Available online at www.sciencedirect.

com

Safety Science 46 (2008) 261271 www.elsevier.com/locate/ssci

Analysis of hazard scenarios for a research environment in an oil and gas exploration and production company
Marco de Bruin a,*, Paul Swuste b
a

Shell International Exploration and Production, HSE&SD Site Services Team, Rijswijk, Netherlands b Sectie Veiligheidskunde, Technische Universiteit Delft, Netherlands Received 13 November 2006; received in revised form 22 June 2007; accepted 22 June 2007

Samenvatting Het onderhavige artikel onderzoekt HSE-gevaarsscenarios in de onderzoeksfaciliteiten van een internationaal bedrijf dat gespecialiseerd is in de exploratie en productie van olie en gas. Doel is: I. het analyseren van de grootste HSE-gevaarsscenarios voor de experimentele opstellingen in de nieuwe onderzoeksfaciliteiten; II. in staat te zijn deze gevaren terug te dringen tot een te bepalen minimum door optimaal ontwerp. III. in staat te zijn het aantal en ernst van toekomstige (mondiale) onderzoeksgerelateerde incidenten/bijna-ongevallen terug te dringen. Om de tien grootste HSE-gevaarsscenarios te kunnen vaststellen die ontwikkeld zijn in een eerdere studie, wordt geb` res en General Failure Types bepaald voor ruikgemaakt van de Tripod -methode. Met deze methode worden ook barrie de tien grootste gevaarsscenarios. ` re is het checken van ontwerp, systemen en installaties. De tweede frequente barrie ` re is (cenDe meest frequente barrie ` res zijn het gebruik van juist materiaal/apparatuuronderdelen, traal georganiseerd) onderhoud. Andere frequente barrie periodieke inspectie en veiligheidsapparatuur. Meest frequente General Failure Type is ontwerp, op afstand gevolgd door onderhoudsbeheer, organisatie, procedures en de overige types. Om bovengenoemde reductie van incidenten te berei` res en General Failure Types voorgesteld. Alhoewel dit artikel zich concentreert ken, wordt verbetering van deze barrie op het Nederlandse deel van het bedrijf, zijn de resultaten ook bruikbaar voor de gelijkwaardige faciliteiten in de USA. Het gepresenteerde onderzoek is een afstudeerproject geweest van de post-academische opleiding Management of Safety, Health and Environment (MoSHE) van de Technische Universiteit Delft. 2007 Elsevier Ltd. All rights reserved.

Corresponding author. Tel.: +31 70 447 3702. E-mail address: Marco.DeBruin@shell.com (M. de Bruin).

0925-7535/$ - see front matter 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.ssci.2007.06.030

262

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

Abstract The present study analyzes HSE hazard scenarios at the research areas of an international company that specializes in the exploration and production of oil and gas. Objective is: I. to analyze the major HSE hazard scenarios for the experimental facilities in the new research location; II. to be able to reduce those hazards to a pre-dened minimum through optimal design; III. to be able to reduce the amount and severity of future research-related incidents/near-misses. To analyze the ten major hazard scenarios, which were developed in a previous study, use is made of the Tripod technique. With this technique, also barriers and general failure types are determined for the major hazard scenarios. The most frequent barrier is the checking of design, systems and installations. Second frequent barrier is (centrally guided) maintenance. Further frequent barriers are the use of adequate material/equipment parts, periodic inspection and safety device. Most frequent general failure type is design, followed at a distance by maintenance management, organization, procedures and other types. To reach the above mentioned reduction of incidents, it is proposed to improve these barriers and general failure types. Although focusing on the Dutch part of the company, results are also usable for the equivalent facilities in the USA. The research presented in this article is based on a nal report of the post graduate master course Management of Safety, Health and Environment of the Delft University of Technology. 2007 Elsevier Ltd. All rights reserved.
Keywords: Hazard; Scenario; Tripod; Research; Barrier

1. Introduction This article analyzes health, safety and environmental (HSE) hazard scenarios at the research facilities of an international company that specializes in the exploration and production (E&P) of oil and gas. The location studied in this article houses a centre of technology, in which some 60 research locations are accommodated. In these locations, a wide range of equipment and chemicals are in use, all facilitating dedicated research and services in the eld of E&P for the oil and gas industry. The focus is on general physical, chemical and mechanical research on rock, multiphase (oil/water/air) systems, drilling ush and drilling technology; mainly by destructive and non-destructive experiments on rock, oil and (natural) gas samples. Emphasis herewith is on mechanical properties of tubes, drilling bars, drill heads, etc. and on analysis of properties of oils and gases. Experiments are mainly physical; chemical reactions are not common and chemicals in use are mainly used as solvent or extraction agent. Experimental research is carried out by 50 sta members; experiments take place under pressures up to 1000 bar and temperatures up to ca. 150 C. To deliver the necessary gases, a gas distribution system fed from a central facility is in use. Currently, the company is in the middle of a total renovation project of the site. The renovated site will amongst others contain a new indoor and outdoor research area in which all current large and small scale equipment will be based. To pave the way for the construction of the new facilities, large scale research equipment was moved to a temporary outside location in 2002. In 2007 all large and small scale equipment will be transferred to new facilities. The company owns a similar E&P centre in Houston, Texas (USA) in which 55 laboratories are housed, employing 40 research sta members. In the late 1990s globalization eorts started and global practices were adopted by the two centres. This resulted in amongst others the same system of incident reporting beginning in 2000. The USA facilities will be integrated in the present study; in this way, the USA incident data can also be used which will make nal results more accurate and globally applicable. To assess the hazards for the situation in the current and hence also new (from 2007 on) research facilities, major hazard scenarios were developed (de Bruin and Swuste, 2006). For development of these scenarios the following input was used: Layout Reviews, reported incidents from 19932004 and hazard scenarios from the

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

263

companys risk inventory and evaluation (RIE) and HSE studies. Until now the major hazard scenarios have not been analyzed. Therefore the objective of this study is: I. to analyze the major HSE hazard scenarios for the experimental facilities in the new research location; II. to be able to reduce those hazards to a pre-dened minimum through optimal design; III. to be able to reduce the amount and severity of future research-related incidents/near-misses. To reach the objectives as mentioned, the following research questions are dened: (1) What are useful barriers to improve to reach reduction of amount and severity of future incidents/nearmisses? (2) What management choices should be made to install or enhance these barriers?

2. Material and methods In Table 1 the major hazard scenarios for the company are presented in decreasing order of importance. They were developed and evaluated in de Bruin and Swuste, 2006. Scenarios were structured according to the bow-tie principle: events/circumstances, top event, consequences. In this way the top event, the item management is interested in, is made explicitly clear. This bow-tie is a combination of a fault tree, leading from various hazards to a top event, and an event tree leading from the top event to dierent sorts of damage as is shown in Fig. 1. The fault tree is commonly referred to as the left hand side, while the event tree is the right hand side (Zemering and Swuste, 2005). To elaborate these scenarios, in this article the Tripod technique is used. This technique is one of the most structured approaches to represent scenarios (via targets, hazards and events) and their causation paths (EQE International webpage; Kennedy and Kirwan, 1998). For the present study the technique is excellently suitable, because it makes use of barriers (as required for research question 1) which are analyzed back to active and latent failures (and preconditions). Moreover, latent failures can be classied into general failure types (GFTs); in this way a GFT Prole can be set up that indicates areas of improvement for the company. Standardly used GFTs in the Tripod technique are: HW DE MM PR EC HK IG OR CO TR DF hardware design maintenance management procedures error enforcing conditions housekeeping incompatible goals organization communication training defences

It is important to notice that Tripod is used in this study as a prospective tool, while it was designed as a retrospective tool. This is justied in this case because the major hazard scenarios that are used for the future research facilities consist of a retrospective long-term analysis of all relevant available safety data. Within the company, the Tripod technique is the most widely used (and prescribed) tool to invest incidents; so also for future reference this is the preferred technique. In the Tripod technique events can also be a target or hazard leading up to a next event. Because of this fact, a tree model can be created which consists of several events. This is a fundamental dierence with a bow-tie model (which is built around one central top event) and because of this reason it is possible to split a bow-tie scenario into several sub events. This simplies analysis and hence it is also possible to investigate scenarios which are more on the left hand side of a

264

Table 1 Major hazard scenarios Code Hazard scenario Events, circumstances (1) Failure of equipment Inadequate design/material/installation/ maintenance/inspection, too high tuning, failure of safety device (if present) Wrong re extinguishers, open re-resistant doors, inadequate design/installation of detection/warning system, inadequate maintenance/inspection/re-ghting plan and number of BHV sta Inadequate design of high pressure equipment (incl. protecting device, e.g. relief valves, piping, walls, explosion proof control room), inadequate maintenance (re. corrosion, fatigue, wear) of vessel/mains, lines clogged Inadequate design/installation/inspection/ maintenance (resulting in o.a. corrosion), incorrect grounding, non-adherence to rules (PtW, resulting in e.g. cutting of cables) Hoisting paths used by several parties at the same time, no adherence to procedures during hoisting and on-/ooading, hoisting over hazardous equipment Operators mistake (miscommunication), forgetting procedures (also improperly lling system), overload of system, lack of inspection/ maintenance Poor waste/material management, housekeeping, cleaning after experiment/incident Non-adherence to/unfamiliarity with rules on area restrictions Top event Failure of equipment, overheating, ignition Consequences (Exposure of sta to) spill or jet, re, smoke, rerelated injury to sta and damage to building and assets Escalation of emergency

(2) Escalation of emergency

Sta trapped in case of emergency, no adequate BHV and re brigade reaction, sta warned too late

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

(3) Excessive system pressure

Excessive pressure in system

Vessel/mains bursting, (exposure of sta to) explosion or jet (liquid or gas), possibly escalated by activities taking place nearby equipment

(4) Electrocution

Electricity being charged, inadequate shielding (also from water and collision), possible contact with sta Hoisting/lifting/loading over or in presence of undesired assets or sta, material (e.g. slings) failure System breakage/bursting/overow

Electrocution

(5) Hit by hoisted/lifted/ loaded goods

Undesired assets or sta hit by loads when loosing grip

(6) Operating error, spill

(7) Poor waste management (8) Exposure of unauthorized sta

Materials/equipment/waste/chemicals littering without maintenance/inspection Unauthorized sta (also security sta) entering area (also without Permit to Work)

Spill of chemicals/oils to oor/soil or ejection to sta, inadequacy of leak-tight facilities, drains erroneously connected to sewer, resulting in discharge to sewer system Leakage/spill or tripping/sliding Exposure of unauthorized sta to hazardous circumstances (high pressures, electricity, radiation, noise and chemicals), stopping of experiment, distraction of experimenting sta Discomfort, uncertainty about exposure, possible harm to lab sta Injury to operator

(9) Harm by lack of competences (10) Loss of control by insucient equipment knowledge on the device

Lack of knowledge, inadequate training, lacking clarity on HSE responsibilities and information by organization Excessive tuning by operator (unsuspectingly), unknown pressure in system, too less known about intrinsic system properties (incl. pumps), unknown maintenance, unknown specications (e.g. max. pressure capacity), unknown integrity/ behaviour of system

Insucient competencies, inability to assess (chemical) risks and protective measures Too high pressure in system, leakage, rupture, components failing, release of chemicals by system, unknown chemical hazards

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

265

Fig. 1. Bow-tie concept.

bow-tie, like scenarios 9 and 10 in Table 1. After analysis and determination of barriers in the scenarios, the most eective mitigation measures can be determined to reach objectives II and III. 3. Results For all 10 scenarios, Tripod trees were developed. In Fig. 2 an example is given, dealing with scenario 5 (hit by hoisted/lifted/loaded goods). The corresponding GFT prole for this example is in Fig. 3. The barriers that were identied per scenario are presented in Tables 2.12.10. In total, 77 barriers were dened. The grand overview is presented in Table 3. In Table 4 the GFTs for the major scenarios are summarized; the prole is given in Fig. 4. 4. Discussion and conclusions 4.1. Analysis of the Tripod tree The reason for choosing scenario 5 as example in Fig. 2 is the fact that it is the least extensive tree of the major scenarios; other scenarios need a larger page format. Fig. 2 clearly shows the main elements of a Tripod tree: hazards (e.g. hoisting/loading/lifting), targets (e.g. sta/assets underneath) and top events (e.g. hoisting/loading/lifting loads over assets or sta). It is also clear that an event can also be a target leading up to a next event (assets or sta hit by loads). Various barriers are in between hazards and top events; examples in this scenario are: hoisting paths not used at the same time and procedures for hoisting. Barriers do also interfere between targets and top events, like no hazardous equipment/wires and evacuation of sta/assets. The barrier hoisting paths not used at the same time can fail, because it is not known among parties that other ones are hoisting too. This is an active failure. Precondition of this active failure is lack of communication between hoisting parties. Latent failure behind this precondition is the fact that there are ineective procedures about communication. The general failure types for this latent failure are classied to be predominantly procedural (PR) and communicative (CO). Summarizing all GFTs (Fig. 3) shows that for this scenario the dominant GFT is procedures (PR), the second ones being design (DE) and communication (CO).

266

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

Fig. 2. Tripod tree for scenario 5.

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

267

7 6 Occurrence in scenarios 6 5 4 3 3 2 2 1 1 0 HW DE MM PR EC HK IG OR CO TR DF General Failure Type

Fig. 3. GFT prole for scenario 5. Table 2.1 Barriers for scenario 1 (failure of equipment) Barrier Design/system/installation check Use of adequate material/equipment parts Screening on HSE items Periodic inspection (Centrally guided) maintenance Safety relief valves/fuses/device Physical separation Insulation/shielding of system Blocking of fresh air supply Table 2.2 Barriers for scenario 2 (escalation of emergency) Barrier Fire-resistance of doors/building Emergency doors, signs, lights, muster points, exits Fire-ghting tools Routing, evacuation procedure BHV organization Regular updates of plan Adequate re-ghting skills of BHV Design/system/installation check Design of automatic warning system Emergency and eye wash showers Periodic inspections (of driveway) Table 2.3 Barriers for scenario 3 (excessive system pressure) Barrier Design/system/installation check (Centrally guided) maintenance Adequate ushing of equipment/lines Safety relief valves/fuses/device Use of adequate material/equipment parts Walls, explosion proof control room Leak-tight facilities, incl. grooves No sta activities taking place nearby # 1 1 1 1 1 1 1 1 # 2 2 1 1 1 1 1 3 2 1 1 # 1 1 1 1 1 1 3 2 1

268 Table 2.4 Barriers for scenario 4 (electrocution) Barrier

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

# 1 1 1 1 1 1 1 1 1 1

Design/system/installation check Use of adequate material/equipment parts Screening on HSE items Periodic inspection (Centrally guided) maintenance Use of adequate protective measures (PPE) Insulation/shielding of system PtW system for working on electricity Safety relief valves/fuses/device Grounding

Table 2.5 Barriers for scenario 5 (hit by hoisted/lifted/loaded goods) Barrier Hoisting paths not used at the same time Procedures for hoisting No hazardous equipment/wires underneath Evacuation of sta/assets Use of adequate material/equipment parts # 1 1 1 1 1

Table 2.6 Barriers for scenario 6 (operating error, spill) Barrier Design/system/installation check Use of adequate material/equipment parts Periodic inspection (Centrally guided) maintenance Indications/warning signs on equipment Safety relief valves/fuses/device Leak-tight facilities, incl. grooves # 1 1 1 1 1 1 2

Table 2.7 Barriers for scenario 7 (poor waste management) Barrier (Centrally guided) maintenance Cleaning after experiment Storage prescriptions Leak-tight facilities, incl. grooves Periodic inspection # 1 1 1 1 1

Table 2.8 Barriers for scenario 8 (exposure of unauthorized sta) Barrier Adherence to rules on research area access Internal PtW system for contractors Red warning light at entrance # 1 1 1

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271 Table 2.9 Barriers for scenario 9 (harm by lack of competences) Barrier Clarity on HSE responsibilities Information/instruction by organization Ability to assess risks Use of adequate protective measures (PPE)

269

# 1 1 1 1

Table 2.10 Barriers for scenario 10 (loss of control by insucient knowledge on equipment) Barrier Safety relief valves/fuses/device Correction by operator Sucient knowledge on system Intrinsic safe system (Centrally guided) maintenance Use of adequate protective measures (PPE) # 1 1 1 1 1 1

4.2. Barriers and GFTs In total, the barriers that are presented in Table 3 are the ones (in decreasing order of occurrence) that have to be improved to mitigate the major scenarios (and reach reduction of amount and severity of future incidents/near-misses). It needs to be realized that the exact results depend very much on the fundaments of the Tripod technique. In the present study, for all barriers three GFTs were dened; when this amount would be dierent, also the amounts in Table 4 and Fig. 4 would be dierent. Ratios between GFTs would roughly stay the same however. It needs also to be realized that the Tripod trees were set up by the author of the present study. Another author might have come up with slightly dierent trees. Again, it is about trends here. From Table 3 it is clear that the most frequent barrier is the checking of design, systems and installations. This is supported by the GFT design (Table 4). Looking at the major hazard scenarios (de Bruin, 2005) design shortcomings are mainly caused by a lack of thorough design safety studies (HAZIDs, HAZOPs, etc.) Due to the lack of these studies, in practice it appears that e.g. inadequate material, couplings and detection systems were used, manifested in incidents. Also, when design safety studies were held, there was no good system to track if action points were actually carried out. Another design shortcoming appears to be the difculty to assess the specications (e.g. maximum pressure capacity, intrinsic material properties and actual pressure in parts) for equipment under design. Second frequent barrier is (centrally guided) maintenance (supported by the GFT maintenance management). In the scenarios it appears that there is no adequate system in place for periodic inspection and that maintenance is not centrally coordinated. Besides it appears that not enough time is spent on regular system checks. This resulted in e.g. malfunctioning safety device, corrosion, clogged lines and failing slings. Further frequent barriers are the use of adequate material/equipment parts, periodic inspection and safety device, etc. If management decides to improve on the major hazard scenarios, these are the barriers to enhance. 4.3. Future reviews de Bruin and Swuste, 2006 propose Scenario Based Reviews. In the nuclear industry, working with scenarios is quite common (e.g. Liu et al., 1998; Borovoi et al., 1999; Na et al., 2004). Besides, there is a tendency that other industries start adopting a scenario approach, e.g. the Dutch Railways (Wielaard and Swuste, 2001) and General Electric Plastics started Scenario Based Audits (Zemering and Swuste, 2005). In Scenario Based Reviews, experts can discuss real barriers and their causation paths. It is proposed to use the bow-tie model, as the main hazard scenarios were structured according to this model (see Table 1). When reviewing the major scenarios it has to be assessed if barriers are eective. If not, improvement actions have to be dened per bar-

270 Table 3 Barriers in the major hazard scenarios Barrier

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271

# 7 6 5 5 5 4 3 3 3 2 2 2 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 77

Design/system/installation check (Centrally guided) maintenance Use of adequate material/equipment parts Periodic inspection Safety relief valves/fuses/device Leak-tight facilities, incl. grooves Physical separation Insulation/shielding of system Use of adequate protective measures (PPE) Screening on HSE items Fire-resistance of doors/building Emergency doors, signs, lights, muster points, exits Design of automatic warning system Blocking of fresh air supply Fire-ghting tools Routing, evacuation procedure BHV organization Regular updates of plan Adequate re-ghting skills of BHV Emergency and eye wash showers Adequate ushing of equipment/lines Walls, explosion proof control room No sta activities taking place nearby PtW system for working on electricity Grounding Hoisting paths not used at the same time Procedures for hoisting No hazardous equipment/wires underneath Evacuation of sta/assets Indications/warning signs on equipment Cleaning after experiment Storage prescriptions Adherence to rules on research area access Internal PtW system for contractors Red warning light at entrance Clarity on HSE responsibilities Information/instruction by organization Ability to assess risks Correction by operator Sucient knowledge on system Intrinsic safe system Total

rier. If, according to the reviewing team of experts, barriers might be missing, they can be added too. In this way, scenarios stay optimized and organizational learning can start. Accompanying research questions might be:  What barriers/defences appear to fail (and how often) in the presented scenarios and need to be enhanced?  Are there still barriers/defences missing in the presented scenarios?  Are there existing eective barriers that are being eroded? To reach objectives II and III, goals can be set by the companys management. If goals appear to be exceeded, it needs to be investigated which barriers fail in the presented scenarios and action items need to be dened for these barriers.

M. de Bruin, P. Swuste / Safety Science 46 (2008) 261271 Table 4 General failure types for the major hazard scenarios Scenario General failure type HW 1 2 3 4 5 6 7 8 9 10 Sum 7 2 2 1 DE 16 11 10 8 3 13 3 MM 5 6 5 6 2 5 4 PR 2 3 4 6 1 4 1 21 10 4 9 EC 1 6 1 1 1 4 3 HK IG 1 2 1 1 1 OR 3 4 4 3 1 2 3 1 3 1 25 CO 2 1 3 TR 4 3 DF 1 10 1 1 1 1 3

271

Sum

3 15

3 67

2 35

6 5 18

3 17

36 48 24 30 15 24 15 9 12 18 231

10

Occurrence in 10 major hazard scenarios

80 70 60 50 40 30
21 35 25 18 10 4 9 10 17 67

20 10 0

15

HW

DE

MM

PR

EC

HK

IG

OR

CO

TR

DF

General Failure Type

Fig. 4. General failure type prole for the major hazard scenarios.

References
Borovoi, A.A., Lagunenko, A.S., Pazukhin, E.M., 1999. Radiochemical and selected physicochemical characteristics of lava and concrete samples from subreactor room no 304/3 of the fourth block of the chernobyl nuclear power plant and their connection with the accident scenario. Radiochemistry 41 (2), 197202. de Bruin, M.D., 2005. Hazard scenarios for E&P research facilities at SIEP Rijswijk. Internal Shell Report EP 2005-5197, Rijswijk. de Bruin, M.D., Swuste, P.H.J.J., 2006. Identication of hazard scenarios for a research environment in an oil and gas exploration and production company. Tijdschrift voor Toegepaste Arbowetenschap 19 (4), 6575. EQE International webpage on hazard identication methods. <http://www.eqe.co.uk/consulting/pdf/tripod.pdf>. Kennedy, R., Kirwan, B., 1998. Development of a hazard and operability-based method for identifying safety management vulnerabilities in high risk systems. Safety Science 30, 249274. Liu, T.J., Lee, C.H., Chang, C.Y., 1998. Power-operated relief valve stuck-open accident and recovery scenarios in the Institute of Nuclear Energy Research integral system test facility. Nuclear Engineering and Design 186 (12), 149176. Na, M.G. et al., 2004. Prediction of major transient scenarios for severe accidents of nuclear power plants. IEEE Transactions on Nuclear Science 51 (2), 313321. Wielaard, P., Swuste, P.H.J.J., 2001. De veiligheid van treinreizigers, een zoektocht naar bruikbare indicatoren. Tijdschrift voor Toegepaste Arbowetenschap 14 (3), 712. Zemering, C.A., Swuste, P.H.J.J., 2005. Scenario based auditing. Tijdschrift voor Toegepaste Arbowetenschap 18 (4), 7988.