The FAQ and their answers provided below are intended to provide guidance / clarifications to offshore safety engineers ...
Offshore Technical Safety FAQ
Offshore Technical Safety FAQ The FAQ and their answers provided below are intended to provide guidance / clarifications to offshore safety engineers while carrying out technical safety assessments. 1.
In HAZID (Hazard Identification), how should the risk levels determined? Should the safety devices / procedures in place be considered in the probability while ranking risks?
The r isk isk levels for each of the identified hazards are determined using operator or field owner’s risk matrix considering the proposed safeguards. The probability gets reduced once the safeguards are considered, thereby lowering the risk levels. If the safeguards are not decided, then they will be recorded under the recommendations.
2.
Since HAZID is the logical starting point for safety assessment, assessment, the Major Accident Events (MAE) will have to be identified in this facilitated exercise. One of the common practice is to cull out the medium and high risks and categorize them as MAEs. Is this logical? In the definition of MAEs, probability aspect is not mentioned and hence it may not be logical to consider risks. MAEs should ideally be identified based on consequences alone.
3.
Can you summarize HAZID objectives and methodology?
HAZID is the logical starting point for FSA (Formal Safety Assessment) studies where the MAEs are identified through this facilitated exercise. The causes and consequences for all hazards are identified for various systems using guidewords. Then the consequences are ranked based on the agreed risk matrix.
4.
In ESSA (Emergency System Survivability Assessment), normally only the major subsystems are assessed. Is this the right approach?
All sub-systems for all emergency systems should be assessed in order to make the ESSA process complete.
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
5.
Are all emergency systems designed designed to survive all MAEs?
No. The survivability of emergency systems depends on their performance objective. Some emergency systems will be designed to survive MAEs but not all. For details, the Technical Safety Note, ‘Insights on ESSA’ may be referred.
6.
In FPSOs (Floating Production, Storage and Offloading), typically all accommodation forward bulkhead is protected with A60 fire wall. A60 fire walls are designed to withstand cellulistic fires for 1 hour where as on FPSOs, hydrocarbon fires are possible. Is there a logical logical explanation for this?
A class fire walls are designed to withstand cellulistic fires for a defined period of time. Ideally, H class fire walls are recommended if hydrocarbon fires are expected.
7.
Can you explain the design specifications for A0, A0, B30, H15, J 30 fire wall & 7 bar Blast wall? A 0: Steel wall, will withstand 1 minute of jet fire and 8 minutes of pool fire (not designed for limiting temperature rise) A60: withstands 60 minutes of cellulistic fire (The partitions shall be made of steel or equivalent material. They shall be sufficiently braced and shall prevent flames and smoke from advancing for the duration designed for. A type firewall: partitions shall be insulated with non-combustible materials so that the average temperature on the side of the wall not being exposed does not exceed 139 degree C above the initial temperature and the temperature shall not at any place exceed 180 degree C above the initial temperature within the designed time limits)
B 30: (B type firewall: The partitions shall be made of non combustible materials and shall prevent flames from advancing for the duration designed for. The partitions shall be in such a way that the average temperature on the side of the wall not being exposed does not exceed 139 degree C above the initial temperature and the temperature shall not at any place exceed 225 degree C above the initial temperature within the designed time limits)
H 15: withstands 15 minutes of hydrocarbon fire (H type firewall: The partitions shall be insulated in such a way that the that the average temperature on the side of the wall not being exposed does not exceed 139 degree C above the initial temperature within the designed time limits)
J 30: withstands 30 minutes of hydrocarbon fire Blast wall 7 bar: withstand 7 bar over explosion pressure
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
8.
While carrying out FEA (Fire & Explosion Analysis), why should the sensitive receivers be defined? Generally the emergency systems and critical areas / rooms are identified as sensitive receivers to check if any of the fires or explosion will cause impairment. Typical sensitive receivers on an FPSO are accommodation forward wall, escape routes, life boat access areas, control room, etc.
9.
Is it logical to provide water deluge for gas compression module?
No. Normally water deluge is provided for liquid hydrocarbon vessels to provide cooling to avert escalation from jet fires. The scrubbers in the gas compression modules could be provided with water deluge since they will contain some liquid hydrocarbon.
10. The sub sea reservoir design data will normally involve several Heat & Material Balance (HMB) diagrams for various cases (pressure, oil, water). Which case should be considered in FEA?
Generally, the HMB with maximum pressure and oil case is considered for assessment since this will be the worst case.
11. If the liquid hydrocarbon process equipment is provided with local coaming with a 6” open drain system, will there be still a pool fire possibility?
Technically, hydrocarbon leak from a 4” hole will get drained from the local coaming through the open drain system provided there is leak is not from pressurized equipment and the leak size is limited to the open drain size. But in FEA, these factors are not given credit since the assessment is based on worst case conditions. Sometimes, these design measures are considered when the pool fire can impair some sensitive receivers and the impairment frequency is higher than the industry acceptable value.
12. The blast assessment in FEA typically considers critical factors such as stoichiometric mixture, congestion, blockage ratio, etc. How is a practical balance achieved in determining realistic explosion over pressure?
These are the factors that finally decide the blast / explosion over pressure values. The explosion modeling software guidelines should be properly understood and interpreted while choosing the values. Since the blast results can cause lot of cost impact, it is very
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
essential that this assessment is done with practical judgment. CFD (Computational Fluid Dynamics) modeling will provide realistic blast values when compared with point source models.
13. What is DOPE in the context of NHHA?
DOPE or Dropped Object Protection Equipment are identified from the DOA (Dropped Object Assessment) results. Based on the impact energy of dropped objects and the structure/deck design, it may be required to protect some critical areas / equipment. DOPE consists of both topsides, marine and sub-sea installations.
14. How DP (Dynamic Positioning) of marine vessels is is considered in ship collision assessments?
DP of marine vessels reduces possibility of collision with offshore installations and hence due credit should be given while calculating the collision frequency. One of the presentations by Dynamic Positioning Committee (part of Marine Technology Society) -5
gives the collision frequency with DP classed vessels of 1.45 x 10 (1998 -2004).
15. Typically, FPSOs have a trim to aft and transverse coaming in front of accommodation block. What does this mean from a pool fire perspective?
If local coaming is not installed on the main deck for process modules, in case of a leak, the hydrocarbon will get pooled up at the transverse coaming in front of the accommodation block. If there a pool fire, then the deck foam monitors will be used to fight this fire. Some engineers argue against this design with the point that with this design, the heat radiation from this pool fire is brought near the accommodation block.
16. Is frequency assessment part of a typical FEA?
Typically, frequency assessment is carried out in FRA (Fire Risk Assessment) or in QRA. In short, FEA report will provide only consequence based recommendations and not risk- based recommendations.
17. Generally AFP (Active Fire Protection) design is based on consequence whereas PFP design is based on risk / performance based recommendations. Why?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
AFP is based on identified fire scenarios and are considered as a minimum requirement, as part of standard design. PFP measures are identified and implemented based on impairment potential of sensitive receivers through a risk-based decision making process. Elasticity / Plasticity Structural study needs to be carry out in order to understand details of fire propagation with reference to flame spread and temperature gradients. Several FPSO operating companies and field owners insist on carrying out this extensive and expensive study to assess specific PFP requirements.
18. Inert Gas (IG) blanketing system plays an important barrier in preventing cargo tank explosions. How is this achieved?
Typically the boiler offtake contains inert gases and is connected to the Cargo Oil Tanks (COT) to provide the inert blanketing so that the hydrocarbon vapour does not mix with air to form explosive mixture. A vent will be connected from the cargo tanks to disperse off mixture of IG & crude vapours. When the offloading occurs, the COT will require more inert gas and when the COTs are filled, the excess vapour-IG mixture will be vented out. The PV (Pressure Vaccum) valve connected to the COT ensures constant pressure in the tanks. A detailed assessment is required to design the IG system.
19. What are the applications of Break-Away coupling? Where are the FPSO applications?
The Safety breakaway couplings consists of two halves, each with a poppet that has a flat type-sealing surface similar to a dry disconnect coupling. The coupling remains constantly open under normal use. The two halves of the breakaway coupling only close when there is excessive force, such as in a truck or railcar drive away situation or in a offtake tanker moving away from an FPSO, while the offloading is in progress. When the couplings separate, this allows the poppets to close. Loss of crude oil is minimized because the two poppets close rapidly, minimizing exposure to personnel and the environment.
20. In NHHA (Non Hydrocarbon Hazard Analysis), the FAR (Fatality Accident Rate) is considered to calculate occupational risk. But FAR includes all contributions from all risks (fire / explosions / dropped objects, etc.) and this means that we double count certain risks thereby increasing individual risks. Any solution?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
Yes, this will result in a double-count situation thereby increasing the individual risk levels. As per CMPT QRA Guidelines, around 30% of the FAR values correspond to occupational health issues.
21. What are MODU & MOPU?
MODU is the acronym for Mobile Offshore Drilling Unit and MOPU stands for Mobile Offshore Production Unit.
22. Are there any comprehensive assessment guidelines to assess adequacy of fire and explosion mitigation measures in offshore installations?
Yes. ISO 13702 ‘Control & Mitigation of Fires and Explosions-Requirements and Guidelines’ can be used to carry out this assessment, in a comprehensive manner.
23. Is FPSO deck protection design based on dropped object impact logical? Is there a performance / risk based solution for this?
DOA can be carried out using a specific risk assessment process to arrive at risk-based recommendations. Recommendations based on pure consequences may not necessarily result in risk benefits over the cost involved.
24. Is BLEVE (Boiling Liquid Expanding Vapor Explosion) possible with crude oil?
BLEVE is more probable with liquidified petroleum products such as LPG. When crude oil is heated, a hazardous condition known as Boil Over Explosion (BOE) can occur. Water deluge is provided on vessels / equipment containing crude on FPSOs is to avert BOE conditions from fire escalations.
25. For control of LOC (Loss of Containment) situations, plated decks are preferred over grated floors, especially for elevated equipment decks. How do we take a risk-based justification on this issue?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
Both plated and grated decks have their own advantages and disadvantages. For elevated equipment / vessels containing liquid hydrocarbon, it is recommended to have the secondary spill containment at the equipment floor so as to avert the catastrophe of COTs getting impaired from deck pool fires.
26. In almost FEA study, the explosion values are a major concern and can result in expensive modifications involving blast walls, deck steel strengthening, etc. What are the issues here?
The common point source modeling software / tools (although some are validated through scientific research) typically provide pessimistic explosion values due to their limitations. If the explosion values are found to be higher than the typical values, CFD analysis may be carried out to take a final decision.
27. In FPSO design and assessments, there is always a conflict between class rules and engineering standards. How is this major issue resolved?
Class rules (ABS, Lloyds, DNV, etc.) typically apply to vessel floating and stability aspects and marine systems (below deck) and the regulations (IMO-SOLAS, etc.) and engineering standards (API, NFPA, etc.) apply to topsides (above deck). Typically, class rules are prescriptive and the engineering standards are performance or risk based. Most common point of design conflict between class rules and standards is on the boarder. On FPSOs, it will be most often the deck. Impairment of main deck from topside hazards is always looked at and deliberated with interest by the classification societies.
28. Logically for brown field offshore assets, the risk levels should be assessed based on the actual performance of safety systems or barriers or safety critical elements. How is this done?
Yes. Since the risk levels depend on the safety barrier performance for an operating asset, in order to calculate realistic risk levels, it is logical to assess performance of safety systems. One of the common ways to do this is by using the traffic light system used by UK HSE & NOPSA.
29. What does the terms ICP & IVB stand for from the context of Verification Plan?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
IVB (Independent Verification Body) is appointed by DH (Duty Holder) to verify performance of safety systems or SCEs. The asset integrity verification is an important process that verifies the performance of safety barriers based on their defined performance standards. IVB carries out the verification using WSE (Written Scheme of Examination) through ICP (Independent Competent Person).
Generally the consultants (Bureau Veritas. ABS, DNV, Lloyds, etc.) collaborate with the asset owners to develop the verification scheme which establishes a system of independent and competent scrutiny of safety-critical elements throughout the life cycle of an installation. This written scheme then drives the verification activities. The actual verification is executed through a sampling process, including examination of facilities, review of maintenance and inspection records, and witnessing of tests on safety critical systems. The purpose of this independent verification activity is to satisfy the UK legal requirements to have an Independent Competent Person verify the suitability of the installations Safety Critical Elements (SCEs) thus providing confidence to the operator and the regulator in the suitability of risk management measures.
30. What is traffic light system from the context of SCE assessment?
The asset integrity of the ageing offshore assets in the UK Continental shelf (mainly in the North Sea) was verified through a sampling process (40%) by the Offshore Division of UK HSE using the traffic light system. Green means the performance of the safety critical element is healthy, amber means the performance has deteriorated and red means the SCE has failed or is not performing. For details, the KP 3 inspection report from UK HSE may be referred.
31. Bow Ties are developed for all MAEs and they should be used to demonstrate ALARP. But Bow Ties are qualitative but ALARP (As Low As Reasonably Practical) is about specific numbers. How is this conflict resolved?
As per Shell guidelines, if the performance of all safety systems / barriers is Green as per the traffic light assessment, then the risk levels are in the tolerable region of ALARP. Since Shell introduced Bow Tie technique, generally oil & gas operators follow this criterion which is logical.
32. What are KP (Key Performance) inspections from UK HSE?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
The offshore oil and gas industry on the UK Continental Shelf (UKCS) is a mature production area. Much of the offshore infrastructure is at, or has exceeded, its intended design life. Between 2000 and 2004, HSE’s Offshore Division (OSD) ran a major programme KP1 aimed at reducing hydrocarbon releases and focusing on the integrity of process plant. This resulted in a considerable reduction in the number of major and significant hydrocarbon releases. During this time, however, OSD became increasingly concerned about an apparent general decline in the condition of fabric and plant on installations and responded with Key Programme 3 (KP3) directed more widely at asset integrity, and were conducted between 2004 and 2007.
33. What is UKOOA?
UKOOA stands for United Kingdom Offshore Operators Association. Several safety and asset integrity publications are freely available from their web site, www.ukooa.co.uk .
34. Can MAE Bow Ties be used to identify emergency systems? How?
Yes. The mitigation and recovery barriers that are located on the right side of Bow Tie are logically the emergency systems.
35. Can Bow Ties be used in all FSA (Formal Safety Assessments) studies to demonstrate ‘Safe Operation of Offshore Assets’ as a common thread (HAZID to Operational Safety Case)? How can this be done?
Yes, this can be done. If Bow Ties developed at the HAZID stage are used in all FSA studies, then the demonstrate ion in the safety case would be very visible with a common thread running through the assessments. For details, please contact the author.
36. Can the Bow Ties be developed in a quantitative manner? How can this be done?
Fault tree could be developed on the left side and event tree on the right side and this could be done in a quantitative manner. The probabilities of consequences from various threats can be demonstrated using bow ties. Generally the frequency analysis is carried out using published failure data using various safety gates in event trees.
37. Is there a relation between PFP and escape /evacuation time? How are these linked?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
The escape time calculated in the ETRERA study. Logically, the critical facilities in offshore installation that aid safe escape & evacuation of personnel should survive major fires. Based on the ETRERA and FEA studies, escape routes and ESD valves should be provided with appropriate PFP measures for the escape duration.
38. BDVs (Blow Down Valves) and PSVs (Pressure Safety Valves). Are both these devices intended to cause de-pressurization?
BDV valves are designed to open on confirmed external fire condition to depressurize gas systems to 6.9 barg or to 50% of the operating pressure (whichever is lesser) within 15 minutes as per API 521. PSVs are set to open at a set over pressure value to de- pressurize the process equipment due to process upset conditions. In a way, both are installed to protect equipment from over pressurization but the design objectives are different.
39. What are MOPO & SIMOPS?
MOPO or Matrix Of Permitted Operations is a matrix with SCE failure conditions against safety critical activities. MOPO is normally developed in a facilitated workshop to identify restrictions for critical operations during SCE failure conditions. Some activity may be permitted / not permitted / permitted with restrictions during SCE failure conditions.
SIMOPS or Simultaneous Operations involves concurrent activities such as production and drilling; construction and production, etc. Generally, SIMOPS will generate additional hazards due to the concurrent or simultaneous activities. An example is hydrocarbon venting (production) and welding (construction) which poses a SIMOPS hazard. 40. What is a Verification Scheme and what are its typical contents? Refer FAQ 29.
41. How are Safety Critical Elements (SCEs) identified? SCEs could be identified by developing a matrix between MAEs and all systems on the installation. Then by applying the definition of SCE (safety system that controls /prevents/mitigates / recovers from MAEs), those safety systems can be identified.
42. How are MOPO & SCEs linked?
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
As explained in FAQ 39, MOPO is developed to identify restrictions during SCE failure conditions. So SCEs and MOPO are certainly linked.
43. What is included in ‘Case to Operate’ document?
Case to Operate’ document is a logical extension of MOPO, in which the procedures of continuing operations during SCE failure conditions are defined.
44. What do you mean by Dual Safety Performance assurance? How is this achieved?
Ideally safety performance should be measured using both leading (proactive) and lagging (reactive) performance indicators. As part of MHM (Major Hazard Management), safety performance indicators should be focused on process safety. Logically, both the leading & lagging performance indicators could be identified from bow ties and then can be monitored through the HSEMS (HSE Management system).
45. What is the most important safety learning from BP Texas Explosion incident?
BP management measured process safety performance as part of MHM process by measuring LTIs (Lost Time Injuries) which is an occupational safety (OH) issue. Although the OH performance was good, the process safety at BP Texas refinery was on the decline and finally resulted in a major explosion.
46. There are several safety assessments which are performed as part of Operational Safety Case. Is there a suggested logical sequence?
1. HAZID
5. ESSA
9.Verification Scheme
2. Layout Review
6. ETRERA
10. OSC
3. HAZOP
7. NHHA
4. FEA
8. QRA
47. Safety case is a requirement most hazardous industry sectors such as offshore. Which other MAH (Major Accident Hazard) industries require a safety case?
The other MAH industries for which safety case requirement exists include aviation, rail, and nuclear.
Technical Safety FAQ / Sreejith / November 2008
Offshore Technical Safety FAQ
48. What are the typical triggers for safety case update?
As per UK SCR (Safety Case Regulation) 2005, the safety case has to be updated every 5 years. The typical safety case update triggers are: •
Major modifications;
•
Technology change;
•
Regulatory change; and
•
Change in ownership;
49. Is Design Safety Case still a UK HSE requirement?
No. As per ‘The Offshore Installation (Safety Case) Regulations 2005 (SCR05)’, the requirement for a design safety case has been replaced with the new requirement for an (earlier) design notification.
50. UK Safety Case Regulation, 2005 is followed by several countries to safely operate their offshore installations. What is the logic behind this?
Since the UK HSE SCR 2005 is matured and is rather comprehensive, many countries are adopting UK Safety Case Regulation for operating their offshore assets safely.
Compiled by: Pillai Sreejith (
[email protected])
Disclaimer:
The FAQ was generated based on author’s experience in assessing technical safety of offshore installations and based on applicable standards and guidelines. It is possible that there are different views on these answers. The author welcomes frank discussions on the above FAQs.
Technical Safety FAQ / Sreejith / November 2008
