文档详细内容(约588页)
8OffshoreRiskAssessmentSection2dealswithbarriers ordefences as theymay be called.Thissectionconcernsdesignaswellasoperationof installations.Section2BarriersThe operatoror theone responsiblefor theoperation ofa facility,shall stipulatethe strategies and principles on whichthe design,use and maintenance ofbarriers shall bebased,so that thebarrier function is ensured throughout thelifetime of the facility.It shall beknown what barriers havebeen established and which function theyare intended to fulfil, cf. Section 1 on risk reduction, second paragraph, andwhat performance requirements have been defined in respect of the technical,operational or organisational elements which are necessary forthe individualbarrier tobe effective.It shall beknown whichbarriers are notfunctioning or havebeen impairedThe party responsible shall take necessary actions to correct or compensate formissingorimpairedbarriersRisk acceptance criteria are specified in Section 6, including personnel, mainsafetyfunctions(seeSection1.5.3),pollutionanddamagetothirdpartygroupsandfacilities.The last aspect is not applicablefor offshore installations,but is appli-cabletoonshorefacilitiesthatalsofallunderthejurisdictionofthePSASection6Acceptancecriteria formajoraccident riskandenvironmental riskThe operator shall set acceptance criteria for major accident risk andenvironmental risk.Acceptance criteria shall be setforthe personnel on thefacility as a whole, and for groups of personnel whicha)are particularlyrisk exposed,b)the loss of main safety functions as mentioned in the Facilities RegulationsSection 6on main safety functions,c)pollution from thefacility,d)damage doneto thirdpartyThe acceptance criteria shall be used in assessing results from the quantitativerisk analyses,cf.Section14onanalysis of majoraccident risk,Section15onquantitative risk analyses and emergency preparedness analyses and Section16onenvironmentallyorientedriskandemergencypreparednessanalyses.Cf.alsothe Framework Regulations Section 9 on principles relatingto risk reduction.1.5.3FacilitiesRegulationsWithrespectto risk assessment,themain contributions from theFacilities regula-tionsaretheprinciplesformaximumfrequency of eventsthat impairthemainsafetyfunctions.Thetextof Sections6and 10areshownbelow
8 Offshore Risk Assessment Section 2 deals with barriers or defences as they may be called. This section concerns design as well as operation of installations. Section 2 Barriers The operator or the one responsible for the operation of a facility, shall stipulate the strategies and principles on which the design, use and maintenance of barriers shall be based, so that the barrier function is ensured throughout the life time of the facility. It shall be known what barriers have been established and which function they are intended to fulfil, cf. Section 1 on risk reduction, second paragraph, and what performance requirements have been defined in respect of the technical, operational or organisational elements which are necessary for the individual barrier to be effective. It shall be known which barriers are not functioning or have been impaired. The party responsible shall take necessary actions to correct or compensate for missing or impaired barriers. Risk acceptance criteria are specified in Section 6, including personnel, main safety functions (see Section 1.5.3), pollution and damage to third party groups and facilities. The last aspect is not applicable for offshore installations, but is applicable to onshore facilities that also fall under the jurisdiction of the PSA. Section 6 Acceptance criteria for major accident risk and environmental risk The operator shall set acceptance criteria for major accident risk and environmental risk. Acceptance criteria shall be set for a) the personnel on the facility as a whole, and for groups of personnel which are particularly risk exposed, b) the loss of main safety functions as mentioned in the Facilities Regulations Section 6 on main safety functions, c) pollution from the facility, d) damage done to third party. The acceptance criteria shall be used in assessing results from the quantitative risk analyses, cf. Section 14 on analysis of major accident risk, Section 15 on quantitative risk analyses and emergency preparedness analyses and Section 16 on environmentally oriented risk and emergency preparedness analyses. Cf. also the Framework Regulations Section 9 on principles relating to risk reduction. 1.5.3 Facilities Regulations With respect to risk assessment, the main contributions from the Facilities regulations are the principles for maximum frequency of events that impair the main safety functions. The text of Sections 6 and 10 are shown below
Introduction9Section6MainsafetyfunctionsThemain safety functions shall be defined unambiguously in respect of eachindividual facility in order to ensure the safety for personnel and to limitpollution.Withregard to permanently manned facilities the following main safetyfunctions shall bemaintained in the event of an accident situation:a)preventing escalation of accident situations so that personnel outside theimmediate vicinity of the scene of accident, are not injured,b)maintaining the main load carrying capacity in load bearing structures untilthefacility has been evacuated,c)protecting rooms of significance tocombating accidental events,sothattheyare operative until the facility has been evacuated, cf.Section29onfire divisionsprotecting the facility's safe areas so that they remain intact until the facilityd)hasbeenevacuated,e)maintainingat leastoneevacuationroutefromeveryareawherepersonnelmaybestaying until evacuation to the facility's safe areasand rescueofpersonnelhasbeencompletedSection10Loads, load effectsand resistanceThe loads that may affect facilities orparts of facilities, shall be determinedAccidental loads and environmental loads with an annual probability greaterthan or equal to 1xioshall not cause the loss of a main safety function, cf.Section6onmainsafetyfunctions.When loads are determined, the effects of seabed subsidence above or inconnection with thereservoir shall betaken into account.Functionalandenvironmentalloadsshallbecombinedinthemostunfavourableway.Facilities orparts of facilities shall be able to withstand the design loads and theprobablecombinationsof theseloadsatalltimes.Themain safety functions are more closely associated with design characteristics.compared tofor instance fatalities.But there are several aspects associated withhowthese requirements havebeen worded that arenotas clearas wouldhavebeenpreferred.This isinparticularassociatedwithhowtodefineareasandhowtosumoverdifferenteventcategories and areas.1.5.4ActivitiesRegulationsThere are no relevant requirements in the Activities regulations with respectto riskassessmentandmanagement.FromabroaderHESmanagementpointofview,the
Introduction 9 Section 6 Main safety functions The main safety functions shall be defined unambiguously in respect of each individual facility in order to ensure the safety for personnel and to limit pollution. With regard to permanently manned facilities the following main safety functions shall be maintained in the event of an accident situation: a) preventing escalation of accident situations so that personnel outside the immediate vicinity of the scene of accident, are not injured, b) maintaining the main load carrying capacity in load bearing structures until the facility has been evacuated, c) protecting rooms of significance to combating accidental events, so that they are operative until the facility has been evacuated, cf. Section 29 on fire divisions, d) protecting the facility’s safe areas so that they remain intact until the facility has been evacuated, e) maintaining at least one evacuation route from every area where personnel may be staying until evacuation to the facility’s safe areas and rescue of personnel has been completed. Section 10 Loads, load effects and resistance The loads that may affect facilities or parts of facilities, shall be determined. Accidental loads and environmental loads with an annual probability greater than or equal to 1x10-4 shall not cause the loss of a main safety function, cf. Section 6 on main safety functions. When loads are determined, the effects of seabed subsidence above or in connection with the reservoir shall be taken into account. Functional and environmental loads shall be combined in the most unfavourable way. Facilities or parts of facilities shall be able to withstand the design loads and the probable combinations of these loads at all times. The main safety functions are more closely associated with design characteristics, compared to for instance fatalities. But there are several aspects associated with how these requirements have been worded that are not as clear as would have been preferred. This is in particular associated with how to define areas and how to sum over different event categories and areas. 1.5.4 Activities Regulations There are no relevant requirements in the Activities regulations with respect to risk assessment and management. From a broader HES management point of view, the
10OffshoreRisk Assessmentmostrelevantaspectsareemergencypreparedness,workingenvironment, externalenvironmentaswell asdrillingandwell control andbarriers.1.5.5NMDRiskAnalysisRegulationsThe Norwegian Maritime Directorate has issuedRegulations for risk analysis ofmobile units',which applies to all mobile units that shall be registered in the Nor-wegian register of ships.The regulations applyto theowner ofthe unit,and have sections forexecutionand updating of risk analysis.It covers risk analysis of the concept, constructionrisk analysis, as built'risk analysis, in addition to reliability and vulnerabilityanalysis as well as emergency preparedness analysis. The regulations also containgeneral risk acceptancecriteria anddesign criteria for main safety functions.1.6UKRegulationsThe offshore regulatory regime was completely rewritten as a consequence of thePiperAlpha(seeSection4.7)in1988,basedontherecommendationsfromtheinquiry chaired by Lord Cullen (1990).The following regulations have been issued:SafetyCaseRegulations (SCR),(HSE,1992)PFEER(Prevention of Fireand Explosion,and EmergencyResponse)Regulations (HSE,1995a)Management andAdministrationRegulations (HSE,1995b)DesignandConstruction Regulations (HSE, 1996)1.6.1SafetyCaseRegulationsThe duty holder is required to identify hazards, evaluate risks and demonstrate thatmeasureshavebeenorwill betakentocontroltheriskssuchthattheresidual risklevel is as lowas reasonably practicable(ALARP).The SafetyCase should alsodemonstratethat the operator has a HES management systemwhich is adequate inorder to ensure compliance with all health and safety regulatory requirements.Thereis noreferencetoQRA intheregulations themselves.QRAismentionedin some of the schedules, listing the documentation to be submitted.Further discus-sion on theuseof QRAis however,found in'Contentof SafetyCases-GeneralGuidanceThe useof QRA under this legislation is mainly to analyse:Theriskof impairment of theTemporaryRefuge.Therisk topersonnel directly,expressed in termsofPLL and AIR,or someotherfatalitymeasures.Themain basis forthe useof theQRAapproach is actually implicit,as thedutyholder is required to demonstrate through the safety case that the risk level forpersonnel on the installation is'as lowas reasonably practicable',abbreviated asALARP.This can onlybe effectivelydone through the use ofQRA
10 Offshore Risk Assessment most relevant aspects are emergency preparedness, working environment, external environment as well as drilling and well control and barriers. 1.5.5 NMD Risk Analysis Regulations The Norwegian Maritime Directorate has issued ‘Regulations for risk analysis of mobile units’, which applies to all mobile units that shall be registered in the Norwegian register of ships. The regulations apply to the owner of the unit, and have sections for execution and updating of risk analysis. It covers risk analysis of the concept, construction risk analysis, ‘as built’ risk analysis, in addition to reliability and vulnerability analysis as well as emergency preparedness analysis. The regulations also contain general risk acceptance criteria and design criteria for main safety functions. 1.6 UK Regulations The offshore regulatory regime was completely rewritten as a consequence of the Piper Alpha (see Section 4.7) in 1988, based on the recommendations from the inquiry chaired by Lord Cullen (1990). The following regulations have been issued: x Safety Case Regulations (SCR), (HSE, 1992) x PFEER (Prevention of Fire and Explosion, and Emergency Response) Regulations (HSE, 1995a) x Management and Administration Regulations (HSE, 1995b) x Design and Construction Regulations (HSE, 1996) 1.6.1 Safety Case Regulations The duty holder is required to identify hazards, evaluate risks and demonstrate that measures have been or will be taken to control the risks such that the residual risk level is as low as reasonably practicable (ALARP). The Safety Case should also demonstrate that the operator has a HES management system which is adequate in order to ensure compliance with all health and safety regulatory requirements. There is no reference to QRA in the regulations themselves. QRA is mentioned in some of the schedules, listing the documentation to be submitted. Further discussion on the use of QRA is however, found in ‘Content of Safety Cases – General Guidance’. The use of QRA under this legislation is mainly to analyse: x The risk of impairment of the Temporary Refuge. x The risk to personnel directly, expressed in terms of PLL and AIR, or some other fatality measures. The main basis for the use of the QRA approach is actually implicit, as the duty holder is required to demonstrate through the safety case that the risk level for personnel on the installation is >as low as reasonably practicable=, abbreviated as ALARP. This can only be effectively done through the use of QRA
11IntroductionThe approach to QRA under the SCR is virtually the same as under theNorwegianregulations,withtheexceptionthatSCRappliestorisktopersonnelonly,whereas the Norwegian regulations applyto a set of risk dimensions includepersonnel, environment and assets,as hasbeen discussed in Chapter2.The Safety Caseregulations were modified inApril,2006.Theexplicit require-mentfordemonstrationofALARPwasremovedfromtheregulations.Thisshouldnotaffectpracticehowever,asthemanagementofhealthandsafetyatworkac(HSE, 1974)hasa correspondingrequirementfordemonstration ofALARP.Someofthe othermain changes are thefollowing:1.Resubmission.Previously a SC lasted 3years and then required to beresubmittedforassessment.UnderthenewSCR.itlaststhelifeoftheinstallation, no more resubmission.However, the dutyto revise as appro-priateremains.Anewdutytocarryoutthoroughreviewat5-yearintervalsor as directed is introduced.HSE has gained powers to'direct a revision"and to‘suspend'a SC.Material changerevisions to a SC will still requiretobesubmittedandaccepted2.Combined Operations SC. Previously a COSC was required before anycombined ops.This is replaced bya simpler Notification and the operatio-nal SCwill includeagenericdescription of themanagement of combinedoperations, if any.If generic details are not included but combined ops areplanned,a material change revisionwill haveto be submitted and acceptedbeforehand3.Design SC. Previously a DSC was submitted before a new fixed designwas completed.This has been replaced by a simpler, earlier, DesignNotification.It also applies to some conversions.4.Abandonment SC.Previously an Abandonment SC was required beforestarting decommissioning,defined to include e.g.activities for end ofproduction such as plugging wells.It hasbeen replacedby submission of aSC revision specificallyfor dismantling.Other, earlier, activities will bedealt with byrevising the operational SC.1.6.2PFEERRegulationsTheso-calledPFEER(PreventionofFireandExplosion,andEmergencyRespon-se)Regulations (HSE,1995a)implyimportant requirements foractiveandpassivesafety systems, as well as emergency preparedness systems and functions. Thepurpose of these regulations is to ensure that measures to protect against fire andexplosion result in a risk level which is as low as reasonably practicable, and thatsufficientarrangementsareinplaceinordertoprovideagoodprospectofrescueand recovery for personnel in all reasonablyforeseeable situations.Operators areaccording to these regulations required to:Takemeasurestopreventfiresand explosions and provideprotectionfromany which do occur,Provideeffectiveemergencyresponsearrangements
Introduction 11 The approach to QRA under the SCR is virtually the same as under the Norwegian regulations, with the exception that SCR applies to risk to personnel only, whereas the Norwegian regulations apply to a set of risk dimensions include personnel, environment and assets, as has been discussed in Chapter 2. The Safety Case regulations were modified in April, 2006. The explicit requirement for demonstration of ALARP was removed from the regulations. This should not affect practice however, as the management of health and safety at work act (HSE, 1974) has a corresponding requirement for demonstration of ALARP. Some of the other main changes are the following: 1. Resubmission. Previously a SC lasted 3 years and then required to be resubmitted for assessment. Under the new SCR, it lasts the life of the installation; no more resubmission. However, the duty to revise as appropriate remains. A new duty to carry out thorough review at 5-year intervals or as directed is introduced. HSE has gained powers to ‘direct a revision’ and to ‘suspend’ a SC. Material change revisions to a SC will still require to be submitted and accepted. 2. Combined Operations SC. Previously a COSC was required before any combined ops. This is replaced by a simpler Notification and the operational SC will include a generic description of the management of combined operations, if any. If generic details are not included but combined ops are planned, a material change revision will have to be submitted and accepted beforehand. 3. Design SC. Previously a DSC was submitted before a new fixed design was completed. This has been replaced by a simpler, earlier, Design Notification. It also applies to some conversions. 4. Abandonment SC. Previously an Abandonment SC was required before starting decommissioning, defined to include e.g. activities for end of production such as plugging wells. It has been replaced by submission of a SC revision specifically for dismantling. Other, earlier, activities will be dealt with by revising the operational SC. 1.6.2 PFEER Regulations The so-called PFEER (Prevention of Fire and Explosion, and Emergency Response) Regulations (HSE, 1995a) imply important requirements for active and passive safety systems, as well as emergency preparedness systems and functions. The purpose of these regulations is to ensure that measures to protect against fire and explosion result in a risk level which is as low as reasonably practicable, and that sufficient arrangements are in place in order to provide a good prospect of rescue and recovery for personnel in all reasonably foreseeable situations. Operators are according to these regulations required to: x Take measures to prevent fires and explosions and provide protection from any which do occur; x Provide effective emergency response arrangements
12OffshoreRiskAssessmentThe need for risks tobe as low as reasonablypracticable is thebasis forusingariskbased design inrelation tofireand explosion.The need toprovide facilities whichgiveagood prospectof rescue and recove-ry for personnel in all reasonablyforeseeablesituationsmay appearas a probabi-listicframework, but this is questionable.Theway this requirement appears tobeimplemented, is that any accidental situation which a lay person would consider asreasonablyforeseeable,isareasonablyforeseeableevent.Theimplicationofthisisthat there is very little room for a probabilistic consideration, if the situation canoccur,then the operator has touse the situation in a deterministic wayas thebasisfortheprovision of'good prospects of rescueand recovery'If this is notpossiblethenthe activityhas to be halted until such prospects may be restored.This ismainly associated with the possibility to provide such'good prospectsduringperiods of severe environmental conditions.1.6.3Management andAdministration RegulationsTheOffshore Installations and PipelineWorks(Management and Administration)Regulations(1995b)(MAR)setoutrequirementsforthesafemanagementandad-ministration of an offshore installation,such as the useof permitto worksystems.The requirements are essential provisions in orderto comply with the legislation,but there are no requirements as such to risk assessment and management.1.6.4 Design and Construction RegulationsThe Offshore Installations and Wells (Design and Construction, etc.)Regulations(1996)(DCR)are aimed at ensuring the integrity of installations, the safety ofoffshoreand onshore wells,and the safety of theworkplace environmentoffshore.1.7National and International StandardsThere is a small core group of international standards, by the International Orga-nizationfor Standardization(ISO),reflectingarisk basedapproachto decision-making in the offshore industry.Thefollowing standards havebeen issued:ISO10418:Analysis,design,installation andtesting of basic surfacesafetysystemsforoffshoreproductionplatforms(IsO,2003)ISO13702:Control and mitigation of fires andexplosions on offshoreproduction installations -requirements and Guidelines (ISO,1999b)ISO15544;Requirements andguidelinesforemergencyresponse(IsO,2000a)ISO17776:Guidelines on tools and techniques for identification and-assessmentof hazards(IsO,2000b).The ISO organisation has the responsibility to revise and reissue vital APIstandardswithrespecttosafety.ForexampleISO10418replacesAPIRP14C.No
12 Offshore Risk Assessment The need for risks to be as low as reasonably practicable is the basis for using a risk based design in relation to fire and explosion. The need to provide facilities which give a good prospect of rescue and recovery for personnel in all reasonably foreseeable situations may appear as a probabilistic framework, but this is questionable. The way this requirement appears to be implemented, is that any accidental situation which a lay person would consider as reasonably foreseeable, is a reasonably foreseeable event. The implication of this is that there is very little room for a probabilistic consideration, if the situation can occur, then the operator has to use the situation in a deterministic way as the basis for the provision of >good prospects of rescue and recovery=. If this is not possible, then the activity has to be halted until such prospects may be restored. This is mainly associated with the possibility to provide such >good prospects= during periods of severe environmental conditions. 1.6.3 Management and Administration Regulations The Offshore Installations and Pipeline Works (Management and Administration) Regulations (1995b) (MAR) set out requirements for the safe management and administration of an offshore installation, such as the use of permit to work systems. The requirements are essential provisions in order to comply with the legislation, but there are no requirements as such to risk assessment and management. 1.6.4 Design and Construction Regulations The Offshore Installations and Wells (Design and Construction, etc.) Regulations (1996) (DCR) are aimed at ensuring the integrity of installations, the safety of offshore and onshore wells, and the safety of the workplace environment offshore. 1.7 National and International Standards There is a small core group of international standards, by the International Organization for Standardization (ISO), reflecting a risk based approach to decisionmaking in the offshore industry. The following standards have been issued: x ISO 10418; Analysis, design, installation and testing of basic surface safety systems for offshore production platforms (ISO, 2003) x ISO 13702; Control and mitigation of fires and explosions on offshore production installations - requirements and Guidelines (ISO, 1999b) x ISO 15544; Requirements and guidelines for emergency response (ISO, 2000a) x ISO 17776; Guidelines on tools and techniques for identification and assessment of hazards (ISO, 2000b). The ISO organisation has the responsibility to revise and reissue vital API standards with respect to safety. For example, ISO 10418 replaces API RP 14C. No
