Risk and barrier management and standards for functional safety
Examples of risk and barrier management together with IEC61508/IEC61511/OLF070 in the lifecycle phases
Gjermund Våge

Contents
- Risk analysis and barrier management
- SIL in design
- SIL in operation
- Conclusion
Setting the scene: major accidents
History has taught us that major accidents are controlled by other mechanisms than those controlling occupational accidents:
- Personal safety management
- Process safety management
What the O&G and process industry has and has not achieved
- The O&G industry has attained a step-change improvement in occupational safety (the graph shows a factor of 3 better in the last 10 years). But: process safety is not the same as occupational safety.
- USA and EU process industry: neither the EU nor the USA has demonstrated significant improvements for onshore major accidents (EU = MARS database, USA = RMP database). (Figure: trend lines for different oil and chemical operating companies.)
- North Sea major accident safety has improved: no major disaster since the introduction of Safety Case legislation in the UK / risk-based regulation in Norway (leaks have occurred, but none escalated). There is a reducing trend in major hydrocarbon leaks; however, recent performance may suggest a floor has been reached.
(Chart annotation: 10x improvement in the past 13 years.)
Vision: step-change improvement for major accidents
The industry HAS already attained a 10x improvement in occupational health. DNV believes major accidents can also be reduced 10x, but with different tools:
1. Revised regulatory regime: blend of prescriptive and performance-based regulations
2. Address technical, human and organizational factors: key lessons from past accidents
3. Enhanced risk management approach: addressing risks, controls and conditions
4. Clear roles and responsibilities: defined and clear to all
5. Shared performance monitoring: information is readily available and shared with all
This is practically and economically feasible:
- The methods described are in use with O&G companies somewhere, but not fully integrated
- The North Sea is further down the path, but not there yet either; maybe a 3x improvement
Major accident risk management (ISO 31000)
Managing major accidents with focus on:
- Management commitment
- Safety barrier management
- Organisational learning
- Individual risk understanding
- Incident and accident investigation
- Safety culture
- Risk treatment and ALARP
... as an integrated part of corporate governance!
As Low As Reasonably Practicable (ALARP)
Regions of the ALARP diagram (the boundaries are set by regulations, requirements, etc.):
- Risk unacceptable
- ALARP region: risk is accepted only if further risk-reducing measures are impracticable to implement or their costs are grossly disproportionate to the benefit. NB! The operator must demonstrate ALARP.
- Risk acceptable
Swiss cheese model
Barrier layers between a HAZARD and a major accident:
- Prevent: e.g. design, maintenance, procedures, competence
- Detect: e.g. fire and gas detection, control systems
- Mitigate: e.g. drainage, fire protection
- Emergency response: e.g. escape, evacuation
Examples of performance standards
- Layout and arrangement
- Structural integrity
- Fire and gas detection system
- Emergency shutdown system
- Ignition source control
- Ventilation
- Control of spills (open drain system)
- Active fire protection
- Passive fire protection
- PA, alarm and emergency communication systems
- Escape and evacuation
- Blowdown system
- Process safety
- Barrier to prevent loss of containment
- Barrier to prevent ship collisions
- Rescue and safety equipment
- Non-physical barriers
- Emergency power / emergency lighting

Example: bow-tie model and performance standards (figure)

Accidents occur when barriers become degraded
- Texas City event explained in barrier failure format
- Macondo event explained in barrier failure format
The causes of barrier degradation can be complex: technical, human, organizational.
Performance standard content
The specific requirements for each barrier function will be described in a Performance Standard (PS). The PSs are developed and structured based on the guidance given in … and driven by the need to maintain reliable safety barriers and meet the operational requirements. The main elements of a PS are:
- Function: the functional criteria include an appropriate definition of requirements to the relevant functional parameters of the particular barrier, i.e. the essential duties that the system/function is expected to perform (ref. ISO 13702).
- Integrity: the integrity criteria include an appropriate definition of, and requirements to, the relevant reliability and availability parameters of the particular barrier, e.g. probability of failure on demand, failure rates, demand rates, test frequencies, deterioration of system components, environmental impairment etc. (ref. ISO 13702).
- Survivability: criteria determining how a barrier will remain functional after a major incident, i.e. under the emergency conditions that may be present when it is required to operate (ref. ISO 13702).
- Management: criteria for checking that the systems are adequately maintained, operated and managed, i.e. verifying that competence and training are adequate and that the procedures are relevant and cover the necessary subjects.
Barrier elements
Technical barrier elements:
- Containment
- Fire detection
- Ventilation/HVAC
- Gas detection
- ESD
- Ignition source control
- Drainage
- Flare and relief
- Emergency power
- Inergen / water mist / foam / deluge
- Passive fire protection
Organizational barrier elements:
- Competence
- Communication
- Work practice
- Procedures / routines
- Work environment
- Man / machine
- Control, check and verify
- Documentation
- Resources, capacity
- Work load / time
Operational barrier elements:
- Design and arrangement
- Maintenance
- Operations and activities
- Modifications
- Changes / MOC
- Deviation handling
- Work processes
Barrier management framework (strategy)
(Figure, based on S-001 Technical Safety and a PSA presentation.) The framework flows as follows:
- Context: regulations / best practice / requirements; safety strategy; risk management procedure
- DESIGN: HAZID; risk analysis / safety studies (QRA, other risk assessments)
- Barrier management process: define barriers; specify performance requirements; define performance indicators (BowTie); establish test and verification programme
- OPERATION: daily operations (WP meetings, HSE directives, work instructions and procedures, updated risk picture); control and monitor (maintenance, test and inspection; test results; performance indicators; non-conformity)
- Continuous improvement
- Administration: management of changes; communication; competence; communicate
Safety lifecycle concept
- Phases 1-5, ANALYSIS: Safety Requirement Specification (SRS); SIL allocation; required SIL
- Phases 6-13, REALIZATION
- Phases 14-16, OPERATION: SIL requirements during operation
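The integrity criteria (PFD, failure rate, test frequency) and the SIL follow-up from design into operation, worked through as an added example; this is not code from the presentation, and the failure rate, common-cause factor and test intervals are hypothetical values. It uses the IEC 61508 simplified low-demand formulas and SIL bands.

```python
"""Added example (not from the presentation): the integrity criteria of a
performance standard (PFD, failure rate, proof-test interval) worked through
with IEC 61508 simplified low-demand formulas. All numbers are hypothetical."""

# IEC 61508-1 low-demand SIL bands: SIL achieved when lower <= PFDavg < upper
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd):
    """Return the SIL band a PFDavg falls in; 0 means worse than SIL 1."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 lower bound
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du, tau):
    """Single channel: PFDavg ~= lambda_DU * tau / 2.
    lambda_du: dangerous undetected failure rate per hour; tau: proof-test interval in hours."""
    return lambda_du * tau / 2


def pfd_1oo2(lambda_du, tau, beta):
    """Redundant 1oo2: independent term (lambda_DU*tau)^2/3 plus common-cause term beta*lambda_DU*tau/2."""
    return (lambda_du * tau) ** 2 / 3 + beta * lambda_du * tau / 2


def max_proof_test_interval_1oo1(lambda_du, target_sil):
    """Proof-test interval (hours) at which a 1oo1 channel reaches the upper
    PFD limit of the target SIL; operation must test at least this often."""
    return 2 * SIL_BANDS[target_sil][1] / lambda_du


def design_vs_operation(lambda_du=1e-6, beta=0.1):
    """Hypothetical SIL follow-up: SIL credited in design with annual testing,
    and what remains if operation stretches the interval to 5 years."""
    year, five_years = 8760, 5 * 8760
    return {
        "1oo1_annual": sil_from_pfd(pfd_1oo1(lambda_du, year)),
        "1oo1_5yearly": sil_from_pfd(pfd_1oo1(lambda_du, five_years)),
        "1oo2_annual": sil_from_pfd(pfd_1oo2(lambda_du, year, beta)),
        "max_interval_h_for_sil2_1oo1": max_proof_test_interval_1oo1(lambda_du, 2),
    }
```

With these constructed numbers the single channel credited with SIL 2 in design drops to SIL 1 when the proof test is stretched to 5 years, which is exactly the design assumption that the operation phase has to honour.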
Barrier management strategy
At any given time, the condition, functionality and importance of the barriers should be known by the relevant personnel. In addition, continuous improvement and identified actions should be implemented with the purpose of ensuring the necessary barrier functionality, integrity and survivability. This is achieved through:
- Link to risk analysis: hazards identified for each installation (that could escalate to major accidents) must be managed in order to minimise the risk to personnel, environment and assets to a level as low as reasonably practicable (ALARP). This is done through implementation of barriers, by following the structured risk management process described in this document, and by establishing performance standards for the identified important barrier functions.
- Design: the barriers are to be designed, commissioned, used and maintained to ensure that the barrier function will safeguard personnel, environment and the asset in a lifecycle perspective.
- Communication: the performance standards and current barrier status must be communicated to all involved parties, giving the necessary understanding of why barrier functions have been established and which performance requirements are covered by the barrier systems.
- Modifications and change management: for new projects and major modifications, the choice of safety strategy should be made at an early stage, when it is still possible to optimise the design, minimise the hazards and take due credit for these features. This approach will achieve full integration of prevention, protection and mitigation of all hazards.
- Monitor and control: throughout the lifetime of the installation, a process will be in place to monitor the status and condition of the barriers. The results will be communicated to the relevant personnel to ensure …
Performance standard example: active fire fighting
Function F1: fire water (FW) supply - pumps. For each requirement the original table gives the performance requirement and regulation reference, the detailed requirement with codes/standards and internal requirements (type CP), and the checklist activity with its frequency, acceptance criteria, activity type, COSL reference and responsible unit.

Requirement F1.1
- Performance requirement: the FW supply system shall meet the worst-case FW demand identified for the DSHAs (NMD 227/84, 6.3).
- Detailed requirement: each fire pump system shall have the capacity to individually deliver 270 m3/h at 13.1 barg, for three monitors at the bridge/helideck (scenario 6 in AWONO 2779). References: AWONO 2779, 4.1; NMD 227/84, 6.3. Type: CP.
- Checklist activity F1.1.1:
  - Flow and pressure tests shall be performed annually for both pumps. Today there is no flow test. COSL is considering bringing in a 3rd party to do flow and pressure tests annually.
  - Running tests for the pumps and electrical motors shall be performed at regular intervals (identify frequency).
  - Planned maintenance for the pumps: bi-weekly testing of pressure in operational mode (starting up the pumps) and checking of pressure on the PC (reading on the Kongsberg central); checking the condition of the pump filters (3-month interval suggested); 5-yearly overhaul (opening and inspection) of the pumps (external requirement, needs to be implemented).
  - Planned maintenance for the motors: planned maintenance every 3 months; yearly lubrication of bearings and general PM routines for the motor; a condition evaluation by a 3rd party needs to be implemented (frequency to be determined).
  - Acceptance criteria: N/A. Frequency: bi-weekly / every 3 months / yearly / every 5 years. Activity type: testing and inspection. COSL reference: motors DE013 and DE015, pump PA021. Responsible unit: Technical department - engine room operator.

Requirement F1.2
- Performance requirement: the fire main pressure shall in no place be less than 7 bar at the greatest calculated consumption (NMD 227/84, 6.3). Type: CP.
- Checklist activity F1.2.1: a valve and pressure test shall be performed annually. This activity is not performed today; COSL is considering hiring a 3rd party to perform the testing. Acceptance criteria: N/A. Frequency: yearly. Activity type: testing. Responsible unit: Technical department - engine room operator.

Requirement F1.3
- Performance requirement: FW pumps shall be triggered automatically on demand (loss of pressure). In addition, sufficient indications of whether the FW pumps are activated or not should be delivered to all relevant areas (NMD 227/84, 6).
- Detailed requirement: the duty pump shall start automatically on F&G system confirmation of a fire, and on loss of pressure in the ring main (set point 4.5 bar). Indications of whether the FW pumps are activated or not shall be delivered to all relevant areas. References: AWONO 83433, 6.1; AWONO 17580, 4.1.1. Type: CP.
- Checklist activity F1.3.1:
  - A test shall be performed for the pressure control valve (frequency).
  - Tests of the electric pressure transmitters connected to the FW pumps (one transmitter for each pump) shall be performed annually.
  - A test of the logic between the F&G system and the FW pumps shall be performed annually. This is not in place today and needs to be established.
  - Indications of whether the FW pumps are activated or not shall be inspected for all relevant areas.
  - Acceptance criteria: N/A. Frequency: yearly. Activity type: testing and inspection. COSL reference: IX011 (transmitters), IRUV (flame detectors), BE011 (F&G). Responsible unit: Technical department - electrician.

Requirement F1.4
- Performance requirement: it shall be possible to manually activate the FW pumps.
- Detailed requirement: manual activation of the FW pumps shall be possible from the F&G operator station; the wheel house, ECR, driller's cabin and tool pusher; and the vicinity of the FW pumps. References: AWONO 83433, 6.1; AWONO 17580, 4.1.1. Type: CP.
- Checklist activity F1.4.1: a test of manual release shall be performed for all stations/locations every 3 months. Locations/stations include the F&G operator station, four matrix panels, locally at the FW pump, and the helideck and lifeboat station. OJT/procedure needs to be established/identified for this function by the fire teams. Potential ref. docs (from BowTie): OJT DM#65041, DM#33267, DM#19508, DM#33281, DM#35108. Frequency: every 3 months. Activity type: testing and training. Responsible unit: Marine department.
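The checklist columns of the performance standard above (activity id, frequency, last test) turned into a barrier-status derivation, as an added example that is not part of the presentation; the activity records, ids and dates are constructed, and the status precedence (an unverified requirement ranks worse than an overdue one) is an assumption of the example.

```python
"""Added example (not from the presentation): a small model of the checklist
columns of the performance standard above (activity id, frequency, last test),
used to derive a barrier-function status. All dates and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Frequencies used in the performance standard, as maximum days between activities
FREQUENCY_DAYS = {"Bi-weekly": 14, "Every 3 months": 91, "Yearly": 365, "Every 5 years": 1826}


@dataclass
class Activity:
    activity_id: str                # checklist activity id, e.g. F1.1.1
    description: str
    frequency: str                  # key in FREQUENCY_DAYS
    last_performed: Optional[date]  # None: activity not yet established


def activity_status(act, today):
    """NOT ESTABLISHED if never performed, OVERDUE if past its interval, else OK."""
    if act.last_performed is None:
        return "NOT ESTABLISHED"
    due = act.last_performed + timedelta(days=FREQUENCY_DAYS[act.frequency])
    return "OVERDUE" if today > due else "OK"


def barrier_status(activities, today):
    """Worst activity decides the barrier-function status: an unverified
    requirement ranks worse than an overdue one, since nothing demonstrates it."""
    statuses = {a.activity_id: activity_status(a, today) for a in activities}
    if "NOT ESTABLISHED" in statuses.values():
        overall = "DEGRADED (unverified)"
    elif "OVERDUE" in statuses.values():
        overall = "DEGRADED (overdue)"
    else:
        overall = "OK"
    return overall, statuses


# Constructed records loosely following function F1 (FW supply pumps); ids are made up
SAMPLE = [
    Activity("F1.1.1", "Annual flow and pressure test of both pumps", "Yearly", None),
    Activity("F1.1.2", "Bi-weekly pressure test in operational mode", "Bi-weekly", date(2024, 5, 20)),
    Activity("F1.3.1", "Annual test of FW pump pressure transmitters", "Yearly", date(2023, 9, 1)),
    Activity("F1.4.1", "Manual release test from all stations", "Every 3 months", date(2024, 2, 1)),
]


def demo(today=date(2024, 6, 1)):
    """Status of function F1 on a constructed reporting date."""
    return barrier_status(SAMPLE, today)
```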
Monitoring barriers
Knowledge of the status of barriers is key:
- Formal focused in-depth reviews: excellent, but infrequent
  - TTS (e.g. Statoil): 5-yearly
  - Audits: 3-yearly
  - Planned inspections: yearly
  (Figure: barrier status a to f)
- Lessons learned from incident investigations: excellent AND high frequency
  - BSCAT approach: every incident / near miss means some barriers failed / degraded
  - For many facilities this is 100+ events / year
  - Collect statistics and root causes
  (Figure: cause, barriers, barrier failure, root causes)
Operational risk: barrier management and communication
Clear demonstration of a sufficient range and diversity of barriers:
- Bow ties show the number and quality of barriers: prevention and mitigation
- Use for regular training and special operations
- Adaptive: barrier status changes dynamically, so the current status needs to be known
  - Safety plan improvement actions closed: barriers stronger
  - Incidents / near misses: some barriers failed in use
  - Maintenance / inspection: some barriers are degraded or out of service
Clear visual model: updated, live, communicated
Conclusions
The introduction of IEC61508, IEC 61511, OLF guideline 070 and the PDS forum has:
- shifted the industry's focus from components to safety functions
- improved the reliability of safety functions, which are often delivered by several sub-suppliers
- to some extent contributed to better design solutions
New challenges for IEC61508, IEC 61511, OLF guideline 070 and the PDS forum:
- take a clearer position within barrier management
- clarify and elaborate the relationship between risk analysis (QRA) and functional safety
- contribute to ensuring that assumptions made in RA and SIL analyses in the design phase are followed up in the operational phase
- contribute to ensuring that SIL requirements established for safety functions in the design phase are followed up in the operational phase throughout an installation's lifetime

Safeguarding life, property and the environment www.dnv.com