Gjermund Våge, 7.-8.3.2012: Risk/barrier management and standards for functional safety. Examples of risk and barrier management together with IEC61508/IEC61511/OLF070s in the lifecycle phases


© Det Norske Veritas AS. All rights reserved.

Risk/barrier management and standards for functional safety

7.-8.3.2012

Contents

Risk analysis and barrier management
SIL in design
SIL in operation
Conclusion


Setting the scene - Major accident

History has taught us that major accidents are controlled by other mechanisms compared to the ones controlling occupational accidents


Personal safety management / Process safety management



What the O&G & Process Industry both has and has not achieved

O&G industry has attained a step change improvement in occupational safety
- But: Process Safety is not the same as Occupational Safety

USA and EU Process Industry
- Neither EU nor USA has demonstrated significant improvements for onshore major accidents
- (EU = MARS database, USA = RMP* database)

North Sea major accident safety has improved
- No major disaster since introduction of Safety Case legislation in UK / risk based in Norway
- (leaks have occurred, but none escalated)
- However, recent performance may suggest a floor has been reached

[Figure: different oil and chemical operating companies, with trendline; 10x improvement in past 13 years]

[Figure: reducing trend in major hydrocarbon leaks; graph shows factor of 3 better in last 10 years]


Vision – Step Change Improvement for Major Accidents

The Industry HAS already attained 10x improvement in Occupational Health

DNV believes major accidents can also be reduced 10x – but with different tools

1. Revised regulatory regime: Blend of Prescriptive and Performance-based regulations
2. Address technical, human and organizational factors: Key lessons from past accidents
3. Enhanced risk management approach: Addressing Risks, Controls and Conditions
4. Clear roles and responsibilities: Defined and clear to all
5. Shared performance monitoring: Information is readily available and shared to all

This is practically and economically feasible
- Methods described are in use with O&G companies somewhere – but not fully integrated
- North Sea further down the path, but not there yet either, maybe x3 improvement


Major Accident Risk Management (ISO 31000)

Managing major accidents with focus on
- Management commitment
- Safety barrier management
- Organisational learning
- Individual risk understanding
- Incident and accident investigation
- Safety culture
- Risk treatment and ALARP

... as an integrated part of corporate governance!


As Low As Reasonably Practicable (ALARP)

[Figure: ALARP diagram with the following labels]
- Risk unacceptable
- ALARP region: risk accepted only if further risk reducing measures are impracticable to implement or the costs are grossly disproportionate to the benefit
- Risk acceptable
- Regulations, requirements, etc.

NB! Operator must demonstrate ALARP


Swiss Cheese Model

[Figure: barrier layers between HAZARD and Major Accident]
- Prevent: e.g. design, maintenance, procedures, competence
- Detect: e.g. fire & gas detection, control systems
- Mitigate: e.g. drainage, fire protection
- Emergency response: e.g. escape, evacuation


Examples of performance standards

- Layout and arrangement
- Structural integrity
- Fire and Gas detection System
- Emergency Shutdown System
- Ignition Source Control
- Ventilation
- Control of spills (Open drain system)
- Active fire protection
- Passive fire protection
- Emergency Power / Emergency Lighting
- PA, alarm & emergency communication systems
- Escape and evacuation
- Blowdown System
- Process safety
- Barrier to prevent loss of Containment
- Barrier to prevent Ship collisions
- Rescue and safety equipment
- Non-physical barriers


Example: bow-tie model and performance standards


Accidents Occur when Barriers become Degraded

[Figure: Texas City event explained in barrier failure format]

[Figure: Macondo event explained in barrier failure format]

The causes of barrier degradation can be complex:
• Technical
• Human
• Organizational


Performance Standards Content

The specific requirements for each Barrier Function will be described in a Performance Standard (PS). The PSs are developed and structured based on the guidance given in driven by the need to maintain reliable safety barriers and meet the operational requirements. The main elements of a PS include the following:

Function - The functional criteria will include appropriate definition of requirements to the relevant functional parameters of the particular barrier, i.e. the essential duties that the system/function is expected to perform (ref. ISO 13702).

Integrity - The integrity criteria will include appropriate definition of and requirements to the relevant reliability and availability parameters of the particular barrier, e.g. probability of failure on demand, failure rates, demand rates, test frequencies, deterioration of system components, environmental impairment etc. (ref. ISO 13702).

Survivability - Criteria determining how a barrier will remain functional after a major incident, i.e. under the emergency conditions that may be present when it is required to operate (ref. ISO 13702).

Management - Criteria for checking if the systems are adequately maintained, operated and managed, i.e. verifying that competence and training are adequate and that the procedures are relevant and cover the necessary subjects.


Barrier elements

Technical barrier elements
- Containment
- Fire detection
- Ventilation/HVAC
- Gas detection
- ESD
- Ignition Source control
- Drainage
- Flare and relief
- Emergency power
- Inergen / water mist / foam / deluge
- Passive fire protection

Organizational barrier elements
- Competence
- Communication
- Work practice
- Procedures / Routines
- Work environment
- Man / machine
- Control, check and verify
- Documentation
- Resources, Capacity
- Work load / Time

Operational barrier elements
- Design and arrangement
- Maintenance
- Operations and activities
- Modifications
- Changes / MOC
- Deviation handling
- Work processes


Barrier Management Framework (Strategy)

[Diagram: Barrier Management Process. Based on S-001 “Technical Safety” and PSA Presentation. Labels in the diagram:]

Inputs
- Context: Regulations / Best practice / Requirements
- Risk Analysis / Safety Studies: QRA, BowTie, HAZID
- Other risk assessments
- Safety Strategy

DESIGN
- Define Barriers
- Specify Performance Requirements
- Define Performance Indicators
- Establish Test & Verification Programme

OPERATION
- Maintenance, Test and Inspection
- Performance Indicators
- Test Results
- Control and Monitor
- Updated Risk Picture
- Daily Operations
- WP meetings
- Competence
- Non-Conformity
- Communicate
- Management of Changes

Administration
- Communication
- HSE Directives, Work Instructions and procedures
- Risk Management Procedure

Continuous Improvement


Safety Lifecycle Concept

[Diagram: safety lifecycle, with the following labels]
- 1-5: ANALYSIS
- 6-13: REALIZATION
- 14-16: OPERATION
- Safety Requirement Specification (SRS)
- SIL Allocation
- Required SIL
- SIL requirements during operation


Barrier Management Strategy

“At any given time, the condition, functionality and importance of the barriers should be known by relevant personnel. In addition, continuous improvement and identified actions should be implemented with the purpose of ensuring necessary barrier functionality, integrity and survivability.”

This is achieved through:

Link to Risk Analysis: Hazards identified for each installation (that could escalate to Major Accidents) must be managed in order to minimise the risk to personnel, environment and assets to a level “As low as reasonably practicable” (ALARP). This is done through implementation of barriers, and by following the structured risk management process described in this document; establish performance standards for the identified important barrier functions.

Design: The barriers are to be designed, commissioned, used and maintained to ensure that the barrier function will safeguard personnel, environment and the asset in a lifecycle perspective.

Communication: The Performance Standards and current barrier status must be communicated to all involved parties, giving the necessary understanding as to why barrier functions have been established and which performance requirements are covered by the barrier systems.

Modifications and Change Management: For new projects and major modifications, the choice of safety strategy should be made at an early stage when it is still possible to optimise the design, to minimise the hazards and take due credit for these features. This approach will achieve full integration of prevention, protection and mitigation of all hazards.

Monitor and Control: Throughout the lifetime of the installation, a process will be in place to monitor the status and condition of the barriers. The results will be communicated to the relevant personnel to ensure (……….)


Performance Standard Example

Table headings: Technical; Operational/Organizational. Performance Standard for Active fire fighting; Performance standard Checklist.

Columns: Performance Requirement; Regulation Reference; Requirement Reference No.; Requirement (detailed); Codes, standards and internal requirements; Activity Id; Activity description; Acceptance criteria; Frequency; Activity type; COSL reference for activity; Responsible unit.

Function: F1 – Fire water (FW) supply - Pumps

Requirement Reference No.: F1.1
- Performance Requirement: FW supply system shall meet the worst case FW demand identified for the DSHAs
- Regulation Reference: NMD 227/84, 6.3
- Requirement (detailed): Each fire pump system shall have the capacity to individually deliver 270 m3/h @ 13.1 barg, for three monitors at the bridge/helideck (scenario 6 in AWONO 2779).
- Codes, standards and internal requirements: AWONO 2779, 4.1; NMD 227/84, 6.3
- Activity Id: CP F 1.1.1
- Activity description:
  - Flow and pressure tests shall be performed annually for both pumps. Today there is no flow test. COSL is considering bringing in a 3rd party to do flow and pressure tests annually.
  - Running tests for the pumps and electrical motors shall be performed at regular intervals (identify frequency).
  - The following planned maintenance activities shall be performed for the pumps:
    - Bi-weekly testing of pressure in operational mode (starting up of pumps) and checking of pressure on PC (reading on the Kongsberg central).
    - Checking the condition of the pump filters (3 month interval suggested).
    - 5-yearly overhaul (opening and inspection) of the pumps (external requirement, needs to be implemented).
  - The following planned maintenance activities shall be performed for the motors:
    - Planned maintenance on the motors every 3 months.
    - Yearly lubrication of bearings and general PM routines for the motor.
    - A condition evaluation by a 3rd party needs to be implemented for the motors (frequency needs to be determined).
- Acceptance criteria: N/A
- Frequency: Bi-weekly; Every 3 months; Yearly; Every 5 years
- Activity type: Testing and inspection.
- COSL reference for activity: Motor: DE013 & DE015; Pumps: PA021
- Responsible unit: Technical department - Engine room operator

Requirement Reference No.: F1.2
- Requirement (detailed): The fire main pressure shall in no place be less than 7 bar at the greatest calculated consumption
- Codes, standards and internal requirements: NMD 227/84, 6.3
- Activity Id: CP F1.2.1
- Activity description: Valve and pressure test shall be performed annually. This activity is not performed today. COSL is considering hiring a 3rd party to perform the testing.
- Acceptance criteria: N/A
- Frequency: Yearly
- Activity type: Testing
- Responsible unit: Technical department - Engine room operator

Requirement Reference No.: F1.3
- Performance Requirement: FW pumps shall be triggered automatically at demand (loss of pressure). In addition, sufficient indications on whether the FW pumps are activated or not should be delivered to all relevant areas.
- Regulation Reference: NMD 227/84, 6
- Requirement (detailed): Duty pump shall start automatically during the following events:
  - F&G system confirmation of a fire
  - Loss of pressure in the ring main (set point of 4.5 bar)
  Indications on whether the FW pumps are activated or not shall be delivered to all relevant areas.
- Codes, standards and internal requirements: AWONO 83433, 6.1; AWONO 17580, 4.1.1
- Activity Id: CP F1.3.1
- Activity description:
  - Test shall be performed for the pressure control valve (frequency).
  - Tests of the electric pressure transmitters connected to the FW pumps (one transmitter for each pump) shall be performed annually.
  - Test of logic between F&G system and FW pumps shall be performed annually. This is not in place today and needs to be established.
  - Indications on whether the FW pumps are activated or not shall be inspected for all relevant areas.
- Acceptance criteria: N/A
- Frequency: Yearly
- Activity type: Testing and inspection.
- COSL reference for activity: IX011 (transmitters); IRUV (Flame detectors); BE011 (F&G)
- Responsible unit: Technical department - Electrician

Requirement Reference No.: F1.4
- Performance Requirement: Shall be possible to manually activate FW pumps
- Requirement (detailed): Manual activation of FW pumps shall be possible from the following locations:
  - The F&G operator station
  - Wheel house, ECR, Drillers cabin and Tool pusher
  - Vicinity of FW pumps
- Codes, standards and internal requirements: AWONO 83433, 6.1; AWONO 17580, 4.1.1
- Activity Id: CP F1.4.1
- Activity description: Test of manual release shall be performed for all stations/locations every 3 months. Locations/stations include:
  - F&G operator station
  - Four matrix panels
  - Locally at FW pump
  - Helideck and lifeboat station
  OJT/procedure needs to be established/identified for this function by the fire teams.
  Potential ref. doc. (from BowTie): OJT, DM#65041, DM#33267, DM#19508, DM#33281, DM#35108
- Frequency: Every 3 months
- Activity type: Testing and training.
- Responsible unit: Marine department


Monitoring Barriers

Knowledge of the status of Barriers is key:

Formal focused in-depth reviews – excellent, but infrequent
- TTS (e.g. Statoil) − 5 yearly
- Audits − 3 yearly
- Planned Inspections − 1 year

Lessons learned from Incident investigations − excellent AND high frequency
- BSCAT approach − every incident / near miss means some barriers failed / degraded
- For many facilities this is 100+ events / year
- Collect statistics and root causes

[Figure labels: Barrier Status – a to f; Barrier Failure; Root Causes; Cause Barriers]


Operational Risk – “Barrier Management and Communication”

Clear demonstration of a sufficient range and diversity of barriers
- Bow Ties show number and quality of barriers: prevention and mitigation
- Use for regular training and special operations
- Adaptive – barrier status changes dynamically – need to know current status
- Safety Plan improvement actions closed – barriers stronger
- Incidents / near misses – some barriers failed in use
- Maintenance / Inspection – some barriers are degraded or out of service

[Figure labels: Clear Visual Model; Updated, Live, Communicated]


Conclusions

The introduction of IEC61508, IEC 61511, OLF gl. 070 and the PDS forum has
- shifted the industry's focus from components to safety functions
- improved the reliability of safety functions, which are often delivered by several subcontractors
- to some extent contributed to better design solutions

New challenges for IEC61508, IEC 61511, OLF gl. 070 and the PDS forum
- take a clearer position within barrier management
- clarify and elaborate the relationship between risk analysis (QRA) and functional safety
- help ensure that assumptions made in RA and SIL analyses in the design phase are followed up in the operations phase
- help ensure that SIL requirements established for safety functions in the design phase are followed up in the operations phase throughout an installation's lifetime


Safeguarding life, property and the environment

www.dnv.com