Login
Andrew Taylor of SHEilds talks us through procedures for minimising risk, from the original conception and design of an installation, through to maintaining safety once a site is operational.
Legal context
Offshore Installations (Safety Case) Regulations require, among other matters, a demonstration by duty holders that:
• All hazards with the potential to cause a major accident have been identified
• All major accident risks have been evaluated
• Measures have been, or will be taken to control the major accident risks to ensure compliance with the relevant statutory provisions, e.g. a compliance demonstration
Many of the requirements within the relevant statutory provisions are qualified by phrases such as ‘so far as it is reasonably practicable’ (SFAIRP), ‘as low as reasonably practical’ (ALARP) or even ‘appropriate with a view to’. Where legal duties use these qualifying phrases, they call for similar tests to be applied. Wherever such wording is used this means a duty holder has to show, through reasoned and supported arguments, that there is nothing else that could reasonably be done to reduce risks further.
The risk assessment methodology applied should be efficient, cost effective and of sufficient detail to enable the ranking of risks in order, for subsequent consideration of risk reduction. The rigour of assessment should be proportionate to the complexity of the problem and the magnitude of risk.
It is expected that assessment would progress through the following stages?to provide an appropriate demonstration:
• Qualitative (Q), in which frequency and severity are determined purely qualitatively
• Semi-quantitative (SQ), in which frequency and severity are approximately quantified within ranges
• Quantified risk assessment (QRA), in which full quantification occurs
These approaches to risk assessment reflect a range of detail of assessment from Q (lowest) to full QRA (highest).
The choice of approach should take into account the following dimensions:
• The level of estimated risk and its proximity to the limits of tolerability
• The complexity of the problem and/or difficulty in answering the question of whether more needs to be done to reduce the risk
Proportionate risk assessment
In the risk dimension, the level of risk assessment used should be proportionate to the magnitude of risk. However, this may be modified according to the complexity of the decision that risk assessment is being used to inform. For example, it may occasionally be possible to use qualitative risk assessment in extremely high risk situations, where it is obvious that the risk is so high that risk reduction is essential. Great care must also be taken when attempting to justify something that is a significant deviation from existing codes, standards or good practice.
One approach to deciding the appropriate level of detail would be to start with a qualitative approach and to elect for more detail whenever it becomes apparent that the current level is unable to offer:
• The required understandingof the risks
• Discrimination between the risks of different events
• Assistance in deciding whether more needs to be done (making compliance judgements)
Before looking at risk mitigation during the process element of the hydrocarbon cycle, it is important to identify the hazards to a specific location.
HAZOP’s (Hazardous Operability and Study), HAZAN’s (Hazard Analysis) and HAZID’s (Hazard Identification) are used for this purpose.
HAZAN – Quantitative data based on past experience are the most important means of identifying hazards and assessing potential frequency. Audits conducted by experienced assessors, who consider past experience, near misses and procedures for dealing with emergencies and abnormal events, will identify hazards effectively and produce a useful future record.
Checklists can also be useful but can result in limiting enquiries unless open questions are used such as ‘how is the system protected against’ rather than ‘is the system protected against’.
HAZOP – Is a structured technique, which may be applied typically to a hydrocarbon production process, identifying hazards resulting from potential malfunctions in the process. It is essentially a qualitative process.
A HAZOP study would typically be undertaken by a multi-disciplinary team involving engineers, production mangers, designers and safety specialists, asking a series of ‘what if’ questions, using guide words. Identification of hazards may often spark ideas about potential risk reduction and these should be captured. Similarly, the risk estimation can help identify possible additional risk measures because it entails a thought process about the way in which the hazard scenarios would unfold, and about the interaction with elements such as the physical layout of the installation. It can be particularly helpful to consider which stage(s) of the scenario dominates its risk, e.g. whether fatalities would be immediate, due to escalation or during escape, evacuation and rescue (EER).
The ranking of risks prioritises them for systematic consideration. A risk reduction measures study is best carried out by a multi-disciplinary brainstorming team with adequate experience, knowledge and qualifications. It will take each risk in turn and identify potential risk reduction measures, including any identified during the risk assessment, but also seeking to extend this by further brainstorming. Ideally, this should be done by personnel from the duty holder who have extensive knowledge of the installation and its operation.
Measures to manage major accident hazards
There is a hierarchical approach to managing major accident hazards which includes:
• Elimination and minimisation of hazards by design – inherently safer design
• Prevention – reduction of likelihood
• Detection – transmission of information to control point
• Control – limitation of scale, intensity and duration
• Mitigation of consequences – protection from effects
• Has the highest priority been given to inherently safer design and measures to prevent and control major accident hazards?
In the design process
• Is due consideration given to inherent safety?
• Are fire and explosion risks addressed?
• Are such risks reduced ALARP through sound engineering design (primarily) and management controls?
• For existing installations, does the Safety Case address the scope for improving inherent safety and the measures to prevent and control major hazards??
Plant design safety considerations
Process safety should be considered during all phases of plant design. During the design process, the operations and maintenance departments contribute to process safety by informing the designers of the potential hazards that may be encountered during manufacturing.
The design and engineering groups need to understand how the plant will be operated and maintained. When the knowledge and experience of the manufacturing personnel are integrated into the design, the resulting plant will not only be safer, but also easier and more efficient to operate and maintain.
Designer’s obligations
• Design in safety features – containment, blast zones, fire protection
• Design out hazards and high risk situations – risk based design concept
• Plant design – safety considerations
• Design – human engineering
• Design – maintenance
• Modifications, demolition, upgrade, expansion
Plant design can be divided into three phases Phase I – Conceptual Engineering: involves the technical and economic evaluation of a project’s feasibility, including the process chemistry, process hazards, flow schematics, the fundamental design basis for the equipment, instruments and controls, and safety systems.
Phase II – Basic Engineering: involves process simulation calculations (mass and energy balances) and process flow design, concluding with preliminary piping and instrumentation diagrams (P&IDs), and equipment data sheets issued for design.
Phase III – Detail Design: involves vessel thickness calculations, heat exchanger rating, final P&IDs, line sizing and piping design, and isometric drawings, concluding with specifications and drawings issued for construction.
Not all projects will require all three design phases. For example, a new process will begin with Design Phase I and continue through Phase III. The design for a processing project would typically start with Phase II and continue through Phase III. A small project such as the relocation of equipment may require only
Phase III design. In all cases, the operations and maintenance departments should convey their process safety concerns to the project team as early in the project as possible.
Permit to Work
A Permit to Work is a formal documented system to provide additional safeguards in high risk situations.
A competent person, appointed in writing on behalf of the company/contractor can issue a Permit to Work.
A competent employee or a nominated competent employee of a contractor can receive a Permit to Work.
A permit issuer cannot be the receiver of a Permit to Work
Protocol
• Determine if a Permit to Work is required by Risk Assessment
• Competent person requests a Permit to Work from permit issuer
• Brief those involved on the requirements/restrictions of the Permit to Work
• Adhere to the Safe Systems of Work described on the Permit to Work
• On task completion or time expiry, return Permit to Work to permit issuer
• Nominated permit issuer ensures Permit to Work is required
• Issuer checks that a Permit to Work can be issued
• When Safe Systems of Work are established, permit issuer issues permit to competent receiver
• Permit to Work procedures are followed for recording issue, details of Permit to Work, location and unique reference number, for example
Control of ignition sources
There are many potential ignition sources in a refinery or a petrochemical plant, including hot work, stationary, mobile and vehicular internal combustion engines, as well as improperly maintained lighting or electrical equipment.
These are typically controlled via measures such as traffic control, hot work permits for welding and burning, vehicle entry permit requirements to operate diesel engines in the posted areas, proper maintenance of electrical equipment and programmes to prevent and detect the release of flammable materials.
These measures are a good first step; however, due to human involvement at each step, complex processes do not ensure a safe environment. In the case of hydrocarbon release, a running diesel engine will be the first one to consume large amounts of hydrocarbon vapours, quickly enter runway condition and become a dangerous ignition source.
Purging
Purging or inerting is done when a vessel containing hydrocarbons must be made safe. Alberta Workplace Health and Safety defines the terms as follows:
Purging – displacing or flushing out hydrocarbons by introducing substances such as an inert gas, steam, water or air.
Inerting – completely displacing or diluting the hydrocarbons in the vessel, tank or piping system with an inert (non-flammable and non-reactive) gas such as nitrogen or carbon dioxide, or a compatible inert liquid such as water.
Comparision: procedures and guidelines
A comparison of procedures and guidelines from a number of different upstream oil and gas companies revealed the following similarities:
• All companies considered began by isolating the system to be purged, and monitoring for hazardous areas
• All suggested purging at a slow speed to avoid mixing the hydrocarbon and the purge gas. For purging with light mediums, a volume 2.5 times the containment vessel was to be used, injected from the top down. For purging with heavy mediums a volume of 1.5 times the containment volume was to be used, introduced from the bottom up
Although there were discrepancies between purging pressures, all indicated that the pressure should be kept low. The most common pressure applied was atmospheric pressure.
Safe atmospheric levels after purging
The main difference between the guidelines reviewed was the atmospheric levels used to signal that it was safe to stop purging. Some companies based this decision on what medium was used, and whether it was heavier or lighter than the hydrocarbon being purged. Most companies based the decision on the oxygen, LEL, or H2S levels in the vessel.
An enclosed or partially enclosed space having restricted access and egress and which, due to its design, construction, location, atmosphere, the materials or substances in it or other conditions, is or may become hazardous to a worker entering it or does not have an easy means of escape for or rescue of a worker entering it.
Before entering the confined space companies advised that:
• Atmospheric testing must show safe levels
• Equipment must be properly grounded and bonded
• Workers entering must be equipped with proper PPE
• A standby must be stationed at the entrance, remain in continuous communication with the worker inside, and be prepared to initiate emergency procedures
Hazards due to flammable atmospheres
Mixtures of flammable substances with air and ignition sources are two of the principal hazards associated with the operation of vent collection systems.
Risks to safety are created when these hazards are not kept apart. This can occur within the vent system and in the upstream or downstream equipment connected to it. A fundamental principle of the appropriate design and operation of a suitable vent collection system should be that flammable mixtures and sufficiently energetic sources of ignition are not allowed to be present together.
When assessing fire and explosion hazards you should consider the venting arrangements as part of a fully integrated system in conjunction with the upstream and downstream plants and processes, and not in isolation.
The basis of the safe operation of the vent system relies heavily on preventing the requirements for combustion – fuel, oxygen and ignition source – from occurring together at inappropriate times or places within the equipment.
A sound understanding of the principles of combustion will help you to assess the risks associated with the operation of vent systems and the associated plant. The important features of the three essentials for fire to occur and the different forms it can take are discussed below.
Chemicals with flashpoints below 55°C are among those classes of materials called dangerous substances under The Dangerous Substances and ExplosiveAtmospheres Regulations 2002 (DSEAR).
These regulations describe the legal requirements associated with the storage and use of dangerous substances. Substances with a flashpoint below 21°C are more hazardous and these are classified as highly flammable. The lower the flashpoint of a substance the more hazardous it is likely to be. Chemicals with a flashpoint lower than the ambient temperature are more likely to produce a flammable vapour when released or spilled than those with a flashpoint higher than the ambient temperature.
Not all possible mixtures of a flammable substance with air will ignite or explode. The lowest concentration that will ignite is called its lower explosion limit (LEL); the highest concentration is the upper explosion limit (UEL). The range of concentrations between the LEL and the UEL that will ignite and burn is called the flammable range and this varies greatly between different flammable substances. Some have very narrow ranges while others have wide ranges.
Explosion
The ignition of a fuel/air mixture in a confined space, such as inside a vent or duct, is very different to when a fuel burns in the open air. When a flammable mixture contained within a duct is ignited, combustion takes place rapidly and the pressure rises sharply. We would say that an explosion had occurred.
Explosions can be grouped into two main categories: deflagrations and detonations. The more common of these is deflagrations. Here the flame moves through the flammable mixture at less than the speed of sound. A deflagration is the more common result when a flammable mixture ignites inside a duct. The pressure produced inside the vent system can be up to 10 times greater than the pressure before ignition.
Detonations are much less likely to occur but the consequences can be more severe. In this type of explosion the flame travels through the flammable mixture at supersonic speed. The pressure produced by a detonation can be several times greater than that produced by a deflagration.
Most explosions in vent systems start as deflagrations and remain as such. In some cases, however, the deflagration may develop into a detonation as the flame travels along the duct. This is known as deflagration to detonation transition.
It results from the flame accelerating as it travels through the flammable mixture. If the rate of acceleration is sufficient the speed of the flame will become supersonic and the deflagration will become a detonation. Bends, changes in diameter, obstacles in the duct, for example, will all increase turbulence and cause the flame to accelerate more quickly, increasing the likelihood of deflagration to detonation transition.
The acceleration of the flame front during deflagration to detonation transition can produce very high peak pressures indeed – up to 100 times the initial pressure.
Explosion mitigation
Risk is the product of the likelihood and the consequences of an unwanted event. The likelihood of a sufficiently energetic ignition source occurring within the vent system can be minimised but it cannot be assumed to be zero. Consequently, even the transitory presence of a flammable atmosphere inside the system will give rise to a significant risk from fire and explosion.
The consequences of a deflagration or detonation can be very severe, resulting in catastrophic rupture of equipment and possible domino effects. For these reasons it may be difficult to design and operate a vent system that handles particularly hazardous streams that has a sufficiently low frequency of explosion to result in an acceptable risk.
In these situations some form of explosion prevention, suppression, protection or mitigation measures will be necessary to achieve an acceptable risk. ?
Author
Andrew Taylor is currently a Chartered Safety Practitioner working with SHEilds Ltd as a support tutor on the NEBOSH National Diploma Course. He has extensive experience in Health, Safety and Environmental Management, most recently in consultancy and construction environments.
The new NEBOSH International Technical Certificate in Oil and Gas Operational Safety has been written by SHEilds in association with leading oil and gas companies. It is designed for those working in or intending to have a career in the oil and gas sector.
The course is available for both class based tuition and via e-Learing. The benefit of the e-Learning programme is that participants can fit study requirements around work and home commitments.
Both forms of study are available to participants on an international basis and at competitive prices. For more information visit the SHEilds’ website at www.sheilds.org
www.osedirectory.com/health-and-safety.php
Published: 01st Aug 2011 in Health and Safety Middle East
