Risk And Resistance Approach
At CREA, the Resistance to Accidental
and Extreme Loads goes hand in hand with the Probability Based Risk Assessment. This
Integrated Risk and Resistance Approach adopted by CREA
differs from that normally associated with the industry in that the assessment provides a
good balance between engineering solutions and judgement based on long industry
experience, and both probabilistic and deterministic mathematical modelling. A successful
optimum solution is normally achieved by a combination of both the probability of loss being
within acceptance criteria and a corresponding plant resistance.
Risk Assessment Projects to date included:
- Concept Safety Evaluation
- Formal Safety Assessment and Safety Case Preparation
- Technology Based Project Risk Assessment
- Preparation of Safety Management Systems
- HAZOP, HAZID and HAZAN
- Qualitative and Quantitative Risk Assessment
- Development of QRA Rule Sets
- Fire and Explosion Safety Studies
- Assessment of Prevention of Fire and Explosion, and
Emergency Response
- Escape, Evacuation and Rescue Analysis
- Determination of Design Accidental Loads
- Response Analysis of Equipment and Structures Using
Ultimate Strength Approach
- Establishment of Performance Standards
- Development of Risk Reducing Measures
- Risk Based Design
- Analysis and Design of Resistance of Offshore and
Onshore Facilities to Accidental Loads
- Optimisation of Fire and Explosion Protection
- Plant Availability Studies and Assessment of
Regularity of Hydrocarbon Production
- Working Knowledge of Safety Legislation in the
United Kingdom, Norway, the Netherlands, Australia and Malaysia.
- Third Party Verification
- Technical Audits
RISK ASSESSMENT
CREA's engineers have carried out risk assessment
in various parts of the world responding to the requirements of the respective
legislation. Although there are some differences in the approaches used, the following is
a brief summary of the methodology involved.
Corporate Goals and Risk Criteria
The starting point of assessment of risk is to
establish an understanding of company or project overall goals and risk criteria that
concern the operating company's activities as a whole, although they may reflect country
specific legislative requirements. The design and operation should achieve the goals and
criteria by a combination of appropriate resistance of the facility to accidental events,
operational procedures and a realistic likelihood of accidents materialising based on
statistics.
Hazard Identification
The next step is identification of hazards and
potential hazardous events. Formal approaches are used to identify hazards and top events,
e.g. Hazard Identification (HAZID), Hazard and Operability Studies (HAZOP) and Failure
Mode and Effect Analysis (FMEA). HAZID and HAZOP are structured, systematic and auditable
approaches, which address process and non-process events and cover all parts of the
facility. This requires a suitable combination of involvement of operations personnel,
design engineers and safety specialists.
Qualitative versus Quantitative Risk Assessment
Once hazards and hazardous events have been
identified, their causes, consequences and probability can be estimated and the risk
determined. Risk assessment may be on a qualitative, semi-quantitative or quantitative
basis. All involve the same steps.
A qualitative approach may be adequate for risk
assessments of simple facilities or operations where the exposure of the workforce,
public, environment or the asset is low.
A semi-quantitative method such as Risk Matrix is
useful to assess low, medium and high risks as it gives meaningful, although approximate
risk levels of fatalities, monetary values of asset impairment, loss of business or
environmental impairment. The risks may be screened and the medium and high risks carried
forward for further assessment.
Quantitative Risk Assessment provides a structured
approach to assessing the potential for incidents and expressing this potential
numerically. In QRA, statistical values are derived for potential loss of life and damage
to resources and environment. These values are used as a yardstick to measure safety, to
raise awareness of the potential for accidents and thereby to develop measures to prevent
them. QRA is a tool which assists management in deciding upon the best safety approach
and shows ways and means (e.g. improved engineering, procedures, supervision, etc.) to
prevent the potential incidents from occurring.
The application of QRA is considered to be
desirable when
- several risk reduction options have been identified
whose relative effectiveness needs to be determined;
- the exposure of the workforce, public, environment
or the strategic value of the asset is high, and reduction measures are to be evaluated;
- equipment layout allows significant risk of
escalation of the accidental event;
- novel technology is resulting in a perceived high
level of risk for which no historical data is available;
- demonstration of relative risk levels and their
causes to the workforce is needed to make them more conscious of the risks;
- demonstration that risks are as low as reasonably
practicable (ALARP) is required within the operating company and by third parties,
including the regulating authorities.
Hazardous events do not necessarily cause loss of
life or damage. The development of a hazardous event into a serious incident depends on
the effects of mitigating factors; e.g. gas detectors activating a shutdown system can
sense an un-ignited hydrocarbon release. If immediate ignition occurs, the signal from fire
detectors must be received by operating personnel, and the signal can activate shutdown and
deluge systems prior to further escalation.
Estimation of Likelihood of Events
The formal technique used to project the
development of events into incidents is Event Tree Analysis. The estimation of frequencies
and probabilities of events in Event Trees is based either directly on statistical
analysis of historical data, or derived by using Fault Trees. Historical data should
ideally include the number of successful events recorded together with the number of failures.
Assessment of Consequences of the Incident Scenarios
An assessment of the consequences of an incident is
required for those scenarios in which the failure of safety systems and the absence of
mitigating factors lead to potential escalation (e.g. escalation of initially controllable
releases of hydrocarbons into major fires and explosions). Physical effects from releases
of hydrocarbons or toxic material such as dispersion, explosion overpressures and heat
radiation from fire are evaluated. This includes the response of equipment and structures
to the overpressure, fire, impact, etc. which is simulated to assess whether escalation is
a realistic possibility and the extent of damage following the escalation.
Physical Effects Modelling is key to all safety
critical systems that provide
- detection of the hazardous event developing,
- communication of the detected event,
- control of the event,
- prevention of escalation,
- suppression of the incident, and
- escape, evacuation and rescue of personnel,
since the systems must be designed to survive the
incident and remain functional for a specific period of time. An important input to these
calculations is the leakage rate and its time dependence, the time dependent behaviour of
fire and its effects on equipment and structures. A safety critical system may be damaged
and rendered inoperative once it has fulfilled its desired function. This is taken into
account in the simulations of the thermal or structural response.
Calculation of the Potential Loss from Incident Scenarios
Having assessed the frequency and consequence for
each of the incident scenarios of the Event Tree, it is possible to calculate the
statistically expected loss for each scenario. The total statistically expected loss could
then be calculated by summation of the loss over all scenarios.
Several forms are available to express risks. Fatal
Accident Rate (FAR), which is often used in the earlier phases of a project, gives the
number of expected fatalities during 100 million working hours. FAR is used to describe
the work-related risk that personnel are exposed to. It does not distinguish, however,
between the nature of incidents or their magnitude.
Risks for an entire operation or development
considering all major incidents are normally described by means of Potential Loss of Life
(PLL) which gives the expected number of fatalities in one year.
Individual risk is usually expressed as risk of
fatality per annum (IRPA) for a named type of worker.
A commonly used presentation form for risk to the
public is the so-called risk contour. The number at a contour represents the frequency at
which a person, assumed to be permanently present at the location of the contour, sustains
a given level of harm.
Another frequently used method to represent risks
to workforce personnel or the surrounding community is a probability/consequence diagram
also called an F/N plot where 'F' denotes the frequency of a potential event and 'N' the
number of associated fatalities.
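The calculation described above, from Event Tree to PLL, FAR and F/N points, as an added example (not CREA's own code or data). The release frequency, branch probabilities, fatality counts per end state and the 50-person exposure are constructed values, and the branches are treated as independent.

```python
"""Event Tree -> scenario frequencies -> PLL, FAR and F/N points.
Every number here is constructed for illustration, not statistical data."""
from itertools import product

RELEASE_FREQ = 1.0e-2      # assumed initiating releases per year
BRANCHES = [               # assumed probability that each branch is "yes"
    ("immediate_ignition", 0.10),
    ("detection_works", 0.95),
    ("shutdown_works", 0.90),
]

def fatalities(outcome):
    """Assumed stand-in for consequence modelling of one end state."""
    controlled = outcome["detection_works"] and outcome["shutdown_works"]
    if outcome["immediate_ignition"]:
        return 1 if controlled else 5   # short fire vs escalated fire
    return 0 if controlled else 2       # safe shutdown vs delayed ignition

def scenarios(freq=RELEASE_FREQ, branches=BRANCHES):
    """Enumerate every path; branches are treated as independent."""
    result = []
    for flags in product([True, False], repeat=len(branches)):
        f = freq
        for (_, p), yes in zip(branches, flags):
            f *= p if yes else 1.0 - p
        outcome = {name: yes for (name, _), yes in zip(branches, flags)}
        result.append((outcome, f, fatalities(outcome)))
    return result

def pll(scen):
    """Potential Loss of Life: expected fatalities per year, summed over scenarios."""
    return sum(f * n for _, f, n in scen)

def far(pll_value, exposed_hours_per_year):
    """Fatal Accident Rate: expected fatalities per 100 million exposed hours."""
    return pll_value * 1e8 / exposed_hours_per_year

def fn_curve(scen):
    """F/N points: frequency per year of events with N or more fatalities."""
    levels = sorted({n for _, _, n in scen if n > 0})
    return [(n, sum(f for _, f, m in scen if m >= n)) for n in levels]

if __name__ == "__main__":
    s = scenarios()
    print(f"PLL = {pll(s):.3e} per year")
    print(f"FAR = {far(pll(s), 50 * 8760):.2f}")   # assumed 50 persons, 8760 h/yr
    for n, f in fn_curve(s):
        print(f"N >= {n}: F = {f:.3e} per year")
```

The scenario frequencies always sum to the initiating frequency, which is a quick check that no branch of the tree has been dropped.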
RISK BASED DESIGN
In today's economic climate designers are required
to develop facilities on minimum budgets and on fast track development programmes. Added
to this, the facility often has to operate unattended and achieve an overall availability
in the region of 99% and, for good measure, the risk to life, the environment and business
interruption shall be ALARP. Traditionally, major hazards and risks have generally been
addressed once a firm concept and design has been established. Typically 80 to 90% of a
project's costs are fixed at the feasibility stage and unless risk assessment is brought
into the project at an early stage, the project development may be disastrous. A
risk-based design facilitates minimisation of risk from major hazards, whereby the design
is developed based on an understanding of the potential risks posed by the development.
The overall risk based design approach requires
early studies and activities to be performed, with the general objectives being that
- the appropriate concept options are reviewed to
ensure that the requirements for the management of the major hazards have been included,
and
- the preferred option is designed to prevent, control
and mitigate major hazards.
The basis of the approach is to use hazard
identification and other risk assessment techniques to ensure that the best facility
option is chosen and further that the preferred option is developed using the risk
assessment techniques to support design decisions. Typically risk based design is carried
out in the following steps:
Step 1 - Determination of Acceptance Criteria
These are facility-specific criteria for the design
based on the corporate risk criteria of the operating company.
Step 2 - Determination of Accidental Loads
Based on process flow diagrams, process and
instrument diagrams and generic hazard lists, preliminary consequence modelling is
performed to determine the most important accident loads, e.g. fire and explosion loads.
For fires it is possible to determine the sizes and
duration which are used, for example, for riser layouts, number and location of
emergency shutdown valves, determination of separation distances, fire protection, etc.
For explosions, it is possible to carry out
modelling for a range of layout options, equipment configurations, decks and walls.
Step 3 - Development of General Facility Arrangements
Once the preferred option has been chosen, the risk
and safety discipline works with the layout designers to identify the various layout
options available for locations of pipelines, risers, high pressure systems, muster areas,
etc. Fire and explosion modelling provides a valuable input. At this stage,
a great deal of inherent safety is achieved. The design is not fixed yet so that moving
equipment around does not have much effect on the design process as no drawings have been
issued.
Step 4 - Hazard Identification and Design Development
Once a general arrangement has been made with
respect to the general design philosophy and the first layouts have been produced, a HAZID
workshop should be undertaken with contributions from designers, discipline engineers and
operations personnel.
This exercise requires an assessment of the
potential major hazards associated with the facility and requires the workshop group to
identify
- the consequences of the major hazard on the
facility,
- the credibility of such an event,
- the design (hazard management) measures in place to
prevent, control and mitigate the hazard,
- where no design measure has been provided, the
hazard management options available, and
- the functional design specification performance
standard for the design measure.
This stage goes a long way towards building a
design with a deep foundation of inherent safety. System based performance standards are
established related to the principal safety measures and safety critical systems for
- detection,
- communication of the detected event,
- control,
- prevention of escalation,
- suppression, and
- escape, evacuation and rescue.
The performance standards address the aspects of
- system functionality,
- reliability and availability,
- survivability, and
- dependency/interactions between systems.
Step 5 - Risk Quantification
Some decisions require a higher degree of support;
therefore the use of Quantitative Risk Assessment and Cost Benefit Analysis is
recommended. At this stage, QRA helps to support decisions in comparing
total facility options or in deciding whether selecting one type of equipment over
another has benefits.
Step 6 - Safety Discipline Support to Detailed Design
Further detailed design development is supported by
safety studies so that a final detailed QRA is confirmatory rather than a time-consuming
design iteration.
Resistance to Accidental Loads
The resistance to accidental and extreme loads is
analysed in Steps 3, 4, 5 and 6. The high level nature of data available in Steps 3 and 4
justifies the use of approximate models whilst Steps 5 and 6 progressively involve more
complex models as the requirement for accuracy increases. This includes temperature time
histories of equipment and structures, deterioration of strength due to elevated
temperatures, resistance against impact, etc. QRA normally has simple rule sets that are
often over-conservative. Realistic rule sets can be developed based on the analysis of
response to accidental loads.
For example, requirements for fire protection of
equipment are conceptually determined based on simplified heat-up calculations in Steps 3,
4 and 5. The fire protection should be optimised in Step 6 based on
- effects of fire water on reduction of heat flux and
cooling of pressure vessels,
- depressurising/rupture calculations,
- evaluation of failure modes,
- consideration of passive versus active fire
protection, and
- interaction between fire and explosion protection.
System resistance should be taken into account
rather than making decisions on the basis of failures at component level. Supporting
structures, for example, are redundant systems with a considerable resistance beyond first
yield. They normally provide adequate support even if some individual members attain very
high temperatures. The behaviour of equipment and structures beyond first yield can be
simulated with confidence using ultimate strength techniques.
COMBINED EXPERIENCE
In addition to the Risk Assessment experience, the
advantage of CREA is that its engineers are experts in the quantification of ultimate
strength capacities of plant and structures subjected to the following hazards: