Inherent Safety application to ensure an ALARP design at Concept Stage


Khama Matiti, MES International

Randalls Road, Leatherhead, Surrey


In general it is better to incorporate safety into design earlier, i.e. during design development, than later, when the design is finalised. The demonstration of safe design adopts the basic principles of inherently safe design and risk reduction measures.

In the United Kingdom Continental Shelf, the ALARP principle has been adopted. This principle requires that risks to the health and safety of personnel are As Low As Reasonably Practicable. The principle involves reducing risk to a level where further risk reduction can only be achieved at unreasonable cost.

To ensure Inherent Safety and the ALARP principle are effectively implemented, a mechanism is required to ensure that all possible inherently safe design measures are introduced early into any project and are demonstrated to be ALARP. The mechanism described in this paper is termed “The Continuous ALARP” methodology and is used for this stated purpose.

The methodology leaves a clear and auditable trail of design considerations and the reasoning behind design decisions, thereby demonstrating ALARP. The technique also establishes a system and structure to capture all further design changes and considerations. It demonstrates the continuous application of inherent safety and As Low As Reasonably Practicable (ALARP) principles.

This paper discusses how the methodology can be applied to a conceptual design stage of a Wellhead Platform (WHP) facility in the United Kingdom Continental Shelf. The example facility is comprised of a WHP with production, drilling and quarters facilities producing well fluids via a dedicated multiphase production pipeline to a nearby moored FPSO vessel. The technique will demonstrate how to ensure a concept design where risks were demonstrated to be ALARP through the incorporation of inherent safety principles.

Keywords: Inherent Safety, Industry Application, ALARP, Systematic Approach, Qualitative Risk Analysis, Conceptual Design Stage


Generally, offshore installations require operation in difficult and often harsh environments. Problems arise due to the complex processing and structures that are required for operation. Since the Piper Alpha incident in 1988 and the subsequent report from Lord Cullen (Cullen, 1990), it has been established that safety and loss prevention issues are significant in offshore operations.

Within British waters and the United Kingdom Continental Shelf (UKCS), the United Kingdom Health and Safety Executive (UK HSE) regulations apply. The UK HSE generally utilise the demonstration of As Low As Reasonably Practicable (ALARP) in design as an indication of acceptable practice.

This paper details a methodology that aids in identifying, controlling and managing risks at an early stage of the design of an offshore facility, leaving an auditable trail for regulators. The methodology ensures that ALARP can be demonstrated by duty-holders to regulators utilising the principles of inherent safety set out by the UK HSE publication “Improving Inherent Safety” (Mansfield, D., Poulter, L., 1996) and “A Handbook for Inherently Safer Design” (Kletz, T., Amyotte, P, 2010). Over recent years, there has been much theoretical debate about the application of inherent safety to process design. This paper contributes to the debate by demonstrating how the principles have been effectively utilised and documented within industry.

In order to illustrate how the methodology has been used in industry, this paper details a worked example from a facility located within the UKCS. This facility is comprised of a Wellhead Platform (WHP) with production, drilling and quarters facilities, producing well fluids via a dedicated multiphase production pipeline to a nearby moored Floating Production Storage Offloading (FPSO) vessel.

Background Principles

ALARP Principle

The concept of “reasonably practicable” is the basis of the British health and safety system. It forms an integral part of the UK Health and Safety at Work Act etc 1974 (United Kingdom Health and Safety Executive, 2013).

The ALARP principle asserts that risks should be “As Low As Reasonably Practicable”. The UK HSE states that “reasonably practicable involves weighing a risk, in terms of safety, against the trouble, time and money needed to control it. Thus, ALARP describes the level to which we expect to see workplace risks controlled” (Health and Safety Executive, 2013). The principle is generally that the risk is reduced to below an intolerable level and risk reduction measures are implemented unless the costs are disproportionate to the benefit.

The ALARP principle allows regulators such as the UK HSE to avoid setting prescriptive standards and instead set goals for duty-holders. The principle encourages innovation by allowing duty-holders to target specific installations and choose the best and most appropriate method for risk reduction.

Inherent Safety Principle

Process risk management is a term used to describe four techniques applied to effectively reduce safety risks. The techniques can be grouped into inherent, passive engineered, active engineered and procedural safety (Kletz, T., Amyotte, P, 2010). Safety risks are reduced by minimising the potential harm that the design can cause and also reducing the likelihood of an accident.

Inherent safety is described as a “concept, an approach to safety that focuses on eliminating or reducing the hazards associated with a set of conditions” (Centre for Chemical Process Safety, 2009). Inherent safety philosophies can be applied to all four risk management techniques to reduce risks to ALARP.

A hazard is described as “a physical or chemical characteristic with the potential to cause harm to people, environment or property” (Centre for Chemical Process Safety, 2009). Hazards can be due to the intrinsic properties of the materials used, or the nature of the process conditions.

Risk itself is described as the “probability that harm will occur” (Kletz, T., Amyotte, P, 2010).

Inherent safety principles favour the elimination of hazards over simply reducing the hazard. Within the oil and gas industry, the main hazard is typically from the product itself, i.e. potential fires and explosions from the produced oil or gas, therefore elimination of the hazards is not typically feasible. In these instances a philosophy of reducing the hazards is employed by following strategies that can either reduce its likelihood and/or the severity. Fig. 1 illustrates a hierarchy of controls for a systematic approach to loss prevention suggested by (Kletz, T., Amyotte, P, 2010). This hierarchy of controls is used as the framework for the inherent safety review methodology detailed in this paper. Note: Inherent principles specifically apply to avoiding hazards, reducing severity and reducing likelihood.

Inherent safety should be utilised throughout the lifecycle of a project. Utilising inherent safety principles challenges the process design team to eliminate/reduce hazards instead of accepting them and subsequently having to design elaborate safety systems. The principles are generally more cost effective when employed earlier during a project (United Kingdom Health and Safety Executive, 2006). This is due to the greater level of freedom to change between raw materials or basic design in the earlier phases of design with minimal financial impact.

The application of inherent safety on an offshore installation can be complex. With a combination of process, weight, fabrication and spacing issues, an inherently safer solution for one scenario may be to the detriment of another. To ensure the optimum solution has been found all relevant disciplines should be involved. These issues are generally discussed in the HSE publication “Improving Inherent Safety” (Mansfield, D., Poulter, L., 1996).

Fig. 1 – A Systematic Approach to Loss Prevention (Hierarchy of controls) (sourced from Kletz, T., Amyotte, P, 2010)

Worked Example Study

The following section illustrates how inherent safety principles were incorporated at the concept phase of a UKCS facility to demonstrate ALARP to the UK HSE.

Project Description

The example facility is comprised of a WHP with production, drilling and quarters facilities, producing well fluids via a dedicated multiphase production pipeline to a nearby moored FPSO vessel (see Fig. 2).

Fig. 2 Facility Configuration

ALARP Demonstration

To operate in British waters and within the UKCS, an approved safety case is required for all installations by the UK HSE. This is a requirement of the overarching Offshore Safety Regulations (OSCR) 2005. A safety case is a “document that gives confidence to both the duty holder and HSE that the duty holder has the ability and means to control major accident risks effectively” (United Kingdom Health and Safety Executive, 2006). No standards for the control of major accidents are set by the OSCR 2005, however standards are set by the following relevant regulations:

• Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations 1995 (PFEER).
• Offshore Installations and Wells (Design and Construction, etc) Regulations 1996 (DCR).
• Pipelines Safety Regulations 1996 (SI 1996/825) (PSR).

In terms of practical application, the regulations stated above are predominantly non-prescriptive. The 2005 OSCR requires that submitted safety cases “demonstrate that major hazard risks are identified and evaluated and that, in respect of these risks, the ‘relevant statutory provisions’ will be complied with” (United Kingdom Health and Safety Executive, 2006). The ALARP standard is typically the benchmark for acceptance except where the law requires a stronger standard. This therefore highlights the need to demonstrate ALARP.

Prior to submission of the safety case, a design notification is required as a means of initiating a dialogue between the UK HSE and the Duty Holder. The design cannot be finalised until UK HSE comments are received and addressed. The design notification is required to demonstrate to the UK HSE that major hazards have been properly addressed with regards to the design of the production installations. To satisfy Schedule 1 of OSCR 2005, the design notification is required to contain a “description of the design process from an initial concept to the submitted design and the design philosophy used to guide the process” (United Kingdom Health and Safety Executive, 2006). The notification should also describe how the preferred design option has used relevant criteria and codes of practice to reduce risks to as low as is reasonably practicable (ALARP). This paper establishes an effective way of demonstrating and documenting that this requirement has been met.

The UK HSE recognise that deciding whether a risk is ALARP can be challenging as it requires duty holders to exercise judgement. In most cases reference to ‘good practice’ such as proven operator guidelines is sufficient.

For well understood design issues, indications of compliance with ALARP principles can be achieved by implementation of well defined corporate design requirements, e.g. BP ETPs, Statoil TRs, Shell DEPs, international standards, recommended practices and regulatory authority requirements.

The methodology for demonstrating ALARP generally moves from qualitative towards quantitative the further developed the design is, or the more novel the design.

An ALARP register was created to keep track of the identification and evaluation of decisions regarding risk reducing measures during the project lifecycle.

The Inherent Safety Review is one input into this ALARP register along with other studies such as any future Hazard and Operability studies and Risk Analysis.

The risk reduction measures included on the ALARP register are then actively tracked to support ongoing ALARP demonstration as advised by the UK HSE regulator in later design phases.

The following section illustrates an effective way of documenting the application of Inherent Safety principles in the design, as required for inclusion in the design notification. It uses a worked example to show how an auditable trail can be produced that describes how the preferred design option has utilised inherent safety principles to demonstrate application of ALARP principles.

Inherent Safety Design Review Methodology

The Inherent Safety Design Review was used to determine whether the considered design options were ALARP. After discussions, the various disciplines identified and chose appropriate designs to achieve the project aims. The methodology was based on the decision making process suggested by Aven as cited in (Aven, A., Vinnem, J.E., 2010) (see Figure 3). The methodology involves the generation of alternative design options by the relevant discipline; the analysis and evaluation of the design options based on inherent safety principles by the safety team; and a review and assessment by relevant stakeholders, which may include the safety team, project manager and other relevant disciplines, to confirm whether the design is ALARP.

Figure 3 Model of Decision Making Process (Source: (Aven, 2003) as cited in (Aven, A., Vinnem, J.E., 2010))

Stakeholder Values, Goals, Criteria and Preferences

Design principles and performance standard requirements for the development of the safe design of offshore installations were described in operator technical standards and were used as an initial benchmark for the design. Compliance with these benchmark guidelines was generally accepted as ALARP, although in some instances these were challenged or were not applicable and further assessment was required using engineering judgement to ensure an optimised design solution.

Decision Alternatives

Primary concept stage design decisions were stated by the operator and were required to be undertaken by the respective disciplines at the process design consultancy. These design decisions included process configurations or selection of equipment types, e.g. assessing the most suitable location for the test separator, either on the FPSO or the WHP. Table 1 shows some examples of the design decisions required on this project.

Table 1 Design Decisions Required for the Project


All alternatives for a specific design decision were systematically reviewed to identify the impact on installation safety. Table 2 shows the alternative locations for the test separator considered for Decision Number 1 (see Table 1).

In this paper, Decision Number 1 has been used to illustrate the application and structured method of documentation of inherent safety principles on a design decision and is an example of this paper’s methodology. Note: this decision was restricted to FPSO and WHP; other decisions were more open and required the generation of alternatives by the relevant department, e.g. the selection of the appropriate type of heaters for the test separator would require input from the mechanical department. Fig. 3 shows the two design alternatives that have been assessed. At this stage all the considered alternatives are documented.

Table 2 Design Decisions Required for the Project


Figure 3 – Alternate Process Flow Schemes Required for Locating Test Separator at WHP or FPSO

Analysis and Evaluation

An analysis and evaluation of the various alternatives was undertaken to determine their impact on safety performance.

At the concept optimisation phase, due to limited data, quantified assessment of risks is not always possible and therefore a qualitative assessment was undertaken. Hazard identification guidewords similar to those used in certain operator and international standards can be used to prompt discussion.

A qualitative implementation of inherent safety principles was used as the primary driver to demonstrate ALARP. Table 3 utilises the framework highlighted in Figure 1 (A Systematic Approach to Loss Prevention) and follows the principles set out by (Mansfield, D., Poulter, L., 1996). It is used to systematically assess and document all design decisions made at the concept stage. The assessment takes a hierarchical approach, with more weighting given to assessments nearer the top of the table. The analysis can take the form of a series of discussions between disciplines or a workshop guided by the safety discipline. All relevant departments should state their preferred choice according to their concerns, e.g. production issues, weight issues, fabrication issues etc. Areas where preferences differ lead to further, more detailed analysis.

Table 3 Analysis of Design Decisions


Review and Judgement

The Inherent Safety Design Review was used to determine whether the considered design options are ALARP. All justifications for the design decisions were summarised (see Table 4) and presented to the operators and project managers to make a final decision on the selected design’s ALARP status. The justifications were subsequently used within the design notification.

Table 4 – Summarised Inherent Safety Review Assessment



Inherent safety principles should be applied throughout the project lifecycle. The principles are most effective at the early stages of the design process and are likely to result in a safer overall design. The methodology illustrated in this paper enables duty holders to apply and document the identification, control and management of risks at the early stages of designing an offshore facility. This leaves an auditable trail for regulators.

Involving all relevant disciplines in the process ensured that all significant factors were considered. This resulted in a robust ALARP argument to both the stakeholders and the regulators.

The well documented findings from the inherent safety review were used as input into the ALARP register and aided in demonstrating that the duty holder has the ability and means to control major accident risks. The methodology also satisfied the need to describe how the preferred design was chosen with consideration of ALARP, as required for a UK HSE design notification.


Aven, A., Vinnem, J.E., 2010. Risk Management – With Application from the Offshore Petroleum Industry. Springer-Verlag London Limited, London.

Centre for Chemical Process Safety, 2009. Inherently Safer Practices – A Lifecycle Approach. Centre for Chemical Process Safety of the American Institute of Chemical Engineers and John Wiley and Sons Inc., New Jersey.

Cullen, The Honourable Lord, 1990. The Public Inquiry into the Piper Alpha Disaster. Her Majesty’s Stationery Office, London.

Kletz, T., Amyotte, P, 2010. Process Plants – A Handbook for Inherently Safer Design. Taylor and Francis Group LLC, United States of America.

Mansfield, D., Poulter, L., 1996. Health and Safety Executive – Offshore Technology Report – Improving Inherent Safety – OTH 96 521. Her Majesty’s Stationery Office, London.

United Kingdom Health and Safety Executive, 2006. A Guide to the Offshore Installations (Safety Case) Regulations 2005. Stationery Office publications, Norwich.

United Kingdom Health and Safety Executive, 2013. ALARP at a Glance.
