In the UK sector of the North Sea, it is a requirement (SCR) [3.14] that significant changes in an installation or its operation will require the Safety Case to be resubmitted which should address a review of hazards including a re-assessment including those due to explosion hazards. Even if an installation has not been modified or its use has not been changed a re-assessment may be required to take account of advances in methodology. Existing mobile installations entering UK waters will also require assessment.
The assessment of existing structures differs from the assessment of a structure during design
2. Intervention may give rise to an additional hazard which must be assessed.
3. Information may be available relating to expected explosion loads, structural and equipment response from the detailed design stage of the design and construction project.
Information should be available from the Safety Case, the original CAD and structural computer models of the facility. The Individual Risk (IR) per annum TRIF and PLL will have been used in the demonstration of ALARP in the existing Safety Case for the installation.
Use may be made of experience gained from the operation of the un-modified installation and from similar installations. The computer data files and design reports should be checked to confirm that they are a faithful representation of the present state of the facility.
Should modifications be necessary to improve the safety performance of the facility, then the work to be undertaken should not in itself pose such hazards and risk to personnel that this compromises the gains to be achieved by such modifications. All modification work should be accompanied by hazard identification, assessment and other controls as determined by the Safety Management system as well as method statements for their implementation.
All temporary structures and equipment utilised during the modification work should be removed as soon as the work is complete.
The HSE reference [3.41] clauses 51 and 52, states “It should be borne in mind that reducing the risks from an existing plant ALARP may still result in a level of residual risk which is higher than that which would be achieved by reducing risks to ALARP in a similar, new plant. Factors which could lead to this difference include the practicality of retrofitting a measure on an existing plant, the extra cost of retrofitting measures compared to designing them on the new plant, the risks involved in installation of the retrofitted measure (which must be weighed against the benefits it provides after installation) and the projected lifetime of the existing plant.
All this may mean, for example, that it is not reasonably practicable to apply retrospectively to existing plant, what may be demanded by reducing risks (to) ALARP for a new plant (and what may have become good practice for every new plant).”
The overall individual risk and the TR impairment frequency (TRIF) from all hazards must still be less than 10-3 per year. If risks are in this intolerable region then risk reduction measures must be implemented, irrespective of cost.
3.8.1.1 Explosion hazard review
Review of explosion risk for existing installations, poses a number of difficulties. These problems generally relate to the difficulty in retrofitting structure and equipment in modules that are operational and congested, with the usual constraints in working in a cramped offshore environment. There may also be a problem accessing design data which should include modifications that have taken place since the facility was installed. The implementation of effective change procedures is essential in these circumstances.
Before investigating the ability of the systems on the installation to withstand the blast effects, the facility should be reviewed with regard to the level of inherent safety that exists and what additional control mechanisms there may be for overpressure reduction. The existing wells may be operating at a lower reservoir pressure than originally designed for, however subsequent tie-ins may have offset this possible benefit.
For an existing installation there may be potential for:
• increased venting
• additional and/or improved gas detection (acoustic gas detection)
• introduction of flame detection
• lowering the level at which gas detection initiates executive actions
• voting for executive action on a single detector
• initiation of deluge on gas detection
• the removal of redundant equipment
• the relocation of equipment blocking vent paths
• vibration reduction
• enhanced robustness of small bore connections
• utilisation of past operational experience
• improved inspection/maintenance regimes
Some of these actions may not necessarily result in a reduction of calculated Individual Risk or loss of life (as shown in the QRA) but this should not be a reason for failing to undertake modifications if actual reduction in explosion risk can be foreseen.
Ideally, there should be no disproportionate contribution from any one hazard to the risk associated with the installation. For example fire and explosion hazards should contribute to the total risk at levels comparable with those for a similar installation. This is referred to as the
‘balanced risk contribution principle’.
The general philosophy should be to bring all SCEs up to a similar level of integrity for all accidental events. These systems include but may not be limited to:
• the TR;
• escape routes to the TR;
• evacuation systems;
• systems that could threaten the integrity of the above systems, e.g. ESDVs isolating off-site inventories.
In effect the list may include all the identified safety critical elements but, with respect to the ability to muster, assess and evacuate, some Safety Critical Elements may be in Criticality Levels 1, 2 or 3 as described in Section 3.5.5.
3.8.1.2 Use of previous analyses
A review will need to be undertaken of the ability of safety critical systems to withstand overpressure/drag effects. Whilst increased knowledge of the explosion phenomenon has resulted in a general increase in the overpressure loadings that are calculated for a given configuration, it is frequently the case that the integrity of systems is greater than originally assumed. The experience of the JIP full scale tests [3.42, 3.43 and 3.24] tended to confirm this
Where it is clear from preliminary inspection that it will be impracticable to meet maximum overpressures that may arise, there would seem to be little to be gained in determining to the last degree of accuracy what the actual overpressure characteristics will be. Simpler phenomenological models or comparison with similar installations would be adequate for the purposes of quantifying the residual risk.
(Note: the requirements of the SCR [3.14] imply that some form of overpressure calculation will be necessary in order to quantify the risks involved in mustering within the TR. The need to determine potential for TR damage would then seem to be necessary).
The aim should be to bring the design up to the same level of integrity for all major SCEs with the presumption that more effort should be made where the level of risk from explosions is high. Existing installations will have QRA data from which explosion risk can be determined.
Where this is high for explosion events the premise should be that greater cost is justified in providing mitigation and protection than where the risk posed is relatively low.
A means of determining the cut off point for additional mitigation would be to determine the costs involved with design enhancement to achieve integrity for successively increased overpressure values. Where a significant ‘cliff edge’ occurs this may indicate that design beyond the base of the cliff edge is not reasonably practicable and that design to this level is ALARP.
The accepted level above which the overall risk is considered intolerable relates to an individual risk of greater than 10-3 per year or a TR impairment probability of greater than 10-3 per year. The overall individual risk from all hazards must be less than this value. If risks are in the intolerable region then risk reduction measures must be implemented, irrespective of cost.
Hence the risk from other hazards may indirectly affect the acceptability of risk from explosions and these may need to be considered in setting the target risk levels for the explosion hazard.
Where the original design took account of explosion overpressure, but latest knowledge indicates that this needs to be reviewed, then recalculation and re-assessment will be appropriate. The calculation of overpressure should however be reasonably straightforward if the original CAD model is available and has been updated to include changes made since the design stage.
3.8.2 Early operating phase
Vigilance is required in the early stages of field life for deviations from the original process, structural, mechanical or instrument design intent. Such changes need review for any implications for fire hazard creation or management. Such a review needs to be scheduled and chaired by the project safety engineer and attended by a mixture of design and operations personnel. It should take place after a year or two of operation. Since key project design personnel are likely to have moved to another project by that stage, an alternative would be for operations to log all variations to original design, operating or maintenance assumptions/intent for formal follow-up by the installation safety engineer in order that the implications for fire hazard management can be explored and corrective action taken if found necessary.
Nowadays, plant modifications are closely scrutinised by a range of discipline engineers and onshore support staff for any detrimental effect on safety. Accumulated minor operating and maintenance changes (known as ‘creeping change’) however can go unremarked, unless vigilance is maintained.
Examples of the types of change that would not be obvious without a specific attempt to capture them are:
• Environmental data (sea level or weather pattern changes);
• Instrumentation problems – e.g., leading to changed operator response to alarms;
• New fire research findings;
• Change in production composition or phases, leading to changed fire scenarios or release frequencies.
3.8.3 Midlife operating phase
Some typical considerations for fire hazard management of existing installations at the mid-life stage are:
• Creeping change in original design assumptions – examples are development of sand, vibration or corrosion problems, increasing the likelihood of releases in certain areas;
changes in process conditions resulting in change to fire consequence modelling assumptions;
• Fire-related protective equipment proves unsatisfactory in operation – detection devices give frequent alarms or are found to be failed at every inspection. Alarms that are too frequent are eventually ignored;
• PFP left off vessels or other equipment for longer and longer periods to allow access for NDT/inspection;
• Areas of the platform always ‘keyed out’ of the automatic fire and gas system;
• Very slow process changes which come to be regarded as normal by operations personnel (e.g. more frequent alarms, very low or high operating temperatures etc.).
If minor deviations go unnoticed, over time it becomes custom and practice to operate outside the original design scope, and/or without all protective measures functioning. Problems then become apparent only during an emergency situation.
Many of these minor changes would be identified by the independent competent person during the course of his examinations of safety critical equipment and systems, but some changes can still be missed.
Most oil companies include operations personnel in their project teams. Often the intended OIMs plus key offshore supervisors are part of the project team specifically to become fully conversant with and supply operations input to the design process. Over a period of 10 years or so however, personnel change and key information, whether held personally, in hard-copy or in electronic format is likely to be lost if no active steps are taken to refresh the ‘corporate memory’ at regular intervals. In addition, over a prolonged period new research improves the understanding of the fire and explosion threats and the ability of the protective measures to counter the threat effectively. The implications of this updated knowledge must be taken into
It is thus recommended that a formal review (taking into account new research knowledge) or audit of the fire hazard management arrangements and records be carried out every 3 to 5 years.
3.8.4 Late operating phases
As platforms age the safety systems tend to require more repair and maintenance in order to keep them in full working condition. The late operating phase is also a time when the platform production tail off and there is a big drive to reduce OPEX costs. Fortunately, as platform age and production rates drop, process pressures also drop, water cut increases and fire risks tend to reduce.
It is possible on some installations, where parts of the process have been simplified or decommissioned or where drilling activity is finished, to review a platform’s fire hazard management arrangements and remove fire protection equipment that is, by then, surplus to requirement. This can reduce the maintenance burden. Any such modifications have to be formally justified and recorded through the Operator’s Plant Modification Request procedures, and documented in the Safety Case and associated PFEER/DCR documentation.
Typical Problems for the Late Operating Phase are:
• Degradation of Passive Fire Protection;
• Corrosion of firewater systems and leaks in air-trigger systems;
• Wear and tear on firewater pumps and deluge valve sets;
• Obsolescence of parts for Fire and Gas detection/protection systems;
• Increased leak likelihood due to sand erosion, corrosion (especially under lagging) and fatigue;
• Tightened commercial constraints and reductions in manning.
Despite the associated cost of maintenance and inspection, the performance standards laid down for of all the safety critical systems, subsystems and individual items must either:
• Continue to be met as per the original design; or
• Revised (with appropriate justification) to reflect the changing fire risk. The associated written schemes would be updated to reflect the changed performance standard in discussion with the appropriate Independent Competent Person(s).
3.8.5 Aging installations and life extension
3.8.5.1 Overview
Many installations in the North Sea have reached the end of their originally specified life but their continued operation is still worthwhile. Other installations have been modified to act as production hubs, taking product from other subsea wells or tie-ins and processing it, often with new or partially modified topsides plant, for export to pipeline or tanker.
Asset life extension raises several issues in relation to fire hazard management, these are discussed in the following sections.
3.8.5.2 Design issues
New process plant needs to be provided with adequate fire and gas detection systems. The existing systems may be adequate to cover the new equipment or may need extending, but the same considerations as for a new design will still apply. The existing system may be virtually obsolete and not feasible to extend so replacement of the whole system may be required.
The effect of the new plant on the ESD and blowdown systems must be evaluated in the light of the additional fire scenarios. It should not be assumed that tie-in to the existing platform blowdown system will be adequate, even though original demands on the system may have reduced. If the installation is old, the original blowdown system may have been under-designed by comparison with existing best practice especially where severe fire scenarios are involved.
All new fire scenarios must be reviewed for effect on existing deluge systems. A fire in the new plant may set off several other systems, especially on an open installation. The project may have to supply new fire pumps to cover the new plant as the existing pumps are unlikely to have spare capacity. The condition of existing pumps for extended future service must be assured.
More use of passive protection may be possible, but providing facilities/access for integrity assurance for aging piping/structure/equipment must be considered.
Existing deluge systems are often difficult to extend. The mechanical condition of the system needs to be assured for extended service. There may now be a new fire scenario with implications for important parts of the structure (e.g. the TR or TEMPSC areas or their supports) which are currently unprotected. (See Sections 3.2.8.9 and 10.3.2.2 for further discussions on the limits to PFP application, including some issues affecting retrofitting PFP to structures in situ). All escalation potential should be considered and the decisions relating to selection of protection recorded.
New fire scenarios must be evaluated for impact on evacuation, escape and rescue.
New support structure provided for the new plant may be vulnerable to fire impingement from existing fire scenarios, and may require protection.
3.8.5.3 Emergency response issues:
As platforms age, emergency equipment and facilities degrade. Although some items can be easily replaced once they fall below an acceptable standard, other items such as sea ladders, spider deck walkways, gratings on rarely-used escape routes to sea can fall into disrepair and are expensive to replace. Routes to sea are important in severe fire scenarios and must be kept up to standard as long as the fire hazard remains. Where new business is introduced over an old installation, new escape routes, as well as refurbishment of existing routes (where the original fire hazard still exists) may be needed.
3.8.5.4 General considerations
Fire hazards would be identified in the HAZID at FEED stage of the process modification design, and subsequently assessed as for any new design project.
Incorporation of new safety critical items into existing Safety Case, SCE and PS related documentation is a legal requirement.
3.8.6 Particular considerations for accommodation and other areas for personnel
3.8.6.1 General
Much fire measurement data, definitions and internationally accepted standard tests have been developed from building fires and the damage caused. Many of these have been adapted for use on the appropriate sections of petrochemical plants and their shortcomings in wider applications should be understood. The following sections deal with some standard aspects of conventional onshore fires but practitioners should refer to standards produced for onshore and civil use for these “non-hydrocarbon” areas.
Accommodation and other areas of the installation such as control rooms, some workshops (i.e. those without specific storage requirements for hazardous materials), leisure areas and galleys are all based on normal architectural practices. The internal materials are the same as onshore facilities and the design practices tend also to be the same with minor variation. The key difference with these areas is how they relate to process and other operating areas and extreme care should be taken to make sure that even the most apparently benign systems do not interface with a hydrocarbon system in an unforeseen manner.
Key aspects where interfaces can occur are listed below and these should be assessed when considering the process fire hazards:
• HVAC;
• Drainage;
• Storage areas/enclosures;
• Access (both for personnel using the facilities and working there and goods coming into or out of the area).
3.8.6.2 Compartment fires - general
In a compartment or building fire, the source of ignition will normally be at a discrete location and the initial fire growth will be slow. The temperature in compartment will increase and a hot layer of gas will build up below the ceiling. A point is reached when re-radiation from this gas layer causes the unburnt furniture etc to ignite. Within a short space of time the entire contents
In a compartment or building fire, the source of ignition will normally be at a discrete location and the initial fire growth will be slow. The temperature in compartment will increase and a hot layer of gas will build up below the ceiling. A point is reached when re-radiation from this gas layer causes the unburnt furniture etc to ignite. Within a short space of time the entire contents