A strong risk-management strategy for offshore oil and gas installations requires a comprehensive understanding and knowledge of the characteristics of major hazard events, as well as the effectiveness of safeguarding systems.
In the past decades, fire and explosion hazards, and related safety system performance, have become a mainstay of industry research projects, with the findings presented and pored over at industry events on a regular basis. The management systems used to communicate this information to the offshore workforce, in order to enact effective safety and integrity performance, are critical to risk management processes.
Industry best practice draws heavily on past experience and past mistakes, operator fallibility, societal concerns and lifecycle issues.
Predictive risk and reliability techniques have been applied in the North Sea offshore industry for 20 years or more, and helped towards the overall reduction of the incidence rate of severe accidents. Historically, these techniques have concentrated more on technical aspects of design, construction and operation, rather then the human and organisational aspects.
Some efforts have also been attributed to the modelling of operational safety. However, these models are largely descriptive, not predictive, and for this reason are considered ineffective in the effort to determine how to prevent accidents.
The industry has long grappled with the seeming arbitrariness of terms like ALARP, the acronym for ‘as low as reasonably practicable’, which refers to management processes whereby a risk is reduced so low that any further risk reduction would involve time, trouble, difficulty and cost which are unreasonably disproportionate to the additional risk reduction obtained.
Put simply, there is no acceptable level of risk, but it is widely recognised that operators and contractors alike have limited resources available. Logically, these should be directed to areas where they achieve the most significant reduction in risk. The aspiration to reduce a risk to ALARP requires achieving a balance between the reduction in risk and the expenses involved. When the costs become disproportionate to the additional risk reduction obtained, the point of ALARP has been missed.
Confusingly, despite its widespread recognition as a safety guideline in the UK in assessing the tolerability of risk, the ALARP principle is not a part of any UK law. However, it bears a marked similarity to the SFAIRP (so far as is reasonably practicable) principle, which does make an appearance in the Health and Safety at Work Act. Usually, ALARP and SFAIRP are considered to be broadly equivalent, for example by the Health and Safety Executive (HSE), but it is not seen that this equivalence has yet been demonstrated in law.
The relevance of the ALARP principle is mandated by the MoD itself. Hence, all IPTs involved with safety-related equipment or services need to be aware of ALARP and need to be able to work by it. Evidently, the ALARP principle has posed a multitude of problems for operators, as the issues with interpretation are followed closely by the difficulty of implementation and high cost of enforcement.
Most risk-management techniques used today to address a lack of required safety evidence for software (static analysis is an example) are, in fact, risk assessment techniques, rather than risk reduction techniques. This means that the techniques themselves have no direct benefit in terms of risk reduction – the benefits are only realised through fixing the software faults that the techniques isolate.
Moreover, because it not feasible to predict in advance how many software faults will be identified, it is not possible to accurately estimate the expense of fixing the faults. The cost can vary from nothing, if no faults are found, to the cost of completely redesigning the software if it proves to be so badly plagued with faults that it needs to be discarded.
Since ALARP demands estimation of the expense of risk reduction, it is not immediately obvious that it can be applied to software, which shows another shortcoming of ALARP.
Software poses unique problems in that there can be no proof that it is unsafe. At the same time, there might be insufficient evidence to demonstrate that it is safe (there is a lack of evidence of safety, not evidence of a lack of safety).
As a result, the default approach in such cases can be to downplay the safety of the software. This, in turn, means that more detailed risk assessment can be, effectively, a means to reduce the projected risk, as it will allow the overly negative assumptions to be relaxed.
Often, when applying ALARP to software risks, operators and contractors make an implicit assumption that the risk assessment techniques employed will find no software faults, demonstrating that the software is of high integrity. Hence, it is only necessary to estimate the cost of the software analysis, rather than the cost of fixing any identified faults.
This approach errs on the side of improving safety because it makes it more likely that software risk assessment followed, if necessary, by risk reduction, will be enacted.
Some elements of structural integrity are dependent on operational control, and floating structures are often reliant on ballast systems and mooring systems. Historical data from mobile drilling units has demonstrated that both ballast and mooring system incidents are typically caused by human and organisational mistakes. Thankfully, a majority of the accidents have been minor, without implications for integrity, but the potential has been there.
On occasion the structural integrity of a unit has been gravely threatened – a well-known example might be the capsizing of the mobile drilling unit Ocean Ranger off New Foundland in 1982. The Ocean Ranger incident was related to a loss of operational control.
The occurrence of low speed impacts from shuttle tankers into FPSOs in the North Sea has been a worry for operators in the last decade. Human and organisational factors have played a prominent role in these incidents, as far as the accepted information on these events is currently understood. The threat of low speed impacts reminds the industry of the importance of acting sufficiently early and extensively in order to avoid contact between the vessels.
A further reminder comes in the form of incidents involving operational problems related to shuttle tankers and off-loading buoys for crude oil export from fixed production installations. Most of these incidents have resulted in little more than a ruptured hose and minor oil spills, but the hazard is continually present.
The current approach to analysing operational safety during the design phase seems to be shaped mainly through what is identified in the various risk assessments and safety studies. In design, too, human and organisational aspects of safety cannot be viewed in complete isolation from the technical systems. For example, panels and control stations in main control rooms have often been designed and laid out in accordance with the principles of human factors engineering.
Independent evaluations of these aspects may also be carried out – for example, the performance of crisis intervention in offshore production analyses during late detail engineering.
STRONG SAFETY RECORD
Despite the numerous challenges in interpreting and applying ALARP, there have been no total losses worldwide of FPSOs, and no serious accidents for personnel. Two total losses have been recorded for other floating production units. One of these happened off West Africa during tow and the second event took place in the Gulf of Mexico during a hurricane. Both incidents involved converted mobile drilling units, and in neither case were lives lost.
These two total losses are not considered relevant for the present context of the FPSOs, but the absence of serious events indicates that risk management procedures employed by operators are working well in relation to physical safety, with cost and complexity the main challenges of the day.