SPE 23485
Designing for Safety
E.F. Brandie, Chevron U.K. Ltd., SPE Member
Copyright 1991, Society of Petroleum Engineers, Inc.
This paper was prepared for presentation at the First International Conference on Health, Safety and Environment held in The Hague, The Netherlands, 10-14 November 1991.
This paper was selected for presentation by an SPE Program Committee following review of information contained in an abstract submitted by the author(s). Contents of the paper, as presented, have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material, as presented, does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Papers presented at SPE meetings are subject to publication review by Editorial Committees of the Society of Petroleum Engineers. Permission to copy is restricted to an abstract of not more than 300 words. Illustrations may not be copied. The abstract should contain conspicuous acknowledgment of where and by whom the paper is presented. Write Librarian, SPE, P.O. Box 833836, Richardson, TX 75083-3836 U.S.A. Telex, 730989 SPEDAL.
DESIGN PHILOSOPHY
The importance of good design criteria cannot be over-emphasised. With a complete understanding of requirements, designs can be optimised and minimal problems will be encountered.
As Lord Cullen's Report emphasises, however, major hazard plant design requires more than good professional engineering standards.
An essential feature of optimal design for new installations or processes is the experience at operating level which has been integrated into the design team. A good management system should be able to demonstrate that the major hazard plant which it is operating has been designed with the benefit of such operating experience input.
All projects should have a detailed safety plan of studies and activities from the earliest concept stage. The contents of the safety plan will be mirrored in much greater detail within respective sections of the FSA (Formal Safety Assessment). The elements of the safety plan must be interactive with the development of the design, and safety must not be considered as a "bolt on extra" at the end of the design.
References and illustrations at end of paper.
The safety plan presents a structured approach to safety management through all design phases, construction and subsequent modification. The planning, timing and purpose of quantifiable or logically justifiable techniques are incorporated in the safety plan, which can then be referenced as the guiding document for a particular project design.
It cannot be stressed too highly that integrity of containment is a key parameter for the safe management of major hazards.
The obvious problem of loss of containment is central to loss prevention and we should remain aware of the fact that major failure of a properly designed, fabricated, constructed, tested and inspected, pressurised system is a very rare event.
Clearly, the design organisation plays a major part in ensuring the integrity of the equipment, but it is my belief that the operating management has a more important role to play than is normally realised. Without doubt management attitudes, company safety culture and total quality management are crucial factors and are a fundamental aspect of the concept of FSA also.
What does the term "safety culture" mean? I view the main principles involved in the establishing of a strong safety culture as:
• the acceptance of responsibility at and from the top, exercised through a clear chain of command, seen to be actual and felt throughout the organisation
• a conviction that high standards are achievable through proper management
• setting and monitoring of relevant objectives and targets, based upon satisfactory internal information systems
• systematic identification and assessment of hazards and the devising and exercising of preventative systems which are subject to audit and review
• immediate rectification of deficiencies
• promotion and reward of enthusiasm and good results
Safety and loss prevention must be a specific management objective. This implies that management are given definite goals in this area and are assessed on their performance in achieving them.
All projects should have a strong operations input to both design and the FSA, as it will commit the future Operator to a certain style and depth of management control.
The discharge of management's duty to exercise due care and attention for the safety of its employees and others requires that we create a fairly comprehensive and formal system and that we are active in adapting, operating and maintaining such a system. Hence one of the important reasons for the FSA to be designed as a "living" document.
Elements of the management system which are particularly relevant to loss prevention via good design are:
• management attitude
• management organisation
• availability of competent people
• systems and procedures
• standards and codes of practice
• documentation
• system audits
• independent checks
• pressure system integrity
Each of these elements will be addressed in more detail later.
The safety of plant is, of course, determined primarily by the quality of the basic design rather than by the addition of specific safety features. Nevertheless, it is necessary to build into the design process some quite specific checks on safety and to carry out certain hazard identification and assessment studies.
HAZARD IDENTIFICATION
Safe design, and indeed operation, requires an ability to predict hazard consequences reliably, and it is clearly essential to have a set of hazard identification techniques which are matched to the relevant stages of project design.
It is equally important, however, that the utilisation of such techniques should not in any way weaken the resolve, and indeed responsibility, of the designer to get the design right first time. This is one of the critical areas where culture and management control require to be applied and maintained.
Should the discovery of fundamental design errors occur frequently within the context of such hazard identification studies, for example during a hazard and operability study, then clearly there is something wrong with the design team capability, and indeed the management controls being applied.
It is in fact already normal practice to carry out systematic hazard studies during the design of processes and plant handling hazardous substances. A significant part of such study is a detailed, critical examination based on posing such questions as "what if?", in order to identify what might go wrong.
A prime objective under the safety case or Formal Safety Assessment philosophy is a demonstration that adequate plant has been provided and that it has been well designed and that appropriate management systems and procedures have been implemented to prevent things going wrong.
DESIGN PRINCIPLES
Whilst prevention must undoubtedly be the prime objective, some means of mitigating the effects of accidents, should they occur, has to be provided. FSA must consider these also. In short, the FSA needs to address:
"What could happen?"
"Why it won't"
"But what if it did?"
Such an exercise, inclusive of all necessary design considerations, should be driven by a member of the management team responsible for the project, even though specialist assistance from outside may be required for certain aspects.
After all, it is the management team who are responsible for the safety of the installation under design. They must therefore own the FSA and be in a position to substantiate all that is contained within it.
It is my belief that most accidents could be prevented by better management - sometimes by better design or methods of work, sometimes by better training or instruction, and sometimes by better enforcement of the instructions.
Cumulatively, these may be termed "changing the work situation".
Safety by design should, of course, always be our aim, but sometimes re-design is not possible, or is too expensive, and we have to modify procedures instead.
If we can say in fact that an accident can be prevented by better design, or by better training, or instructions, or by better auditing or inspection, then we can take action that may prevent recurrence.
In this respect, I believe it is better to say that an accident can be better prevented by design, instruction, etc, than to say it was caused by bad design, poor instruction, etc. This assumption is based on the background that cause implies blame and we naturally become defensive. None of us like to admit that we did something badly, but we are willing to admit that we could do better.
The best way of dealing with a hazard is of course to remove it. The provision of a means to control the hazard is very much the second best solution. The overall aim should be to render the process inherently safe.
One of the principal historic approaches to making a process inherently safe is to limit the inventory. It is, in fact, a normal objective in design to minimise the volume of process vessels as this saves on the cost of both the vessels themselves and of their supporting structures. It has to be recognised, however, that the reduction of hold-up, though recognised as a generally desirable aim from a safety viewpoint, has not been particularly emphasised as a specific design criterion.
DESIGN RESPONSIBILITY
Process system design is invariably carried out by a team of people from different disciplines. The responsibility of individuals on the team should be clearly defined, the nature of their work should not take them outside their sphere of competence and individual workloads should be monitored to ensure they are not excessive. There must be proper systems and procedures in place and all necessary documentation to support them.
The occurrence of errors in design, as in all other human activities, should be expressly recognised and measures taken to minimise the potential created. One is reminded of the Mark Twain quote, "Man is a creature made at the end of the week ... when God was tired". There must be a system for the verification, approval and cross-checking of designs.
It is very difficult for engineers to attempt to change human nature and, therefore, instead of trying to persuade people not to make mistakes, we should accept people as we find them and try to remove opportunities for error by changing the work situation. That is, the plant or equipment design or the method of work. Alternatively, we can mitigate the consequences of error or provide opportunities for recovery.
Just as we attempt to prevent some accidents by changing the work situation, so we should also try to prevent other accidents by changing the design situation: that is, we should try to find ways of changing the design process, so as to produce better designs. This approach should include covering important points in standards or design codes and making designers fully aware of the reasons for these safety points by telling them about the accidents that have occurred because such factors were ignored. It must also include the carrying out of Hazop studies on the designs. In addition to the normal Hazops on the line diagrams, an earlier coarse type series of Hazops on the flowsheets and layout drawings may allow designers to avoid hazards by a change in design instead of controlling them by adding protective equipment.
We should recognise, however, that there is often no reasonably practicable or economic way of improving design and we have to rely on improvements to the "software", that is, the method of work rather than the plant. We cannot buy our way out of every problem.
The design of plant, just as for the compilation and maintenance of FSA, is an iterative process. It can only be properly and safely undertaken if there is adequate and correct design information - this should include as an absolute minimum:
• the physical and chemical properties of the product
• the potential reaction and processing characteristics, including mechanism, kinetic and thermal data and support facilities
• fire, explosion and toxic hazards
• the potential effect of plant upsets, environmental factors, etc
DESIGN MODIFICATION
The design process is one of flux in which changes are continuously being made at all levels. It is necessary therefore to have a system in place for the control of modifications during the design. Elements of such a system include the declaration, checking, authorisation and, probably most importantly, the communication of such changes. Communication throughout the various stages of design is very important. A series of cartoons produced a few years back illustrate very clearly the pitfalls of poor communications.
OVER-DESIGN
At this point, just a brief reference to over-design. Over-design in engineering is often equivalent to the incorporation of an extra factor of safety, but this is by no means always so. In some instances, over-design can reduce safety.
I believe there is an inherent tendency to over-design in a project as the various individuals in the chain introduce such safety factors. In this context, over-design would encompass purchasing in addition to the design decisions. Quality control is of course of utmost importance. What, in effect, matters most is the item which is finally installed.
The ultimate responsibility for the safe design of a plant lies with the design team and the operating company. It should implement the appropriate measures to ensure that the processes designed and the equipment supplied by other parties are safe and fit for their purpose.
COST OF LOSS PREVENTION IN DESIGN
All aspects of project design have safety implications. Such areas as management, research and design effort, the process route, operational constraints, plant layout, safety margins in equipment, process instrumentation, fire protection and inspection, are examples where additional costs attributable to loss prevention are likely to occur.
Loss prevention undoubtedly requires additional management effort generally, and in research and hazard identification, process and mechanical designs, plant inspection and emergency planning.
The safety considerations may well determine the process route and define the operating limits for the process parameters such as pressure and temperature ratings.
Obviously a layout which requires fairly large separation distances will be extremely expensive.
The various safety factors which are incorporated in the plant design greatly increase costs. These may include designs with thicker walls, use of more costly materials of construction, selection of more expensive high specification equipment and duplication of items.
Such aspects as additional instrumentation and fire protection systems and applications will constitute further costs.
Whilst expenditure in all these areas is unavoidable, it is the aim of loss prevention to get value for money in this expenditure.
A question often posed is, "How much can you afford to spend on making a design or installation safe without pricing yourself out of the market?"
On the other hand, how can you afford not to make your design safe enough to avoid the draconian penalties associated with loss of human life and/or destruction of the environment?
It's a delicate balance and one which loss prevention specialists have been studying for some considerable time.
In the same way that we can scientifically design a piece of equipment for optimal performance, so the risks inherent with any advanced or novel technology can be assessed and analysed. The results of such risk analysis may be used to check the effectiveness of existing safety management and to recommend commercially available, viable and enhanced safety policies for future application to project designs.
In other words, use of risk assessment techniques can in fact produce benefits far beyond the immediate evaluation of the adequacy of primary safety measures in design.
FAIL SAFE DESIGN
The concept of fail safe design is now very well established and of course refers to design of equipment such as control and solenoid valves, which in the event of failure of a utility such as hydraulics, electricity, or instrument air, will fail closed - that is, will move to the safe state for that duty without requiring any powered action.
Suffice to say that fail safe design is now a common objective for operational and emergency control equipment - the most recent example of this being the retrofitting of totally fail safe concept actuator mechanisms to existing topside riser valves. Who would have predicted two or three years ago that such actuators would have been available for retrofit to large 24" and 36" valves?
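As an added illustration of the fail safe principle described above (this is not code from the paper; the valve models, scenario events and all names are hypothetical and deliberately simplified), the following Python compares a spring-return, de-energise-to-trip riser valve with an energise-to-trip design when a utility, or the ESD control line itself, is lost before or during an ESD trip:

```python
# Added example, not from the paper. Models are hypothetical simplifications:
# a valve is either OPEN or CLOSED and moves instantly.
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Position(Enum):
    OPEN = "open"
    CLOSED = "closed"


@dataclass(frozen=True)
class Utilities:
    """Health of the three utilities the paper names."""
    instrument_air: bool = True
    electricity: bool = True
    hydraulics: bool = True

    @property
    def healthy(self) -> bool:
        return self.instrument_air and self.electricity and self.hydraulics


class FailSafeValve:
    """Spring-return actuator (de-energise-to-trip): the valve is held OPEN
    only while every utility is healthy AND the ESD system keeps asserting a
    hold-open signal. Loss of either lets the spring drive it CLOSED with no
    powered action at all."""

    def __init__(self) -> None:
        self.position = Position.OPEN

    def step(self, utilities: Utilities, hold_open: bool) -> Position:
        self.position = (Position.OPEN if (utilities.healthy and hold_open)
                         else Position.CLOSED)
        return self.position


class EnergiseToTripValve:
    """Hypothetical contrast case: a double-acting actuator with no spring
    return. It moves only when powered, and a trip is a positive CLOSE
    command that must actually be delivered. Otherwise it stays where it is."""

    def __init__(self) -> None:
        self.position = Position.OPEN

    def step(self, utilities: Utilities, close_cmd: bool) -> Position:
        if utilities.healthy and close_cmd:
            self.position = Position.CLOSED
        return self.position


@dataclass(frozen=True)
class Event:
    """One time step of a constructed scenario."""
    label: str
    utilities: Utilities
    esd_trip: bool                    # ESD logic solver demands isolation
    control_line_intact: bool = True  # cable/tubing from ESD to the actuator


def run(events: List[Event]) -> List[Tuple[str, Position, Position]]:
    """Drive both designs through the same events and return a log of
    (label, fail_safe_position, energise_to_trip_position)."""
    fail_safe, energise = FailSafeValve(), EnergiseToTripValve()
    log = []
    for ev in events:
        # A severed control line delivers nothing: no hold-open signal for
        # the fail-safe valve (so it closes), and no close command for the
        # energise-to-trip valve (so it cannot close).
        hold_open = ev.control_line_intact and not ev.esd_trip
        close_cmd = ev.control_line_intact and ev.esd_trip
        log.append((ev.label,
                    fail_safe.step(ev.utilities, hold_open),
                    energise.step(ev.utilities, close_cmd)))
    return log


def fire_takes_air_before_trip() -> Tuple[Position, Position]:
    """Constructed scenario: a module fire burns the instrument air lines
    before the fire & gas system trips ESD. Returns the final positions."""
    air_lost = Utilities(instrument_air=False)
    log = run([
        Event("normal operation", Utilities(), esd_trip=False),
        Event("fire destroys instrument air", air_lost, esd_trip=False),
        Event("F&G confirms fire, ESD trips", air_lost, esd_trip=True),
    ])
    _, fs, et = log[-1]
    return fs, et


def fire_severs_control_line() -> Tuple[Position, Position]:
    """Constructed scenario: utilities stay healthy, but the ESD control line
    to the riser valve has burnt through by the time the trip is demanded."""
    log = run([
        Event("normal operation", Utilities(), esd_trip=False),
        Event("ESD trips over a severed line", Utilities(), esd_trip=True,
              control_line_intact=False),
    ])
    _, fs, et = log[-1]
    return fs, et


if __name__ == "__main__":
    for name, fn in (("air lost before trip", fire_takes_air_before_trip),
                     ("control line severed", fire_severs_control_line)):
        fs, et = fn()
        print(f"{name:22s} fail-safe: {fs.value:7s} energise-to-trip: {et.value}")
```

In both constructed scenarios the fail-safe valve ends closed and the energise-to-trip valve ends open. That is the paper's point in executable form: the fail-safe design reaches the safe state without any utility and without any delivered command, so the order in which fire damage, utility loss and the ESD trip arrive does not matter, whereas the energise-to-trip design is only as good as the power and signal path that survive the incident (which is also why protection of ESD control lines appears among the basic design considerations later in the paper).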
MANAGEMENT SYSTEMS
To briefly return to the essential elements of the management system referenced earlier in the paper:
"Attitude" - Safety and loss prevention in an organisation stand or fall by the attitude of management. It is not always easy to create proper attitudes to safety. One effective approach is to emphasise safety as a matter of professionalism. All engineers tend to consider themselves professional in their approach to design work.
"Organisation" - There should be a job description for each of the positions shown on the design team organigram, as once a job has been defined it becomes possible to select a competent person to fill it.
"Availability of competent people" - Design of hazardous processes requires competent people: academic qualification, practical experience, recent relevant experience and personal qualities are all important factors.
"Systems and procedures" - It is fundamental that the responsibility for safety in design and loss prevention should be shared by all concerned on the project. Some key systems essential to support the competent people are: the identification of hazards, assessment of hazards, the proposed methodology for operation of the plant, the control of access, etc.
"Standards and codes of practice" - An important aspect of the procedures is the use of standards and codes of practice - they are representative of industry's experience and should not be disregarded.
"Documentation" - Any design project invariably involves a large amount of documentation, the control of and access to such documentation being of most importance. Some of the documentation will be general in nature but most will be specific to the project design. It will be essential to cross refer such documentation in the project FSA.
"System audits" - It is essential that a mechanism is in place to monitor the system as a whole and verify that it is working properly. This will undoubtedly demand system audits.
"Independent checks" - The principle of independent verification is extremely important in ensuring reliability. Examples of independent checks are hazard assessment, reliability analysis and indeed auditing. In accord with the principle of self regulation, it must be remembered that it is the responsibility of line management to carry out self audit and that it should not rely on an outside independent enforcement agency to do this - this is an inherent principle of the FSA approach also.
"Pressure system integrity" - The management system for the design of pressure systems is crucially important. The design team must define the parameters within which the system is to be operated, should specify the design codes, should execute the actual detailed designs, should identify and assess the hazards, should specify fabrication standards and should prescribe the documentation required on all these aspects. In essence, all critical elements of the management system should be very much in place.
Some basic design considerations relate to:
a) "siting" - local conditions, adjacent risks, storage/process quantities, utilities, regulatory requirements
b) "spacing & layout" - one of the most important design considerations, as careful segregation is often a major line of defence in loss limitation
c) "drainage" - another very important consideration
d) "isolation" - remains the most effective method of extinguishing a hydrocarbon fire. The siting, location and remote control and accessibility of isolation valves is of critical importance. Equipment isolation is best considered early in design as P&IDs become available.
e) "protection" - use of fire-resistant materials, active and passive fire protection and the protection of ESD control lines are all important aspects.
NEW DESIGN TRENDS & INTERFACE WITH FSA
The last year or two has seen a great number of new ideas or new applications of proven technology and equipment. Some of the technology is itself radically new - much of it is evolution of existing ideas. Some examples are:
Platform Configuration
• increased use of open modules
• elimination of high/low pressure interfaces
• minimisation of leak paths through simplification
• safe haven concepts including control function
• use of lightweight composite materials
Detection and Control
• distributed fire & gas detection systems
• distributed ESD systems
• open path beam detectors
Damage Control
• blastwalls
• protected escape routes and embarkation points
• water curtained escape routes
• twin bridges on complexes
• barrier valves on risers (topside and subsea systems)
• rapid escape mechanisms
Environmental Concerns
• reduced use of halon
• increased use of hydrocyclones
• synthetic drilling fluids
What further trends may we see? Some aspects of new technology which may be put to use are:
• safe havens of composite materials
• electronic staff tagging systems
• underfloor illumination systems
• automated drilling
• fibre optics to replace conventional lighting
• enhanced evacuation systems
• environmental auditing of proposed installation designs, operation and removal
Whatever futuristic designs may be adopted, the overall system of management control will remain critical. Formal Safety Assessment must fit within this overall control, as without this there would be a risk of it becoming a one-off paper exercise.
It is during the conceptual and detailed design phases that the core documentation for inputting to the FSA is developed.
By this time the management systems will be firmly in place and the design team will have an in-depth understanding of the proposed mode of construction, operation, maintenance and inspection. The major hazards will have been assessed and plant design specifications agreed. In essence, the total design concept is, like the quality of management and the management system in place, a fundamental aspect of FSA.
With these important aspects of design philosophy included as part of the Company culture, and integrated into the FSA approach, I believe we will have taken a significant step towards optimising the safety effort and preventing unnecessary loss within our industry.
REFERENCES
Department of Energy, "The Public Inquiry into the Piper Alpha Disaster", The Hon Lord Cullen, Volumes 1 and 2, November 1990.
PRESENTATION SLIDES
The importance of good design criteria cannot be overemphasised. With a complete understanding of requirements, designs can be optimised and minimal problems encountered.
It is the responsibility of the designer to get the design right first time.
FORMAL SAFETY ASSESSMENT (F.S.A.)
F.S.A. is an in-depth review of every part of an installation, utilising safety analysis techniques designed to assess whether the risks associated with any particular hazard meet established criteria of acceptability. It demonstrates that potential major accident hazards have been identified and that adequate steps have been taken to prevent and mitigate their consequences. It enables the unique features of different installations to be properly taken into account.
PRINCIPLES OF EFFECTIVE HEALTH AND SAFETY MANAGEMENT
The main principles involved in the establishing of a strong safety culture are:
• The acceptance of responsibility at and from the top, exercised through a clear chain of command, seen to be actual and felt throughout the organisation.
• A conviction that high standards are achievable through proper management.
• Setting and monitoring of relevant objectives and targets, based upon satisfactory internal information systems.
• Systematic identification and assessment of hazards and the devising and exercise of preventative systems which are subject to audit and review.
• Immediate rectification of deficiencies.
• Promotion and reward of enthusiasm and good results.
SAFETY MANAGEMENT SYSTEM ELEMENTS
• Safety policy and management procedures
• Safe systems of work and safe working procedures
• Emergency preparedness and procedures
• Control of contractors
• Audits and inspections
• Control of modifications
• Training
"Man is a creature made at the end of the week ... when God was tired"
Mark Twain
• Design standards & codes
• Design communication & documentation
• Hazard identification
• Design principles
• Design modification
• Overdesign
• Fail safe design
• Management attitude
• Management organisation
• Competent people
• Systems & procedures
• Standards & codes of practice
• Documentation
• System audits
• Independent checks
• Pressure systems
MODULE   UNIT DESCRIPTION
M1       INTEGRATED DECK (INCL CAISSONS)
M2       SEPARATION
M3       GAS COMPRESSION
M4       WELLBAY
M5A      DERRICK
M5B      DERRICK
M6       POWER GENERATION
M7       DRILLING SERVICES
M8       EXHAUSTS
M9       DEAERATORS
M10      ACCOMMODATION / HELIDECK
M11A     FLARE BOOM
M11B     FLARE BOOM
M12A     CRANE
M12B     CRANE