Fire Safety Journal, 13 (1988) 125 - 136
Decisions on Risk

F. S. ASHMORE
Safety and Fire Consultants, 47 Lower Teddington Road, Hampton Wick, Kingston, Surrey KT1 4HQ (U.K.)

Y. SHAMA
Bechtel Limited, 245 Hammersmith Road, Hammersmith, London W6 8DP (U.K.)

(Received February 24, 1987; in revised form September 3, 1987)
SUMMARY
This paper describes some of the methods used to resolve decisions affecting plant safety in design. Traditional approaches such as codes and standards leave gaps. An alternative approach is to define safety goals for an overall design in terms of the effects of potential incidents and their estimated probability. An example is taken from recent design work. A retrospective analysis was carried out of the potential effects and probability of a fire involving the separation train designed for a floating oil-processing unit. It showed that previous design decisions had been satisfactory but that minor engineering changes would greatly reduce the risk. The design decisions during the project involved significant discussion and could have been accelerated using the techniques which are discussed.

1. INTRODUCTION

This paper discusses the use of rapid ranking techniques to help make decisions on risk in engineering design work. The rapid ranking technique is a powerful tool for the practising engineer and risk analyst, with potential for improving the accuracy and speed of decisions. It is particularly useful for decisions involving fire systems. This is because fire codes do not generally specify where fixed fire protection systems are required. Codes specify the engineering of systems which are to be installed, but the decision on whether to install or not is usually a matter of judgement on what risks are acceptable. Other risk-related decisions will also arise, and can be made easier by using the rapid ranking technique. Risks may be associated with potential for explosion, toxic releases, transport incidents, lifting operations, design of pressure plant and many other aspects of engineering design. The example which is discussed in this paper involves engineering design of relief systems for a series of separator vessels and the way in which the risk of a failure and ensuing major fire can be reduced to an acceptable level.

0379-7112/88/$3.50
2. APPROACHES TO DECISIONS
How do we gauge whether a risk is acceptable or not? There are three main ways:
• codes and standards, plus judgement;
• precedent and authority;
• risk criteria.

Codes and standards are preferred by engineers. They give a blend of accepted practice and engineering science, and are a summary of precedent and authority. Their advantage is that the engineer can define his source and know that it is generally accepted. There is always the element of judgement to be applied in using codes, but this is what engineers are trained to do and they feel comfortable doing it. Even when engineers disagree over interpretation, they can see the issues clearly. Most codes contain decisions on risk, either explicitly or implicitly, and this does help avoid conflicts. For example, the standards for sprinkler fire protection say that certain fire risks can be adequately handled by a given engineering system. Once a manager decides he wants to protect the risk, the engineer's decisions are reduced to those of design.

© Elsevier Sequoia/Printed in The Netherlands
The second approach is used where there are no standards available or where they do not cover the decision on risk. A good example is the absence of seat belts on coaches. They might save injuries or lives, but there is no code or standard which would be relevant. The experience of coach operators tells them that the risks are not severe enough to call for this safety feature and it is not provided. Authorities are persuaded by the observations of the operators and the precedent of non-provision is followed throughout the industry.

The third approach is to use risk criteria as an alternative to precedent and authority. It is particularly useful where there is no body of experience with a given combination of design features, but there is scope for assessing the causes and consequences of accidents. It is usual to define such criteria in terms of severity and probability. The best example in current use is probably the Norwegian Petroleum Directorate's "Guidelines for Conceptual Safety Evaluation" [1]. This contains a requirement that the estimated probability of a major occurrence is less than 10^-4 per year. The severity is not defined very closely, but a workable definition is provided by describing the types of incidents (fire, blow-out, explosion, abnormally severe weather, etc.).

A good set of risk criteria is a great help to the engineer and designer. They define a target for risk, which is not a matter which an engineer should be asked to judge. It is an objective to be set by managers and politicians.
Someone must decide the safety goals of an organization or of a project, and a different person is usually responsible for implementing the objectives. This point lies at the heart of many arguments about safety. Often design arguments between engineers really turn on whether a design is safe enough or not; if the meaning of 'safe enough' is clearly defined beforehand, the argument becomes one of methods.

Let us imagine that an engineer is charged with designing a plant to treat effluent. His design objective is to treat say 10 million gallons per year of effluent to a stated standard of BOD and particulates. They will allow the engineer to assess likely costs, size of plant, etc. But how safe should this plant be?
-- If you tell him to make that plant as safe as is reasonably practicable, he will have to return for further decisions and approvals for his design, because he has not been given usable targets.
-- If you tell him that the plant must be in accordance with all legal and statutory requirements and conform to codes and standards, he will once again have to come back for decisions at some stage or other. These sources will not cover all the various decisions on risk.
-- If you tell him that the plant must be designed so that there are no potential losses by fire greater than £10 000 000 which could occur with a chance greater than 10^-5 per year, he can do this.

So far we have seen three possible ways of describing acceptable risks:
• reasonably practicable;
• in accordance with codes and standards;
• probability and severity.

The most usual situation we encounter is a mix of the first two. These ideas are familiar. It would help safety specialists if we acquired the habit of setting risk criteria in terms of probability and severity as part of a job description.

3. SETTING GOALS BY EFFECTS

Most of the working codes are couched in terms of incidents -- fire, explosions, release or whatever. But any of us will say that more effort is needed towards controlling a fire which could cause £10 000 000 of loss than for a fire with a potential £100 000 loss, even if the actual design standards used are the same in each case. We are interested in the effects when we decide what needs to be done. So what other effects might be of interest to the people who will set safety goals? The short list will certainly include property damage, business operations, personnel injury, and environmental impact. In addition, it appears sensible for an organization to think about media reaction.
We need to think about the way in which the effects of an incident are to be described, and it is necessary when doing this to consider both the effects inside a site and the effects outside. The list of effects and method of description are shown in Table 1.

TABLE 1
Parameters to define effects of accidental events

Type of effect            Describe effects in terms of
Property damage
  -- plant                £ or % of reinstatement value
  -- site                 £ or % of reinstatement value
Business operations
  -- plant                Interruption time, % shortfall
  -- site                 Interruption time, % shortfall
  -- offsite              Interruption time, % shortfall
Employee                  Death or injury (% industry rates for fatality or lost time)
Public
  -- people               Death or injury
  -- property             £ or % of reinstatement value
Environment
  -- soil                 Costs of incineration or disposal
                          Loss of agricultural or other use
  -- air                  Extent and duration of releases which exceed toxic or other limit
                          Nuisance effect and corrosion effects both inside and outside plant boundaries
  -- water                Extent and duration of contamination of potable aquifers
                          Extent and duration of toxic effects leading to death of water life
Media reaction            National or local attention, duration

4. PROBABILITY AND SEVERITY

As well as the severity of effects which might arise from an accident, it is usual to consider probability of the incident occurring. An event with a probability of 10^-6 of occurring in any year is obviously going to cause us less concern than one which has a probability of 10^-2. How severe an incident could we live with at any given probability level? What we want is a set of guide values. This concept is discussed in refs. 2 and 3 as part of the technique of rapid ranking.

What is the nature of a guide value? First of all, it is not a definition of an acceptable risk for the public and for personnel. That is something which only the person exposed to the risk can decide. However, although we do our utmost to avoid accidents we recognize that they may occur; we believe that the public perception of risk is such that they would agree that these guide values do not exceed the level of risk which they are exposed to from other sources. Some risks affect an organization rather than individuals or the public; for example, loss of production or physical damage to a plant. Here the guide values may be considered to describe acceptable risk. The organization's managers can legitimately say that they consider probability and severity combinations acceptable for the organization. A further discussion of acceptability criteria and their application to decision-making is contained in ref. 4.
It is convenient to define different guide values to be applied at different levels of impact, that is to say for unit, site and offsite. A full matrix of effects and guide values for probability/severity of plant-related accidents is shown in Table 2. An example of a completed matrix is given in Table 3. This was used for a rapid ranking exercise in a study for a corn wet-milling plant. The study established which of the various risks identified for the various units were potentially catastrophic and which were less severe and therefore rated less high priority for attention. The matrix does not cover all the possible effects which are shown above, and is somewhat loose in defining the environmental effects. However, it proved of very great value in guiding a difficult exercise.
TABLE 2
Guide values for acceptable probability/severity

Effect                  Level     Probability
                                  10^-4/yr   10^-3/yr   10^-2/yr   10^-1/yr   10^0/yr
Property damage         Plant
                        Site
Business operations     Plant
                        Site
                        Offsite
Employee injury         Onsite
Public -- people        Offsite
       -- property      Offsite
Environment -- soil     Onsite
                        Offsite
            -- air      Onsite
                        Offsite
            -- water    Onsite
                        Offsite
Media reaction          Offsite

The Table contains a set of guide values against each type of effect and probability level. Environmental effects may require a separate listing because of their variety.

TABLE 3
Example of a table of guide values

Effect                Level    10^-4/yr          10^-3/yr           10^-2/yr                       10^-1/yr              10^0/yr
Property damage       Plant    100%              £10MM              £1MM                           £100K                 £10K
                      Site     £100MM            £20MM              £2MM                           £200K                 £20K
Business operations   Plant    100%, 2 yrs       100%, 2 yrs        100%, 1 yr                     100%, 1 mth           100%, 1 wk
                      Site     100%, 1 yr        100%, 1 mth        100%, 1 wk                     100%, 4 days          100%, any
Employee injury       Onsite   Multiple deaths   Death              0.1 death, multiple injuries   Hospital treatment    First aid
Public -- people      Offsite  Death             Severe injuries    Hospital                       First aid             None
       -- property    Offsite  Severe, wide      Severe, local      Slight                         Any                   None
Environment -- air             Major release     Widespread effect  Nuisance, severe               Nuisance, temporary   Complaint
            -- water           Major effect      Extensive effect   Nuisance, severe               Nuisance, temporary   Complaint
            -- soil            Major effect      Extensive effect   Nuisance, severe               Nuisance, temporary   Complaint
Media reaction                 National, strong  National, brief    Local, strong                  Local, brief          None

5. CASE STUDY

Why go to the trouble of defining a complex matrix? The main reason outlined earlier is to simplify difficult design decisions involving risks. We can give an example from a recent design for a floating oil production vessel with a series of four separators. Any major leakage would lead to a risk of a major fire. It should be noted that the risk criteria approach was not used on this project. The decisions on risk were taken in the usual way, that is to say by a series of discussions which eventually converged on a solution which was considered by all parties to give a satisfactory level of safety. The procedure was time-consuming for a number of senior staff.
5.1. Description of system

The vessel concerned was designed to process wellstreams of a waxy crude oil. Flowing pressure of the streams at design conditions was 65 barg and shut-in pressure was 220 barg. To allow isolation and cleaning/maintenance of the separator vessels, without needing to shut in the wells, with all the attendant difficulties from solidification in the flowlines, the operating company wanted a facility to bypass each separator. Each of the separators was therefore designed to be used, apart from its normal duty, as back-up vessel for the bypassed stage of separation and thus allow production to continue at a normal level.

Figure 1 shows the arrangement of the crude oil stabilization train. The wellstream enters the high high pressure (HHP) separator (V-1) where gas/liquid phase separation occurs at 62 barg. The oil/water liquid phase then cascades to two further stages of separation, high (V-2) and low (V-3) pressure at 14 barg and 2.7 barg, respectively. The oil/water leaving the low pressure (LP) separator is heated prior to entering the low low pressure degassing stage (V-4) operating at just above atmospheric pressure. The liquid stream from the low low pressure (LLP) separator enters an atmospheric pressure dehydration system. The bypasses finally engineered are shown in Fig. 1. The various bypasses around V-3 are to allow the oil/water phase to be heated prior to final degassing in V-3 when V-4 is out of service. Table 4 shows the various operating pressures of the separators when each separator is being bypassed.

The unusual requirement for bypasses around the separators posed question marks over the relief rate approach to be applied to the downstream separators and to the downstream atmospheric dehydration tanks. Additionally, the pressure rating of the piping between the separators, not protected by pressure safety valves, may have been required to satisfy full wellhead shut-in pressure depending upon the scheme used. The installation of bypasses with a single valve could, under various scenarios of valve positions, subject the LP and LLP separators to full wellstream flow and pressure unless these vessels were suitably protected. A decision was made to devise a scheme to prevent the wellstream flow reaching these separators rather than relieve the flow, should it reach the separator. The tubeside of the crude heater, E-1, is designed to 60 barg for full protection by the relief valves on V-1 or V-2 when V-3 or V-4 is being bypassed. The governing relief rate philosophy applied was as shown in Table 5. The schemes considered for bypassing the separators were as shown in Fig. 2 and are described below.

TABLE 4
Vessel operating pressures under bypass conditions (see Fig. 1)

               Normal       HHP on      HP on       LP on       LLP on      Design/relief
               operating    bypass      bypass      bypass      bypass      (barg)
               (barg)       (barg)      (barg)      (barg)      (barg)
HHP pressure   62           -           62          62          62          69
HP pressure    14           62          -           8           8           69
LP pressure    2.7          2.7         2.7         -           0.03        4.4
LLP pressure   0.03         0.03        0.03        0.03        -           3.5

TABLE 5
Upset conditions for vessel relief valves

Vessel              Upset condition
HHP separator       Full wellstream flow
HP separator        Full wellstream flow
LP separator        Upstream control valve failure
LLP separator       Blocked outlet
Dehydration tank    Fire

Scheme 1 -- Spool piece

The key feature of this scheme is that it completely avoids more than one bypass being open at any one time. Each bypass is designed to accommodate an identical spool piece, but only one spool piece is provided. It will be noted that the bypass arrangement around V-3 did not reach the full development stage of the other schemes. Piping pressure ratings for this scheme are the same as
[Fig. 1: process diagram, not reproduced. Recoverable from the figure: flange ratings 1500, 600 and 150 (lb); legend LO = lock-open, LC = lock-closed; note "Only one vessel to be bypassed at any one time"; items shown include V-1 HHP separator, V-2 HP separator, V-3 LP separator, V-4 LLP separator, E-1 crude heater, ESDV, flare, crude oil dehydration tank, produced water to treatment, and the V-2, V-3 and V-4 bypasses with their design and normal operating pressures (barg).]
Fig. 1. Crude oil stabilization train.
[Fig. 2: bypass scheme diagrams, not reproduced. Panel titles recoverable: Scheme 2, Scheme 2A; legend LO = lock-open, LC = lock-closed, interlock closed; flange ratings 1500, 600 and 150 (lb); items shown include the V-1 to V-4 bypasses, E-1, ESDV and the crude oil dehydration tank.]
Fig. 2. Bypass schemes.
those for Scheme 3 and are the lowest ratings that can be applied for a bypass scheme. This proposal was discarded at the Hazard and Operability (HAZOP) Review on the basis that it would be time-consuming and impractical to install and remove the spool piece. The client stated that the separator may require to be taken out of service for short periods at frequent intervals for instrument maintenance and wax removal. The HAZOP team specified that hard piped bypasses with suitable protection should be installed.

Scheme 2 -- Single valve bypass

This is the most basic bypass scheme. It can be seen without applying a risk-criteria approach that there is a possibility of lining up the valves such that full wellhead flow and pressure can reach the dehydration tank. Accordingly, full flow relief would be required on all the separators, the dehydration tank and the crude heater. The crude heater could alternatively be designed to full wellhead pressure. Piping up to the dehydration tank requires to be to 1500 lb rating.

Scheme 2A -- Single valve bypass with interlocking

This scheme is similar to Scheme 2 except that a valve interlocking system will prevent more than one bypass being open. As with Scheme 2, piping up to the dehydration tank requires to be to 1500 lb rating because of the possibility of pressuring via valve leakage. Additionally, the crude heater requires pressure protection.

Scheme 3 -- Double block and bleed arrangement

This scheme is similar in principle to Scheme 1 in that it reduces the likelihood of full wellhead pressure reaching the LP and LLP separators.

5.2. Risk criteria analysis

Table 6 is a representation of the acceptability of more than one bypass being open simultaneously. The acceptability (A) or otherwise is based on the predetermined controlling flow relief philosophy described above.
Non-acceptability (NA) means that the system is not designed to accept the possible rise in pressure resulting from the opening of the specified valves and accordingly the consequences may be severe.

TABLE 6
Acceptability of combinations* of open bypass valves

Two bypasses       HHP bypass   HP bypass   LP bypass   LLP bypass
simultaneously
HHP bypass         --
HP bypass          A            --
LP bypass          A            NA          --
LLP bypass         A            A           NA          --

*Three bypasses simultaneously: all combinations of three bypasses being open simultaneously are not acceptable. Four bypasses simultaneously: this combination is not acceptable. It would require a design which could relieve the full wellstream flow to the atmospheric vent via the dehydration tank. None of the schemes cater for this relief rate.

5.3. Guide values applied

For the purposes of this paper we have used the simplified set of guide values shown in Table 7. These guide values, we must at once point out, are not provided by or endorsed by the operating company. As engineers, we consider that they are reasonable. If the project had started with a full set of risk criteria, the Table would have included other potential effects including those on soil and air, public damage and media reaction. We have not defined them for this exercise since the consequence assessments showed negligible effects of these types from incidents involving the separators. We note that the facility was designed for offshore service in an area where public risk would not be a major factor, and where the media would be under restraint.

TABLE 7
Suggested guide values for risk assessment example

Effect                           Probability
                                 10^-4/yr         10^-3/yr    10^-2/yr            10^-1/yr        10^0/yr
Property damage                  100%             $100MM      $10MM               $1MM            $100K
Loss of production operations    2 years          26 weeks    8 weeks             2 weeks         1 week
Employee injury                  Death            0.1 death   Multiple injuries   Severe injury   Lost time
Environmental damage to ocean*
  (accidental spill size)        100% inventory   1 tank      1000 t              100 t           10 t

*Air/soil not considered.

5.4. Consequence assessment

The consequences of rupturing one of the LP or LLP separators would be fairly similar. An initial release of up to 10 tonnes of waxy crude would result and there would be an attendant release of associated vapour. We would anticipate immediate ignition of the released gas due to mechanically generated sparks and hot fragments, leading to ignition of the crude. A further consequence of the incident would be severe damage to pipework around the vessels, including deluge water spray pipework. It is considered that there would be no effective response by automatic firefighting systems; indeed, it is likely that they would actually complicate matters because of the very large amounts of water which would be released from the broken pipework once the automatic-starting fire pumps came on line. Fixed fire protection equipment is considered to be ineffective for the purposes of assessing the consequences of the postulated incident. The separator train Emergency ShutDown (ESD) system would react rapidly and block in the ESD valves upstream and downstream and either manual or automatic response would introduce a shutdown of the flowlines from the wells. The separators are arranged in stacked pairs, and as can be seen from the diagrams they have ESD isolation for the whole train, as required by the client, rather than for individual vessels. Residual vapour pressure in the vessels and the effects of gravity would tend to allow liquids from upstream separators to add to the total volume released from the LP or LLP separator. It is possible that the entire inventory of the separator train would be available to fuel the fire. A rupture of the atmospheric dehydration tank would also lead to a severe and rapidly developing fire. Exact assessment of the size of such a fire is difficult, but with several tonnes of crude oil to fuel it the incident can be taken as major. We assume that the dimensions of the pool of burning oil would be well over ten metres square and that all the separator vessels would be engulfed at an early stage. They would be exposed to the direct effects
of a hydrocarbon fire, with time-temperature curves similar to those used for simulating hydrocarbon fires [5]. Manual firefighters would therefore face a well-developed fire by the time that they had mustered teams, reached the scene of the incident (this vessel is some 235 m long and the accommodation and control area is about 90 m from the process area) and started to take firefighting action using fixed monitors and hand hose-lines with foam. The effectiveness of the firefighting action would depend very much on the training standard of the teams and on the prevailing weather conditions at the time of the incident. Shortage of water would not be expected to be a problem, because of the generous capacity of the fire pumps. It is considered that the fire would lead to an effective total loss of the separator train and its instrumentation. Any pressure equipment which was not obviously affected would necessarily have to be recertified as fit for service. Since this is an offshore facility, the alternatives would be to tow the whole vessel to a dock with suitable facilities or to remove the vessels and ship them away for retesting. Either procedure would be extremely time-consuming. The view of specialist vessel engineers was that it would be easier, quicker and probably cheaper to fabricate new vessels. The cost of replacing the equipment is estimated at $7 000 000, and it is estimated that it would take at least three months to produce separator vessels and instrumentation using the original design and specification documentation. A further month would be needed to commission the whole system. If damage extended beyond the immediate area of the separator train, which could well be the case, replacement would take even longer. The interruption of production would therefore amount to:

107 m³/h × 24 h/day × 120 days = 308 000 m³

which is about 1 940 000 barrels of waxy crude. At an assumed price of $15/barrel, the loss of revenue would be:

1 940 000 × $15 = $30 000 000

The question of personnel injury is more difficult. The probability assessment gives negligible probabilities for mechanical failures which would lead to the type of incident which is envisaged, but concludes that the most likely cause by far is maloperation of one of the bypass trains during shutdown of one of the vessels. Since the mishap would take place before maintenance staff were actually working in the area, it is our view that at most two or three people would be exposed to the direct effects of the incident. We assess chances of their suffering severe injury or death as being high.

5.5. Probability assessment

5.5.1. Failure modes

We evaluated the possible ways in which a mechanical failure in the bypass equipment could lead to development of full flow unintentionally, and concluded that with the use of ball valves this probability was insignificant. Leakage could occur leading to overpressure of the system, but would not endanger vessels provided with relief valves. The other type of event is human error. This could be during maintenance or in the course of operations. The only maintenance errors which could lead to full flow through a bypass are misassembly of a valve during maintenance or replacement. The design of these valves will be such that assembly in other than the correct orientation is impossible, and we do not perceive other errors which could lead to development of major hazard conditions (but plenty with less major accident potential).
Operator errors have more potential for mishap. The bypass operations will involve an operator opening the necessary valves at a manifold, and there is clear scope for error. The particular errors which cause concern are:
(a) opening a valve which should be closed, rather than closing a valve which is already open (error of operation);
(b) selecting the wrong bypass (error of intention).
Either could lead to a hazardous condition, depending on exactly which mistakes are made.

5.5.2. Frequency

The frequency with which these vessels will need to be isolated for cleaning and maintenance is relatively high, and can be taken as once a month for each of the vessels, that is to say one operation per week.

5.5.3. Assessment of design schemes

Scheme 1 -- Design using spool pieces
NEGLIGIBLE CHANCE OF MISHAP

This is the design using spool pieces to make the bypasses. Although the design requirement specified that only one spool piece would be provided, it is not beyond the bounds of possibility for workers to try to get hold of a spare, and to use it improperly. We considered this possibility and concluded that given normal standards of management for a facility of this type the chance of this wilful error could be neglected.

Scheme 2 -- Single valve bypass without interlock
INCIDENT EVERY FIFTEEN MONTHS

If the bypasses have single valves without an interlock system, we have a rather different picture. The chance of an operator making a mistake in carrying out a standard operation is taken as a typical quoted figure of about once every 100 operations [6 - 8]. We see the bypassing operation as non-standard because each time a bypass is operated it would be on a different vessel. It requires only an error in communication between operators and management for a second bypass to be operated. Other incident-shaping factors will include the level of experience and training of the operators, their physical condition and the prevailing conditions on an offshore facility. We assess the probability of severe error as being about once in every 20 operations in the early stages of operations, dropping off as experience was gained on the vessel.
In two-thirds of the possible combinations of two bypasses open, there is no hazard, as noted elsewhere. In the other case, where HP and LP bypasses are open simultaneously or LP and LLP bypasses are open simultaneously, the effect will be a rupture of a vessel with the consequences described above. This means that one third of the possible operator errors leading to two bypasses being open at the same time will lead to a major incident. Putting these assessments together, we have the following:

50 operations/year × 0.05 errors/operation × 1/3 severe = 0.8 incidents per year

Scheme 2A -- Single valve bypass with interlock
NEGLIGIBLE CHANCE OF MISHAP

This is an interlocking system which requires a single key to be used to operate any of the bypass valves. The key is retained in the valve lock once it has been used to open the valve. It is customized and cannot readily be replicated. We assess the chances of maloperation using this system as being negligible also.

Scheme 3 -- Double block and bleed system with manual operation: locked valves
INCIDENT EVERY THIRTEEN YEARS

The basic type of error which would lead to a severe incident is similar to that considered under Scheme 2, that is to say, operator error when carrying out a non-standard operation. However, we see this as being less probable simply because of the number of operations required to open a bypass. This needs two ball valves to be opened and the intermediate bleed valve closed before hazardous conditions can be generated. We see the chances of the operator realizing that he has made a mistake during the operation as being very much higher, since a number of physical signs, in particular the difference in noise quality when the valve was opened, would tell him that all was not well. In addition, the normal locks used to secure the valves would make possible better control against misoperation. The error probability is set at once in every 200 operations, and the overall probability would be:
50 operations/year × 0.005 errors/operation × 1/3 severe = 0.08 incidents per year

5.6. Confidence levels

These assessments are not absolute predictions. They are informed guesses. The next question to answer is how confident we feel about the value indicated and the range of variation which could be expected. The variation of the severity is different for the different effects (we see the usefulness of talking in terms of effects). The property damage variation would be between +500% and -50% of the figure given; that is, with poor response by firefighters the damage could easily be five times more severe than suggested, and with excellent response the damage could be as little as half that suggested. The interruption figure is considered to be good for +67% to -32%. Even with extreme efficiency it is felt unlikely that the repair time could be less than three months. With a few slips on the procurement or installation schedule, the downtime could easily extend from four to six months. The personnel injury effects are the most variable, and could be zero (no injuries at all) or multiple deaths as indicated in the original assessment. The probability of the incident is considered to be more variable. For the worst case the figure chosen would be 0.8 incident per year under Scheme 2, 0.08 incident per year under Scheme 3. However, with good management and training of the operators these figures could be reduced dramatically. If we take the figure of improvement as 20 times at best, the overall ranges of severity and probability are as shown in Table 8.

5.7. Conclusions -- Case study

• Based on the estimates of production loss following a vessel rupture and major fire, the target rate for probability of occurrence needs to be about 0.001 per year. Other effects are judged not to require a lower probability.
• No system which relies on people not committing one simple mistake is reliable enough to meet this requirement. Scheme 2 is not going to be acceptable. Scheme 3 is acceptable if favourable assumptions are made about error rates. Schemes 1 and 2A are acceptable, based on this assessment.
• Hardware assistance to people is needed to achieve the level of integrity required.
• An interlocking key system or mechanism of similar resistance to tampering is needed. With this, either Scheme 2A or a hypothetical Scheme 3A would be satisfactory.
• The best solution of all would be to find an option without bypasses. No bypasses means no problems of this particular kind.

TABLE 8
Variation of assessed severity/probability

            Severity                                   Probability
            Property loss  Operations  People          Scheme 1    Scheme 2       Scheme 2A   Scheme 3
Best case   $3750000       3 months    No injury       Negligible  0.04 per year  Negligible  0.004 per year
Worst case  $37500000      6 months    Multiple death  Negligible  0.8 per year   Negligible  0.08 per year
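As an added worked example (not part of the paper), the frequency model applied to Schemes 2 and 3 above and the best/worst-case bands of Table 8, written in Python. The 50 operations per year, the error rates, the one-third severe fraction, the 20-fold improvement credit and the 0.001 per year target are the paper's figures; the $7.5 million property-damage base used with `severity_band` is an assumption consistent with Table 8's $3750000 and $37500000.

```python
from dataclasses import dataclass
from typing import Optional

# Figures taken from the paper's case study (Sections 5.5 - 5.7).
OPERATIONS_PER_YEAR = 50.0       # bypass operations per year
SEVERE_FRACTION = 1.0 / 3.0      # share of double-bypass errors that rupture a vessel
TARGET_PER_YEAR = 0.001          # target frequency set by the production-loss effect
BEST_CASE_IMPROVEMENT = 20.0     # "20 times at best" with good management and training

@dataclass(frozen=True)
class Scheme:
    name: str
    error_per_operation: Optional[float]  # None: maloperation judged negligible

# Error rates per bypass operation as assessed in the paper.
SCHEMES = (
    Scheme("1: spool pieces", None),
    Scheme("2: single valve, no interlock", 1 / 20),
    Scheme("2A: single valve, key interlock", None),
    Scheme("3: double block and bleed, locked valves", 1 / 200),
)

def incident_rate(ops_per_year: float, error_per_op: float, severe: float) -> float:
    """Severe incidents per year = operations x error probability x severe fraction."""
    return ops_per_year * error_per_op * severe

def probability_band(scheme: Scheme) -> tuple:
    """(best, worst) incidents per year; the worst case takes no credit for training."""
    if scheme.error_per_operation is None:
        return (0.0, 0.0)
    worst = incident_rate(OPERATIONS_PER_YEAR, scheme.error_per_operation, SEVERE_FRACTION)
    return (worst / BEST_CASE_IMPROVEMENT, worst)

def severity_band(figure: float, worst_factor: float = 5.0, best_factor: float = 0.5) -> tuple:
    """(best, worst) for an effect that may be 'five times' worse or 'half' as bad as estimated."""
    return (figure * best_factor, figure * worst_factor)

def assess(scheme: Scheme, target: float = TARGET_PER_YEAR) -> dict:
    """Compare a scheme's probability band with the target frequency."""
    best, worst = probability_band(scheme)
    return {
        "scheme": scheme.name,
        "best_per_year": best,
        "worst_per_year": worst,
        "meets_target": worst <= target,          # met without favourable assumptions
        "best_case_over_target": best / target,   # > 1: even the best case misses it
    }
```

Scheme 3's best-case rate of about 0.004 per year is still above the 0.001 target, which is why the paper makes its acceptability conditional on favourable assumptions about error rates rather than on the 20-fold credit alone.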
6. CONCLUSIONS

This paper has reviewed the ideas of defining safety goals as a key responsibility of management in making decisions on risk. For ease of application in engineering design and for risk assessments, it is considered that goals should be expressed in terms of the acceptable effects of potential incidents, with the effects defined by severity and probability over a wide range of possible types of effect. The approach is similar to that used for rapid ranking studies. An analysis of the effects of a hypothetical fire on an offshore oil-treating facility is used to show that the recommended approach does help decisions on risk. The as-designed facility could suffer severe loss of production if there was a low-probability process upset and ensuing fire. The probability of this incident is assessed and shown not to exceed the postulated acceptability criteria. This type of assessment based on decision criteria is a satisfactory way to demonstrate that a design is acceptably safe.

ACKNOWLEDGEMENTS

We would like to acknowledge the library and secretarial facilities given by Bechtel Limited, in the preparation of this paper.
REFERENCES

1 Norwegian Petroleum Directorate, Guidelines for Safety Evaluations of Platform Conceptual Design, Law stipulated on September 1, 1981.
2 J. Gillett, Rapid ranking of hazards, Process Eng., 66 (2) (1985) 19.
3 D. Lihou and C. J. Mumford, Rapid ranking of hazards, Loss Prev. Bull., 59 (1984) 7.
4 D. J. Rasbash, Fire Safety J., 8 (1985) 141.
5 M. Shipp, A Hydrocarbon Fire Standard -- An Assessment of Existing Information, OTR 8204, Fire Research Station, HMSO, London, 1983.
6 F. P. Lees, Loss Prevention in the Process Industries, Butterworths, London, 1980.
7 D. Smith, Reliability and Maintainability in Perspective, Macmillan, London, 2nd edn., 1985.
8 A. D. Swain and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Report NUREG/CR-1278, Nuclear Regulatory Commission, Washington, DC, 1980.