1 | 2015
What is Process Safety
Process Safety is
The proactive identification, analysis, and
evaluation of the releases of hazardous
substances and process accidents.
It applies to the management of hazards
associated with the chemical and physical
properties of the substances handled in our
oil, gas and energy activities.
It aims to:
Minimize the risk of a major accident event
MAE
Ensure that the necessary mitigation and
emergency preparedness mechanisms are
in place
2|
Intolerable
Risk Occupational Safety
Process Safety
Tolerable
Risk
Likelihood of occurrence
3|
What Process Safety is about
Preventing
MAJOR
ACCIDENTS
4|
What is a Major Accident & Major Accident Hazard?
Major Accident (realisation)
This is an accidental event which has major or severe consequences for
people or environment. The definitions of major and severe
consequences in this context, are provided in the risk matrix.
Major Accident Hazard (potential)
Any substance or energy which if not contained could seriously harm
people or the environment, either directly or by initiating events which could
lead to a major accident.
5|
Definition of Major Accident
1 fatality of workforce
> 3 people on-site hospitalised Very severe, persistent
1 person of public hospitalised environmental damage extending
4 Major
1 person of workforce with onset/signs of severe irreversible over large area. Long term
health effect impairment of ecosystem function
>1 person of public with reversible health effect
1 person of workforce >2 days lost
1 person of workforce with onset/signs of moderate irreversible Serious mid-term environmental
3 Moderate
health effect impacts
1 person of public with moderate reversible mid-term health effect
6|
Summary of Process Hazards
7|
Major Accidents
8|
Cyclohexane Release & Explosion 28 fatalities
Flixborough, England June 1, 1974
On June 1, 1974 the Nypro Co. site at Flixborough, England was severely damaged by a
large explosion. Twenty-eight workers were killed and a further 36 suffered injuries. It is
recognized that the number of casualties would have been more if the incident had
occurred on a weekday, as the main office block was not occupied.
9|
Methyl Isocyanate Tank Rupture and Release
Bhopal, India Dec. 2-3, 1984
Source: United Nations Environment Programme Photo Source: Indian state government of Madhya Pradesh
On the night of December 2-3, 1984, a sudden release of about 30 metric tons of methyl isocyanate
(MIC) occurred at the Union Carbide pesticide plant at Bhopal, India. The accident was a result of poor
safety management practices, poor early warning systems, and the lack of community preparedness.
The accident led to the death of over 2,800 people (other estimates put the immediate death toll as
high as 8000) living in the vicinity and caused respiratory damage and eye damage to over 20,000
others. At least 200,000 people fled Bhopal during the week after the accident. Estimates of the
damage vary widely between $350 million to as high as $3 billion.
10 |
Gas Release & Explosion 167 fatalities
Piper Alpha, North Sea July 6, 1988
On the day the disaster occurred, the day shift maintenance crew was working on the condensate
pumps which compressed gas. One of the pumps was removed for routine maintenance and the
condensate pipe was temporarily sealed with a flat metal disk. Because the work could not be
completed before the next shift change-over, the metal disc was left in place as the day shift went off
duty. The shift coming on duty was unaware of this. Later in the evening, when the other condensate
pump stopped working, the pump under maintenance was started up. Gas leaked out at high pressure,
ignited and exploded.
11 |
Condensate Release & Explosion 15 fatalities
BP Texas City Refinery, Texas March 23, 2005
On March 23, 2005, during the startup of an isomerisation unit, the associated raffinate splitter tower
was overfilled and overheated. A substantial volume of hydrocarbon liquid and vapour were forced into
an adjacent blowdown stack, rapidly exceeding its capacity. Ignition of the resulting vapour cloud
caused an explosion that extended to nearby temporary trailers and resulting in 15 deaths, more than
170 injuries, and significant economic losses.
12 |
Deepwater Horizon oil spill
20 April 15 July 2010, Gulf of Mexico, US
Oil Spill (up to 4.9 mln barrels), 11 people died, 17 injured
13 |
Fukushima Daiichi
11 March 2011, Fukushima 1 Nuclear Power Plant, Japan
Release of radioactive materials, 37 injured
14 |
When will the next Major Accident occur?
15 |
PROCESS SAFETY
MANAGEMEMENT
16 |
What must we focus on?
Asset Integrity Management Plan
SCE inspection, testing & maintenance
Deviation analysis and close-out
Design Maintenance
Integrity Integrity
Design reviews: ALARP; engineering
codes; standards Process
SCE Safety Critical Elements (and
Safety
performance standards)
Operating Operate within operating envelope
MOC Management of Change Integrity Alarm management
(with technical authorities)
Process control and procedures
Robust Assurance
(WSE - Written Schemes of
Incident investigation and close-out
Examination) Competencies and Capabilities
17 |
PSM Elements
OSHA PSM Elements (14)
18 |
PSM Elements
CCPS Risk-Based Process Safety Elements (20)
19 |
PROCESS SAFETY
ENGINEERING
20 |
Safety Life Cycle
21 |
Safety Life Cycle
22 |
Safety Life Cycle & Risk Assessment
23 |
Safety Life Cycle & Risk Assessment
24 |
Risk Assessment steps & toolkits
25 |
What should we do about it?
Layers of defence
26 |
Hierarchy of control for Process Safety
27 |
Inherent Safety
28 |
Bow Tie Defence in Depth
29 |
How & Why defences fail
30 |
Key risk control systems classification
31 |
SAFETY CRITICAL ELEMENTS
MANAGEMENT
32 |
What is a Safety Critical Element?
Safety Critical Element any part of the facilities, the failure of which could
cause or contribute substantially to a major accident, or the purpose of
which is to limit the effects of a major accident
33 |
Management systems, people & processes
But:
34 |
Safety Critical Activities
Are management systems, procedures, people/competence safety critical?
Yes, but as safety critical activities, not SCEs
SCEs = hardware (& associated software)
35 |
How SCEs fit into hazards management
Management of major accident consequences is based on a hierarchy
36 |
How SCEs fit to hazards management barriers concept
GAS
37 |
Barrier Concept for Hazards Management
Prevention
Safe
Detection Control &
Operation Mitigation Emergency
Response
Lifesaving
Escalating
Consequences
PROCESS CONTAINMENT
- Pressure vessels
- Heat exchangers DETECTION SYSTEMS SHUTDOWN SYSTEMS LIFESAVING
- Rotating equipment
- Tanks - Fire detection - ESD system - Personal survival
- Pipelines / piping - Gas detection - Depressurisation syst equipment
- Relief system - H 2 S detection - HIPPS - Rescue facilities
- Well containment - Corrosion detection - Well isolation - TEMPSC / lifeboats
- Gas / oil fired heaters - Pipeline isolation - Tertiary escape
- Gas tight floors / walls valves systems
- Tanker loading systems - Process ESDV
- Wireline equipment - SSIVs
- Oily water control - Well control eqpt
- Drilling systems - Haz area HVAC - Deluge system - Temp refuge /muster
- Structural supports for - Non - haz area HVAC - Fire & expl protection - Escape / evac routes
safety critical equipment - Certified electrical - Firewater main & pump - Escape lighting
- Lifting equipment in equipment & instruments - Gas , foam & spray fire - Emergency comms
wellhead /HC process areas - Inert gas blanketing extinguishers - UPS
- WHP jacket & foundations - Earth bonding - Corrosion protection e .g . - Helicopter facilities
- Vessel hull , mooring & - Fuel gas purge system sand filters & chemical - Emergency power
ballasting systems - Ignition control eqpt injection - Hazardous & non -
- Flare tip ignition - Passive fire protection hazardous open drains
system - Navigation aids & collision
avoidance
38 |
What are the benefits?
39 |
How to identify SCEs
System Level Tag Level
SCE Screening
Could
This item is a
failure of this
Yes SAFETY CRITICAL
element cause a
ELEMENT
MAE?
Is the
purpose of this
No Yes
element to prevent
a MAE?
Could
failure of this Yes
No Yes
element contribute
substantially to a
MAE?
Is the
purpose of this
This item is not No element to limit
a Safety Critical the effects of a
Element MAE?
No
40 |
Performance Standard Key requirements
Performance Standards (PSs) are parameters that are measured or set so that the
suitability and effectiveness of SCEs can be assured and verified.
Performance criteria:
The intended purpose The probability that The ability of the Identification of other SCEs
and fundamental the system will work SCE to survive the performance of which
design performance on demand and be loadings from major the SCE is dependent on
requirements of the available when accidents it is
SCE (relative to
required intended to manage
major accidents)
41 |
Generic Performance Standard Structure
43 |
EXERCISE
44 |
SCE Identification Practical
45 |
SCE Identification Practical
Pressure transmitter
instrument
Electrical equipment in
classified hazardous
areas
Main power
generation/distribution
HVAC system
46 |
SCE Identification Practical
Flare System
47 |
SCE Identification Practical
Oil Wellhead
Closed drain
system
Firewater ring-main
isolation valve
Permit to Work
system
48 |
PROCESS SAFETY EVENTS
&
PSPI
53 |
Performance Monitoring System
54 |
Type of indicators
Quantitative
Numbers recorded on scale and tracked over time
Ensure statistically valid interpretation
Most relevant to regularly occurring activities
Qualitative
Descriptions typically inspection and audit observations
Can be quantified using ratings and ladder assessments
(comparative definition of bad to good)
Objective
Independent of assessors personal judgement
Subjective
Influenced by those measuring
55 |
Type of indicators
56 |
Example leading & lagging indicators
57 |
Example leading & lagging indicators
58 |
Example of Key board
59 |
PROCESS SAFETY EVENTS
60 |
Terminology
61 |
Safety Critical Barriers
GAS
62 |
2011 OGP Guidance Report 456
63 |
PSPI & Barriers
Process Safety Performance Indicators
E.g.
Hi-Hi level Tier 1
alarm incidents
LOPC Events of
activated. Greater
Defect below Consequence
minimum wall
thickness Tier 2
LOPC Events of lesser
consequence
E.g.
Relief valve
fails bench Tier 3
test. Challenges to Safety Systems
Loss of
experience in
operations Tier 4
team.
Operating Discipline & Management System
Performance Indicators
64 |
Process Safety Events:
Accidents, Incidents, Near Miss, etc.
A Process Safety Event is:
Incidents
The actual or potential loss of
control or containment of
hazardous materials (flammable,
Accident Near Miss
toxic, corrosive, etc.)
Harm to humans or Just luck that no
Failure or substandard environment, damage of accidental consequences
performance of one or more equipment occurred
65 |
PSPI types of indicators
Tier 1 LOPC exceeding threshold not yet all LOPC without environment
LOPC* events with human harm due LOPC consequences registered
greater consequence asset damage after fire / explosion due LOPC
Tier 2 LOPC exceeding threshold not yet all LOPC without environment
LOPC events with human harm due LOPC consequences registered
lesser consequence asset damage after fire / explosion due LOPC
66 |
Tier 1 & Tier 2
67 |
Decision Logic Tree for Tier 1 & 2
An unplanned or uncontrolled release of any
material, including non-toxic and non-
flammable materials (e.g., steam, hot No An employee, contractor, or subcontractor Yes
Not a Tier 1 or Tier 2 PSE
condensate, nitrogen, compressed CO2, or recordable injury
Tier 2 PSE
compressed air) from a process that results
in one or more of the consequences listed
below: No
Yes
A fire or explosion resulting in greater than or
An employee, contractor or subcontractor
Yes equal to $2,500 of direct cost to the Company
days away from work injury and/or fatality; Tier 1 PSE
or A hospital admission and/or fatality of a
third-party No
No
69 |
Safe Operating Limit Excursion Tier 3
70 |
Primary containment inspection outside acceptable
limits Tier 3
This is a test or inspection where the
result is outside the acceptance criteria
and triggers some form of remedial action
(such as replacement in kind, repair,
modification, increased inspection/ testing
or de-rating of the equipment).
Examples include:
A penetrating corrosion defect beyond
the corrosion allowance of a pipe.
Subsidence of a pressure vessel support
outside acceptable limits.
Excessive vibration of a small bore
instrument tapping on a larger diameter
process pipe.
Missing flange bolts on a process
pipework joint.
71 |
Demands on safety systems - Tier 3
Safety Systems are ones which prevent a LOPC
or detect, control or mitigate the effects of an
LOPC.
Demand means they are activated by a valid
signal from the process. The system does not
have to activate.
Where multiple devices constitute one system
then activation of that system counts as one PSE.
Examples include:
Where a vessel has a number of relief
valves to provide suitable flow, activation of
one or more of these valves constitutes one
PSE as they represent a system.
Activation of a Safety Instrumented System
Activation of Mechanical Shutdown System
The count of Demands on Safety Systems is typically segregated by system type (e.g. SIS,
PRD, and Mechanical Trip).
72 |
Critical operational deviation Tier 3
Examples include:
Operating without adequate
measurement of critical process
parameters.
Operating with inoperable safety
systems.
Operating with uncontrolled
modifications / repairs to the process
plant.
73 |
Tier 4: Operating Discipline & MS Performance
Examples include:
Process Safety Action Item Closure
Training completed on schedule
Safety Critical Equipment Inspection
Management of Change (MoC) Compliance
Completion of Emergency Response Drills
74 |
EXERCISE
PSE CATEGORISATION
75 |
Classification of PS Events
Has a person been injured by a release of hazardous substances?
Event Class Comment
A blow out of a gas well occurred during cement plug. An Tier 1 due to the fact of1hospital treatment; additionally the
Tier 1
operator was hit by mud and gas and needed hospital treatment. release amount may also have resulted in a Tier 1 event
While stealing a piece of pipework the gas released from that Even though the reason 2 for the injuries is a malicious act it
Tier 1
pipe ignited and the thefts suffered severe burns. is counted.
LPG from leaking pipework ignited and blasted the retail service Tier 1 event due to the 3injuries and the asset damage. This
station causing injuries and damage of the building. Tier 1 event will not be included in external reporting since the
retail station is not operated by OMV.
An operator slipped and fell while responding to a small spill of The operator was responding
4 to a LOPC
liquid with a flash point < 23 C spill resulting in a days away Tier 1
from work injury.
A scaffold builder experiences a days away from work injury 5
after falling from a scaffold ladder while evacuating from a LOPC Tier 1
on nearby equipment.
An operator walks past a steam trap that discharges to an Even though the LOPC6 was steam (vs hydrocarbon or
unsafe location. The steam trap releases and the operators chemical), the physical state of the material was such that it
ankle is burned by the steam, resulting in a days away from caused a day away from work injury and it was an
Tier 1
work injury. uncontrolled release (i.e. unsafe location). Nontoxic and
non-flammable materials are within the scope of this
recommended practice.
A contractor enters a vessel and dies because nitrogen Fatality associated with7 an unplanned or uncontrolled
Tier 1
inadvertently leaked into the enclosure. LOPC
A maintenance contractor opens a process valve and gets Unplanned or uncontrolled
8 LOPC that resulted in a days
sprayed with less than the Tier 1 or Tier 2 quantity of sulfuric Tier 1 away from work injury. If this incident had resulted in a
acid resulting in a severe burn and days away from work injury. recordable injury, it would be a Tier 2 PSE.
A PRD release of sour gas less than the Tier 1 threshold Multiple Tier 1 consequences:
9 Human and unsafe PRD
quantity is routed to a flare which exposes two personnel to toxic Tier 1 release
SO2/SO3 vapors resulting in a LWDI.
76 |
Has a person been injured by a release of hazardous substances?
Event Class Comment
There is a 100 kg spill of liquid with a flash point < 23 C (73 F) This is a Tier 1 PSE. The 10 site would record a single event with
that ignites and results in damages to other equipment, a toxic gas multiple consequences (e.g., one fatality, three day away from
release above the reporting threshold, along with three days away Tier 1 work injuries, fire, and threshold quantity of liquid with a flash
from work injuries and one fatality. point < 23 C and toxic gas).
During routine tour an operator suffered burns on his foot by Tier 2 due to the need of 11medical treatment. The release of hot
leaking condensate from a steam tracing which required medical Tier 2 condensate itself would not be a PSE.
treatment.
A short circuit occurred in switchgear panel and caused burns of a Following industry recommendations
12 we consider electrical
Tier 2
contractor requiring medical treatment incidents in internal PSE reporting.
An operator walks through a process unit and slips and falls to the Personal safety slip/trip/fall
13 incidents that are not directly
ground and suffers a days away from work injury. The slip/fall is no PSE associated with evacuating from or responding to a LOPC are
due to weather conditions, chronic oily floors and slippery shoes. specifically excluded from PSE reporting.
An operator slipped and fell on a spill several hours after the Personal safety events 14that are not directly associated with
incident had concluded. This would not be a reportable PSE. onsite response to a LOPC are excluded. Slips/trip/falls after
no PSE the LOPC has concluded (such as after-the-fact clean-up
and remediation) is not directly associated with onsite
response.
A vessel has been intentionally purged with nitrogen. A contractor This is not a PSE because
15 there was no unplanned or
bypasses safety controls, enters the enclosure and dies. no PSE uncontrolled LOPC, but it would be recorded on the
companys injury and illness log.
An operator disconnected a steam hose which was still under The injury required only16
first aid, and the steam is no counted
no PSE
pressure and suffered light burns. as LOPC of hazardous substance.
A maintenance technician is turning a bolt on a process flange with No unplanned or uncontrolled
17 LOPC involved with the injury
a wrench. Due to improper body positioning, the wrench slips and
hits the employee in the mouth, requiring dental surgery and two no PSE
days off work.
An operator takes a sample. On the way he falls, the sample LOPC is from a piece of18ancillary equipment not connected to
container breaks and he suffers injury of the exposure to the no PSE a process is not considered as PSE
product.
An employee suffered burns by a spill of hot coffee. no PSE Office incidents are not19PS related
While cleaning a joint screw a piece of frozen mud broke off and hit This is not a loss of primary
20 containment.
no PSE
the operator causing injury.
77 |
Has a fire or explosion occurred by a release of a hazardous substance?
Event Class Comment
Hot vacuum residue was released from a left open drainage, self- The immediate damage caused by the fire was above 25.000
21
ignited and damaged a pump. Tier 1
An electrical fire impacts the operation of the process resulting in an This is a Tier 1 PSE since the LOPC exceeds the 1000 kg
acute release of 1500kg of light crude. Tier 1 22
reporting threshold for light crude.
A pump lube oil system fire from a leak causes damage greater than
25,000, but does not create a LOPC greater than the threshold Tier 1
23
quantity or cause a fatality or serious injury.
A forklift truck delivering materials inside a process unit knocks off a
bleeder valve leading to the release of (HC) condensate and a
24
Tier 1
subsequent vapor cloud explosion with asset damage greater than
25,000.
A bearing failure of a turbine causes high vibration and eventually Following industry recommendation we consider unplanned
25
leads to damage of the turbine > 100.000. Tier 1 release of mechanical energy under PS in internal reporting.
There is a loss of burner flame in a fired heater resulting in a fuel rich This would be a Tier 1 PSE since after the flameout the
environment and subsequent explosion in the fire box with greater
26
continuing flow of fuel gas is now an uncontrolled release. The
Tier 1
than 25,000 in damages to the internals of the heater. There was intent is for combustion of the fuel gas at the burner and not for
no release outside of the fire box. fuel gas to be contained in the fire box.
There is a tube rupture in a fired heater causing a fire (contained in the The tube failure is a loss of primary containment of the process
heater) resulting in greater than 25,000 in damages to the heater Tier 1
27
fluid and combined with the additional damages greater than
internals (beyond that of replacing the failed tube). 25,000 makes this a Tier 1 PSE.
A third-party truck loaded with a flammable product is traveling on The event will not be included in external reporting since truck
Company premises and experiences a leak and subsequent fire and
28
incidents are excluded except when they are connected to the
property damages of 75,000 (direct costs). Tier 1 process for the purposes of feedstock or product transfer or
being used for temporary onsite storage.
A steam injection well fails with an explosion resulting in release of 10t Unplanned release causing fire and resulting in over 25.000
29
of fluids, a mixture of hydrocarbons and water. The direct cost direct costs. The injury would result into Tier 2 but the higher
Tier 1
replacing and repairing damaged equipment was estimated over consequence counts.
300.000 and a worker was injured, needing medical treatment.
The release of a hot steam from safety valve ignited wooden planks of The immediate damage was higher than 2.500 but lower than
30
Tier 2
scaffolding and damaged the scaffolding. 25.000
Hydrocarbon fumes migrate into the QA/QC laboratory located within This incident is a Tier 2 PSE since the LOPC was from the
the facility and results in a fire with 5000 damage. The source of Tier 2
31
process and resulted in a Tier 2 consequence (a fire which
the hydrocarbon fumes is the oily water sewer system. results in a direct cost greater than 2500).
78 |
Has a fire or explosion occurred by a release of a hazardous substance?
Event Class Comment
A pump seal fails and the resultant loss of containment catches on Only the costs for repair and replacement of the equipment
32
fire. The fire is put out quickly with no personal injuries. However, the damaged by the fire are to be considered. The cost for the repair
fire resulted in the need to repair some damaged instrumentation and Tier 2 of the equipment which led to the fire must not be considered.
replace insulation. The cost of the repairs, replacement, cleanup and
emergency response totaled 20.000.
A vacuum truck outfitted with a carbon canister on the vent is loading This is a Tier 2 PSE since the original spill of hydrocarbons
a spill of hydrocarbons. The carbon canister catches fire which
33
constitutes the LOPC and the response to the LOPC results in
Tier 2
escalates to the point of creating more than 10,000 in damage to the one of the Tier 2 consequences.
vacuum truck.
Product from a small flange leakage dropped on a hot steam pipe Negligible damage from a fire involving LOPC
and started smoldering Tier 3 34
There is a tube rupture in a fired heater. The operator detects the The LOPC did not result in any of the defined Tier 1 or 2
tube cracking with only a small flame from the tube and subsequently
35
consequences. However, it was a fire resulting from an
Tier 3
shuts down the heater with no resultant damage from the tube flame. unplanned LOPC.
During a hot work the sparkles ignited the vapor of an atmospheric The fire does not involve an unplanned, uncontrolled LOPC.
slop inlet. The fire damaged insulation material. no PSE
36
(see above) If the fire threatened the installation it may be
reported as Tier 3 Critical Operational Deviation
A vacuum truck caught fire while standing in the hangar for repair. Fire in offices, shops, warehouses, etc. are not related to PS
no PSE 37
A scaffold board is placed near a high pressure steam pipe and no unplanned or uncontrolled LOPC
subsequently begins to burn, but is quickly extinguished with no
38
if the burning scaffolding threatens the process installation and
further damage. The investigation finds that the board had been no PSE there is an increased risk of LOPC the event should be reported
contaminated by some oil, but there is no indication of an oil leak in under Tier 3 Critical operational deviation (COD)
the area.
An internal deflagration in a vessel causes equipment damage > Does not meet the definition of a Tier 1 or Tier 2 PSE because
25,000, but there was no loss of containment.
no Tier 1 or 39
there was no LOPC involved.
2 PSE
The deflagration had critical potential for a LOPC event and will
Tier 3 COD thus reported under Tier 3 Critical operational deviation (COD)
An electrical fire, loss of electricity, or any other loss of utility may no Tier 1 or Does not meet the definition of a Tier 1 or Tier 2 PSE because
occur that causes a plant shutdown and possibly incidental 2 PSE
40
there was no LOPC involved.
equipment damage greater than $25,000 (e.g. damage to equipment The event needs to be reported under Tier 3 Challenge to Safety
due to inadequate shutdown). Tier 3 CTSS System (CTSS)
There is a boiler fire at the Main Office complex, and direct cost Fire in offices, shops, warehouses, etc. are not related to PS
damages totaled 75,000.
no PSE 41
79 |
Was there an unplanned release of hazardous substances?
Event Class Comment
A gas pipe broke and ~300m3 natural gas with 10% H2S was released For mixtures the highest category counts. From given data
42
Tier 1 ~45kg H2S have been released. The amount of natural gas
would classify as a Tier 2 event.
Ten bbl of gasoline (1400 kg) leak from piping onto concrete and the LOPC of 7 bbl (1000 kg) or more of liquid with a flash point < 23
gasoline doesn't reach soil or water. Site personnel estimate that the
43
C in any one-hour period.
Tier 1
leak occurred within one hour. If the spill had been less than 1000kg, but equal to or greater
than 100kg, it would be a Tier 2 PSE.
A faulty tank gauge results in the overfilling of a product tank Release of 1000kg or more within any one-hour period,
containing liquid with a flash point < 23 C. Approximately 50 bbl (7000
44
regardless of secondary containment.
Tier 1
kg) of liquid overflows into the tanks diked area. This incident is a Tier
1 PSE since it is a
An operator is draining water off a flammable crude oil tank with a flash Release of crude oil is unplanned or uncontrolled and it is
point of 60 C or less into a drainage system designed for that
45
greater than the release criteria of 14 bbl. If the drainage system
purpose. The operator leaves the site and forgets to close the valve. Tier 1 goes to an API separator and the oil is recovered (secondary
Twenty bbl of crude oil are released into the drainage system within an containment), this would still be a Tier 1 event because the
hour. crude oil was released from primary containment.
A process vessel low level cutout fails to close a valve allowing 550kg Unplanned release above the Tier 1 threshold.
of a flammable gas to a floating roof tank resulting in a minor damage Tier 1
46
to the tank roof.
An operator discovers an approximate 10 bbl liquid spill of aromatic Since the actual release duration is unknown, a best estimate
solvent (e.g. benzene, toluene) near a process exchanger that was not
47
should be used to determine if the TQ rate has been exceeded
there during his last inspection round two hours earlier. (it is preferred to err on the side of inclusion rather than
Tier 1 exclusion). This incident is a Tier 1 PSE because the solvents
involved are Packing Group II materials and the threshold
quantity of 7 bbl is exceeded if the time period is estimated to be
less than one hour.
A leak on a high pressure hydrochloric acid line results in a spill of Tier 1 The 860kg release of hydrochloric acid would not a reportable
860kg of hydrochloric acid. Flash calculations indicate that greater than
48
Tier 1 PSE since this liquid is categorized as a Packing Group
100kg of hydrogen chloride would be released as a vapor. II corrosive liquid with a 1000kg reporting threshold. However,
since the liquid flashed or was sprayed out as an aerosol,
producing more than 100kg of hydrogen chloride, the event is be
a reportable Tier 1 PSE due to exceeding the 100kg or more of
toxic chemical within 1 hour.
A pipe fitting in a specialty chemicals plant fails, releasing 1800kg of a Tier 1 This mixture is not classified by the UN Dangerous Goods/U.S.
mixture of 30% formaldehyde, 45% methanol, and 25% water in less
49
DOT protocols; therefore, the threshold quantity mixture
than one hour. calculation is applied. The pure component reporting threshold
Calculations show that 450kg formaldehyde and 850kg methanol is of formaldehyde is 2000kg and methanol is 1000kg. For the
released. current release formaldehyde is 27% of the Tier 1 threshold and
80 | methanol corresponds 85% of the Tier 1 threshold. In total 112%
of Tier 1 is achieved
Was there an unplanned release of hazardous substances?
While drilling a well, a shallow gas pocket was stuck, causing a loss of
well control. Mud, cuttings, and 100 barrels of oil wer released to the
58
environment and over 64.000kg of gas were discharged to Tier 1
atmosphere.
81 |
Was there an unplanned release of hazardous substances?
82 |
Was there an unplanned release of hazardous substances?
83 |
Was there a release of a pressure relief device to atmosphere?
Event Class Comment
There is a unit upset and the PRD fails to open, resulting in
overpressure of the equipment and a 10-minute release of 900kg of Tier 1
77
butane from a leaking flange before it can be blocked in.
A relief valve operates and vents 250kg of a flammable gas directly to The total mass exceeded the thresholds and there was a small
atmosphere with a small liquid carry over estimated at 10kg Tier 1 liquid carryover 78
hydrocarbons
The flare system is not functioning properly due to inactive pilots on the The volume of the vapor through the PRD is greater than the
flare tip. During this time, a vapor load is sent to the flare due to an Tier 1 79
Tier 1 threshold and it results in the formation of a flammable
overpressure in a process unit. mixture at grade to be considered as unsafe release.
A PRD activates resulting a substantial release exceeding Tier 1 This is equivalent to an onshore situation resulting in an onsite
thresholds on an offshore platform causing precautionary down- shelter in place.
80
Tier 1
manning or platform abandonment.
100 bbl of naphtha liquid are inadvertently routed to the flare system This is a Tier 1 PSE since the volume released from the PRD to
through a PRD. The flare knockout drum contains most of the release;
81
a downstream destructive device does exceed the threshold
Tier 1
however, there is minimal naphtha rainout from the flare. quantity in Table 1 and resulted in one of the four listed
consequences (i.e. liquid carryover).
During a routine procedure of bleeding off of casing pressure the well Unplanned release of a category 5 substance (see Table 2)
operators accidentally fully opened the valves. The bleeding off release Tier 2
82
was estimated higher than 500kg.
There is a unit upset and the PRD opens to an atmospheric vent that This is a Tier 2 PSE because it both exceeded the threshold
has been designed for that scenario, resulting in a release of 150 of Tier 2
83
quantity and resulted in one of the defined negative
propane to the atmosphere requiring on-site shelter in place. consequences.
A process upset caused a low pressure safety valve to open to blow off is on a safe location, steam not considered as
atmosphere no PSE 84
hazardous substance unless nobody is injured
A sour gas vessel has a PRD that was identified in a recent PHA to be This would not be a Tier 1 or Tier 2, regardless of the HAZOP
undersized. In the process of making a transfer, the vessel
85
finding, so long as it did not result in a liquid carryover, on-site
overpressures. A release of 30kg sour gas (TIH Zone B material) shelter-in-place, public protective measure or other indication of
occurs through this PRD to a safe location over a period of 25 minutes. no PSE discharge to an unsafe location. It is not counted as a Tier 1
LOPC since the system the overpressure opening is included in
normal operations design (although it is not a recommended
design).
84 |
Was there a need of community evacuation or shelter in place due to the release of
hazardous substances?
85 |
Have the safe operations limit of a process installation exceeded?
Event Class Comment
A sealing of the pump was damaged after the pump pressure The shut off head of the pump is obviously higher than the
increased due to a blocked valve downstream of the pump Tier 3 91
design pressure of the sealing
A nozzle rated 16bar was accidentally installed at a 60bar pipeline. It The 60bar is well above the safe operating limit of the nozzle.
was found out during testing. No release created. Tier 3 92
Overfilling of a fuel tank but not creating a spill.
Tier 3 93
In the overhead section of a process installation product stared to
freeze because of very cold winter. Tier 3 94
A faulty pump bearing was identified by a temperature high alarm. The If the operation could have been continued with a spare pump it
system was shut down to avoid further damage to pump and process. Tier 3 95
will not be counted as PSE.
While drilling a well there was a loss of hydraulic overbalance resulted The release is planned and does not count under LOPC PSE.
in a well kick. The standard procedure to reestablish the well resulted
96
The event counts under demand of safety system.
Tier 3
in a planned venting of the kick through the rig's choke and kill system
and de-gasser.
The car wash needs to be stopped because of lack of cleaning Not relevant for safe process.
97
substance. no PSE
86 |
Was there an unplanned shutdown of a process installation or of its subsystems?
Event Class Comment
A technical failure of the LNG compressor causes the unit to shut-
down. Tier 3 102
Customer forgot the fuel hose in the car after filling and drove away. T3 Challenge to safety system: demands on safety systems
The hose broke and the dispenser shut down automatically. Tier 3 103
designed to prevent or mitigate a LOPC event.
A propane tank over-pressures through a PRD to the flare system. The Even though the PRD release exceeded the Tier 1 threshold
pilots on the flare system are not working properly, and the flare does
104
quantity, this is not a Tier 1 PSE since the discharge was routed
not combust the vapors. The event transpires over a period of 45 to a downstream destructive device with no consequence listed
Tier 3
minutes. The volume of propane release was estimated to be 600kg under Tier 1 PRD.
and the release dissipated into the atmosphere above grade and
above any working platforms.
An upset causes a PRD to open and release fuel gas to the facility This is not a Tier 1 or Tier 2 PSE since the PRD release was
flare system. The flare system works properly and combusts the vapor
105
routed to a downstream destructive device that functioned as
Tier 3
release which came from the PRD. intended (i.e. did not cause one of the four listed
consequences).
A short circuit stopped power supply of the station. The shut-down is not cause for safety reasons.
no PSE 106
A faulty flame detector triggered fire alarm. Firefighting checked the No shut-down of the system.
situation and confirmed faulty alarm. no PSE 107
Was there an event within the process area which has no immediate PS consequence
but had critical potential for a PS event?
Event Class Comment
On a hot, dry summer day bushes close to a well site caught fire. The fire threatened the installation and had thus the potential for
108
Firefighting services could prevent flash over to the installation. Tier 3 a severe process accident.
While refueling a customer car caught fire. Tier 3 The fire threatened the retail station.
109
A sewer pit exploded due to electrostatic ignition of the hydro-carbons The explosion does not involve an unplanned, uncontrolled
contained in the waste water. The sewer cover flew several meters Tier 3
110
LOPC. Acc. definition Tier 1 & 2 explosions and fires need to
and damaged windows. result from LOPC.
A theft was stealing cables from the cathodic protection system. Tier 3 111
A truck damaged the support structure of a pipe rack. Tier 3 112
An internal leakage of a water cooler was identified by increased HC in
Tier 3 113
Marginal release. The unmanaged leak could have ended in
backflow cooling water. The unit had to shut down for repair. more severe consequences.
87 |crashed into the shop window.
A car not PS No risk to end up in a PS event.
114
Does the finding or hazard indicate an increased likelihood of a PS event?
Event Class Comment
Earthing cables found loosened / degraded / missing during inspection. Tier 4 115
Critical operating parameters changed without proper management of
change (e.g. increased H2S content) Tier 4 116
Slippery / icy paving. not PS Not relevant for PS
117
88 |
INTRODUCTION TO
OFFSHORE SAFETY CASE
89 |
Offshore regulatory regime
90 |
Offshore regulatory regime
Operational parameters
91 |
Offshore regulatory regime
92 |
Hazard and Risk
HAZARD
A situation which poses a
threat to life, health,
property or environment
93 |
Hazard and Risk
94 |
Risk Assessment General Tolerability Criteria
95 |
Risk Assessment Individual Risk
96 |
Safety Case Hazard Identification
The Safety Case has to consider the hazards that can occur in the
field, from both external and internal origin:
Internal
Loss of Containment:
Fire, Explosion
Gas and Smoke Dispersion
Process Hazards (HAZOP Review)
Workplace hazards
Transportation hazards (Helicopter)
External
Marine Hazard (impacts)
Dropped Objects
97 |
Safety Case Study Structure
HAZID
SIL Analysis QRA
HAZOP MAE SCEs
Performance Standards
Escape, Evacuation and Rescue Analysis
98 |
Safety Case Activities
HAZOP Review
Safety Integrity Level (SIL) Review
Marine Hazard Analysis
Dropped Object Study
Fire and Explosion Analysis
Gas and Smoke Dispersion Analysis
Emergency Systems Survivability Analysis (ESSA)
Escape, Evacuation and Rescue (EER) Study
Performance Standards & Verification Scheme for SCE
QRA Report
HSE Management System Review Report
Operational Safety Case
99 |
Safety Case Engineering studies Marine Hazards
Purpose:
to assess quantitatively the incidental collision frequencies between ships
passing in the vicinity of the field facilities, shuttle tankers visiting the field,
supply vessels and fishing vessels in the area.
Collision Scenarios:
Passing vessels (commercial, passenger, recreational boat) powered
and drifting;
Shuttle tankers;
Supply vessels (powered and drifting);
Fishing ships.
100 |
Safety Case Engineering studies Marine Hazards
101 |
Safety Case Engineering studies Marine Hazards
Damage:
Ships with tonnage higher than 5000 DWT are considered to cause major
damage to the impacted installation
Results
102 |
Safety Case Engineering studies Marine Hazards
DWT <1500
DWT>15000
103 |
Safety Case Engineering studies Marine Hazards
104 |
Safety Case Engineering studies Dropped Objects
Purpose:
To evaluate quantitatively the dropped objects hit frequency on decks,
jackets and on oil and gas sealines.
The analysis covers the operation, drilling and work-over working
phases performed on the platforms and the storage barge.
Scenario:
dropped objects from monorails impacting on main deck;
dropped objects from cranes impacting on main deck;
dropped objects from cranes impacting on the jacket structure;
dropped objects from cranes impacting on the sealines.
105 |
Safety Case Engineering studies Dropped Objects
106 |
Safety Case EER Analysis
Purpose:
Objective of the Escape, Evacuation and Rescue (EER) study is to
assess if successful evacuation from the manned facilities of the field
can be achieved.
Steps:
The EER study is a qualitative assessment of the performance of the
EER systems in response to the major accident events, which may or
may not require personnel to evacuate the platform in an emergency.
107 |
Safety Case Fire & Gas explosion
108 |
Safety Case Fire & Gas explosion
109 |
Safety Case Fire & Gas explosion
Frequency result
Release Initial event Frequency consequences [event/year]
diameter frequency
[mm] [event/year] Jet Fire Explosion Flash-Fire Dispersion
7 5.90E-05 5.66E-08 0 2.36E-09 5.89E-05
25 8.86E-05 5.41E-07 0 2.98E-08 8.80E-05
100 2.95E-05 7.38E-07 1.33E-08 1.19E-07 2.86E-05
Consequences result
Pool fire Location Equipment
Hole Pool Distance to Heat Radiation
diameter diameter [m]
37.5 12.5 5
[mm] [m] 2 2
kW/m kW/m kW/m2
7 3 3.5 5.4 7.8
- - 25
6 5 11 15.6
100
110 |
Safety Case QRA
Targets
The above values are calculated for the groups of people in the facilities:
Group 1: personnel in the living quarter / offices most of the time;
Group 2: personnel in the control rooms (or other technical rooms)
most of the time;
Group 3: personnel in the process areas (maintenance, etc.).
111 |
Safety Case QRA
The QRA SUMS all the risks deriving from each of the hazards assessed
individually in the Engineering Safety Studies.
In formula:
112 |
Safety Case QRA
113 |
Safety Case QRA
Total IRPA
P1 IRPA
P2 IRPA
P3 IRPA
114 |
Safety Case QRA
115 |