Edward M. Marszal
President and CEO
Kenexis
Due to events in the past year, the safety performance of the offshore oil and gas industry has been called into question. This is unfortunate, since the industry has had an exemplary safety record, specifically with regard to the design, installation, and maintenance of safety instrumented systems (SIS). It is important that industry participants understand how and why the offshore industry’s SIS performance record has been so exemplary, and ensure that the practices that have generated this good performance are not watered down by proposed alternatives that may not be any better.
In order to understand how the offshore oil industry designs and implements SIS, a bit of a history lesson is helpful. In the pioneering stages of the development of any technology, there is a large focus on making things work. In the mad rush to produce product, rarely does anyone consider what happens when the system components fail.
For instance, at the beginning of the industrial revolution, engineers were very focused on how to make a steam engine work reliably. An unfortunate result of the early stages of use of the steam engine was a large number of boiler explosions that injured and killed large numbers of workers, engineers, managers, and even members of the general public who were nearby. The designers of the system did not foresee the incidents that caused the harm.
As technology progresses, lessons learned from previous incidents are collected, and measures are put into place as part of “standard” designs that will prevent these same incidents from occurring in the future. Again in the case of the steam engine, these lessons learned were collected into the Boiler and Pressure Vessel Code of the American Society of Mechanical Engineers.
In the offshore oil and gas production industry, the lessons related to SIS design are compiled into the API 14C standard, which includes a systematic and prescriptive process of analyzing a production facility on a component-by-component basis to identify which safety instrumented functions (SIF) are required to make the facility safe.
The problem with the aforementioned standards that are prescriptive and based on historical experience is that they are not predictive of new hazards that are being generated by unexpected combinations of equipment, novel equipment and processes, and more intensive and severe operating conditions. In the current technological environment, we can no longer afford to wait for accidents to happen because the consequences are becoming too large. No longer are industrial accident consequences limited to those in the immediate vicinity of an exploding boiler; now accidents can easily result in dozens of fatalities and millions of gallons of spilled oil. As a result, there is a strong drive to predict what can go wrong, instead of correcting designs only after an accident reveals a design weakness.
Predictive hazard analysis is fairly new to industry, mainly being pioneered by chemical industries in the aftermath of the Flixborough accident in the 1970s. These approaches use systematic and structured brainstorming to attempt to foresee what can go wrong in a process plant and assess the resulting risk, resulting in such techniques as Hazards and Operability Studies (HAZOP) and Layer of Protection Analysis (LOPA). The risk assessment is subsequently used to determine not only what SIS equipment is required, but also yields a quantitative performance target that the equipment should achieve. In the safety instrumentation community, there have been many accusations that the use of API 14C’s prescriptive approach to SIS design has resulted in inferior designs, and that API 14C should be abandoned in favor of the “performance based” approaches in the generic SIS standards (such as ISA84/IEC1508). While these accusations are not completely without merit, dismissing API 14C as unnecessary is foolish. Instead, this author recommends a combined approach for the offshore oil production industry.
The “predictive” methods that are currently in vogue also have their weaknesses. In practice, the performance-based predictive methods yield results that are very often incomplete and inconsistent. For instance, the author was recently involved in an SIS study for several Gulf of Mexico platforms, where the predictive HAZOP/LOPA approach was employed to identify the required SIF. This study, which was performed by a well-respected, high-profile consulting organization, only identified between 50% and 60% of the SIF that were already shown on the P&IDs, and the requirements in terms of testing and design were substantially less rigorous than what API 14C and BOEMRE regulation require. Essentially, the predictive study approach yielded the result that the facilities’ existing SIS was grossly over-designed in comparison to what the study itself called for, when in fact it was the study that fell short of current practice.
Using a predictive risk study to obtain a perfect analysis of risk is an intractable problem, as performing a study so thoroughly that all hazards are identified would require an infinite amount of time. Tools used to limit discussion in hazard studies in order to allow completion in a reasonable amount of time (such as the double-jeopardy rule) can prevent a comprehensive analysis. Furthermore, the scenarios that can be envisioned by risk study participants are just as limited by the experience of the team members as the experience-based design techniques are. It is difficult for a team member to envision a scenario that has not occurred in the industry.
There are camps that are firmly entrenched on both sides of this semi-religious either-or debate, but the choice is a false one, as the most prudent path (and the one that is most often employed in the offshore production industry) is to use both. The design of safety critical systems should begin with using experience (through standards such as API 14C) to come up with a good first-pass design. This good design should then be subjected to a second predictive and performance-based study whose objective is to identify novel or unique situations that “fell through the cracks” of the prescriptive standard, and identify higher risk situations where the equipment requirements of the prescriptive standard may not be sufficient to completely mitigate the elevated level of risk.
The following philosophy should serve the industry well: start with semi-prescriptive standards that are based on generic equipment items. Then, employ formal risk-based studies to identify any novel or unanticipated hazards, and address them prior to implementation.
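As an added illustration of the combined philosophy above (this script is not from the article, from Kenexis, or from any standard), the following Python code reconciles a prescriptive first-pass SIF list against a predictive HAZOP/LOPA list and reports the three things the second study is meant to surface: prescriptive functions the predictive study failed to identify, novel functions the prescriptive pass did not produce, and functions whose risk-based integrity target exceeds the prescriptive baseline. The tags, actions, SIL values, and the assumption that the prescriptive pass carries a uniform SIL 1 baseline are all constructed for the example.

```python
"""Reconcile a prescriptive (API 14C style) SIF list with a predictive
(HAZOP/LOPA) SIF list, then produce the combined design.

Hypothetical example: all tags, actions and SIL targets below are
constructed sample data, not taken from any real facility or study."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SIF:
    """One safety instrumented function as it appears in a study output."""
    tag: str      # function tag (constructed sample values below)
    action: str   # protective action the function takes
    sil: int      # integrity level target assigned by the study


# Constructed: output of a component-by-component prescriptive pass.
# Assumption for this example only: the prescriptive pass is given a
# uniform baseline target of SIL 1 so the two lists can be compared.
PRESCRIPTIVE: List[SIF] = [
    SIF("PSH-101", "close inlet SDV on high separator pressure", 1),
    SIF("PSL-101", "close inlet SDV on low separator pressure", 1),
    SIF("LSH-101", "close inlet SDV on high separator level", 1),
    SIF("LSL-101", "close outlet SDV on low separator level", 1),
    SIF("TSH-201", "shut down compressor on high discharge temperature", 1),
    SIF("PSH-301", "close fuel gas SDV on high header pressure", 1),
]

# Constructed: output of a HAZOP/LOPA study on the same facility. It
# misses several prescriptive functions (the incompleteness the article
# describes), adds one novel function, and raises the target on one
# function where the risk assessment found elevated risk.
PREDICTIVE: List[SIF] = [
    SIF("PSH-101", "close inlet SDV on high separator pressure", 2),
    SIF("LSH-101", "close inlet SDV on high separator level", 1),
    SIF("TSH-201", "shut down compressor on high discharge temperature", 1),
    SIF("ASH-401", "isolate and depressure on gas detection in turbine hood", 2),
]


def reconcile(prescriptive: List[SIF], predictive: List[SIF]) -> Dict[str, object]:
    """Compare the two lists by tag and report gaps in each direction."""
    pre = {s.tag: s for s in prescriptive}
    pred = {s.tag: s for s in predictive}
    common = pre.keys() & pred.keys()
    return {
        # prescriptive functions the predictive study did not identify
        "missed": sorted(tag for tag in pre if tag not in pred),
        # functions only the predictive study found
        "novel": sorted(tag for tag in pred if tag not in pre),
        # functions where the risk-based target exceeds the baseline
        "elevated": sorted(tag for tag in common if pred[tag].sil > pre[tag].sil),
        # fraction of the prescriptive list the predictive study covered
        "coverage": len(common) / len(pre) if pre else 0.0,
    }


def combined_design(prescriptive: List[SIF], predictive: List[SIF]) -> List[SIF]:
    """Union of both lists; where a tag appears in both, keep the higher SIL."""
    merged = {s.tag: s for s in prescriptive}
    for s in predictive:
        if s.tag not in merged or s.sil > merged[s.tag].sil:
            merged[s.tag] = s
    return sorted(merged.values(), key=lambda s: s.tag)


if __name__ == "__main__":
    report = reconcile(PRESCRIPTIVE, PREDICTIVE)
    print(f"predictive study covered {report['coverage']:.0%} of prescriptive SIFs")
    for key in ("missed", "novel", "elevated"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
    print("combined design:")
    for s in combined_design(PRESCRIPTIVE, PREDICTIVE):
        print(f"  {s.tag:8} SIL {s.sil}  {s.action}")
```

With the constructed data the predictive study covers only half of the prescriptive list, which is the kind of shortfall the article reports; the combined design keeps every prescriptive function, adds the novel gas-detection function, and carries the raised SIL target on PSH-101 forward into implementation.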