Gjermund Våge
7.-8.3.2012
Risk/barrier management and standards for functional safety
Examples of risk and barrier management together with IEC61508/IEC61511/OLF070 in the lifecycle phases
© Det Norske Veritas AS. All rights reserved.
Contents
Risk analysis and barrier management
SIL in design
SIL in operation
Conclusion
Setting the scene - Major accident
History has taught us that major accidents are controlled by other mechanisms than the ones controlling occupational accidents.
[Figure: Personal safety management vs. Process safety management]
What the O&G & Process Industry has and has not achieved
O&G industry has attained a step change improvement in occupational safety
- But: Process Safety is not the same as Occupational Safety
USA and EU Process Industry
- Neither EU nor USA has demonstrated significant improvements for onshore major accidents
- (EU = MARS database, USA = RMP* database)
North Sea major accident safety has improved
- No major disaster since introduction of Safety Case legislation in UK / risk based in Norway
- (leaks have occurred, but none escalated)
- However, recent performance may suggest a floor has been reached
[Chart: occupational safety for different oil and chemical operating companies; trendline shows 10x improvement in past 13 years]
[Chart: reducing trend in major hydrocarbon leaks; graph shows factor of 3 better in last 10 years]
Vision – Step Change Improvement for Major Accidents
The Industry HAS already attained 10x improvement in Occupational Health
DNV believes major accidents can also be reduced 10x – but with different tools
1. Revised regulatory regime: blend of Prescriptive and Performance-based regulations
2. Address technical, human and organizational factors: key lessons from past accidents
3. Enhanced risk management approach: addressing Risks, Controls and Conditions
4. Clear roles and responsibilities: defined and clear to all
5. Shared performance monitoring: information is readily available and shared to all
This is practically and economically feasible
- Methods described are in use with O&G companies somewhere – but not fully integrated
- North Sea further down the path, but not there yet either, maybe x3 improvement
Major Accident Risk Management (ISO 31000)
Managing major accidents with focus on
- Management Commitment
- Safety barrier management
- Organisational learning
- Individual risk understanding
- Incident and accident investigation
- Safety culture
- Risk treatment and ALARP
… as an integrated part of corporate governance!
As Low As Reasonably Practicable (ALARP)
[Figure: risk scale showing "Risk unacceptable", the ALARP region and "Risk acceptable", annotated "Regulations, requirements, etc"]
ALARP region: risk accepted only if further risk reducing measures are impracticable to implement or the costs are grossly disproportionate to the benefit.
NB! Operator must demonstrate ALARP.
Swiss Cheese Model
Barrier layers between a HAZARD and a Major Accident:
- Prevent: e.g. design, maintenance, procedures, competence
- Detect: e.g. fire & gas detection, control systems
- Mitigate: e.g. drainage, fire protection
- Emergency response: e.g. escape, evacuation
Examples of performance standards
Layout and arrangement
Structural integrity
Fire and Gas detection System
Emergency Shutdown System
Ignition Source Control
Ventilation
Control of spills (Open drain system)
Active fire protection
Passive fire protection
Emergency Power / Emergency Lighting
PA, alarm & emergency communication systems
Escape and evacuation
Blowdown System
Process safety
Barrier to prevent loss of Containment
Barrier to prevent Ship collisions
Rescue and safety equipment
Non-physical barriers
Example: bow-tie model and performance standards
[Figure: bow-tie model and performance standards]
Accidents Occur when Barriers become Degraded
[Figure: Texas City event explained in barrier failure format]
[Figure: Macondo event explained in barrier failure format]
The causes of barrier degradation can be complex:
• Technical
• Human
• Organizational
Performance Standards Content
The specific requirements for each Barrier Function will be described in a Performance Standard (PS). The PSs are developed and structured based on the guidance given in [reference missing on the slide], driven by the need to maintain reliable safety barriers and meet the operational requirements. The main elements of a PS include the following:
Function - The functional criteria will include appropriate definition of requirements to the relevant functional parameters of the particular barrier, i.e. the essential duties that the system/function is expected to perform (ref. ISO 13702).
Integrity - The integrity criteria will include appropriate definition of and requirements to the relevant reliability and availability parameters of the particular barrier, e.g. probability of failure on demand, failure rates, demand rates, test frequencies, deterioration of system components, environmental impairment etc. (ref. ISO 13702).
Survivability - Criteria determining how a barrier will remain functional after a major incident, i.e. under the emergency conditions that may be present when it is required to operate (ref. ISO 13702).
Management - Criteria for checking if the systems are adequately maintained, operated and managed, i.e. verifying that competence and training are adequate and that the procedures are relevant and cover the necessary subjects.
Barrier elements
Technical barrier elements:
- Containment
- Fire detection
- Ventilation/HVAC
- Gas detection
- ESD
- Ignition Source control
- Drainage
- Flare and relief
- Emergency power
- Inergen/water mist/foam/deluge
- Passive fire protection
Organizational barrier elements:
- Competence
- Communication
- Work practice
- Procedures/Routines
- Work environment
- Man/machine
- Control, check and verify
- Documentation
- Resources, Capacity
- Work load/Time
Operational barrier elements:
- Design and arrangement
- Maintenance
- Operations and activities
- Modifications
- Changes/MOC
- Deviation handling
- Work processes
Barrier Management Framework (Strategy)
[Diagram: Barrier Management Process, based on S-001 "Technical Safety" and PSA Presentation]
DESIGN:
- Context: Regulations / Best practice / Requirements
- Risk Analysis/Safety Studies: QRA, BowTie, HAZID
- Other risk assessments
- Define Barriers / Safety Strategy
- Specify Performance Requirements
- Define Performance Indicators
- Establish Test & Verification Programme
OPERATION:
- Maintenance, Test and Inspection: Test Results, Performance Indicators
- Control and Monitor: Updated Risk Picture
- Daily Operations: WP meetings, Competence
- Non-Conformity, Management of Changes, Communicate
- Administration: Communication, HSE Directives, Work Instructions and procedures
- Risk Management Procedure
- Continuous Improvement
Safety Lifecycle Concept
- Phases 1-5, ANALYSIS: Safety Requirement Specification (SRS)
- Phases 6-13, REALIZATION: SIL Allocation, Required SIL
- Phases 14-16, OPERATION: SIL requirements during operation
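As an added worked example (not from the slides, DNV or any project they mention), the integrity parameters named in the Performance Standards Content slide (dangerous undetected failure rate, proof test interval, probability of failure on demand) carried through the simplified IEC 61508-6 low-demand formulas for 1oo1 and 1oo2 loops, and used to check whether a proof test interval practised in operation still meets the SIL allocated in design. All numeric values (failure rate, intervals, beta) are constructed; the assumptions are listed in the module docstring.

```python
"""Simplified IEC 61508-6 low-demand PFDavg formulas, used to compare the
proof test interval assumed in design with the one practised in operation.
Assumptions: only dangerous undetected (DU) failures count, no repair time,
no diagnostics, beta-factor model for common cause. Rates in 1/h, times in h."""

# Low-demand SIL bands (IEC 61508-1): SIL n needs 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HOURS_PER_YEAR = 8760

def pfd_avg_1oo1(lambda_du: float, tau: float) -> float:
    """Single channel: PFDavg ~= lambda_DU * tau / 2."""
    return lambda_du * tau / 2

def pfd_avg_1oo2(lambda_du: float, tau: float, beta: float) -> float:
    """Two channels, one needed: independent term plus common-cause term,
    PFDavg ~= ((1-beta) lambda_DU tau)^2 / 3 + beta lambda_DU tau / 2."""
    independent = ((1 - beta) * lambda_du * tau) ** 2 / 3
    common_cause = beta * lambda_du * tau / 2
    return independent + common_cause

def sil_from_pfd(pfd: float) -> int:
    """SIL reached by a PFDavg in low-demand mode (0 = below SIL 1)."""
    if pfd < SIL_BANDS[4][0]:
        return 4  # beyond the SIL 4 band floor still satisfies SIL 4
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0

def max_test_interval_1oo1(lambda_du: float, required_sil: int) -> float:
    """Proof test interval (h) at which a 1oo1 loop hits the SIL band ceiling;
    the interval used in operation must stay below this value."""
    return 2 * SIL_BANDS[required_sil][1] / lambda_du

def follow_up_check(lambda_du: float, required_sil: int,
                    design_tau: float, operation_tau: float) -> tuple:
    """Design-phase assumption vs operation-phase practice for a 1oo1 loop.
    Returns (SIL in design, SIL in operation, requirement still met)."""
    sil_design = sil_from_pfd(pfd_avg_1oo1(lambda_du, design_tau))
    sil_operation = sil_from_pfd(pfd_avg_1oo1(lambda_du, operation_tau))
    return sil_design, sil_operation, sil_operation >= required_sil

if __name__ == "__main__":
    # Constructed values: lambda_DU = 1e-6 /h, yearly proof test assumed in
    # design, test interval stretched to every 5 years in operation.
    lam = 1e-6
    print(follow_up_check(lam, 2, HOURS_PER_YEAR, 5 * HOURS_PER_YEAR))
    print("ceiling interval for SIL 2 (h):", max_test_interval_1oo1(lam, 2))
```

With the constructed values the loop is SIL 2 at the yearly test assumed in design but only SIL 1 once the test is stretched to five years, which is exactly the design-to-operation follow-up the conclusions ask for.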
Barrier Management Strategy
Link to Risk Analysis: Hazards identified for each installation (that could escalate to Major Accidents) must be managed in order to minimise the risk to personnel, environment and assets to a level "As Low As Reasonably Practicable" (ALARP). This is done through implementation of barriers, and by following the structured risk management process described in this document: establish performance standards for the identified important barrier functions.
Design: The barriers are to be designed, commissioned, used and maintained to ensure that the barrier function will safeguard personnel, environment and the asset in a lifecycle perspective.
Communication: The Performance Standards and current barrier status must be communicated to all involved parties, giving the necessary understanding as to why barrier functions have been established and which performance requirements are covered by the barrier systems.
Modifications and Change Management: For new projects and major modifications, the choice of safety strategy should be made at an early stage when it is still possible to optimise the design, to minimise the hazards and take due credit for these features. This approach will achieve full integration of prevention, protection and mitigation of all hazards.
Monitor and Control: Throughout the lifetime of the installation, a process will be in place to monitor the status and condition of the barriers. The results will be communicated to the relevant personnel to ensure (……….)
"At any given time, the condition, functionality and importance of the barriers should be known by relevant personnel. In addition, continuous improvement and identified actions should be implemented with the purpose of ensuring necessary barrier functionality, integrity and survivability."
This is achieved through:
Performance Standard Example
Performance Standard for Active fire fighting, function F1 – Fire water (FW) supply - Pumps.
The slide is a table with two column groups. The Performance standard part (Technical) gives Performance Requirement, Regulation Reference, Requirement Reference No., Requirement (detailed) and Codes, standards and internal requirements. The Checklist part (Operational/Organizational) gives Activity Id, Activity description, Acceptance criteria, Frequency, Activity type, COSL reference for activity and Responsible unit. The rows are reconstructed below.

F1.1
- Performance requirement: FW supply system shall meet the worst case FW demand identified for the DSHAs.
- Regulation reference: N/A
- Requirement (detailed): Each fire pump system shall have the capacity to individually deliver 270 m3/h @ 13.1 barg, for three monitors at the bridge/helideck (scenario 6 in AWONO 2779).
- Codes, standards and internal requirements: AWONO 2779, 4.1; NMD 227/84, 6.3
- Activity Id: CP F1.1.1
- Activity description:
  - Flow and pressure tests shall be performed annually for both pumps. Today there is no flow test. COSL is considering to bring in a 3rd party for doing flow and pressure tests annually.
  - Running tests for the pumps and electrical motors shall be performed at regular intervals (identify frequency).
  - The following planned maintenance activities shall be performed for the pumps: bi-weekly testing of pressure in operational mode (starting up of pumps) and checking of pressure on PC (reading on the Kongsberg central); checking the condition of the pump filters (3 month interval suggested); 5-yearly overhaul (opening and inspection) of the pumps (external requirement, needs to be implemented).
  - The following planned maintenance activities shall be performed for the motors: planned maintenance on the motors every 3 months; yearly lubrication of bearings and general PM routines for the motor; a condition evaluation by a 3rd party needs to be implemented for the motors (frequency needs to be determined).
- Frequency: Bi-weekly; Every 3 months; Yearly; Every 5 years
- Activity type: Testing and inspection
- COSL reference for activity: Motor: DE013 & DE015; Pumps: PA021
- Responsible unit: Technical department - Engine room operator

F1.2
- Performance requirement: The fire main pressure shall in no place be less than 7 bar at the greatest calculated consumption.
- Regulation reference: NMD 227/84, 6.3
- Activity Id: CP F1.2.1
- Activity description: Valve and pressure test shall be performed annually. This activity is not performed today. COSL is considering to hire in a 3rd party to perform the testing.
- Acceptance criteria: N/A
- Frequency: Yearly
- Activity type: Testing
- Responsible unit: Technical department - Engine room operator

F1.3
- Performance requirement: FW pumps shall be triggered automatically at demand (loss of pressure). In addition, sufficient indications on whether the FW pumps are activated or not should be delivered to all relevant areas.
- Regulation reference: NMD 227/84, 6
- Requirement (detailed): Duty pump shall start automatically during the following events: F&G system confirmation of a fire; loss of pressure in the ring main (set point of 4.5 bar). Indications on whether the FW pumps are activated or not shall be delivered to all relevant areas.
- Codes, standards and internal requirements: AWONO 83433, 6.1; AWONO 17580, 4.1.1
- Activity Id: CP F1.3.1
- Activity description:
  - Test shall be performed for the pressure control valve (frequency).
  - Tests of the electric pressure transmitters connected to the FW pumps (one transmitter for each pump) shall be performed annually.
  - Test of logic between F&G system and FW pumps shall be performed annually. This is not in place today and needs to be established.
  - Indications on whether the FW pumps are activated or not shall be inspected for all relevant areas.
- Acceptance criteria: N/A
- Frequency: Yearly
- Activity type: Testing and inspection
- COSL reference for activity: IX011 (transmitters); IRUV (Flame detectors); BE011 (F&G)
- Responsible unit: Technical department - Electrician

F1.4
- Performance requirement: Shall be possible to manually activate FW pumps.
- Requirement (detailed): Manual activation of FW pumps shall be possible from the following locations: the F&G operator station; wheel house, ECR, drillers cabin and tool pusher; vicinity of FW pumps.
- Codes, standards and internal requirements: AWONO 83433, 6.1; AWONO 17580, 4.1.1
- Activity Id: CP F1.4.1
- Activity description: Test of manual release shall be performed for all stations/locations every 3 months. Locations/stations include: F&G operator station; four matrix panels; locally at FW pump; helideck and lifeboat station.
- Acceptance criteria: OJT/procedure need to be established/identified for this function by the fire teams. Potential ref. doc. (from BowTie): OJT, DM#65041, DM#33267, DM#19508, DM#33281, DM#35108
- Frequency: Every 3 months
- Activity type: Testing and training
- Responsible unit: Marine department
Monitoring Barriers
Knowledge of the status of Barriers is key:
Formal focused in-depth reviews – excellent, but infrequent
- TTS (e.g. Statoil) – 5 yearly
- Audits – 3 yearly
- Planned Inspections – 1 year
Lessons learned from Incident investigations – excellent AND high frequency
- BSCAT approach – every incident / near miss means some barriers failed / degraded
- For many facilities this is 100+ events / year
- Collect statistics and root causes
[Figure: Barrier Status (a to f); Barrier Failure; Root Causes; Cause Barriers]
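The checklist in the performance standard example gives each activity a frequency and a responsible unit, and the monitoring slide asks for the current status of every barrier. As an added example (not from the slides, DNV or COSL), a small status roll-up over the F1 fire water activities: each activity's last performance date is compared with its required frequency, and the barrier function takes the worst activity status. The activity ids and frequency words come from the checklist; the dates, the conversion of the frequencies to days and the "not established" handling are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Frequencies used in the F1 performance standard, converted to days
# (assumed conversions; the checklist only gives the words).
FREQUENCY_DAYS = {"bi-weekly": 14, "every 3 months": 91,
                  "yearly": 365, "every 5 years": 1826}
# Worst status wins when rolling up to the barrier function.
SEVERITY = {"ok": 0, "overdue": 1, "not established": 2}

@dataclass
class Activity:
    activity_id: str                # checklist activity id, e.g. CP F1.2.1
    frequency: str                  # key into FREQUENCY_DAYS
    last_performed: Optional[date]  # None = not performed / not in place yet

def due_date(act: Activity) -> Optional[date]:
    """Next date the activity falls due, or None if never performed."""
    if act.last_performed is None:
        return None
    return act.last_performed + timedelta(days=FREQUENCY_DAYS[act.frequency])

def activity_status(act: Activity, today: date) -> str:
    """'not established', 'overdue' or 'ok' for one checklist activity."""
    due = due_date(act)
    if due is None:
        return "not established"
    return "overdue" if today > due else "ok"

def days_overdue(act: Activity, today: date) -> int:
    """Days past the due date; 0 when on schedule or never performed."""
    due = due_date(act)
    return max(0, (today - due).days) if due else 0

def function_status(activities: list, today: date) -> str:
    """Barrier function status = worst status among its activities."""
    statuses = [activity_status(a, today) for a in activities]
    return max(statuses, key=SEVERITY.__getitem__, default="ok")

# Constructed sample: the F1 activity ids and frequencies are from the slide,
# the dates are invented (None = 'not performed today' in the checklist).
TODAY = date(2012, 3, 7)
F1_ACTIVITIES = [
    Activity("CP F1.1.1", "bi-weekly", date(2012, 2, 27)),
    Activity("CP F1.2.1", "yearly", None),
    Activity("CP F1.3.1", "yearly", None),
    Activity("CP F1.4.1", "every 3 months", date(2011, 11, 1)),
]
```

Because the yearly tests for F1.2 and F1.3 have never been established, the F1 function reports "not established" even though the bi-weekly pump test is on schedule; that is the worst-case roll-up the barrier status board needs.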
Operational Risk – "Barrier Management and Communication"
Clear demonstration of a sufficient range and diversity of barriers
- Bow Ties show number and quality of barriers: prevention and mitigation
- Use for regular training and special operations
- Adaptive – barrier status changes dynamically – need to know current status
- Safety Plan improvement actions closed – barriers stronger
- Incidents / near misses – some barriers failed in use
- Maintenance / Inspection – some barriers are degraded or out of service
Clear Visual Model: Updated, Live, Communicated
Conclusions
The introduction of IEC61508, IEC 61511, OLF gl. 070 and the PDS forum has
- shifted the industry's focus from components to safety functions
- improved the reliability of safety functions, which are often delivered by several sub-suppliers
- to some degree contributed to better design solutions
New challenges for IEC61508, IEC 61511, OLF gl. 070 and the PDS forum:
- take a clearer position within barrier management
- clarify and elaborate the relationship between risk analysis (QRA) and functional safety
- help ensure that assumptions made in RA and SIL analyses in the design phase are followed up in the operational phase
- help ensure that SIL requirements established for safety functions in the design phase are followed up in the operational phase throughout a facility's lifetime
Safeguarding life, property and the environment
www.dnv.com