Insights Into Essa

  • Uploaded by: Pillai Sreejith
  • November 2019

Offshore Safety Studies

Insights into Offshore Emergency System Survivability Assessment (ESSA)

A. Preface:

As offshore HSE consultants, the authors have come across various assessment methodologies for offshore emergency systems and have found that the assessments have some typical flaws, which make the assessment process unclear and result in incomplete assessment. In this short note, an attempt is made to bring about clarity by suggesting some improvements to enhance the emergency systems assessment in the ESSA study.

B. Background of ESSA:

In 1988, the Piper Alpha disaster in the North Sea resulted in 167 fatalities and a total asset loss of £1.7 billion (US$ 3.4 billion), and finally caused Occidental Petroleum to go out of business in the UK. A public inquiry by Lord Cullen was commissioned in November 1988 to establish the circumstances that led to the accident on Piper Alpha and its causes. In November 1990, the report [1] was concluded; it revealed that several emergency systems on Piper Alpha did not survive the fire/explosion and hence could not perform their intended design objectives. Among the recommendations that Lord Cullen proposed was a thorough ‘review of the ability of emergency systems to survive severe accident be performed’ [1 – R 65] for all installations. This recommendation has been transformed into a study known as the ‘Emergency Systems Survivability Assessment (ESSA)’ and included as one of the Formal Safety Assessment (FSA) studies required by the UK Safety Case Regulations, 2005.

C. Interesting findings on Piper Alpha:

Lord Cullen's investigation report summarized and highlighted issues related to emergency systems on Piper Alpha. The key flaws associated with emergency systems that were identified in the Piper Alpha disaster are listed below:



• The control room and radio room were both outside the TSR. Hence when the explosion occurred, both the control and radio room were damaged. There were no facilities in the ERQ to assess or exercise control over it or to communicate with external parties. They were also unable to obtain information on the status of Fire and Gas (F&G) Detection, Emergency Shutdown (ESD) or deluge systems [1-19.176];

Technical Safety Note / November 2008




• Both the main and emergency power supplies, as well as part of the Uninterrupted Power Supply (UPS), were knocked out after the explosion and hence there was no electrical power supply on the Piper Alpha platform;
• Battery power supplies dedicated to individual equipment mainly performed well;
• It was suspected that the main means of communication to the personnel on the platform, the PA/GA (Public Address / General Alarm), was not functioning / disabled, as it was not used;
• The first explosion occurred before signals from the gas detection systems led to either a manual or automatic ESD [1-19.38];
• ESD of the gas pipelines was not part of the platform ESD system and had to be effected manually for each pipeline separately from the control room [1-19.38];
• Some of the ESD valves appear not to have closed fully [1-19.38];
• Piper Alpha had only firewalls retrofitted and not blast walls, even after the installation of the gas compression module [1-19.55];
• The Lord Cullen report inferred that the emergency power supply, ESD system and communication system should possess a high degree of ability to survive severe accident conditions [1-19.189];
• The vulnerability of the emergency systems to severe accident conditions needs to be reviewed and steps need to be taken to enhance their ability to survive such conditions [1-19.190]:
    o Vulnerability of the ESD and SSIV (Sub Surface Isolation Valve) systems to be reviewed [1-R48];
    o The ability of fire water deluge systems to survive severe accident conditions [1-R51].
• Design to be fail safe, i.e. they can still convey their essential message even on loss of power [1-19.193]; and
• The initial explosion on the Piper knocked out the control room and disabled power supplies, communications and firewater deluge systems and caused severe vibration which may have affected the ESD system [1-19.44].

Note: [1-19.38]: Reference to specific findings in Lord Cullen Report


E. Typical Offshore Emergency Systems:

Typically, the following systems are considered as emergency systems in offshore installations:

1. Fire and Gas (F&G) Detection and Alarm System
2. Emergency Shut Down (ESD) System
3. Blow Down & Relief System
4. Active Fire Protection System
5. Passive Fire Protection
6. Heating, Ventilation and Air Conditioning (HVAC) System
7. Emergency Communications System
8. Emergency Power System (Emergency Power Generator & UPS)
9. Emergency Lighting System

F. Issues to Consider:

1. Identification of emergency systems: Based on the definition of Emergency Systems, these systems mitigate / recover the effects of major accident events such as fire / explosion, ship collision, hydrocarbon release, dropped objects, etc. From this perspective, the safety systems / barriers that are on the right side of the bow tie are emergency systems. Once the bow ties are constructed for MAEs (Major Accident Events) as part of the HAZID (Hazard Identification), the mitigation and recovery measures should be listed as emergency systems and assessed for survivability.

[Figure: Bow Tie Diagram. Labels: Hazard, Prevention, MAE, Mitigation & Recovery]


The identification of emergency systems could be carried out by developing a matrix of all offshore systems (marine, process and utilities) against MAEs. The emergency system definition may then be applied to this matrix to identify the emergency systems.

2. Survivability duration of emergency systems: The duration for which the emergency system (ES) is supposed to function is generally not discussed in ESSA reports. However, duration is a very important criterion when determining the survivability of the ES. Some emergency systems are designed to perform and survive MAEs, while other emergency systems can get impaired / fail after performing their intended objective. For example, a detector can fail once it has sent a signal to the F&G panel and the alarm has sounded; it need not survive the whole fire duration. Likewise, the blowdown system can fail once it has depressurized the line. However, if the blowdown system is impaired before it is able to perform its function, then there is a possibility of an escalation of the MAE. As far as the emergency power system is concerned, this system should be able to withstand fires (maybe explosions) for the entire MAE duration, as it is required for safe personnel evacuation.

3. Location of the Emergency Systems: The location of the emergency system is critical as it influences the survivability of the system. As mentioned above, the Piper Alpha control and radio rooms were not located in strategic and safe locations. For example, it is critical that the emergency diesel generators and UPS systems are located away from fire prone areas or high inventory hydrocarbon areas, as the emergency power supply is required to provide power for the whole evacuation period.

Emergency lighting with self contained batteries should also be strategically located so that, in the event of emergency power supply failure, the escape routes will still be illuminated to some extent and all personnel will be able to access the TR (Temporary Refuge) safely. If the FEA or ETRERA or ESSA assessment justifies the need for a fire / blast wall or layout change, the same has to be carried out through a risk / performance based approach.

3. Assessment of Fail Safe-design of Emergency Systems: The assessments of fail safe design for ES are often quite misleading. Generally, a fail safe system is a system that performs its required safe function automatically upon failure of a system component. For example, in the event that fire impingement occurs on the instrument air supply line to the ESD valve, resulting in the failure of instrument air, the ESD valve automatically shuts or opens, performing its intended fail-safe function. However, the fail safe design will not be applicable to most of the emergency systems and hence it is not logical to assess all ES for the fail safe design.

4. Vulnerability Assessment: By definition, vulnerability is the possibility of MAEs impairing / damaging emergency systems before they perform their intended function. In order to assess the impairment of emergency systems, studies such as FEA or ETRERA or Dispersion and Radiation Assessment should be performed as necessary. Once it is confirmed from the specific assessments that the ES will be potentially impaired, then the other aspects such as redundancy, etc. are to be assessed as part of ESSA.

5. Assessment of Redundancy: If the emergency system is found vulnerable to MAEs, then it is logical to assess redundancy levels for the required systems. The following sequence would help in carrying out the redundancy assessment:

• Are all the sub components of the emergency systems provided with redundancy?
• Is the location of the redundant system close to the main system? If so, then there is no point in having the redundancy, as both components will be affected by the MAEs.

Hence it is worth mentioning here that the Life Saving Plan / Fire Safety Plan or other relevant drawings need to be assessed to ascertain whether the locations of the redundant systems are appropriate from the survivability point of view.

6. Assessment of all sub systems of Emergency Systems: Logically, all sub systems of all emergency systems should be identified and then separately assessed for survivability. A functional block diagram could be developed for each of the emergency systems. For example, the sub systems for PFP on an FPSO (Floating Production, Storage and Offloading) could be:

• Fire walls;
• Blast walls;
• Heat shields;
• Intumescent coatings on structures; and
• Fire blanket insulation on shutdown valves.

For an F&G Detection and Alarm System, the detectors, the Logic Controller, cables and F&G panel should all be assessed, as these components are all critical to ensure that the whole system functions to meet its intended objective. Very often, only the major systems / components are assessed. It is recommended that all the sub components of the emergency systems be separately subjected to the survivability assessment for completeness.

G. Performance Objective and Survivability Issues:

The emergency systems will be designed to meet their performance objectives and it is logical to expect at least some of them to survive emergency conditions. The performance objective and survivability requirement for a few emergency systems are provided in the table below.

| Emergency system | Performance Objectives | Checkpoints |
|---|---|---|
| F&G Detection and Alarm System | To detect fires, smoke and gas and to provide timely signal (within milliseconds) to PLC for alarm / trip | Is there a possibility that an explosion will impinge on the detectors before the detectors detect a leak, etc.? |
| Active Fire Protection | Designed to fight fires (and not explosions), normally with redundant systems. | • Fire impingement on the AFP equipment • Location of the equipment • Redundancy of equipment • Duration it is expected to last |
| Passive Fire Protection | Designed to survive fires and explosions for defined design conditions. Normally designed based on quantitative fire and explosion assessment. | • Fire impingement on the equipment • Location of the equipment • Redundancy of equipment • Duration it is expected to last (longer than evacuation time) • Firewall ratings • Blast rating wall requirement |
| Emergency Shut Down | Required to provide a reliable means for safely isolating and shutting down process hydrocarbon inventories to a safe condition. | • Valves fitted with PFP • Able to withstand fires for a certain duration • Fail safe design |
| Blow Down & Relief System | To rapidly depressurize hydrocarbon gas inventories and dispose of them at a safe distance from the installation, usually through the flare system. | • Meets API 521 design criteria? • Fire impingement on the equipment? • Duration it is expected to last as opposed to time taken to depressurize line/tank |
| Heating, Ventilation and Air Conditioning (HVAC) System | Fire dampers to close on demand of confirmed gas / smoke detection at the intake to TR to avoid ingress of gas and smoke | • Fire impingement? • Fail safe design? • Internal air circulation |
| Emergency Communications System | Means of communication with personnel on the facility as well as onshore, emergency response groups, nearby vessels, etc. | • Fire impingement on the equipment • Location of the equipment • Redundancy of equipment • Duration it is expected to last |
| Emergency Power System (Emergency Power Generator & UPS) | Provides power to various emergency systems, including emergency lighting, emergency communications, etc. upon loss of normal power supply | • Fire impingement on the equipment • Location of the equipment • Redundancy of equipment • Duration it is expected to last |
| Emergency Lighting | Required to provide adequate illumination to escape routes, Muster Area, etc. that is not reliant on external power supplies during an emergency situation | • Fire impingement on the equipment • Location of the equipment • Redundancy of equipment • Duration it is expected to last |
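The duration, vulnerability, redundancy and sub-system checks from section F can be combined into one screening pass, shown here as an added Python example that is not part of the original note. The class and function names, zone labels and times are constructed for illustration, and "close to the main system" is simplified to "in the same zone"; impairment times would come from studies such as the FEA.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Unit:
    name: str
    zone: str              # area / fire zone where the unit is located
    impaired_after: float  # minutes until the MAE impairs it (inf = never)

@dataclass
class SubSystem:
    name: str
    required: float        # minutes the sub system must keep functioning
    main: Unit
    standby: Optional[Unit] = None

def assess_subsystem(s: SubSystem) -> str:
    """Apply the duration, vulnerability and redundancy checks in that order."""
    if s.main.impaired_after >= s.required:
        return "survives"  # it may fail later, after performing its function
    if s.standby is None:
        return "vulnerable: no redundancy"
    if s.standby.zone == s.main.zone:
        return "vulnerable: redundant unit co-located"  # same MAE hits both
    if s.standby.impaired_after >= s.required:
        return "survives on redundancy"
    return "vulnerable: redundant unit also impaired"

def assess_system(subsystems: list) -> dict:
    """A system survives only if every sub system in its chain survives."""
    results = {s.name: assess_subsystem(s) for s in subsystems}
    ok = all(r.startswith("survives") for r in results.values())
    results["SYSTEM"] = "survives" if ok else "vulnerable"
    return results

# Constructed sample data (not from the note): minutes, for one fire scenario.
INF = float("inf")
FG_DETECTION = [
    SubSystem("detector", 0.1, Unit("gas detector", "process", 2)),
    SubSystem("cable", 0.1, Unit("signal cable", "process", 5)),
    SubSystem("logic controller", 0.1, Unit("PLC", "control room", INF)),
    SubSystem("F&G panel", 0.1, Unit("panel", "control room", INF)),
]
EMERGENCY_POWER = [
    SubSystem("generator", 60, Unit("EDG A", "utility", 15), Unit("EDG B", "utility", 15)),
    SubSystem("UPS", 60, Unit("UPS A", "utility", 15), Unit("UPS B", "TR", INF)),
]
```

With this sample data the F&G chain survives because every component outlasts its short required duration, while the emergency power system is flagged because the standby generator sits in the same zone as the main one.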

While carrying out ESSA, the above table may be referred to when performing the survivability assessment of emergency systems.

H. Conclusion:

ESSA is one of the critical safety assessments defined in the UK Safety Case Regulations 2005. Hence this paper is intended to create awareness as well as provide some details on producing a comprehensive ESSA report. It is imperative that both the operators and safety consultants understand and assess the emergency systems in a comprehensive manner, taking technically correct and logical steps to produce a convincing assessment report. If the ESSA process is carried out based on performance-based survivability criteria, then the assessment will take a logical route without any confusion.

References:

1. Department of Energy UK, The Public Inquiry into the Piper Alpha Disaster, Lord Cullen, 1991
2. The Offshore Installations (Safety Case) Regulations 2005, No. 3117, UK

Authors: Pillai Sreejith, Alvin Rajan
