Reliability Engineering 6 (1983) 1-12
Quantitative Risk Analysis in the Design of Offshore Installations
Jan Erik Vinnem Division of Machine Design, The Norwegian Institute of Technology, University of Trondheim, Trondheim, Norway (Received: 26 June, 1982)
ABSTRACT
This paper briefly reviews trends in accident statistics from the North Sea Operations. Risk acceptance viewed from both the Governmental Authority and Operating Companies' standpoint is discussed. The Norwegian Petroleum Directorate has recently issued Guidelines for Conceptual Safety Evaluations. These are important because they require a risk analysis and evaluation process to be carried out in offshore development projects. The principles of the Guidelines as well as the implications for the total risk analysis process are discussed in this paper.
1. INTRODUCTION
Accident statistics from offshore platform operations show that there are great risks for personnel and structures. Accident prevention therefore needs considerable and systematic attention in order to reduce the risk levels. The steps that the Norwegian Petroleum Directorate (NPD) has recently taken in order to systematise the risk analysis and evaluation process are therefore very important. NPD has issued 'Guidelines for Safety Evaluation of Platform Conceptual Design'. In this paper these Guidelines as well as the total risk evaluation process will be considered.
Reliability Engineering 0143-8174/83/$03.00 © Applied Science Publishers Ltd, England, 1983. Printed in Great Britain
The concept of risk to personnel introduces a two-dimensional space for management of safety in offshore operations. These two dimensions are the probability of accidents and the consequence of accidents. This principle is undebatable as long as only estimated risk is discussed. When the subjective, experienced risk is discussed this principle is more debatable, as many experts will say that the subjective risk is only dependent on the extent of the consequences, when these are beyond a certain limit.
Risk and reliability analyses should for this reason not be used as synonymous terms. Reliability analysis is concerned with the probability of successful operation at certain times or intervals (of course the most commonly used method is analysis of all system failure modes). Risk analysis starts with analysis of hazardous system failure modes, then effects on other systems are analysed, and the result will be the consequences on people and hardware along with corresponding probabilities. This is definitely more than a reliability analysis, and correspondingly the problems of risk analysis are more complex and difficult to solve satisfactorily. This suggests the need for keeping risk and reliability analysis as two disciplines, with, to a great extent, common analytical tools.
The reliability of safety systems and safety barriers is of course extremely important for keeping an acceptable risk level on platforms. Therefore, reliability studies will be important parts of a risk analysis. Only system failure modes that may increase risk will be analysed in these studies.
One of the most important aspects of the NPD Guidelines is that a framework is introduced for the total process of safety activities in a platform development project. The process of developing the concept requirements into detailed safety and emergency requirements for detailed engineering should ensure that the total safety of the final platform design is controlled.
This is in contrast to the situation before such risk evaluations were started. Safety measures were then applied to what were believed to be important aspects, but without knowing what the total effect would be. Experience over the last year has shown that this process is not easy to perform. Therefore, the principles to be used in the evaluation process should be discussed in order to achieve maximum conformity in these evaluations.
2. TRENDS IN ACCIDENT STATISTICS
The accident statistics from the North Sea operations show that zero accident occurrence has never been achievable, and never will be as long as the operations continue. Figure 1 presents the accident trends for mobile and fixed installations and transportation on the Norwegian Continental Shelf (NCS). A detailed discussion of the differences in the statistics is beyond the scope of this paper. We will only note the falling trends during the last years. The authorities in the UK and in Norway have their respective differences, although the overall goal is identical on both shelves: to reduce the accident occurrence. These differences are important, and have been studied in order to find the most effective way of legislating for safety. This subject is however also beyond the scope of this paper. However, we will use the statistics in order to project the future risk picture, and thus make some conclusions as to what are important areas for risk reduction priorities.
[Fig. 1. Estimated cumulative fatality rates. Vertical axis: cumulative fatality rates (per 1000 manyears); horizontal axis: year, 1966 to 1980; surviving curve labels: Transport, Mobile installations.]
We will use the best available statistics, primarily from NCS, to estimate accident frequencies for the total operation period of one assumed field. The assumed field has the following characteristics:
- Oil field with small amount of associated gas
- Number of exploration and development wells: 20 drilled in 5 rigyears
- Production to be developed from two production platforms
- Water depth 160 m, north North Sea conditions
- Integrated production, drilling and quarters platforms
- Production capacity of each platform: 300 000 BPD
- 40 wells to be drilled from each platform
- 10 years lifetime of each well
- Helicopter flight distance to platforms: 200 km
- Average number of personnel on each production platform: 250 over total lifetime, 25 years each
Note that only those characteristics that are needed for the projection are listed above. We will concentrate the projection on three main hazards:
(1) Fatalities
(2) Blowouts
(3) Helicopter accidents
Tables 1 and 2 present the risk projections for exploration and production activities, respectively. The conclusions for the total field operation period will thus be:
(1) Expected number of fatalities: 11
(2) Probability of fatal helicopter accident: 64 %
(3) Probability of blowout: 38 %
Now, each of these numbers indicates a high risk area. Note that the average number of fatalities per fatal helicopter accident is approximately 8-10 persons. Note also that production blowouts have the dominating probability contribution. These blowouts also have the highest potential for large oil spills.
TABLE 1. Exploration and Development Risks
Risk | Estimated frequency | Field activity | Estimated risk level for field
Fatalities | 1.5 fatalities per 1000 manyears | 20 wells in 5 rigyears: 190 manyears per rigyear; total 950 manyears | 1.4 fatalities
Blowouts | 1 blowout per 503 wells | 20 wells | Probability of blowout 4 %
Helicopter accidents | 1 fatal accident per 10⁵ flight hours | 3 flight hours per manyear; 2 850 flight hours | Probability of fatal accident 3 %
Another aspect is also important. The so-called conceptual related risks are not reflected in the fatality estimates above. It is normally said that for a fixed platform, the frequency of major catastrophes is approximately 1 in 1000 platformyears. The frequency of all conceptual related accidents will certainly be higher. The conceptual related risks are also important because they might expose a large number of people. The Alex Kielland accident has demonstrated this aspect, although this was not a fixed platform.
TABLE 2. Production Risks
Risk | Estimated frequency | Field activity | Estimated risk level for field
Fatalities | 0.32 fatalities per 1000 manyears | 250 x 2.5 manyears per platformyear (on average); 2 platforms in 25 years: total 31 250 manyears | 10 fatalities
Drilling blowouts | 1 blowout per 503 wells | 40 wells per platform | Probability of drilling blowout 15 %
Production blowouts | 0.26 blowouts per 1000 wellyears | Estimated well lifetime 10 years; total 800 wellyears | Probability of production blowout 19 %
Helicopter accidents | 1 fatal accident per 10⁵ flight hours | 3 flight hours per manyear; total 93 750 flight hours | Probability of fatal accident 61 %
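The projections of Tables 1 and 2, worked through as an added example (this code is not from the paper). The paper does not state how an expected event count is turned into a probability; the Poisson form P = 1 - exp(-N) is an assumption made here, chosen because it reproduces every tabulated percentage, and all function and variable names are illustrative.

```python
import math

# Rates and exposures copied from Tables 1 and 2 of the paper.
# Each entry: hazard -> (rate per unit of exposure, total exposure for the field).
# The helicopter rate is taken as 1 per 10^5 flight hours in both tables,
# which is what the tabulated 3 % and 61 % results require.
EXPLORATION = {
    "fatalities": (1.5 / 1000, 5 * 190),       # per manyear; 5 rigyears x 190 manyears
    "blowout": (1 / 503, 20),                  # per well; 20 wells
    "helicopter": (1 / 1e5, 3 * 5 * 190),      # per flight hour; 3 h per manyear
}
PRODUCTION_MANYEARS = 250 * 2.5 * 2 * 25       # 31 250 manyears
PRODUCTION = {
    "fatalities": (0.32 / 1000, PRODUCTION_MANYEARS),
    "drilling_blowout": (1 / 503, 40 * 2),     # 40 wells on each of 2 platforms
    "production_blowout": (0.26 / 1000, 800),  # per wellyear; 800 wellyears
    "helicopter": (1 / 1e5, 3 * PRODUCTION_MANYEARS),
}


def prob_at_least_one(expected):
    """Probability of one or more events, ASSUMING Poisson-distributed counts."""
    return 1.0 - math.exp(-expected)


def project(phase):
    """Return {hazard: (expected events, probability in whole percent)}."""
    out = {}
    for hazard, (rate, exposure) in phase.items():
        expected = rate * exposure
        out[hazard] = (expected, round(100 * prob_at_least_one(expected)))
    return out


def field_summary():
    """Combine both phases into totals for the whole field operation period."""
    phases = (project(EXPLORATION), project(PRODUCTION))

    def rows(keyword):
        return [v for p in phases for k, v in p.items() if keyword in k]

    summary = {"expected_fatalities": round(sum(e for e, _ in rows("fatalities")))}
    for name in ("helicopter", "blowout"):
        selected = rows(name)
        # Sum of the rounded table rows: equals the field totals quoted in the text.
        summary[name + "_sum_pct"] = sum(pct for _, pct in selected)
        # Added comparison under the same assumption: pool the expected counts
        # first, so the result stays below 100 % however many rows are combined.
        pooled = sum(e for e, _ in selected)
        summary[name + "_pooled_pct"] = round(100 * prob_at_least_one(pooled))
    return summary


if __name__ == "__main__":
    for label, phase in (("Exploration", EXPLORATION), ("Production", PRODUCTION)):
        for hazard, (expected, pct) in project(phase).items():
            print(f"{label:12s} {hazard:20s} expected={expected:6.3f}  P={pct:3d} %")
    print(field_summary())
```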
However, conceptual related risks are also important for mobile platforms. For example, the statistical accident frequency for mobile platform catastrophes is approximately 10 times higher than for fixed platforms. In conclusion, the four hazards described above all call for dedicated efforts for risk reduction, in each of the technical areas.
3. RISK ACCEPTANCE
In the process of influencing safety related decisions there are some main tools that can be used:
(1) Risk analysis
(2) Risk acceptance criteria
(3) Risk evaluations
The relationship between these elements, and their relationship to the design process, is illustrated in Fig. 2. It can be seen that the process constitutes something like a control loop. The figure also illustrates the iterative process of risk analysis and evaluation in the design project.
[Fig. 2. Risk acceptance process. Surviving box labels: platform design; analysis; risk acceptance criteria; other safety requirements; unacceptable risk; design improvements; acceptable risk; further platform design.]
Now all this presupposes that quantitative risk acceptance criteria exist. Up till this day such criteria have primarily been developed in other industries, like the nuclear industry and the onshore process industries. Recently the process of developing quantitative criteria has been initiated in Norway. The 'Guidelines for Safety Evaluation of Platform Conceptual Designs' from the Norwegian Petroleum Directorate (NPD) are important as a first official step in the direction of quantifying risk acceptance.
4. NPD GUIDELINES FOR CONCEPTUAL SAFETY EVALUATIONS
The guidelines were issued in 1981, but they had been in process for more than one year, and subsequently some five projects have tried to follow the principles of these guidelines in the past two years. Within the offshore field these guidelines constitute the first attempt to use quantitative risk analysis in offshore developments. The NPD guidelines require that a risk analysis shall be carried out for every proposed production installation at the conceptual stage of development. This analysis must in its essence be quantitative, as both the accidental situations to be studied shall be selected according to the probability of occurrence, and the accident effects shall be quantified as the basis for design.
4.1 Principles for the safety evaluation
The principles on which the evaluation is based are:
(1) The platform concept is analysed in order to identify possible accident scenarios, taking into account:
- possible initiating events
- possible failures of safety systems
- environmental conditions
Based on this analysis, a number of possible accident events are defined.
(2) Based on evaluation of probabilities the design accident events shall be selected from amongst the possible accident events. This selection shall be based both on evaluation of probabilities and on quantified accident effects. The process for this selection will be discussed in detail later.
(3) For the design accident events (DAE) the platform concept shall be compared with qualitative acceptance criteria in order to verify that the platform concept has an acceptable safety level. These criteria are all based on the principle that the DAEs should not impose danger to personnel outside the immediate vicinity of the accident. The scope of these criteria is essentially limited to requirements for passive safety protection, and only to a limited extent active safety systems. However, indirectly there must be a strong coupling between active and passive systems. This will be discussed later.
4.2 Acceptance criteria
As outlined in the previous section, the primary criterion is that the concept in a design accident situation shall limit the damages to personnel in the immediate vicinity of the accident. This general criterion has also been spelled out into three requirements for passive protection:
'(a) At least one escape way from central positions which may be subjected to an accident shall normally be intact for at least one hour during a design accident event.
(b) Shelter areas shall be intact during a calculated accident event until safe evacuation is possible.
(c) Depending on the platform type, function and location, when exposed to the design accident event, the main support structure must maintain its load carrying capacity for a specified time.'
The two latter requirements will lead to establishment of accidental design loads for the protective walls (and roof) of shelter areas, as well as for the main support structure. These are, however, the only platform elements that will be designed to accidental loads according to the guidelines. The former requirement will only lead to a check of escape way layout which will be qualitative. Therefore, it seems necessary to emphasise that other platform elements should also be designed against accidental loads.
4.3 Risk analysis process
The probability criterion for selection of DAEs has been focused on in depth and has been discussed at length. Obviously, using a probability number is very crucial, and this number is attacked from various angles. However, it must be stressed that the process of quantifying risk is the most important. Representatives from NPD have stated on a number of occasions that one should focus on the process, and not on this single number. If the analysis is properly performed, it will lead to requirements for accidental loads for structures and equipment as well as reliability requirements for safety systems. However, the guidelines should be rewritten in order to stimulate a more logical process of risk analysis.
The cut-off criterion for selection of DAEs is a frequency of 10⁻⁴ per year for selected categories of events. Based on some assumptions regarding the number of DAEs and non-design basis events, and the average consequences for these two types of events, the corresponding risk level can be estimated. This will be in the order of 0.1 fatalities per platform per year. It must be remembered, though, that this is only concerned with conceptual related risks. According to experience, the work accidents are in the same order of magnitude. In Table 3 the estimated risk level is compared to other risk estimates both for the Norwegian Shelf and average onshore industries.
TABLE 3. Comparison of Risk Estimates for Fixed Platforms
Risk estimate: Estimated in this paper; Used as background for 10⁻⁴ criterion; NPD official statistics (only work accidents); Fixed platforms, all fatalities; Fixed platforms, excluding Alex Kielland; Average onshore industries
Value: 0.1 fatalities per platform per year; 0.32 per 1 000 manyears; 3.1 per 1 000 manyears; 0.42 per 1 000 manyears; 0.05 per 1 000 manyears
Corresponding FAR (a): 10 1 18 177 24 3
(a) FAR = Fatal Accident Rate.
It can be concluded from the table that the implied risk level of the new guidelines is at a sensible level compared to what the accident level has been on the Norwegian Continental Shelf. If working accidents are included, one would expect that the total risk level would be approximately FAR = 20. However, the acceptability of these numbers will not be discussed in this paper. It has been argued that the new guidelines imply drastic requirements for reducing the risk level. This cannot be substantiated, based on the numbers in Table 3. On the other hand, the numbers show that the offshore risk level still will be higher than the average onshore risk level. Thus, the new requirements are not extremely rigid. Another important aspect which is discussed in relation to the new guidelines is the quality of data and the uncertainties that will result from poor data quality.
5. RISK ANALYSIS IN DESIGN PROCESS
It is important to stress that from a safety management point of view the risk quantification process is the most important aspect of the NPD guidelines. The 10⁻⁴ criterion is therefore not the most important point. The process that the guidelines are meant to initiate is the same as was indicated in Fig. 2. Therefore the work definition of a conceptual safety evaluation should be planned and specified in a way which makes it possible to carry out this process. This has not been carried out successfully in the studies performed so far in Norway, which indicates that this iterative process is not easy to work out.
The process will start with a rough analysis at the feasibility phase. This analysis will create important background for the selection of field development plan. But it is acknowledged that the selection primarily will be based on technical and economical factors. At the same time, the assumptions and conditions used in this rough analysis will be important input for the design work in the conceptual phase.
In the conceptual risk analysis, the objectives are to:
(1) Compare the risk of different layout concepts studied
(2) Verify that the selected platform concept satisfies the qualitative acceptance criteria of the NPD guidelines
(3) Assess the accidental effects which the platform shall be designed to withstand
(4) Specify the assumptions and conditions used in the analysis, which again will be important for the design of process, utility and safety systems in the pre-engineering phase.
Now, in the pre-engineering phase a risk analysis should be performed to:
(1) Verify that the design accidental loads from the conceptual analysis have been adequately designed for
(2) Assess the residual risk of the platform concept, including reliability analysis of important safety systems
(3) State the assumptions and conditions used in the analysis which will be important input for the design in the detailed engineering phase.
In the detailed engineering phase the only risk analysis activity is to finalise the preliminary analysis of residual risk performed in the pre-engineering phase. Note that this corresponds to the 'assumed risks' of the MORT (Management Oversight and Risk Tree) concept.
6. CONCLUSIONS
We have defined safety in a way to make it achievable, and have developed a safety management philosophy that satisfies this definition of safety. In practical terms the following points are vital in order to achieve an optimum safety level:
(1) The safety level is decided at an early design stage. Traditionally safety involved the design of safety systems. Recently the focus has been on system safety, which is the philosophy underlying this paper. In this philosophy the influence on decisions in the early project phases is extremely important. The conceptual safety evaluations required by NPD should be utilised not only to satisfy the authorities, but also to form an integrated part of a risk quantification process.
(2) Improving the technical safety systems is also important for the total safety. These systems must be subjected to improvements by research, as well as improvements by analysis of the potential accident conditions in which the safety systems will have to operate.
(3) Safety must be managed like any other technical discipline. This implies that the line management must also be responsible for safety, but will have to employ specialists in order to carry out the various functions. Staff specialists will also have to be employed in order to secure an administrative redundancy consisting of the line management and the staff specialists. It has been said that risks that are never identified cannot be managed at all. In other words, management of risk requires:
    (1) Identification of hazards
    (2) Analysis and evaluation of risks
    (3) Acceptance of residual risks at an appropriate management level. This is now the definition of the assumed risks in the MORT concept.
This concept is therefore very useful in order to achieve an optimum safety level.
(4) In order to improve the safety of mobile platforms the design process of these platforms should be carried out in the same way as for fixed platforms. In Norway this will require different attitudes by authorities, by owners and by operators if a corresponding process shall be achieved. Large expenditure, especially on the administrative functions, will be one of the consequences. It is, however, necessary if a corresponding safety level for mobile platforms shall be achieved compared to the level for fixed platforms.