Safety in Offshore Platforms—Use of QRA in the Norwegian Offshore Industry

CHAPTER TWO

Safety in Offshore Platforms—Use of QRA in the Norwegian Offshore Industry
Stein Haugen¹
Department of Marine Technology, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
¹ Corresponding author: e-mail address: [email protected]

Contents
1. Introduction
2. Brief Overview Over History of QRA in Norway
3. General Requirements
   3.1 Hazard Identification
   3.2 Analysis of Initiating Events
   3.3 Analysis of Potential Consequences
   3.4 Establishing the Risk Picture
4. Release of Hydrocarbons From the Process Plant
   4.1 Causal Analysis/Initiating Event Analysis
   4.2 Modeling and Analysis of Event Scenarios
   4.3 Calculation of Physical Effects of Releases
   4.4 Calculation of Impact on Personnel and MSFs
5. Results Presentation
   5.1 Fatality Risk
   5.2 Main Safety Functions
   5.3 QRA Summaries
6. Releases From Pipelines and Risers
   6.1 Causal Analysis/Initiating Event Analysis
   6.2 Modeling and Analysis of Event Scenarios
   6.3 Calculation of Physical Effects of Releases
   6.4 Calculation of Impact on Personnel and MSFs
7. Blowout
   7.1 Causal Analysis/Initiating Event Analysis
   7.2 Modeling and Analysis of Event Scenarios
   7.3 Calculation of Physical Effects of Releases
   7.4 Calculation of Impact on Personnel and MSFs
8. Ship Collision
   8.1 Causal Analysis/Initiating Event Analysis
   8.2 Offshore Supply Vessels

Methods in Chemical Process Safety, Volume 2 ISSN 2468-6514 https://doi.org/10.1016/bs.mcps.2018.05.001

© 2018 Elsevier Inc. All rights reserved.

   8.3 Shuttle Tankers During Loading
   8.4 Passing Merchant Vessels
   8.5 Consequence Analysis
9. Other Hazards
   9.1 Dropped Objects
   9.2 Structural Failure Due to Extreme Environmental Loads or Design Errors
   9.3 Helicopter Accidents
   9.4 Occupational Accidents
10. Comparison of QRA Results Against Actual Risk Level
11. Use of QRA for Decision Making
12. Future Developments
   12.1 Simplification
   12.2 Analysis for Operations
   12.3 Barrier Management
13. Conclusions
References

1. INTRODUCTION

“Safety in offshore platforms” indicates a very wide scope for this chapter, and it is clearly not possible to cover all aspects of this within the limitations of a book chapter. Rather than giving a very brief overview, the focus will therefore be on one particular aspect of how safety is being managed in the offshore industry, namely the use of Quantitative Risk Assessment (QRA), in particular in the Norwegian offshore industry. Since the introduction of QRA in the Norwegian offshore industry around 1980 and in the United Kingdom after Piper Alpha around 1990, an impressive development has taken place. In this chapter, a brief summary of some of the most important developments and trends over these decades is given. This will be followed by an overview of the current status, with main focus on methods and application areas. Toward the end of the chapter, an attempt is made at looking into the future, trying to say something about where current development trends may take us in the coming years.

In this chapter, we will use the terms major accident risk and occupational accident risk. This is different from the process industry, where the terms process accidents and personal accidents are more commonly used. In practice, we can assume that these two pairs of terms correspond to each other, except of course that there will be additional hazards that are relevant for offshore facilities.

A number of definitions of major accidents exist (Okoh & Haugen, 2013), most of them from various legislative bodies or international organizations. The events are described as adverse or unplanned and acute or sudden. The main reason why the term “major” is being used is of course the scale of the consequences or potential consequences. It is noted that some definitions require actual consequences to have occurred for an event to be classified as a “major accident,” while others (including the Petroleum Safety Authority of Norway) state that as long as the event had a potential for causing severe consequences, this is sufficient. For this purpose, we can assume the following definition: “an unexpected event that causes or has the potential to cause serious consequences such as several serious casualties, extensive environmental or asset damage, with immediate or delayed effects experienced, within or outside the incident facility.”

The chapter provides some details on risk modeling, but it is clearly not possible to go into a lot of detail within the framework of a book chapter. A comprehensive and detailed discussion of the topic can be found in the book “Offshore Risk Assessment—Principles, Modelling and Applications” by Professor Jan Erik Vinnem (Vinnem, 2014).

2. BRIEF OVERVIEW OVER HISTORY OF QRA IN NORWAY

In Norway, the blowout at Ekofisk A in 1977 was the first eye-opener to the Norwegian government and the public that the offshore industry could represent a large potential for serious accidents. The blowout occurred on April 22, 1977, on the Ekofisk 2/4A platform, during workover on a well. The Xmas tree had been removed and the barriers that were in place were a DHSV that most likely was not adequately secured and mud in the well. There was a slow flow of mud from the well for a considerable period of time, indicating that the well was not completely under control, until the flow started increasing and then rapidly grew to a full-scale blowout. The accident is comprehensively described in the published investigation report (NOU, 1977).

The commission investigating the accident stated that “…the accident […] was the result of such a series of unfortunate circumstances and wrong judgements that this would have been considered unlikely in advance.” The main causes were concluded to be human error, although the commission interestingly notes that (translated from Norwegian) “It is not automatically correct to talk about human error even if all technical components functioned without error. Any system should be designed to be operated by people and to allow for the possibility that humans can make errors. The term ‘human error’ should be reserved for those human actions that are outside the limits of tolerance that are reasonable to expect.” This is a very forward-looking statement which shows a much more nuanced interpretation of human errors than what was common in those days.

Another interesting aspect of this blowout is how the causes are echoed in the Macondo Blowout (National Commission, 2011). Changes in the planned work program, inadequate change management, and wrong interpretation of signals from the well are all common aspects of the two accidents. The consequences of the accident in terms of human and environmental damage were limited. All personnel were safely evacuated, the blowout was stopped after 8 days, and the oil spill was estimated at 9000 tons (compared to Macondo with around 700,000 tons). However, the accident had profound implications for safety on the Norwegian Continental Shelf. The commission stated that “Approaches and safety measures that from experience have turned out to be satisfactory within traditional oil exploration and production cannot unconditionally be accepted in the North Sea.” This pointed toward needs for developing both new methods and new technologies.

One of the outcomes of the accident and the subsequent report was the large research program called Safety Offshore (Kårstad & Wulff, 1983). The research program was kicked off in 1978 and lasted until 1983. One of the focus areas of this program was risk analysis and safety management. During the period when the program was being performed, the Alexander L. Kielland accident occurred (NOU, 1981). This was an accommodation platform that capsized in bad weather and 123 people were killed. This of course strengthened the focus on risk and the urgency of developing new knowledge to operate safely in the North Sea.

When the Bravo blowout occurred, there was a set of “Safety Regulations” (Norsk Lovtidend, 1976) in force, but there was no mention of risk analysis in these regulations. The first regulatory document mentioning this was the so-called CSE Guidelines (NPD, 1981) that were published by the Norwegian Petroleum Directorate in 1981. These were not regulations as such, but were still adhered to by the offshore industry. The CSE Guidelines introduced risk analysis as a tool for designing safe offshore installations. In the guidelines, the concept of Main Safety Functions (MSFs) was also introduced. This is described in more detail in Section 5.2.

The first attempts at quantitative risk analysis were very much influenced by the work done in the nuclear industry and in process/chemical industry. The methods were similar to the nuclear industry (e.g., use of event trees and fault trees) and the data that were applied were taken from a variety of industries and applications, including nuclear, process, and military/aerospace. The studies were criticized for being “paper exercises” focusing too much on numbers and not enough on real-world safety. However, they did contribute to raising awareness of safety issues and had an impact on design issues like layout, need for passive fire protection, location and protection of ESD valves, escape routes, lifeboat location, and protection of the living quarter as a temporary shelter during emergencies. A comparison between the first platform on the Statfjord field in the North Sea, Statfjord A, and the Gullfaks platforms (also in the North Sea) among others shows a significant development in layout. On Gullfaks, the hazardous areas and the living quarter are separated as much as possible, using distance to improve safety. Statfjord started production in 1979 and Gullfaks in 1986.

In 1992, the next step in the regulatory regime followed when a new set of regulations was introduced, among them risk analysis regulations. These regulations were based on the principle of risk-based risk management or risk-informed risk management. Risk analysis should always be part of the decision basis when making decisions that could influence risk. Another underlying principle for the regulations was that they contained primarily functional requirements rather than specific requirements. Another important principle underpinning the Norwegian regulations is the internal control principle. In practice, this means that the operators have full responsibility for ensuring that all relevant legislation and regulations are met. The Petroleum Safety Authority (PSA) will not perform detailed audits and inspections of all aspects of the regulations. Instead, they only do spot checks and do not formally approve technical solutions or risk assessments.

In 2002, the regulations were simplified from a total of 13 regulations to only 5. Among the new regulations were the Management Regulations (PSA, 2002), which contained requirements to risk analysis. A further simplification was made in 2010, although the overall principle and structure remain the same. These management regulations still remain in force at the time of writing (2018), although minor amendments have been made to the regulations and typically are made every year. A key change in recent years is that the definition of risk has been modified. In the most recent regulations, uncertainty is introduced in the definition instead of probability and risk is defined as “the consequences of an activity with the associated uncertainty.” The management regulations are functional rather than specific, and there is a separate chapter in the regulations dedicated to HSE-related

analysis, including a separate paragraph called risk and emergency preparedness assessments (§17). The requirements are however typically high level. An example is the first sentence, stating that “The responsible party shall ensure that analyses are carried out that provide the necessary basis for making decisions to safeguard health, safety, and the environment.” Other examples are that risk analysis shall provide a “balanced and most comprehensive possible picture of the risk” and that the analyses shall be “appropriate as regards providing support for decisions.” Using terms like “appropriate” clearly leaves a lot of room for interpretation. It should however also be mentioned that the regulations are accompanied by some guidance that elaborates on the different requirements. In most cases, this is however not very detailed. In parallel with the development of the regulations for risk analysis, a separate NORSOK standard, Z-013, was also developed and revised. The standard is called Risk and Emergency Preparedness Assessment and was first published in 1998. Later revisions have followed the development in the regulations, with revision 2 coming in 2001 and revision 3 in 2010. The standard is discussed in more detail in Section 3. The purpose of this is to act as guidance for operators about what will be regarded as meeting the regulatory requirements, although following the standard is not necessarily the only way that this can be achieved. In practice, the standard is however followed in most cases, and it provides a very detailed and specific description of how QRA should be performed. The development in other parts of the world will not be covered here, although the UK regime may be briefly mentioned since this has had a significant influence on the regulations also in other countries, e.g., Australia. 
In the United Kingdom, the Piper Alpha disaster in 1988 triggered a major overhaul of their regulations, from a prescriptive regime based on approval by the authorities, to a Safety Case regime where the responsibility for ensuring safety is more clearly placed on the operators themselves (Cullen, 1990). Several regulations were introduced following Piper Alpha, among which the most relevant one to mention here is the Safety Case Regulations (HMSO, 1992), which required the operators to prepare a Safety Case for all the offshore installations, including an assessment of the risks associated with the operations. In the years after the disaster, quantitative risk analysis was extensively used, although more recently focus has turned more toward qualitative analysis, with less emphasis on numbers. A final comment related to this is also the introduction by the EU of the Safety of offshore oil and gas operations directive in 2013 (European Parliament, 2013).

The directive was introduced in response to the Macondo blowout in the Gulf of Mexico. This directive also emphasizes the use of risk assessment as a tool to understand and manage risks.

In the years since the QRAs were introduced, there have been significant developments in methods, tools, and data applied to do risk analysis. The requirements and practice with regard to QRA are today in practice governed by the NORSOK standard Z-013 Risk and Emergency Preparedness Assessment (NORSOK, 2010). The standard has been revised several times, and the most recent version of the standard came as a result of revisions to the regulations. The expectation from PSA is that this standard is followed.

The standard is essentially divided into three main parts. The first part, the first four sections, is introduction, references, and definitions, followed by a section describing the role of assessments in risk management. This is followed by two parts describing requirements to risk assessment (Sections 5–8) and emergency preparedness assessment (Sections 9–12), respectively. The two final parts are both divided into one chapter covering general requirements, followed by chapters describing additional requirements for the different project phases from concept selection through operation. The scope and limitations of the standard can briefly be summarized as follows:

– It covers offshore and onshore facilities for production of oil and gas, but it may also be used for mobile offshore drilling units.
– It covers the risk assessment process only, not methods and processes for risk treatment.
– It covers major accidents only, although the risk contribution from occupational fatalities normally is included in the risk calculations.
– It covers quantitative analysis only.

Emergency preparedness assessment is not a topic of this chapter and is therefore not elaborated on any further.

In the following, a summary of key requirements for risk assessments is provided, structured in the same way as in the NORSOK standard. After the drop in oil prices in 2014, there has been a strong pressure to cut costs in the offshore industry, including costs for safety-related studies. Because of this, the NORSOK standard and the methods prescribed by the standard have been put under pressure, and at the time of writing this, there is a strong move toward less use of quantitative risk analysis, although the requirements and expectations from the authorities have not changed.

In the following sections, the requirements and the practical performance of QRA are described. General requirements for QRA from the NORSOK standard (NORSOK, 2010) are described, followed by detailed descriptions of how the analysis is performed for some of the types of accidents that are major contributors to the total risk.

3. GENERAL REQUIREMENTS

The general requirements are, not surprisingly, high level and general, and do not go into a lot of detail on exactly how the analysis should be performed. The overall requirements are that the risk assessment always should (NORSOK, 2010):

a) “identify hazardous situations and potential accidental events,
b) identify initiating events and describe their potential causes,
c) analyse accidental sequences and their possible consequences,
d) identify and assess risk-reducing measures,
e) provide a nuanced and overall picture of the risk, presented in a way suitable for the various target groups/users and their specific needs and use.”

The exact scope of the analysis can vary, but it may cover risk to people, the environment, and assets, as well as the frequency of losing MSFs (see explanation in Section 5.2). In the following, an overview over the general requirements to the main steps of the analysis process is provided. This is followed by a more specific and detailed discussion of how the analysis is done for some of the key accident categories that contribute significantly to risk on offshore installations in the North Sea.

3.1 Hazard Identification

The standard underlines the importance of the hazard identification phase of the risk assessment and suggests that checklists, experience from earlier analyses, inspections, audits, and incident reports can be used as a basis. It is also mentioned that methods like HAZOP and FMEA may be relevant to use (see, e.g., Rausand, 2013). The HAZID should not just identify hazards and sources of accidents but also do a rough ranking of the hazards into critical and noncritical, and identify potential risk measures. In practice a comprehensive hazard identification workshop is normally conducted very early and this is typically repeated several times during the project phases. Specific hazard identification meetings covering parts of the installations, specific operations, etc. are also performed as and when needed.

In Annex C of NORSOK Z-013 (NORSOK, 2010), there is a comprehensive checklist that can form the basis for hazard identification. The checklist refers to ISO 17776, Annex C (ISO, 2002), for a list of hazards, and in addition the annex contains lists of Accident categories, Inherently safe design, Utility systems, Marine hazards, Safety systems, Activities and phases, Human and Organizational failures, Occupational hazards, and Environmental risk. This can thus form a basis for identifying hazards, specific failures, and resulting accidents, it can be used to identify existing and suggested safety features, and it can be used to address occupational and environmental risk in addition to major accident risk.

The hazard identification workshop will normally include a variety of attendees from all key disciplines in the project and also from operations. An independent chairperson usually chairs the workshop, accompanied by a secretary who records the findings.

Even if the hazard identification is the basis for the risk analysis, the standard also specifies that certain hazards as a minimum shall be analyzed further and quantified, provided they are relevant (adapted from NORSOK Z-013):

– Release of hydrocarbons from the process plant, risers, and pipelines and from storage
– Release of hydrocarbons during loading/offloading
– Blowouts and well releases
– Accidents in utility systems, e.g., leaks of chemicals, fires, and explosion of transformers
– Accidents caused by external impact and environmental loads, e.g., collision, falling/swinging loads, helicopter crash, earthquake, and waves
– Structural failure
– Loss of stability and/or buoyancy (including failure of marine systems)

In the concept selection phase, the hazard identification should particularly focus on hazards that will influence the overall features of the installation, such as separation distances and main dimensioning loads. Further, there is also a requirement to cover installation and construction risks, since there may be large differences between alternative concepts in this respect. In the detailed engineering phase, the HAZID is reviewed and updated and it will also become more detailed in areas where insufficient information has been available earlier.

In the operational phase, the focus becomes somewhat different and involves applying experience from operation of the installation to obtain a better understanding of what hazards are relevant to consider, taking into account the technical and operational status of the installation.

3.2 Analysis of Initiating Events

The second main step in the QRA process is analysis of the (identified) initiating events. The detailed approach to this is very different from one accident category to another and this will be discussed in some detail in the following sections. Initially, we will however look at some of the general requirements for the analysis. By “initiating events,” we mean the hazard types listed in the previous section, e.g., process release and blowout. In most cases, more specific events than the very generic terms in the checklist are however defined. This is described in more detail later in this chapter.

First of all, the objective of this step is to analyze and identify the causes of the initiating events and to assess the frequency (or the probability) of the initiating events. Two alternatives for quantification are described. First, use of failure data is described, with due consideration given to the applicability of data. A comprehensive set of factors that may impair the applicability of existing data is listed, including the type of installation, weather conditions, design standards, developments in technology, maintenance programs, and operational standards. Changes in both design and operation may thus render existing datasets unsuitable for use in quantification. If existing data are considered to be unsuitable or insufficient, explicit analysis of causes of initiating events is required to be performed.

It is noted that even if one of the objectives of this step is to “analyze and identify the causes,” it is not explicitly required that this is done, as long as there are existing failure data sources that are suitable for the purpose. As we shall see in the discussion of the individual hazard types, the analysis of causes is generally quite limited in practice in many cases.

3.3 Analysis of Potential Consequences

“Analysis of potential consequences” will for this purpose cover the entire process of modeling/describing potential event sequences from the initiating event until the negative consequences have occurred or the accident development has stopped. There is therefore both a probabilistic element in this, describing the probability of different sequences and outcomes, and a description/calculation of the physical effects of the event sequence.

The physical effects may be related to loss of health and life for personnel, negative impact on the environment, or physical damage to assets. Specifically, the objectives are therefore described as:

– Assessing the outcomes of initiating events
– Analyzing potential event sequences that may develop

There are no general requirements, except for requirements that are general to any risk analysis (e.g., doing the analysis at a level of detail suitable for the context).

3.4 Establishing the Risk Picture

The next main step is to establish the risk picture, based on the hazard identification and the analysis of initiating events and potential consequences. Increasing focus has been placed on this in recent years and more specific requirements were included on this in the most recent revision of the NORSOK standard. Some of the requirements are of a general nature and cover aspects that would be expected of any analysis. This includes a description of the objectives and the scope of the analysis, the methods, data and tools used, and the acceptance criteria. In addition, a comprehensive description of the risk contributors is provided, from different areas, different types of hazards, and with particular emphasis on the most important contributors. An interesting side to the standard is a requirement to discuss uncertainties in the analysis, including the following:

i. “the perspective on risk used in the assessment, e.g., classical, statistical, probability of frequency, combined classical and Bayesian, Bayesian, Predictive approach;
ii. the effect and level of uncertainty given the adopted perspective and the context for the assessment (including the ‘system boundaries’ and ‘system basis’) compared to the ‘actual’ or ‘real’ systems and/or activities of interest;
iii. possible implications for the main results;
iv. occurrence of unexpected outcomes, as a result of invalid assumptions and premises, or insufficient knowledge.”

This is quite an extensive requirement, aimed at reflecting some of the scientific discussion over the last decade or so about how risk should be defined. In this context it is also worth noting that PSA has relatively recently changed its definition of risk, to “risk means the consequences of the activities, with associated uncertainty.” In this definition, associated uncertainty means uncertainty related to the potential consequences of the activities. This includes uncertainty related to which incidents can occur, how often they will occur, and what consequences may result.

There are also requirements to define and discuss concepts such as probability, frequency, mean value, and conservative approach. Uncertainty related to knowledge (e.g., different models, limitations of models, and disagreements among experts) should be highlighted and the robustness of the conclusions should be evaluated. Assumptions and presuppositions in the analysis should be explicitly described, they should be grouped into analytical, technical, and organizational/operational assumptions, their effect on operations should be described, and the background for choosing them should be given.

In total, we can summarize many of the requirements mentioned here into an overall goal of providing decision makers with a much more comprehensive description of not just the results of the analysis but also the uncertainty in the results and the conclusions that can be drawn from the analysis. This is clearly beneficial, although it also introduces new challenges. Presenting this in a format and in a way that improves understanding and clarifies the situation for the decision maker is clearly a challenge.

4. RELEASE OF HYDROCARBONS FROM THE PROCESS PLANT

Process releases are typically one of the main contributors to total risk on oil and gas installations, together with blowouts where this is relevant and ship collision. Process releases are typically also the accident type where the largest effort is put into quantification, both in terms of probabilities and in terms of consequences. A fairly detailed description of how this is analyzed is therefore given. This is divided as follows:

– Causal analysis/initiating event analysis
– Modeling and analysis of event scenarios
– Calculation of physical effects of releases
– Calculation of impact on personnel and MSFs

4.1 Causal Analysis/Initiating Event Analysis

4.1.1 Analysis Method

The first part of the analysis is to define specific release events (initiating events). This is done as follows:

1. The first step is to set the limits for what constitutes process releases. The limits of the process system are usually set at the inlet ESDVs (emergency shutdown valves). These may be on a platform well manifold or on flow lines from subsea manifolds depending on the concept chosen. Further, the process system is usually limited to the ESDV on the export risers or on the lines to storage.
2. Second, the system is broken down into segments according to the location of the ESD valves. Each part of the system that can be isolated by ESDVs is defined as one process segment. Normally, there will be numerous other valves, both automatic and manual, that can be used to isolate parts of the system, but these are normally not taken into account in the analysis. The size of the segment forms the basis for calculating maximum released amount of hydrocarbons, implying that this normally will be conservative since other isolation opportunities usually exist.
3. For each process segment, the content of the segment is determined and in most analyses a distinction will only be made between liquid and gaseous hydrocarbons. In some segments, only liquid releases are relevant, in others only gas is present, while in some (e.g., separators) both liquid and gas are present. In some cases, a two-phase release may also be considered.
4. The specific release events that will be analyzed further are then defined. For each segment and for each release type (liquid/gas), at least four release scenarios are defined, according to hole size or release rate. A typical example is to define release sizes of 0.1–1, 1–5, 5–20, and >20 kg/s. Since there are at least four release sizes and there may be both liquid and gas in a segment, each segment may have up to eight release events defined. The number of segments will obviously depend on the complexity of the process, but it is not uncommon to end up with more than 100 release events in total.

Next comes the quantification of frequencies of the release events:

1. Equipment count. The quantification is not based on the specific analysis of causes of releases, only on the quantity of equipment that can leak. For each segment, the equipment that may leak therefore has to be counted. This includes all types of process vessels, valves, instrument connections, flanges, heat exchangers, and pumps. The counting will also be split on size of the equipment (e.g., size of valves and flanges) and also more specifically on types of equipment (e.g., distinguishing between different types of valves). The counting of equipment will be based on P&IDs.
2. Selection of failure database. The calculation of frequencies is based on historical failure data for process equipment. NORSOK Z-013 recommends use of the HSE Leak and ignition database for offshore hydrocarbon releases (HSE, 2008). This contains information on all leaks reported to HSE since 1992. The database enables the calculation of failure rates for different types of equipment and also broken down on leak size.
3. Calculation of frequencies. By combining the equipment count with the failure database, it is possible to calculate release frequencies for different release sizes. The frequencies are calculated as a total value per event per segment, i.e., there is no split on equipment types in the calculated frequencies. However, the size of the equipment is taken into account, in that small diameter equipment typically never can reach the highest release categories because the release size that is physically possible is too small (e.g., for small bore instrument connections).

The outcome of this step in the analysis is thus a set of initiating release events, distinguishing between where in the process plant the release occurs and distinguishing between different leak sizes. Further, each initiating event has a frequency associated with it.

4.1.2 Discussion

As can be seen from the above presentation, no explicit causal analysis is performed. By using failure rate data from offshore applications, it is implicitly assumed that all relevant causes are reflected in the data and that we do not need to take into account any specific causes. The obvious weakness of this is that installation-specific causes will not be reflected at all, and that differences between installations are only reflected in the quantity of equipment. Studies of leaks on Norwegian offshore installations (Vinnem & Røed, 2015) have shown that maintenance activities are a key cause of leaks and that the correlation with equipment quantity is not necessarily good. There are thus clearly differences between installations that are not accounted for in the way the risk analyses are done. An important cause of leaks is intervention in the process plant, typically to perform maintenance on equipment, replace equipment, or perform testing and recertification.
Some studies have shown that as much as 50%–67% of the leaks can be attributed to this, with only a relatively small proportion being related to technical causes such as corrosion, erosion, and fatigue. This is an indication that relying only on equipment counts may not be sufficient. It may be argued that the number of operations on the equipment is more or less proportional to the number of equipment units and that the historical data will include both leaks due to technical failures and operational errors/human error. This may be reasonable as an average, but it is also noted that studies have been performed that show a significant difference
in the proportion of leaks caused by operational errors on the UK continental shelf compared to Norway. Since the most commonly used basis for calculating leak frequencies is UK data, it may be questioned if the results are reasonable. There may also be reasons why there are differences between installations with regard to number of interventions. The need for maintenance may vary due to differences in design and differences in the composition of the process flow in the system. There may also be differences in maintainability, e.g., facilities for bypass of equipment. This may influence how much intervention is required to perform maintenance. On the other hand, there are good arguments for focusing more on relative differences than on absolute values. As long as the same basis is used for all QRAs on the Norwegian continental shelf, it may be the relative differences that are important and not so much the absolute risk level that is calculated.

4.2 Modeling and Analysis of Event Scenarios

4.2.1 Analysis Method

The initiating events identified in the previous step form the starting point for development of a set of event trees. Typically, the event tree structure is standardized to a large degree, although different trees usually are used for oil and gas releases. The event trees are usually developed with two objectives in mind:
– To enable calculation of fatality risk
– To enable calculation of frequency of loss of the MSFs

Typical examples of nodes that will go into the event trees are:
– Ignition—Whether ignition of the release takes place or not is obviously an important factor, both for fatalities and for loss of MSFs. For gas releases, a distinction may be made between immediate ignition and delayed ignition. The purpose of this is to distinguish between cases where no or very little gas has been released before ignition occurs and those cases where a potentially large gas cloud has built up.
– Gas detection—This is typically the first barrier system that is considered because gas detection often triggers other automatic actions, such as isolation. Early gas detection is therefore crucial in ensuring proper and early reaction to any release. The probability of detection commonly takes into account both automatic detection and manual detection by personnel that are present and can see, smell, or hear the release.
– Isolation of release—Above, it was mentioned that the process plant is divided into segments according to where the ESDVs are located. Failure of isolation (failure of ESDVs) will imply that the quantities of hydrocarbons available to feed the release become bigger, potentially extending the duration and the magnitude of the event.
– Other key barrier systems that are considered are deluge/firewater and blowdown/pressure relief. Deluge can fill several functions, for cooling equipment, to limit extent of radiation and heat loads and to extinguish fires in the best case. Blowdown primarily removes hydrocarbons, thus reducing the feed to the release.
– A third type of nodes in the event tree that is often included is escalation of the initial event to other equipment or to other areas. Escalation to other equipment can also imply escalation to another process segment, potentially increasing the duration and magnitude of the event. “Prevention of escalation” is one of the MSFs that are considered in the analysis and distinguishing between situations where escalation to another area takes place or not therefore provides direct input to the calculation of frequency of loss of this MSF.

Other nodes may also be included in the event tree, but this gives an impression of the type of factors that are taken into account.

The second step in the modeling of event scenarios is to assign probabilities to the nodes in the event tree. The sources of information vary, depending on the type of nodes. The NORSOK standard (NORSOK, 2010) gives some guidance on how to determine the probabilities. For barrier systems (isolation, deluge, blowdown, etc.), it is recommended to use specifications, SIL (Safety integrity level) requirements, or actual experience data as far as possible. Explicit modeling of the reliability of the systems (using fault tree analysis) is not required.

The probabilities will not only take into account the technical reliability of the systems as such, but also other aspects that will influence the likelihood of successful function of the barrier systems:
– Functionality—to what degree the systems are able to fulfill the functions they are intended to fill. An example is the gas detection system which usually will not have 100% coverage and also will not be able to detect gas clouds unless they are of a certain size. This may imply that the system is unable to detect small leaks in certain areas. This needs to be taken into account when determining the probability of detection.
– Survivability—to what degree the systems are protected against the physical effects of the accidents that they are intended to function in.
An example of this may be the deluge system, which among others may have a cooling effect in fires. If the system is damaged by the fire itself, it will obviously not be able to fill this function and the probability of successful application of deluge is reduced. This also needs to be taken into account.
– Availability—this is the planned outage of the systems, e.g., fire detectors will typically be overridden in connection with hot work. At the same time, hot work is an activity that may lead to fire and thus where fire detectors are important. Other examples of planned outage may be during testing of systems. This is also a factor that reduces the probability of success of a barrier.

The last point, about overriding fire detectors, also brings us to another important point to mention. During hot work, a fire guard will normally be assigned to the work location, to compensate for the fact that the fire detectors are not functional. This will also be taken into account when determining the probability.

Ignition probabilities going into the event tree will usually be based on the following aspects:
– Gas dispersion modeling describing where the gas will be located when it is released. This is described in some more detail below.
– Location of ignition sources. Specific sources (such as hot surfaces) are identified and in addition it is assumed that there will be minor ignition sources (such as light fittings, electrical connections, and cables) randomly located in the area.
– The intensity of the ignition sources is then expressed through a probability of ignition, given that gas with flammable concentrations reaches the ignition source. A common ignition model has been developed and is being used for calculating ignition probabilities (DNV model).

Escalation is the third type of nodes commonly used in the event trees. The probabilities are here also based on the calculation of physical effects. Escalation due to explosion overpressure will be based on calculations of expected overpressures for the given release size and location (and also taking into account environmental conditions and ventilation conditions). This is then compared with the design criteria for the blast protection.

4.2.2 Discussion

The event tree nodes described earlier are not the only nodes that may be relevant to include.
NORSOK Z-013 does not specify which factors to take into account, but generally states that the nodes shall reflect important barriers and other factors that influence the outcome of the event. Importantly, it is not a requirement that all barriers and factors should be modeled explicitly although it is required that the most important ones should. Explicit modeling is advantageous since it is more straightforward to do sensitivity analysis on effects of changes in the performance of the barrier systems and influence of other factors. The main disadvantage is that the event trees will tend to become very large with a large number of nodes explicitly modeled. This should however not be an important argument with available computer tools although it may make the analysis more difficult to understand and interpret, unless the computer tools give good guidance.

It is notable that the probabilities in the event trees reflect the barrier function rather than just the technical barrier systems. Barrier functions are high-level definitions of the function of a barrier (e.g., “detect gas”) and this function may be achieved through a number of systems (e.g., the gas detection system, portable gas detectors, or by people). This distinction is reflected in the fact that we take into account detection of fires both automatically (through the detectors) and manually (by personnel that are present). The same also applies to gas detection and also isolation. Isolation can be triggered automatically (e.g., upon detection of gas or fire) or manually, either from the control room or from manual call points located around the platform. Clearly, this gives a more realistic reflection of the barrier performance compared to if we only look at the technical systems.

The technical reliability of the barrier systems is based on standards, requirements, etc. rather than explicit modeling of the reliability. This is common today, but if we look back at how QRAs were done before the turn of the century, it was common to apply fault tree analysis to model the reliability of the systems. There is no doubt that this gives a more detailed description of the reliability and in particular a better understanding of what the drivers are in the unreliability. High-reliability designs may thus not be properly reflected in the risk analysis. The arguments against doing more detailed modeling are however also relevant to mention:
– First of all, sensitivity analysis often shows that the results are fairly insensitive to changes in the input probabilities. A more detailed calculation of the probability will therefore often not have much impact on the end results.
– Second, since the probability of failure will be a combination of contributions from technical reliability, functionality, survivability, and availability, it is not necessarily the technical reliability that is the biggest contributor. Detailed modeling of one of four aspects is not necessarily very useful as long as the other three are not modeled in the same detail (which they usually are not).
– Third, the effort required to do detailed fault tree analysis is much higher than for the approach commonly applied today.
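The frequency build-up described in Sections 4.1 and 4.2, as an added Python example that is not part of the chapter or of NORSOK Z-013. Every number is constructed (the leak rates are not taken from the HSE database), and three things are assumptions made here: treating barrier success as the product of reliability, functionality, survivability and availability, the node order, and the conditional probabilities.

```python
SIZES = ("0.1-1", "1-5", "5-20", ">20")  # release categories in kg/s, as in the chapter

# Constructed leak frequencies per equipment item per year, one value per size
# category. Small-bore items get zero in the largest categories because such a
# release is not physically possible from them.
LEAK_RATES = {
    "instrument_connection": (4.0e-4, 5.0e-5, 0.0, 0.0),
    "flange_6in": (6.0e-5, 2.0e-5, 8.0e-6, 2.0e-6),
    "valve_6in": (1.5e-4, 4.0e-5, 1.5e-5, 5.0e-6),
    "process_vessel": (5.0e-4, 2.0e-4, 1.0e-4, 5.0e-5),
}

# Constructed equipment count for one ESDV-bounded segment (from P&IDs in practice).
SEGMENT = {"instrument_connection": 20, "flange_6in": 40,
           "valve_6in": 10, "process_vessel": 1}


def release_frequencies(equipment_count):
    """Total release frequency per size category for one segment (per year)."""
    totals = [0.0] * len(SIZES)
    for item, number in equipment_count.items():
        for i, rate in enumerate(LEAK_RATES[item]):
            totals[i] += number * rate
    return dict(zip(SIZES, totals))


def barrier_success(reliability, functionality, survivability, availability):
    """Assumed model: the four aspects act independently, so they multiply."""
    return reliability * functionality * survivability * availability


# Each node returns P(yes) given the branch taken so far (all values constructed).
def p_detection(path):
    # 90% functionality stands for incomplete detector coverage.
    return barrier_success(0.98, 0.90, 1.0, 1.0)


def p_isolation(path):
    # Automatic isolation follows detection; otherwise only manual isolation is left.
    return barrier_success(0.99, 1.0, 1.0, 1.0) if path["detection"] else 0.5


def p_ignition(path):
    # A release that is not isolated lasts longer and is more likely to ignite.
    return 0.02 if path["isolation"] else 0.06


NODES = (("detection", p_detection), ("isolation", p_isolation),
         ("ignition", p_ignition))


def event_tree(initiating_frequency, nodes=NODES):
    """Expand the tree; returns a list of (path dict, frequency per year)."""
    branches = [({}, initiating_frequency)]
    for name, p_yes in nodes:
        expanded = []
        for path, freq in branches:
            p = p_yes(path)
            expanded.append(({**path, name: True}, freq * p))
            expanded.append(({**path, name: False}, freq * (1.0 - p)))
        branches = expanded
    return branches


def frequency_where(branches, **conditions):
    """Sum the frequency of all end branches matching the given node outcomes."""
    return sum(freq for path, freq in branches
               if all(path[node] == value for node, value in conditions.items()))


if __name__ == "__main__":
    freqs = release_frequencies(SEGMENT)
    for size, freq in freqs.items():
        print(f"{size:>6} kg/s: {freq:.3e} per year")
    tree = event_tree(freqs[">20"])
    print("ignited:", frequency_where(tree, ignition=True))
    print("ignited, not isolated:",
          frequency_where(tree, ignition=True, isolation=False))
```

Changing one entry in `SEGMENT` or one factor passed to `barrier_success` and re-running is the kind of sensitivity check the discussion refers to.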

4.3 Calculation of Physical Effects of Releases

The next step in the analysis is to look at the physical effect of releases. This is usually the biggest part of the analysis in terms of effort and resources required. Calculation of physical effects comprises several aspects:
– Release calculations—this covers calculation of transient release rates and release durations.
– Dispersion calculations—dispersion of gas under the influence of physical and environmental parameters. This covers dispersion of flammable gas, but also toxic gas and smoke from fires.
– Explosion calculations—calculation of explosion overpressures, drag forces, etc., resulting from ignited gas clouds.
– Fire calculations—calculation of fire characteristics, including magnitudes, durations, heat radiation, temperatures, and smoke production.

Some comments are provided to these steps in the following.

The release calculations are based on the properties of the process segment where the release takes place. This includes fluid properties, volume, pressure, temperature, and other relevant factors. Calculations of transients are performed, as an input to dispersion calculations and also to determine the duration of the leak. According to NORSOK Z-013, the duration is the time until the release rate has diminished to 0.1 kg/s. This is regarded as a suitable cutoff leak rate, and in general, leaks below this level are considered negligible contributors to risk and are therefore not included in the risk calculations.

Dispersion, explosion, and fire calculations are normally performed using CFD (computational fluid dynamics) tools such as FLACS and KFX. This implies detailed modeling of the geometry of the installation first, to enable simulations with a realistic geometry to be performed. It is common practice to perform the calculations using a probabilistic procedure (NORSOK, 2010, Annex F). In practice this will require that a large number of simulations are performed, varying parameters such as:
– Leak location and leak direction. Leaks in various locations are simulated, representing leaks from different equipment. Further different directions
of the leak will also be simulated to take into account that leaks may occur in different places on the equipment. Leak from a flange will typically occur perpendicularly to the direction of the line the flange is mounted on, but can have any direction in the perpendicular plane (up, down, left, right). Gas dispersion can be strongly influenced by these factors and thus also explosion overpressures. Probabilities are assigned to different leak locations and leak directions.
– Wind direction and wind strength. This can strongly influence gas dispersion, gas cloud buildup, and dispersion of smoke in a fire. Probabilities of occurrence of different conditions can be assigned based on environmental data.
– Ignition point. This can have a significant impact on, among other things, explosion overpressures.

By repeating the explosion and fire simulations with varying values for these parameters, it is possible to establish a spectrum of resulting physical effects (expressed in terms of explosion overpressures, drag loads, heat loads, etc.) in varying locations around the installation.

If we use the explosion simulations as an example, we can then order the simulation results according to explosion overpressure, from highest to lowest. Since we have assigned probabilities to each individual simulation, we can order the probabilities accordingly and can establish cumulative frequencies for exceeding decreasing levels of overpressure. If we say that we want to design for overpressures that have a probability of occurrence of more than 10⁻⁴ per year, we can move down the list of decreasing overpressures, adding together the probabilities for all the scenarios until we reach the overpressure where the probability sum exceeds 10⁻⁴ per year. This overpressure becomes our design level. This is a simplified description, but in principle, this is how the probabilistic analysis is done.
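The ranking procedure just described, as an added Python example (not from the chapter or from NORSOK Z-013). The ignited-release frequency, the parameter probabilities and the overpressure table are constructed values standing in for CFD results, and all function names are chosen here.

```python
import math
from itertools import product

IGNITED_RELEASE_FREQ = 2.0e-3  # per year, constructed

# Constructed probabilities for the parameters varied between simulations.
LEAK_DIRECTION = {"up": 0.25, "down": 0.25, "side": 0.50}
WIND = {"low": 0.6, "high": 0.4}
IGNITION_POINT = {"near": 0.7, "far": 0.3}

# Constructed peak overpressure (bar) per simulated combination; in a real
# study each value would come from one explosion simulation.
OVERPRESSURE_BAR = {
    ("up", "low", "near"): 0.30, ("up", "low", "far"): 0.80,
    ("up", "high", "near"): 0.10, ("up", "high", "far"): 0.25,
    ("down", "low", "near"): 0.50, ("down", "low", "far"): 1.20,
    ("down", "high", "near"): 0.15, ("down", "high", "far"): 0.40,
    ("side", "low", "near"): 0.20, ("side", "low", "far"): 0.60,
    ("side", "high", "near"): 0.05, ("side", "high", "far"): 0.20,
}


def scenario_frequencies(total_freq=IGNITED_RELEASE_FREQ):
    """Return (overpressure, frequency per year) for every simulated scenario."""
    for dist in (LEAK_DIRECTION, WIND, IGNITION_POINT):
        if not math.isclose(sum(dist.values()), 1.0):
            raise ValueError("parameter probabilities must sum to 1")
    scenarios = []
    for (d, p_d), (w, p_w), (i, p_i) in product(
            LEAK_DIRECTION.items(), WIND.items(), IGNITION_POINT.items()):
        scenarios.append((OVERPRESSURE_BAR[(d, w, i)], total_freq * p_d * p_w * p_i))
    return scenarios


def exceedance_curve(scenarios):
    """Order results from highest to lowest overpressure and accumulate.

    Returns [(overpressure, frequency of reaching at least that overpressure)].
    Scenarios that give the same overpressure are merged into one point.
    """
    by_pressure = {}
    for pressure, freq in scenarios:
        by_pressure[pressure] = by_pressure.get(pressure, 0.0) + freq
    curve, running = [], 0.0
    for pressure in sorted(by_pressure, reverse=True):
        running += by_pressure[pressure]
        curve.append((pressure, running))
    return curve


def design_overpressure(curve, target_freq=1.0e-4):
    """First overpressure, moving down the list, where the sum exceeds the target.

    Returns None when the total frequency never exceeds the target, i.e. the
    simulated explosions are all rarer than the design frequency.
    """
    for pressure, cumulative in curve:
        if cumulative > target_freq:
            return pressure
    return None


if __name__ == "__main__":
    curve = exceedance_curve(scenario_frequencies())
    for pressure, cumulative in curve:
        print(f"{pressure:5.2f} bar  {cumulative:.2e} per year")
    print("design level at 1e-4 per year:", design_overpressure(curve), "bar")
```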
This use of the results is for design purposes, and this can give input to design of structures, protection of escape ways, and protection of accommodation safe area. In addition, this can also be used as input to fatality calculations, if we know the tolerance limits of personnel.

4.3.1 Discussion

If we look at how the different elements of the risk analysis are being done today compared to in the early days of QRA in the North Sea, there is no doubt that the development has been far greater in the area of calculation of physical effects than in the probabilistic modeling. In particular, the causal analysis is basically done in the same way as it was 20–30 years ago. In some
respects, e.g., in relation to determining the failure probabilities for barrier systems for use in the event trees, the analysis has actually been simplified. This may trigger some reflections on whether the level of detail in the way the analysis is done today is reasonable. If some aspects of the calculations are very uncertain, the end results will still be very uncertain even if we apply detailed models and put a lot of effort into other parts. If we are concerned about uncertainty in results from risk analysis, there is clearly a need to look more closely at where we can achieve the greatest benefits and where it may actually be possible to save time and resources without any significant increase in uncertainty. One aspect of the extensive use of CFD combined with probabilistic analysis is that the calculations may become a “black box” that requires deep expertise to verify that the results are reasonable and physically possible. This is clearly a risk and can of course lead to errors both in terms of overestimation and in terms of underestimation of the risk.

4.4 Calculation of Impact on Personnel and MSFs

The final step in the analysis of process accidents is to convert the results from the physical effect calculations into resulting impacts on personnel and MSFs. In practice, what is done is that we determine probabilities of fatalities and loss of MSFs, given varying physical effects such as overpressures and heat loads.

To be able to do this, we need information about the tolerance limits of people and the MSFs. Tolerance limits for people are normally based on the report “Human resistance against thermal effects, explosion effects, toxic effects, and obscuration of vision” (DNV Technica/Scandpower, 2001). This report gives guidance on exposure times to varying heat loads that will lead to 100% fatalities. Similarly, effects of explosion overpressures, fragments, etc. are also discussed. By comparing the tolerance limits with the calculated physical effects, probabilities of fatalities can be determined.

For the MSFs, the tolerance limits are determined in somewhat different ways, depending on the nature of the MSF. For several, it is the ability of structures and equipment to survive the physical effects that determine the tolerance limits. Prevention of escalation is related to escalation to other areas, and it will therefore be determined by the design of the area divisions (blast wall, fire walls) as the key factor. The same applies to the main structure. For safe area and emergency rooms, the functional requirements will be related to personnel being able to survive and behave rationally in these areas
for sufficiently long (until the platform has been evacuated). Requirements will thus typically specify that the areas should remain intact, free of gas and smoke and with acceptably low temperature for a specified period of time. The time is often taken as 60 min although the analysis will give input to determine this time. Loss of escape ways is directly related to whether personnel can use them for escaping or not. Heat loads and smoke (in particular obscuration of vision) will therefore be determining factors. The final consideration before being able to determine the probability of fatality is the location of personnel. As a basis for this, a personnel distribution is established. This is a prediction of the average manning that can be expected in different areas of the installation. Often, this is divided on day and night. There is a requirement that risk should be considered for the “most exposed group,” implying that the personnel need to be divided into several groups, usually according to their occupation (e.g., drilling crew, operations/maintenance personnel, and admin personnel). The average manning per group then needs to be established. The assumption is often that the personnel are randomly distributed in the area and that the fatality probability is determined based on that. With random distribution, the fatality probability will in practice be determined based on geometrical considerations, where the proportion of the relevant area that is exposed to fatal physical effects is determined and this is taken directly as the fatality probability. In some cases, other assumptions about personnel distribution are also used. In some cases, it is taken into account that human intervention in the process systems is a major cause of releases and it can thus be expected that one or a few people are close to where the release occurs, with the rest being randomly distributed. 
Another assumption that is sometimes applied is that there may be personnel who approach the area and the location of the release, to investigate the situation. This will increase the number of people exposed and thus the fatality risk.

4.4.1 Discussion

This part of the analysis is fairly straightforward, but some comments can be added to the discussion about assumptions for where personnel are located in release scenarios. The impression may be that the different assumptions applied will not make much difference since it is only a matter of one to two persons that are exposed to more risk or that are added to the number of people exposed. However, the number of people that on average are
present in a process area on an offshore installation is low. Depending on the size of the area and the complexity of the equipment, it is not uncommon that it is estimated that there are less than two to three persons per area (on average). If we then add one to two more, the percentage increase is large. Further, when we know that immediate fatalities, i.e., the fatality contribution associated with being directly exposed to the initial fire/explosion, normally are the largest contributors to total fatality risk, we can see that the results are quite sensitive to the assumptions that we make.

5. RESULTS PRESENTATION

5.1 Fatality Risk

The main focus of QRAs is risk to personnel, and specifically fatality risk. The fatality risk is calculated based on a number of components:
– Transportation fatalities—in most cases, this will be risk associated with helicopter transport. This is not directly related to the facility as such, but it is still a requirement to include this component of risk. This should also include risk associated with shuttling between installations if this is relevant.
– Immediate fatalities—this is the immediate effects of the accident, e.g., due to explosion overpressure or impacts. This is usually relevant only for those in the immediate vicinity of where the accident occurs.
– Escape fatalities—this is related to escape from the area of the installation where personnel are located when the accident occurs to the safe area (usually the accommodation). A key factor in the analysis here is whether the accidental effects may block escape ways, thereby trapping people. It is commonly assumed that if people are trapped and there are no evacuation means that they can reach, they will be killed.
– Evacuation and rescue fatalities—while escape was about getting to the safe area, evacuation and rescue are about the process of getting away from the installation and being picked up from the sea. Fatalities during this process, e.g., due to failures when launching lifeboats, will be included in this component.

This breakdown will of course give a better understanding of where the weak points in the design are and thus where improvements should be made. Further, the fatality risk should be presented per area (often a fatal accident rate (FAR) value is calculated based on 100% occupancy) and also divided on different groups of personnel. As mentioned earlier, there is a
requirement in the regulations that risk should be calculated for the most exposed groups and the crew is therefore split into smaller groups.

Experience is that the transportation risk and the immediate fatality risk are the two most important contributors to total fatality risk. Both of these are very much proportional to how many individuals are directly exposed to risk (either through transport or by working in areas where an accident may occur) and in reality we can only reduce these contributions significantly by reducing the number of people exposed or by reducing the probability of accidents.

Fatality risk can be expressed in different ways and it is common to use different measures of risk:
– Risk acceptance criteria for fatality risk are commonly expressed in terms of either FAR or individual risk per annum (IRPA). Both can be regarded as risk measures that express risk to individuals, although in different ways.
– Risk in an area can be expressed in different ways, based either on calculation of FAR or IRPA. In both cases, the assumption is that a person is exposed to the risk in the area 100% of the time. This is different from ordinary IRPA/FAR calculations, where the proportion of time that persons are present in an area is taken into account.
– Fatality risk is also commonly expressed as PLL values (Probable Loss of Life). This is a group risk measure, expressing the total risk for a group of people (in this case, all employees, contractors, and visitors at the installation). PLL is typically used to evaluate the effect of risk-reducing measures, by comparing PLL with and without the risk-reducing measure in place. It is not well suited to express acceptance criteria since it depends on the size of the group being considered, i.e., the size of the crew on the platform.

5.2 Main Safety Functions

A particular aspect of the Norwegian regulations is the introduction of the MSFs as a way of measuring risk exposure. The MSFs are a set of key functions that are essential for maintaining the safety of the personnel onboard and the installation as such. The MSFs are defined as follows (from the Facilities Regulations by PSA):
– Prevent escalation: preventing escalation of accident situations so that personnel outside the immediate accident area are not injured.
– Escape ways: at least one escape route from every area where personnel are found until evacuation to the facility’s safe areas and rescue of personnel have been completed.
– Safe area: protecting the facility’s safe areas so that they remain intact until the facility has been evacuated.
– Structural integrity: the capacity of main load-bearing structures until the facility has been evacuated.
– Emergency rooms: protecting rooms of significance to combatting accidents so that they remain operative until the facility has been evacuated.

It is possible to see the logic in how this contributes to protect people from being killed. Preventing escalation avoids a large number of people being killed by the immediate effects, by limiting the extent of the initial effects. Provided escape ways are available to a safe area, they can also get to a safe location and stay safe, as long as the structural integrity of the installation is intact. Finally, if emergency rooms are available, effective management of the incident can also take place.

From a designer's point of view, this is often an easier way to ensure a safe design than by using measures of fatalities directly. Requirements to “Prevent escalation” can be turned into requirements for passive fire protection, blast protection, requirements for deluge, etc. Requirements to provide “Escape ways” will be converted into requirements to the layout of the installation and to protection of the escape ways against fire and blast loads.

In the QRA, the MSFs are evaluated by calculating the annual frequency of loss of the MSFs. For a given type of accidents, e.g., fires, the total annual frequency is calculated (considering all fires that can make the escape ways unusable) per area. It is thus the frequency of not being able to escape per area and per accident type which is calculated. Similar calculations are done for all the MSFs. NORSOK Z-013 (NORSOK, 2010) contains a separate annex B that elaborates on the interpretation and calculation of loss of the main safety functions.

The general requirements for QRA also contain requirements for sensitivity analysis and establishment of input to design accidental loads. Examples of parameters that should be considered in sensitivity analysis are manning and personnel distribution, leak frequencies, ignition probabilities, performance of barrier functions, and activity levels.

5.3 QRA Summaries

A recurring issue related to the QRA has been that the studies were not used very much to support decision making in operations. Decisions in operations are typically related to what activities can take place safely, the need for maintenance, whether operation can continue even if some equipment has failed, etc.

To improve the situation, efforts have been made to extract relevant results from QRAs and present these in a simplified manner. The underlying assumption has been that the reports were too technical and made for QRA experts rather than for operational staff on offshore installations and that it was too difficult to extract relevant information from all the models and data presented. To a certain extent, this is correct, but it is also clear that the models applied in QRAs are not necessarily designed to provide decision support for operations. This has made it quite difficult to extract results that can be truly useful for decision making in an operational context. The result of this has therefore also been that the QRA summaries have been used to some extent, but not nearly as much as the operators would have liked to do.

6. RELEASES FROM PIPELINES AND RISERS

There are many similarities between the way that the analysis of process releases and riser and pipeline releases are performed and only a short summary of the main differences is therefore provided.

6.1 Causal Analysis/Initiating Event Analysis

For process releases, the plant was divided into segments according to where the ESDVs are located and several leak sizes were defined for each segment. Risers/pipelines are usually defined to end at the last ESDV before the process plant, i.e., where the process plant starts and releases are classified as process releases. This means that there are usually no further isolation means on the riser/pipeline and it is meaningless to divide it into segments as we do for the process plant. Instead, different release points are often defined according to how the riser is routed:
– Release on platform, “outside” riser ESDV (if relevant)
– Release in air, below the platform
– Release in splash zone
– Release below splash zone
– Release on seabed, inside 500 m safety zone

The subdivision may be different, but its main purpose is to reflect where the hydrocarbons are released, since this will affect the physical effects. Releases below the platform will primarily give fires on sea and releases below the sea surface will have lower release rates and also be more diluted before they reach the surface, reducing the probability of ignition. Releases that occur outside the safety zone are normally considered to be too far away to impact the platform, although there clearly may be implications for the environment.

Different leak sizes are also used for risers and pipelines, in much the same way as for process releases. The basis for determining leak frequencies is historical data from offshore pipelines. One recommended source from NORSOK Z-013 is the Parloc reports (Energy Institute, 2015). No detailed causal analysis is usually performed, although if the risers are particularly exposed (or particularly well protected), specific analysis of some causes, e.g., impact, may be performed.

6.2 Modeling and Analysis of Event Scenarios

Event trees are applied also for riser releases, but these are usually much simpler than the event trees for process releases. There are few barrier systems in place to modify the effects of riser/pipeline releases and therefore fewer nodes are required in the model. Ignition is obviously still a relevant factor, but the ignition probabilities will normally be much smaller.

6.3 Calculation of Physical Effects of Releases

This step is similar to that for process releases, with the additional element of fire on sea. This may also occur for process releases, although normally the quantities spilled to sea will not be large enough to cause significant fires on the sea surface.

6.4 Calculation of Impact on Personnel and MSFs

The principles are again very much the same as for process releases. The main concerns are usually heat that may endanger the structure of the installation and smoke/heat that may impact on escape ways and in particular evacuation means.

7. BLOWOUT

Blowout, or uncontrolled release of hydrocarbons from the reservoir, is another large contributor to risk on installations where this is relevant. Not all installations have platform wells; some import produced hydrocarbons through flow lines (which is covered under riser and pipeline releases) from subsea manifolds or from dedicated drilling/wellhead platforms. The following discussion will be mainly relevant for platforms that have wellheads on the platform, although elements are relevant also for installations where the wellheads are located on the seabed below the platform. The overall principles of modeling are similar to process releases and only the key differences are therefore pointed out in the description.

7.1 Causal Analysis/Initiating Event Analysis

7.1.1 Analysis Method

Specific initiating events for blowout are defined first based on the well operations taking place. Exactly how this is done may vary, but some typical examples are:
– Producing wells: This is the normal situation, where no intervention is taking place and the well is in a steady-state production.
– Well intervention: A large variety of well interventions may take place, from very simple operations leaving all barriers intact, to operations where the whole configuration of the well barriers has to be changed.
– Well construction: This can be regarded as another type of well intervention, but often this is also considered part of drilling.
– Well drilling: Drilling of wells is considered separately. It is also common to distinguish between drilling of exploration wells and drilling of production wells. The reason for this is that when production wells are being drilled, the geology and thus the pressure in the reservoir are usually much better known compared to when drilling exploration wells. This also affects the probability of a blowout during the operation. A specific consideration during drilling is the possibility that shallow gas blowouts may occur. This may occur if there are (usually small) pockets of gas above the main reservoir where the well is planned for.

In addition to type of operation, it is also common to distinguish between different types of well, i.e., whether it is an oil or gas producing well, whether it is a gas injection well, or whether it is a well for injecting water, CO2, or other nonflammable materials. This is primarily relevant for the consequences should a blowout occur.

Further, the location of the release is also considered. The exact subdivision will depend on the layout of the platform and the wells. To illustrate, typical scenarios may be subsea blowout (outside tubing or casing), blowout from wellhead, and blowout on drill floor.

Finally, it is also common to define scenarios depending on the release size. A distinction is then made between well releases and blowouts. A well release is defined as a release where the barriers are shut in within a short time, effectively isolating the reservoir and thereby limiting the duration of the release. A blowout is a situation where all barriers have failed and the release is being continuously fed from the reservoir.

For all these scenarios, occurrence frequencies are based on historical data (SINTEF, 2018). Generic frequencies are available to support determination of frequencies per well or per operation. Platform-specific frequencies are calculated by multiplying with the number of producing wells, number of planned well operations, etc.

7.1.2 Discussion

It may be noted that it is not common to perform causal analysis in this case either (as for process releases). More detailed tools are available (Arild, Ford, Loberg, & Baringbing, 2009), but these are not commonly used in QRAs, but rather for planning of specific wells. This implies that the detailed design of the wells, specific aspects of the reservoir, etc. are normally not reflected in the QRA. There are thus also limits on what recommendations related to blowout risk can come out of a QRA. In practice, the only changes that will affect the risk are the number of wells/number of operations and the measures that are introduced to reduce the consequences of blowouts (in practice this will mainly be passive fire protection and fire/blast walls to separate drilling/well areas from the rest of the installation).

7.2 Modeling and Analysis of Event Scenarios

Event trees are used also for modeling of blowouts. The event trees are fairly simple compared to those that are used for process releases. Factors that typically are taken into account are whether ignition occurs or not and whether the release flows to sea, causing a fire on sea in addition to on the platform. In addition, escalation to other areas may also be relevant to include.

The reason for the simpler structure of the event trees for blowout is that there are fewer technical systems that influence the development of the scenario after the blowout has occurred. Isolation, detection, fire water, and pressure relief will not really influence the development of this scenario to any significant extent. Isolation is not possible if a blowout has occurred, automatic detection is of limited relevance since the release will be manually detected in any case, pressure relief is not relevant, and firewater will have limited or no effect on a blowout due to the size of the release.

7.3 Calculation of Physical Effects of Releases

Calculation of physical effects of releases and calculation of impact on personnel and MSFs are for all practical purposes performed in the same way as for process releases. Similar methods and tools are being used and the same types of results are calculated. The only exception is the release size and the duration of the release. The release size is determined based on reservoir characteristics (pressure, well flow rate, well geometry), and for a blowout, the duration will be defined as at least as long as it takes to evacuate the platform.

7.4 Calculation of Impact on Personnel and MSFs

Calculation of physical effects of releases and calculation of impact on personnel and MSFs are performed very much in the same way as for process releases.

8. SHIP COLLISION

A third large contributor to risk in many cases, together with process releases and blowout, is ship collision. This is normally grouped into one category, although it covers a set of scenarios that are very different with respect to how the probability of the events is modeled. The discussion will be structured as follows:
– Definition of initiating events
– Calculation of collision frequencies
– Modeling of consequences

8.1 Causal Analysis/Initiating Event Analysis

Many users of the sea may come close to an offshore installation and thus represent a risk of collision. The different groups of vessels behave differently and have different motivations for getting close and this is reflected in the modeling. The following are the main groups of vessel that may be covered by a QRA:
– Visiting offshore supply vessels (OSVs)—split on voyage from shore/previous location, approach, loading/unloading, and departure
– Other visiting vessels (diving support, work vessels, anchor handlers, etc.)
– Flotels, drilling rigs located in field, other permanently located moored vessels (Floating Storage Units)
– Shuttle tankers (most common for Floating Production and Storage vessels)
– Passing merchant vessels
– Others

Historically, it is not surprising that vessels operating close to the offshore installations have caused the largest number of collisions. The large majority of these collisions are however minor impacts, often causing no or very little damage to both the offshore installation and the ship. Typically, this is the case for OSVs, which have to come in close during loading/offloading. In particular in rough weather conditions, minor impacts may occur.

In the following, we will elaborate on the following types of collisions:
– OSVs
– Shuttle tankers during loading
– Passing merchant vessels

The operation modes the vessels are in are quite different, requiring different models to calculate the collision probability. For OSVs and shuttle tankers, the analysis is often to a large degree based on historical data, with limited modeling and analysis. The discussion below is therefore primarily qualitative. For merchant vessels, more comprehensive analysis is normally done and this is explained in some detail.

8.2 Offshore Supply Vessels

The operation of OSVs and relevant hazards can be described as follows, from leaving port and until they leave the platform to return to port or to go to another installation:
– First is the transit phase, when they go from port toward their destination. The relevant risk in this period arises when they approach the platform. There have been cases when the OSV has hit the platform because the crew of the OSV has not slowed down and changed course in time. This is a situation quite comparable to the passing merchant vessels scenario, and the modeling of the event is done in a similar manner.
– Entering the safety zone around the platform and approaching the platform to take up position for loading/offloading. This requires careful maneuvering, and especially in situations with current, wind, and waves (often acting in different directions), collisions may occur. Typically, these will however be low-speed impacts.
– Collisions during loading/offloading, when the OSV is located close to the platform. It is common that the vessels are on DP (Dynamic Positioning) during this operation and several collisions have occurred because the DP system gets “confused,” either because it loses or gets the wrong position information, because of unexpected/quickly changing loads on the ship (due to gusts or waves) causing the DP system to overcompensate, or because it comes outside the specified range and uses too much power to move back to the right position. Again, the speed will usually be low and the impact energy limited. Damage to installations has however occurred because of this, although no cases of severe damage leading to loss of installations are known.
– Collisions may potentially also occur when loading is completed and the vessel is due to leave the position close to the installation, although this is far less likely.

8.3 Shuttle Tankers During Loading

An operation of a similar nature as OSV operations is loading of shuttle tankers. In the North Sea, tandem loading with the shuttle tanker moored with the bow toward the aft of the FPSO is the most common solution. Several accidents have occurred during this type of operation, also in recent years. In the period 2000–15, there were a total of nine incidents involving drive-off and collisions on the Norwegian continental shelf (Dong, Rokseth, Vinnem, & Utne, 2016). Five of these occurred during tandem loading, and of these, two resulted in collision. In all the cases, the shuttle tanker was on DP.

During tandem loading, the distance between the FPSO and the shuttle tanker is typically 80–150 m. In some cases, the two ships are connected with a hawser, in addition to the loading hose. Accidents can occur (and have occurred) during all phases of the operation:
– During connection
– During loading
– During disconnection/departure

During loading, one may experience the same problems as mentioned earlier for OSVs, namely that the DP system ends up overreacting to deviations or errors in position information. The time for operators to react to this is very small, and even if the distance between the two ships is relatively small, the shuttle tanker will still have time to build up sufficient speed to potentially cause extensive damage to the FPSO.

8.4 Passing Merchant Vessels

Passing merchant vessels have been of concern to the offshore industry for a long time, mainly because the impact energy of large vessels will be so large that it can have catastrophic consequences if the installation is hit (Haugen, 1998). The main issue is that the cause of collision normally will be that the ship is unaware of the installation and therefore can hit the installation at service speed. The analysis of the probability of collision is performed in the following steps:

1. The ship traffic in the area around the installation is described. An underlying assumption is normally that the merchant ship traffic follows fairly well-defined routes between ports (as defined by the shortest route taking into account any obstructions). This has been confirmed by observations of traffic. The basis for identification of traffic is today normally AIS data, which gives comprehensive information about the number of vessels, types of vessels, size, speed, etc. Based on this, ship traffic lanes are established, characterized by a mean distance from the platform, a course, and a standard deviation describing the variance in the exact route followed by the ships in the lane. Further, the standard assumption is that the traffic is normally distributed.

2. Based on the statistical description of the traffic lane, the probability of a ship traveling in this lane being on course toward the platform is calculated. This is often termed the geometrical collision probability. By multiplying this with the number of ships traveling the lane (normally split on vessel size), the annual geometrical frequency of collision between a ship and the platform can be calculated. A particular issue related to this factor is the use of autopilot. Some years back, it was common practice for supply vessels traveling from shore to an installation to set their target exactly on the installation. This meant that the geometrical collision probability would be very close to 1, because the autopilot would ensure that the ship was on a collision course. After an accident occurred, where the autopilot was not turned off in time and the supply vessel collided with the platform, procedures were changed and it became mandatory to set the course 1 nm to the side of the installation.

3. The geometrical probability is calculated on the basis that no actions to avoid collision are taken by the ship. In most cases, the ship will of course change its course and travel to the side of the platform, typically with a minimum distance of 1–2 nautical miles (nm). This is in some models called Probability of Ship-Initiated Recovery. Different models take into account different factors, but this probability is typically influenced by the size of the ship, the flag of the ship, and the vessel type.

4. Even if the ship fails to take action because the bridge crew has fallen asleep or is occupied with other tasks, there may still be a possibility that the platform (or other external parties) may be successful in warning the ship and thus initiating actions to be taken. This is called Probability of Platform-Initiated Recovery. The most common way of doing this is to contact the vessel by radio. It may be noted that most of the platforms on the Norwegian continental shelf now are under surveillance from shore-based facilities that have as their primary task to detect ships that are on collision course and contact them by radio to verify that they are aware of the situation and that they are planning to change their course.

Since the collision probability is dependent on the ship traffic in the area, very large variations in the risk can be seen from one installation to another. The results from these studies will influence operations if the risk is high. Additional operational measures to reduce risk may be implemented in some cases, the design loads for installations may also be increased, and there have also been cases where the location of an installation (in particular drilling rigs) has been moved to reduce risk.

8.5 Consequence Analysis

The consequence analysis is based on a simple comparison of the kinetic energy of the ship (including added mass) and the design criteria of the installation. It has been common practice to design for supply vessel collisions, with 11/14 MJ as the collapse criterion. Ships with higher impact energy than this are commonly assumed to cause collapse of the platform, although experience is that most installations can tolerate significantly higher impact energies than this without global collapse. Examples are concrete platforms and also FPSOs. The calculations are therefore in many cases very conservative.

The fatality risk is calculated based on the collapse probability. Simplified analysis is usually applied, assuming that 50% of the crew onboard will be killed if collapse occurs.

In addition to collapse of the platform, there may also be cases where risers are exposed to impacts and these will typically tolerate far smaller impact energies than the main structure. In such cases, the design loads of the risers will be applied as a limit criterion and the ensuing release from the risers will be considered in the same way as other riser releases, although often with a higher ignition probability because the impact itself may generate sparks which can ignite the release.
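The four-step frequency calculation of Section 8.4 and the energy comparison of Section 8.5, worked through in Python as an added example (not code from the chapter or from NORSOK). The lane data, the 120 m collision width, the recovery-failure probabilities and the added-mass coefficient are constructed assumptions; only the normal-distribution lane model, the two recovery factors and the 14 MJ figure come from the text.

```python
from dataclasses import dataclass
from math import erfc, sqrt

NM_IN_M = 1852.0              # one nautical mile in metres
COLLAPSE_CRITERION_MJ = 14.0  # upper value of the chapter's "11/14 MJ" criterion
ADDED_MASS = 0.1              # assumption: added mass as a fraction of displacement


@dataclass(frozen=True)
class VesselClass:
    name: str
    ships_per_year: float             # passages in the lane (from AIS in practice)
    displacement_t: float             # tonnes
    speed_ms: float                   # service speed in m/s
    p_ship_recovery_fails: float      # 1 - P(ship-initiated recovery)
    p_platform_recovery_fails: float  # 1 - P(platform-initiated recovery)


@dataclass(frozen=True)
class Lane:
    name: str
    mean_distance_m: float  # lane centreline to platform, measured across the lane
    sigma_m: float          # standard deviation of lateral position
    classes: tuple          # VesselClass entries, split on vessel size


def geometric_probability(mean_distance_m, sigma_m, collision_width_m):
    """Step 2: probability that a ship's lateral position lies within half the
    collision width of the platform, for normally distributed traffic."""
    if sigma_m <= 0 or collision_width_m <= 0:
        raise ValueError("sigma and collision width must be positive")
    d = abs(mean_distance_m)   # the normal density is symmetric about the lane
    half = collision_width_m / 2.0
    s = sigma_m * sqrt(2.0)

    def lower_tail(x):         # P(X <= x) for X ~ N(d, sigma); erfc keeps
        return 0.5 * erfc((d - x) / s)  # precision far out in the tail

    return lower_tail(half) - lower_tail(-half)


def impact_energy_mj(vessel, added_mass=ADDED_MASS):
    """Section 8.5: kinetic energy including added mass, in MJ."""
    mass_kg = vessel.displacement_t * 1000.0 * (1.0 + added_mass)
    return 0.5 * mass_kg * vessel.speed_ms ** 2 / 1e6


def lane_frequencies(lane, collision_width_m):
    """Steps 2-4 plus the collapse screen, as annual frequencies for one lane."""
    p_geo = geometric_probability(lane.mean_distance_m, lane.sigma_m,
                                  collision_width_m)
    out = {"p_geometric": p_geo, "geometric": 0.0,
           "collision": 0.0, "collapse": 0.0}
    for v in lane.classes:
        for p in (v.p_ship_recovery_fails, v.p_platform_recovery_fails):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{v.name}: probability outside [0, 1]")
        f_geo = v.ships_per_year * p_geo          # no avoiding action taken
        f_col = f_geo * v.p_ship_recovery_fails * v.p_platform_recovery_fails
        out["geometric"] += f_geo
        out["collision"] += f_col
        if impact_energy_mj(v) > COLLAPSE_CRITERION_MJ:
            out["collapse"] += f_col              # energy above the criterion
    return out


# Constructed sample lane: centreline 3 nm from the platform, sigma 1.5 nm.
SAMPLE_LANE = Lane(
    name="constructed lane",
    mean_distance_m=3.0 * NM_IN_M,
    sigma_m=1.5 * NM_IN_M,
    classes=(
        VesselClass("cargo, 20 000 t", 800, 20_000, 7.0, 0.02, 0.10),
        VesselClass("fishing, 400 t", 300, 400, 5.0, 0.05, 0.20),
    ),
)
COLLISION_WIDTH_M = 120.0  # assumption: platform width plus ship beam

if __name__ == "__main__":
    for key, value in lane_frequencies(SAMPLE_LANE, COLLISION_WIDTH_M).items():
        print(f"{key:>12}: {value:.3e}")
    # Autopilot case from step 2: target on the installation vs. 1 nm to the
    # side, with a constructed 20 m track-keeping standard deviation.
    print("on target :", geometric_probability(0.0, 20.0, COLLISION_WIDTH_M))
    print("1 nm aside:", geometric_probability(NM_IN_M, 20.0, COLLISION_WIDTH_M))
```

The autopilot comparison at the end shows why the procedural change in step 2 matters: with the waypoint on the installation the geometrical probability is close to 1, and with a 1 nm offset it is effectively zero for the same track-keeping spread.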

9. OTHER HAZARDS

The previous sections describe the analysis process for some of the most important accident types for offshore installations. A number of other accident types are also considered and in the following some brief comments are given on some of these.

9.1 Dropped Objects

Dropped objects are an important contributor to risk and separate dropped object studies are normally performed, considering detailed lifting patterns, laydown areas and types, size and mass of objects that typically are lifted. The purpose of these studies is usually to provide input to design of dropped object protection and dimensioning of structures and equipment against impact. The purpose is thus to achieve a specified safety level through design rather than to calculate a risk level.

Because of this, dropped objects are often treated in a simplified manner in QRAs. The two main effects that may cause fatalities are if equipment/structures are hit or if people are hit directly. It is commonly assumed that dropped objects only can lead to local damage of equipment or structures, not major collapse. There are some exceptions from this, notably for floating installations where dropped objects may fall into the sea and penetrate buoyancy tanks. In general, damage to structures is however not considered critical and will therefore not contribute to major accident risk as calculated in the QRA.

Damage to equipment may cause release of hydrocarbons and this may in turn lead to a major accident if the release is large and ignition takes place. It is however common to assume that no lifting will take place over (unprotected) hydrocarbon containing equipment. The risk related to this is therefore negligible. Further, since historical data are used for process leaks, these are also considered to contain leaks due to impact. It is therefore often assumed that a contribution from dropped objects already is included implicitly in the data that we are using and that it should not be calculated separately and added on top. These are simplifications that do not take into account local variations in lifting activity, equipment, and equipment protection.

The second contributor to fatality risk, that people are hit directly, is often also assumed to be included in the historical data that we are using. Occupational accidents are included in the risk picture calculated in QRAs (see later), and this is normally based on historical data (fatality risk per worked hour or similar measures). The historical data will also typically include fatalities due to dropped objects and the contribution is therefore considered to be included without separate analysis of the probability of people being hit. Again, this is a simplification since no local specifics are taken into account, except for the number of exposure hours.

9.2 Structural Failure Due to Extreme Environmental Loads or Design Errors

Structural failure leading to collapse of offshore installations is also a significant contributor to risk. The best known example from the Norwegian offshore industry is the Alexander L. Kielland capsizing (NOU, 1981), which was caused by fatigue of a weld, leading to breakage of a key structural element followed by loss of a leg.

The Norwegian regulations have for a long time specified probabilistic criteria for design against accidental loads. These criteria specify that structures should be able to survive accidental loads with an annual frequency higher than $10^{-4}$ per year. Based on this, it has been argued that the probability of complete loss of an installation due to structural failure, whether it is due to loads in excess of what the structure is designed for or due to strength lower than the regulations require, should be less than $10^{-4}$ per year. It has therefore been quite common to include a contribution of $10^{-4}$ per year to account for this type of accident. Sometimes, it is also argued that since $10^{-4}$ is the upper limit, the actual frequency of collapse is likely to be lower than this. A lower value is therefore sometimes also used, although the basis for choosing this is somewhat arbitrary.

The fatality risk is also calculated in a very crude manner. No detailed analysis is usually performed, but it may be assumed that on average 50% of the personnel on the installation will be killed if a structural collapse occurs.

This is clearly an extremely simplified approach, but it can be argued that with probabilistic design criteria, the risk associated with this type of accident is being controlled through the design process and a separate risk analysis will not really add much to this process. On the other hand, since one of the purposes of the analysis also is to verify whether the total risk level is acceptable or not, it may be argued that this very simplified approach exaggerates the risk level. In practice, these results from the risk analysis are not used for decision making in any case.

9.3 Helicopter Accidents

According to NORSOK (NORSOK, 2010), transport to and from the installation should also be included in the risk picture for an offshore installation and is thus quantified in the QRA. Two scenarios are usually considered:
– Accidents during take-off/landing. This includes accidents that may happen both at the installation and at the onshore base.
– Accidents during flight.

The basis for the quantification is historical data for helicopter accidents. HSE (2004) have collected data for UK operations and these also form the basis for risk analyses performed in Norway. In addition, several studies of helicopter safety have been performed in Norway (SINTEF, 2010). The models take into account the following:
– The number of take-offs/landings and the number of flight hours.
– The probability that a person in a helicopter that experiences an accident will be killed. This is also split on accidents during take-off/landing and during flight.
– The average number of persons in the helicopter.

By combining this with helicopter accident frequency data, FAR and PLL can be calculated. It is noted that local variations in weather conditions, approach to the platform, and availability of resources to rescue personnel are not taken into account in the analysis.

In practice, the results from the analysis of helicopter accidents will also have a very limited impact on design and operations. In practice, there is very little that can be done to change the number of take-offs and landings or the flight hours (location of helicopter bases is often also influenced by political decisions rather than safety aspects). There may be certain procedural measures and emergency response measures that can be taken, although this is usually not informed by the risk analysis. The analysis is in any case too coarse to be able to reflect the effect of this type of measure.

9.4 Occupational Accidents

A final element of fatality risk that is also included in the QRA is occupational accidents or personal accidents. The QRA is primarily aimed at quantifying major accident risk, and as such, this is outside the scope of the analysis. However, it is still common practice (and a requirement in the standard) that this contribution also should be included.

Similar to several of the accident types mentioned earlier, this is however done in a very simplified manner and acts more to ensure that a contribution from this type of accident also is included rather than aiming to reflect a detailed or very specific risk picture.

Historical data for occupational accidents per worked hour are used as a basis for the calculation. Frequently, this is split on different personnel groups, such as operator/maintenance personnel, drilling personnel, and catering/admin personnel. Different groups have different historical accident rates. Historical data for offshore personnel are being collected by PSA (PSA, 2017a).

The historical data are then combined with the number of hours worked per year for each group and a total PLL contribution is calculated. Similarly, FAR values can also be calculated for the different groups or for the installation crew as a whole. In effect, no local factors related to the installation are taken into account except the number of people in each group of personnel. The results therefore have no practical implications for risk management.

10. COMPARISON OF QRA RESULTS AGAINST ACTUAL RISK LEVEL

A detailed comparison of results from QRAs against the actual risk level is an extensive task and requires access to all QRAs performed for offshore installations on the Norwegian continental shelf. This is not feasible, among other reasons because the studies are not publicly available. However, some simple comparisons based on experience may be possible. This has been done for two cases, complete loss of installation and fatality risk.

For the Norwegian offshore activity, there has been only one case where a complete loss of an installation has occurred, with a significant number of fatalities. This was the Alexander L. Kielland accident which occurred in 1980. There have been other significant cases also, including a ship collision where the platform was so extensively damaged that it later had to be removed. However, it did not collapse as a result of the accident. Accidental collapse is therefore considered to have occurred only once. Alexander L. Kielland was a floating accommodation platform, not a production/drilling installation, but is still relevant to include.

If we look at the total period of offshore drilling and production in Norway, this started in 1966 and has continued since then. Calculating the average number of installations operating in the North Sea during this period requires extensive data collection, but as a coarse estimate, we can use 100 installations on average over this 52-year period. Roughly, we can say that this corresponds to 5000 installation years. The average probability of global collapse thus can be calculated as 1 in 5000, i.e., $2 \times 10^{-4}$ per year. This is of course an extremely simple calculation, but still is an indication that the number typically used in QRAs, $1 \times 10^{-4}$ per year, is not very far off the mark compared to what we have experienced so far.

Comparing fatality risk is also possible. According to the PSA (PSA, 2017a), the number of fatalities in the Norwegian oil and gas activity has been 283 over the period 1967–2016. The average number of fatalities per year is thus about 5.5. The calculated fatality risk in QRAs will vary a lot, depending among other things on the manning levels, but as a very coarse average estimate, the calculated PLL will be of the order 0.1–0.5 fatalities per year per installation. If we assume 100 installations operating in any given year, this gives an estimate of between 10 and 50 fatalities per year, i.e., between a factor of 2 and a factor of 9 higher than the experienced risk level. It should also be mentioned that the observed number of fatalities has declined steadily over the period.

The fatality calculations indicate that the calculated risk is higher than what experience indicates. When considering that the risk level is decreasing and that the risk estimates are based on historical data, this should not come as a surprise. Another factor is also that the QRAs usually apply conservative assumptions, in the sense that there is a tendency to choose models and data that tend to overestimate the risk rather than use expected values. This will also give higher risk estimates.

The implication of overestimating the risk may be that more resources are spent on reducing risk than actually expected by society or required. On the other hand, the performance of QRAs has been standardized to the extent that the results from QRAs from different installations are comparable on a relative scale. It may therefore be argued that the practice that has been developed with regard to protection levels corresponds to the risk level that we consider to be acceptable, regardless of what the numbers say or what the “correct” risk level is.

11. USE OF QRA FOR DECISION MAKING

The QRA practice that has developed over the last 30–40 years and that is reflected in the NORSOK standard has been driven by the needs of design projects. The first requirements for performing QRA were related to design of installations and the development that has taken place since then has continued to build on this foundation. This raises some issues related to the basic principles and assumptions that underpin the methodology that is being used. In particular, this is relevant when the use of QRA has moved from supporting design-related decisions to supporting operational decisions.

Risk analysis is primarily a tool for supporting decisions about risk. Choosing the right tool obviously therefore requires a good understanding of the decision that we are going to support. The question may then be asked whether design decisions and operational decisions are similar in nature or whether they require different information to inform the decisions.

To develop a better understanding of the problem, we need to look at the types of decisions that may be relevant to support. Yang and Haugen (2015) have proposed a structure for decisions that may be useful to consider. First, decisions are grouped into planning decisions and execution decisions. The main difference between these two groups is the time available for making the decision. For planning decisions, there will be time for a systematic identification and evaluation of alternatives. This is the type of decision where traditional risk analysis may play a role. Execution decisions are decisions that are much quicker and which are taken based on preplanning and/or experience and pattern matching. For this purpose, it is the planning decisions that are the most interesting, and these are further subdivided into strategic decisions and operational decisions. Examples of decisions are execution of an intervention and reacting upon deviations.

Planning decisions are further divided into two categories: strategic decisions and operational decisions. Long planning horizon (with time to consider risks and benefits of choices carefully), low decision frequency, and long-term effects characterize strategic decisions. The disadvantage is that few details often are available, limiting the available information or making it uncertain. Blunt-end decision makers make these decisions. Examples are approval of major projects, choosing from alternative designs/technology, and deciding on maintenance strategy before operation starts.

Operational decisions are related to actions that will be taken and implemented within a shorter period. The planning period is relatively short, but long enough to carry out formal risk assessments. Middle-level decision makers, such as operational managers, typically make these decisions. Approval of medium-term operational plans for a 1- to 3-month period, approval for initiating projects, and approval of shorter term operational plans (1–2 weeks) are examples of operational decisions which require risk assessment to understand both short-term and long-term effects on risk. Another type of operational decision is made on a daily basis, such as approving work permits and daily plans.

In many of the decisions, different personnel groups will provide important input to the decision process and may in fact also be directly involved in the decision. In operational decisions where technical issues are involved (as is very often the case), engineering support personnel will provide input. Often, sharp-end personnel from operations will also be involved. The total picture of how decisions are made is therefore more complex than indicated by the figure.

Planning decisions are a typical arena for rational choice decision making, with bounded rationality. For the decision situations we are considering, risk is an important dimension of the decision in rational decision making (Rausand, 2013). The results from risk assessment are used as direct or indirect input to decisions. Risk acts as one of the decision rules (through use of the ALARP principle and societal risk criteria) to assist in evaluating alternatives. On the other hand, formal risk assessment may also be translated into rule compliance for decision makers. This can range from safety-related regulations to rules that are expected to be followed by sharp-end workers (Hopkins, 2011).

Execution decisions are made by sharp-end personnel with minimal or no planning, typically during the implementation/execution of different work activities. These may well have been planned in advance, but not necessarily in all detail and not necessarily to cover all situations which may arise during performance of the work. This is an arena where decision making best can be described by naturalistic decision-making theory. Sharp-end operators need to make rapid decisions. It is common to use their mental model to simulate and imagine what might happen next, to look for the first workable option, instead of the best option (Klein, 2011). In naturalistic decision making, risk assessment is normally invisible during the decision-making process and an informal assessment process is concealed in the mental models and the experience of professionals (Hopkins, 2011).

Depending on the degree of urgency of the situation that the sharp-end personnel are facing, we divide execution decisions into instantaneous decisions and emergency decisions. Instantaneous decisions are taken spontaneously by sharp-end operators, e.g., to follow or deviate from procedures, or to ignore or react upon deviations in normal working conditions. The decision making emphasizes situation assessment and pattern matching, and “when action is the central focus, interpretation, not choice, is the core phenomenon” (Weick, Sutcliffe, & Obstfeld, 2005). Decisions are typically taken quickly, although not necessarily because there is a need to do so. Emergency decisions are the decisions taken in emergencies to avoid or adapt to hazardous situations. The time dynamics are often so fast that pattern matching may not catch the development of the situation.

The risk that we consider when we are making planning decisions will not be the same as the risk we consider for execution decisions. Different characteristics of strategic decisions and operational decisions result in different risk expressions that are required as input to make a rational choice. Furthermore, the risk information that is required by sharp-end personnel under different levels of urgency to make execution decisions also varies. Different decisions are made by different people and require different information to make the decisions (Yang & Haugen, 2016). This also indicates that different analyses may be required (Vatn & Haugen, 2013).

12. FUTURE DEVELOPMENTS

QRAs have been quite widely criticized in recent years, in particular after the drop in the oil price in 2014. The criticism has been mainly related to the cost of doing the studies and that the benefit does not outweigh the cost. The reality of this claim will not be discussed here, but there are some development trends that can be anticipated based on this criticism and more general developments in QRA methodology.

12.1 Simplification

One trend that is strongly advocated by those who want to cut costs is to simplify and standardize the studies. As it is today, large efforts are put into particularly two aspects of the risk assessments:
– Calculating frequencies of leaks from process equipment
– Calculating consequences of fires and explosions in general

With regard to the consequence calculations, the argument is that so many installations have been built in the North Sea over the last years, and so many fire and explosion simulations have been performed, that we will not learn much more from repeating this for another (similar) installation. It is also argued that the outcome in terms of requirements for protection against fires and explosions to a large extent is similar regardless of the installation. It is therefore argued that rather than doing QRA, requirements for fire and explosion protection can be standardized.

There is undoubtedly a lot of work going into QRAs today that provides a very limited added value. A thorough review of the way that QRA is done today is therefore considered to be useful and the end result may well be that changes to the approach should be made. However, criticizing the QRAs is really starting at the wrong end. We should first make sure that we understand what decisions we need to make about risk, in design, construction, and operation. From this, we can identify the need for decision support, in particular related to risk. The conclusion may then be that some decisions require quantitative input, while other decisions do not require this. Only with this as a basis can it be determined whether QRA is a useful tool or not, and how QRAs should be performed. In this, one should also take into account all the qualitative information (e.g., scenario descriptions) that is contained in QRAs. One should take care that this information does not become unavailable, because that will reduce the understanding of what may happen on the installation and can impact emergency response and emergency training.

The way the situation looks at the time of writing this, it is expected that there will be a move toward simpler QRAs in the future. However, at present, it looks as if this is driven more by cost cutting than by a careful consideration of what is useful and not.

12.2 Analysis for Operations

Another development that can be expected is that QRAs better suited for operational support are developed. Significant effort has been put into developing dynamic QRAs (Paltrinieri & Khan, 2016), although it is the opinion of the author that rethinking the way QRAs are modeled is necessary to be successful. QRAs are traditionally modeled to reflect details in the design, while activities and operations are modeled implicitly or taken into account only through generic data. In operations, the design is for all practical purposes fixed and the changes in the risk level from day to day are largely due to changes in ongoing activities. One approach to this has been proposed by Haugen and Edwin (2017). In this approach, the modeling techniques are fairly traditional, although a hybrid approach using combinations of event trees, fault trees, and Bayesian belief networks is proposed. However, key factors that change during operations are modeled explicitly, while more static aspects (like layout and passive fire protection) are modeled in a simpler manner.

12.3 Barrier Management

In recent years, the PSA has emphasized the importance of barrier management in its follow-up of the oil and gas industry (PSA, 2017b). Expectations from PSA include that the industry establish overviews over which barriers they have in place to protect against major accidents, what the function of the barriers is, and what the status of the barriers is at any time (whether they are fully functional, partly functional, or out of operation). Most operating companies have conducted extensive projects in recent years to comply with this. A weakness has been that the link between QRA, risk management in general, and barrier management has not been very clear in many cases. The barrier management projects have been run as separate projects and most operators have established various forms of “barrier panels” that shall help them to keep an overview of the status of the barriers. From an operational risk analysis point of view, the barrier panels provide an important input to determine the “living” risk level for an installation. It is expected that these links between barrier management and updated risk analysis will be utilized in the future and that new risk analysis models will be built based on this.

13. CONCLUSIONS

Quantitative risk analysis has been extensively used by the Norwegian offshore industry for the last 30–40 years. In this period, there has also been a significant reduction in risk related to the offshore industry. This can of course not be attributed only to the use of QRA, since a large variety of improvements aimed at reducing risk have been introduced over this period. However, it is not unreasonable to assume that QRA has contributed to the risk reduction, in particular in terms of improving layout, technical safety systems, and other design features of installations. It may be more questionable to what extent QRA has contributed to improving operations. Risk analysis as such has undoubtedly contributed also in this area, but it is probably fair to say that this is more related to systematic qualitative analysis, even if we can see examples of QRA contributing also.

In recent years, questions have been asked about the value of continuing this work, the argument being that we have learned as much as we can learn from QRAs, and that the added value from continuing this is limited. In the opinion of this author, this is a move in the wrong direction. There are certainly aspects of QRAs that add very little value, but rather than concluding that the whole concept of QRA has failed, one should examine the way that we do QRA, to either remove or modify the parts that do not add value. I am also convinced that there are areas where QRAs still can contribute very much, and also can strengthen decision making in situations where it is today not being used.

To achieve this, we need to be more precise about what we want from QRAs, including what decisions we need support for and whether QRA or other means is the best approach to providing that decision support. Experience from talking to operations personnel is that they see a great need for improved decision support and it is my belief that QRA can provide some of the answers that they are looking for, realizing of course that this never will be more than one aspect of the input required to these decisions.

REFERENCES

Arild, O., Ford, E. P., Loberg, T., & Baringbing, J. W. T. (2009). KickRisk—A well specific approach to the quantification of well control risks. Society of Petroleum Engineers.
Cullen, W. D. (1990). Report of the official inquiry into the Piper Alpha disaster. London, UK: HMSO.
DNV Technica/Scandpower. (2001). Human resistance against thermal effects, explosion effects, toxic effects and obscuration of vision, 20 March 2001.
Dong, Y., Rokseth, B., Vinnem, J. E., & Utne, I. B. (2016). Analysis of dynamic positioning system accidents and incidents with emphasis on root causes and barrier failures. In Risk, reliability and safety: Innovating theory and practice: Proceedings of ESREL 2016 (Glasgow, Scotland, 25–29 September 2016). 166.
Energy Institute. (2015). The update of loss of containment data for offshore pipelines. Oil and Gas UK/Energy Institute [March 2015].
European Parliament. (2013). Directive 2013/30/EU of the European Parliament and of the Council of 12 June 2013 on safety of offshore oil and gas operations.
Haugen, S. (1998). An overview over ship-platform collision risk modeling. In C. G. Soares (Ed.), Risk and reliability in marine technology: A. A. Balkema.
Haugen, S., & Edwin, N. J. (2017). Dynamic risk analysis for operational decision support. EURO Journal on Decision Processes, 5(1–4), 41–63.
HMSO. (1992). The offshore installations (safety case) regulations. London, UK: HMSO.
Hopkins, A. (2011). Risk-management and rule-compliance: Decision-making in hazardous industries. Safety Science, 49(2), 110–120.
HSE. (2004). UK offshore public transport helicopter safety record (1976–2002), Prepared by John Burt Associates Limited/BOMEL Limited for the Health and Safety Executive.
HSE. (2008). HSE Leak and ignition database for offshore hydrocarbon releases, RR672, prepared by Health and Safety Laboratory.
ISO. (2002). EN ISO 17776:2002 petroleum and natural gas industries—Offshore production installations—Guidelines on tools and techniques for hazard identification and risk assessment.
Kårstad, O., & Wulff, E. (1983). Sikkerhet på sokkelen. Universitetsforlaget (in Norwegian).
Klein, G. A. (2011). Streetlights and shadows: Searching for the keys to adaptive decision making. MIT Press.
National Commission on the BP Deepwater Horizon Oil Spill. (2011). Deep water: The Gulf oil disaster and the future of offshore drilling (p. 398). Perseus Distribution Digital.
Norsk Lovtidend. (1976). Sikkerhetsforskrifter for produksjon m.v. av undersjøiske petroleumsforekomster. Kgl. res. av 9.7.1976 (in Norwegian).
NORSOK. (2010). Z-013 risk and emergency preparedness assessment. Oslo, Norway: Standard Norge, Revision 3.
NOU. (1977). Uncontrolled blowout at Bravo 22. April 1977, NOU 1977:47 (in Norwegian).
NOU. (1981). The “Alexander L. Kielland” Accident. NOU 1981:11, Oslo 1981 (in Norwegian, summary in English).
NPD. (1981). Guidelines for safety evaluation of platform conceptual design. Stavanger, Norway: Norwegian Petroleum Directorate.
Okoh, P., & Haugen, S. (2013). Maintenance-related major accidents: Classification of causes and case study. Journal of Loss Prevention in the Process Industries, 26(6), 1060–1070.
Paltrinieri, N., & Khan, F. (2016). Dynamic risk analysis in the chemical and petroleum industry: Evolution and interaction with parallel disciplines in the perspective of industrial application. Butterworth-Heinemann.
PSA. (2002). Regulations relating to management and the duty to provide information in the petroleum activities and at certain onshore facilities (The Management Regulations), Last amended 18 December 2017.
PSA. (2017a). RNNP—Trends in risk level in the petroleum activity—Summary report 2016—The Norwegian Continental Shelf, Petroleum Safety Authority, 27 April 2017.
PSA. (2017b). Principles for barrier management in the petroleum industry—Barrier Memorandum 2017.
Rausand, M. (2013). Risk assessment: Theory, methods, and applications. John Wiley & Sons.
SINTEF. (22 March 2010). Helicopter Safety Study 3, SINTEF report A15753. Trondheim, Norway: SINTEF.
SINTEF. (2018). Offshore blowout database. https://www.sintef.no/en/projects/sintef-offshoreblowout-database/ accessed April 2018.
Vatn, J., & Haugen, S. (2013). On the usefulness of risk analysis in the light of deepwater horizon and Gullfaks C. In Oil and gas, technology and humans: Risk assessment methods in organizational change (pp. 71–89): Ashgate.
Vinnem, J. E. (2014). Offshore risk assessment—Principles, modelling and applications of QRA studies. London: Springer.
Vinnem, J. E., & Røed, W. (2015). Root causes of hydrocarbon leaks on offshore petroleum installations. Journal of Loss Prevention in the Process Industries, 36, 54–62.
Weick, K. E., Sutcliffe, K. M., & Obstfeld, D. (2005). Organizing and the process of sensemaking. Organization Science, 16(4), 409–421.
Yang, X., & Haugen, S. (2015). Classification of risk to support decision-making in hazardous processes. Safety Science, 80, 115–126.
Yang, X., & Haugen, S. (2016). Risk information for operational decision-making in the offshore oil and gas industry. Safety Science, 86, 98–109.