of the risk analysis.

Example of a flow network superimposed on the 3D risk model in ASAP. One escape route from an area to the muster station at a lifeboat is shown. The escape time is calculated by the program.
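The flow-network calculation described above, as an added example that is not part of the original page and not code from the ASAP tool: escape routes are edges carrying a length and a walking speed (the performance value of that part of the network), the escape time is the shortest travel time from an area to the muster station (Dijkstra's algorithm), and the vulnerability of the EER system is assessed by blocking the segments affected by an accidental scenario and recomputing. All node names, lengths, speeds and scenarios are constructed sample values.

```python
"""Escape time over an EER flow network (added example, constructed data).

Each segment carries a length in metres and a walking speed in m/s; travel
time is length / speed.  A scenario blocks one or more segments (e.g. a
corridor through a fire area) and the escape time is recomputed over the
surviving network, so routes that fail or become too slow stand out.
"""
import heapq
import math

# Constructed sample network: (from, to, length_m, speed_m_per_s)
SAMPLE_SEGMENTS = [
    ("process_area", "corridor_A", 40.0, 1.2),
    ("process_area", "corridor_B", 60.0, 1.2),
    ("corridor_A", "stairwell_1", 20.0, 1.0),
    ("corridor_B", "stairwell_2", 25.0, 1.0),
    ("stairwell_1", "muster_lifeboat", 30.0, 0.5),  # stairs: slower speed
    ("stairwell_2", "muster_lifeboat", 35.0, 0.5),
]


def build_graph(segments, blocked=frozenset()):
    """Undirected adjacency map of travel times, skipping blocked segments."""
    graph = {}
    for a, b, length, speed in segments:
        if (a, b) in blocked or (b, a) in blocked:
            continue
        t = length / speed
        graph.setdefault(a, []).append((b, t))
        graph.setdefault(b, []).append((a, t))
    return graph


def escape_time(segments, origin, muster, blocked=frozenset()):
    """Shortest travel time in seconds from origin to muster, with the route.

    Dijkstra's algorithm over the surviving network; returns
    (math.inf, []) when the muster station is cut off.
    """
    graph = build_graph(segments, blocked)
    best = {origin: 0.0}
    prev = {}
    heap = [(0.0, origin)]
    while heap:
        t, node = heapq.heappop(heap)
        if t > best.get(node, math.inf):
            continue  # stale heap entry
        if node == muster:
            route = [node]
            while route[-1] in prev:
                route.append(prev[route[-1]])
            return t, list(reversed(route))
        for nxt, dt in graph.get(node, []):
            nt = t + dt
            if nt < best.get(nxt, math.inf):
                best[nxt] = nt
                prev[nxt] = node
                heapq.heappush(heap, (nt, nxt))
    return math.inf, []


def vulnerability(segments, origin, muster, scenarios):
    """Escape time per named scenario (a set of blocked segments)."""
    return {name: escape_time(segments, origin, muster, blocked)[0]
            for name, blocked in scenarios.items()}


if __name__ == "__main__":
    t, route = escape_time(SAMPLE_SEGMENTS, "process_area", "muster_lifeboat")
    print("base case: %.0f s via %s" % (t, " -> ".join(route)))
    scenarios = {  # constructed scenarios
        "fire blocks corridor A": {("process_area", "corridor_A")},
        "both corridors impassable": {("process_area", "corridor_A"),
                                      ("process_area", "corridor_B")},
    }
    for name, secs in vulnerability(SAMPLE_SEGMENTS, "process_area",
                                    "muster_lifeboat", scenarios).items():
        print("%s: %s" % (name, "cut off" if secs == math.inf else "%.0f s" % secs))
```

In a real study the walking speeds would come from the performance values assigned per network element (corridor, stairwell, smoke-filled area), and the blocked-segment sets from the fire and explosion scenarios of the QRA; comparing the resulting escape times against the time the route remains tenable is what turns the network into a vulnerability measure.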


Plug and Abandonment Studies (P&A)

Plug and Abandonment activities involve a much higher activity level at the facility, particularly in the wellhead areas. P&A studies can be performed as a sensitivity analysis within the existing QRA for normal operations. P&A studies can also be performed as a SIMOPS study.

A P&A sensitivity study (which requires an existing QRA) or a SIMOPS study can be completed within a period of 3-4 weeks.

Design Accidental Loads (DAL)

Design accidental loads can be prescriptive or defined by the results from a risk analysis. The four most common accidental loads which have to be designed for are:

  • Heat load – incident heat for a certain time period
  • Blast load – pressure on a surface area as a function of time
  • Mechanical impact load – impact energy on the hit area
  • Environmental loads – extreme winds, waves and earthquakes

Lilleaker can advise on the accidental loads which should be used and also prepare the DAL specification for implementation.
Recommendation of DALs is one of the main results of a QRA. For a facility in operation, the DALs determine the level of risk. The explosion exceedance graph below stems from a QRA and indicates that an in-built blast resistance of 1 barg will keep the escalation (catastrophic) frequency below 10^-4 per year.

The explosion pressure exceedance curve is shown in the figure below.
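How a DAL is read off an exceedance curve, as an added example that is not from the original page and not output of any real QRA: the curve gives, for each overpressure, the annual frequency with which that overpressure is exceeded; the required blast resistance is the lowest overpressure at which the exceedance frequency drops to the acceptance criterion. The curve points below are constructed sample values and the log-linear interpolation between them is an assumption of this example.

```python
"""Reading a Design Accidental Load off an explosion exceedance curve.

Added example with a constructed curve.  Frequencies are interpolated
log-linearly between tabulated points (an assumption); exceedance curves
from a QRA are typically presented on a logarithmic frequency axis, so
this is a reasonable approximation between points.
"""
import math

# Constructed sample curve: (overpressure in barg, annual frequency of
# exceeding that overpressure).  Monotonically decreasing, as such curves are.
SAMPLE_CURVE = [
    (0.1, 3.0e-3),
    (0.3, 8.0e-4),
    (0.5, 3.0e-4),
    (0.8, 1.5e-4),
    (1.0, 8.0e-5),
    (1.5, 3.0e-5),
    (2.0, 1.0e-5),
]


def exceedance_frequency(curve, pressure):
    """Annual frequency of exceeding `pressure` (barg), log-linear in frequency.

    Below the first point the first frequency is returned; above the last
    point the last frequency is returned (no extrapolation).
    """
    pts = sorted(curve)
    if pressure <= pts[0][0]:
        return pts[0][1]
    if pressure >= pts[-1][0]:
        return pts[-1][1]
    for (p0, f0), (p1, f1) in zip(pts, pts[1:]):
        if p0 <= pressure <= p1:
            t = (pressure - p0) / (p1 - p0)
            return math.exp(math.log(f0) + t * (math.log(f1) - math.log(f0)))
    raise ValueError("unreachable: pressure inside curve range but no segment found")


def required_dal(curve, target_frequency):
    """Smallest overpressure whose exceedance frequency is <= the criterion.

    Returns None when even the highest tabulated pressure is exceeded more
    often than the criterion, i.e. the curve cannot support the target.
    """
    pts = sorted(curve)
    if pts[-1][1] > target_frequency:
        return None
    if pts[0][1] <= target_frequency:
        return pts[0][0]
    for (p0, f0), (p1, f1) in zip(pts, pts[1:]):
        if f0 > target_frequency >= f1:
            # invert the log-linear interpolation to find the crossing point
            t = (math.log(target_frequency) - math.log(f0)) / (math.log(f1) - math.log(f0))
            return p0 + t * (p1 - p0)
    raise ValueError("unreachable: criterion lies within curve but no crossing found")


def meets_criterion(curve, design_pressure, target_frequency):
    """True when designing for `design_pressure` keeps the frequency of
    exceeding that pressure at or below the criterion."""
    return exceedance_frequency(curve, design_pressure) <= target_frequency


if __name__ == "__main__":
    criterion = 1e-4  # per year; constructed for the example
    dal = required_dal(SAMPLE_CURVE, criterion)
    print("required blast resistance for %.0e /yr: %.2f barg" % (criterion, dal))
    print("1 barg adequate:", meets_criterion(SAMPLE_CURVE, 1.0, criterion))
```

The check in `meets_criterion` is the verification use of a QRA mentioned earlier on this page, while `required_dal` is the design use: the same curve answers both "is the chosen resistance sufficient" and "what resistance is needed".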


Critical Valve Analysis

A critical valve analysis comprises an assessment of the increased consequences to a facility caused by an emergency shutdown valve failing to close when there is a fire in one of the hydrocarbon segments. Failure to isolate will drain the adjacent segment volume into the leaking segment and consequently increase the fire duration.

This assessment will rank the emergency shutdown valves in terms of criticality. The results are used to set requirements for testing, e.g. test frequency, closing time and maximum permitted internal leakage in the valve.
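A valve ranking of the kind described above, as an added example that is not from the original page and not a vendor tool: a deliberately simple inventory model (an assumption of this example) in which a leak releases at a constant rate, an isolated fire lasts for the leaking segment's inventory divided by that rate, and a valve that fails to close lets the whole adjacent segment drain into the fire. Each valve's worst case is the leak on its smaller side with the larger side draining in; valves whose failure pushes the fire past a stated escalation time rank first, then by the extra duration. Segment inventories, valve tags, the leak rate and the escalation time are all constructed values.

```python
"""Ranking emergency shutdown valves by the fire duration their failure adds.

Added example with constructed data.  Model assumptions: constant leak
rate, isolated fire duration = inventory / leak rate, and a failed valve
drains the full adjacent segment into the fire.
"""

# Constructed sample segments: name -> hydrocarbon inventory in kg
SAMPLE_SEGMENTS = {
    "separator": 12000.0,
    "compressor_suction": 3000.0,
    "export_pipeline": 80000.0,
    "flare_ko_drum": 1500.0,
}

# Constructed sample valves: tag -> the two segments the valve isolates
SAMPLE_VALVES = {
    "ESDV-101": ("separator", "compressor_suction"),
    "ESDV-102": ("separator", "export_pipeline"),
    "ESDV-103": ("compressor_suction", "flare_ko_drum"),
}


def fire_duration(inventory_kg, leak_rate_kg_s):
    """Seconds a fire is fed by `inventory_kg` released at a constant rate."""
    if leak_rate_kg_s <= 0:
        raise ValueError("leak rate must be positive")
    return inventory_kg / leak_rate_kg_s


def valve_consequence(segments, a, b, leak_rate_kg_s, escalation_time_s):
    """Worst-case effect of the valve between segments a and b failing.

    The leak is taken in the smaller segment (isolated duration is short)
    with the larger segment draining into it.  `escalates` is True only
    when the valve failure itself moves the fire past the escalation time.
    """
    small, large = sorted((segments[a], segments[b]))
    isolated = fire_duration(small, leak_rate_kg_s)
    failed = fire_duration(small + large, leak_rate_kg_s)
    return {
        "isolated_s": isolated,
        "failed_s": failed,
        "extra_s": failed - isolated,
        "escalates": isolated <= escalation_time_s < failed,
    }


def rank_valves(segments, valves, leak_rate_kg_s, escalation_time_s):
    """Valves from most to least critical as (tag, consequence dict)."""
    rows = [(tag, valve_consequence(segments, a, b, leak_rate_kg_s, escalation_time_s))
            for tag, (a, b) in valves.items()]
    # escalating valves first, then by the extra fire duration they cause
    rows.sort(key=lambda r: (r[1]["escalates"], r[1]["extra_s"]), reverse=True)
    return rows


if __name__ == "__main__":
    LEAK_RATE = 10.0          # kg/s, constructed
    ESCALATION_TIME = 3600.0  # s, constructed: e.g. time to structural failure
    for tag, c in rank_valves(SAMPLE_SEGMENTS, SAMPLE_VALVES, LEAK_RATE, ESCALATION_TIME):
        print("%s: isolated %.0f s, failed %.0f s, extra %.0f s%s" % (
            tag, c["isolated_s"], c["failed_s"], c["extra_s"],
            ", ESCALATES" if c["escalates"] else ""))
```

The ranking is what the test requirements hang off: a valve at the top of the list warrants the tightest closing-time and internal-leakage limits and the most frequent proof testing, because its failure is what converts a contained fire into an escalating one.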

Tank Explosion Analysis

Tank explosions on oil tankers and FPSOs are of particular concern as the consequences are often catastrophic. Historically, such explosions have occurred during manual interventions for inspection and cleaning. A systematic review of how tanks are filled and emptied, along with the pressure control of the blanket gas, may reveal potentially hazardous situations in case of maloperation. The procedure for entering tanks, with all preparatory work, is of special importance to review.


Simultaneous Operations (SIMOPS)

SIMOPS describes an operating situation in which drilling or well operations, or other defined activities, take place at the same time as production/injection in the same well area. A SIMOPS study will require risk assessments, since the condition for SIMOPS is that an abnormal operating situation in one activity shall not significantly increase the risk in the other ongoing activities.

The safety scope of a SIMOPS study is usually to review the Operator’s risk assessment procedure for SIMOPS to verify its adequacy for the planned SIMOPS.

A SIMOPS is not necessarily related to drilling and well operations. Bunkering, heavy lifting and construction activities on a facility/ship in operation are normally defined as SIMOPS and require special risk assessments.


Bow-Tie Analysis

Bow-tie diagrams are a simple and effective tool for communicating risk assessment results to employees at all levels. The diagrams clearly display the links between the potential causes, preventive and mitigating controls and consequences of a major accident. Bow-tie diagrams may be used to display the results of various types of risk assessments and are useful training aids.


Safety Strategies

A safety strategy document describes the overall safety strategies for a Facility.

The primary purpose of such a document is to:

  • Provide an overview of the hazards and the means of controlling these hazards
  • Provide a basis for:
    • The development of area specific safety strategies
    • The development of safety performance standards for barrier systems
    • Philosophy documents generated for safety critical systems
    • The specification of safety critical systems and equipment
    • Risk assessments and safety studies in general

The document establishes the context for the design of safety barrier systems. It further defines the role and main functional requirements of the barrier systems based on regulatory requirements.

The figure below shows the relation between the overall safety strategy and some of the other key barrier management documents.


Performance Standards

A performance standard includes the overall measures of suitability and efficiency of the safety systems/functions in carrying out their designated role. Performance standards should ensure that the barrier (safety system or safety function):

  • Is suitable and fully effective for the type of hazard, or has adequate resistance to any preceding hazard
  • Has sufficient capacity for the duration of the hazard or the required duration of operation/survival of the system. For example, a system may be required to keep functioning until evacuation has been completed.
  • Has sufficient availability to match the frequency of the initiating event and the acceptability criteria for escalation to a major accident or critical failure. This should determine whether or not backup systems or contingency measures are needed to cover for maintenance and breakdown.
  • Has adequate response time to fulfil its role.
  • Is suitable for the environmental conditions within the maintenance and repair constraints of the operation and maintenance philosophy.
  • Is suitable for typical operating conditions (impact, abuse etc.).
  • Is operable by the personnel available on the platform under realistic incident conditions. This could include initiation and/or isolation and reinstatement of damaged systems, e.g. ring mains.
  • Can be maintained under actual environmental and manning limitations, so that the availability requirements are met.


Vulnerability Analysis

Safety systems and safety functions need to provide the necessary functionality in all foreseen circumstances. In the vulnerability analysis safety systems are assessed for relevant scenarios and accidental events to ensure that the systems will provide protection of personnel, environment and assets as assumed.

The vulnerability analyses are performed as a workshop with participants from a limited group of relevant personnel.

These assessments are performed systematically, system by system in sequence. The analysis should be performed at a stage when the design of the safety systems is sufficiently detailed, but not so late that changes resulting from the findings of the analysis can no longer be incorporated.


Installation Risk Analysis

Installation Risk Analysis (IRA) is normally performed prior to installation of a new facility or before revamping of an existing facility. The purpose is to identify major risks and to discuss risk reducing measures for implementation. The time schedule of an Installation Risk Analysis is typically from a couple of weeks to some months.

In many cases, both SIMOPS and Emergency Preparedness Analysis (EPA) will be part of the Installation Risk Analysis (labelled TRA in the diagram below). The diagram displays the connection between EPA, SIMOPS and IRA and reflects the scope for a major upgrade of a fixed offshore installation.


Generic Data Analysis

Analysis of accident records and databases forms the basis of QRAs, RAM/SIL analyses and similar studies, and may reveal learning points for existing projects and designs. Lilleaker personnel have extensive knowledge of accident databases such as HCRD, OREDA, the SINTEF offshore blowout database, CODAM etc. Gathering relevant data for a specific analysis is the starting point of the work and may also reveal areas where more research and development is needed. Lilleaker personnel have participated in JIPs (funded by Operator companies) for the development of process leak frequency models, ignition models and blowout frequency models.


Hazard and Operability Study (HAZOP)

Lilleaker provides HAZOP Lead and Secretary for jobs worldwide. We have conducted and scribed HAZOPs lasting from one day up to 6 months.