Blowout Prevention
Jason Knights, Global Communications Manager, Energy
Lloyd's Register Group Services Limited

Between April and July 2010, an estimated 4.9 million barrels of crude oil gushed from the damaged Macondo well into the Gulf of Mexico following the explosion that destroyed the Deepwater Horizon drilling rig. This was, according to President Obama, the worst environmental disaster America had ever faced. The response to the Deepwater Horizon disaster has spurred an innovative solution, reports Jason Knights.

By the time the crude oil leak from the Macondo well was stopped, oil had affected more than 1,000 miles of coast in five US states, seriously damaging local fishing and tourist industries - as well as the reputation of the offshore oil and gas sector.

Something had to be done to make sure it never happened again.

A new US government department - the Bureau of Safety and Environmental Enforcement (BSEE) - was set up, which has implemented the most aggressive and comprehensive offshore oil and gas regulatory reforms in American history.

Spotlight on BOP
The disaster was the result of a blowout, and 'the blowout was the product of human error, engineering mistakes, and management failures', according to the official report of the US government's Oil Spill Commission. This put the spotlight on the failure of the well's blowout preventer (BOP).

A blowout preventer is a large, specialised valve used to seal, control and monitor an oil or gas well. It can be the size of a double-decker bus and, in the case of the Macondo BOP, weigh up to 400 tonnes. It is there to prevent the uncontrolled release of oil or gas and is critical to the safety of the crew, the rig and the environment. It is the final line of defence.

BOP failures are uncommon, but far from unknown: there have been at least [two] major incidents since the Deepwater Horizon. Failures can be electrical, hydraulic or mechanical. But whatever the cause, failure in such a complex system, controlling 500,000-750,000 pounds of ram force in water that might exceed 9,000 feet deep, can pose a catastrophic risk of fire, explosion and death.

When a problem is detected in a BOP system or component, a decision has to be made whether to pull the BOP to the surface for inspection – or not. Such decisions are made on the basis of some understanding of what the problem might be, and a risk assessment of the potential seriousness of the fault.

But such decisions can also have significant cost implications. According to Duco de Haan, CEO of Lloyd’s Register Energy - Drilling: "The operational cost of drilling a deep water well typically ranges from USD 1 million to USD 1.2 million a day. In some of the ultra-deep water projects, it could take 8-12 days - or even longer - to secure the well, recover and repair the BOP, re-run and then re-test it before resuming operations. So, one incident could cost USD 14 million." The annual cost to the industry as a whole of pulling up BOPs runs into many hundreds of millions of dollars.

However, most risk assessments currently used in the industry do not employ a uniform process, meaning that 'pull' or 'no pull' decisions are not being made on a consistent basis. The human factor is also significant, and can result in decisions that are subjective and non-transparent, which are difficult for senior management to understand and unacceptable to regulatory bodies.

One of the key recommendations of the Oil Spill Commission's report was that the US should introduce "a 'risk-based' regulatory approach" similar to that which "has long-since been adopted in both Norway and the United Kingdom."

As a result of the subsequent regulatory changes, there was a clear industry need for a BOP failure-decision model which could detail changes in operational risk quickly and confidently, that removed subjectivity and that was verifiable.

Innovative Response
Following discussions with leading owners and operators in the sector, Lloyd's Register group members ModuSpec and Scandpower began work on developing such a model. ModuSpec has extensive experience in the industry, having evaluated 80 percent of the world's offshore oil and gas drilling units; while Scandpower's RiskSpectrum software is used in 50% of the world's nuclear power plants to help them operate safely.

The BOP Risk Model they created is an innovative new application for the Scandpower software. With the expertise of Lloyd's Register acquisition WEST Engineering Services, the leading drilling industry BOP specialist, the BOP Risk Model can be taken to the next level.

Scandpower's Vice President Business Development Inge Alme explains: "There are many similarities between the fail-safe requirements of a BOP and those of the safety systems in a nuclear plant. In order to ensure that they work when they are needed, there is a high degree of functional redundancy built into these systems. Safety features are duplicated in order to reduce the consequences of single failures.

"The software models the performance of the BOP. If everything is working as it should, all on-screen indicators show green. Indicators can move to amber or red depending on the significance of any problem that is detected and entered into the model. Redundancy within BOPs means that they have parallel functions doing the same thing. The risk model can suggest whether a problem in one component or subsystem warrants a decision to pull the BOP, or whether the back-up functions are sufficient to allow the rig to continue operating."

All 'pull' or 'no pull' decisions are ultimately made by a human operator. "But," Alme says, "what the model does is to provide better decision support - consistent factual information - upon which those decisions can be based."

It also improves audit traceability and regulatory compliance, as decisions can be supported by evidence-based explanations.

"The risk model can and will reduce non-productive time dramatically," says Duco de Haan, "which will save money. But it also gives everyone involved an unbiased assessment of the risk quickly, based upon regulations and specifications, removing the potential influence of cost on the 'pull'/'no pull' decision."

The model is now in use in the Gulf of Mexico. In a 12-month period, ModuSpec's Well Control Centre of Excellence in Houston - acting as an independent third party - recommended the continuation of operations on 29 occasions when, following the detection of potential failures, the regulator would otherwise have forced the operator to pull their BOPs to the surface.

And, by preventing non-productive time, this saved operators more than USD 200 million in lost revenue - and it helps protect the environment.

In the sizing of individual relief valves protecting equipment or process or system, it is a common practice not to take cognizance of any immediate operator action or the action of any mitigating devices. However, when it comes to designing an overall refinery flare system to cope with common mode failures (e.g., loss of power, or cooling water supply failure), an increasing number of experts are supporting taking credit for the action of devices such as unit emergency shutdown (ESD) systems, trips (for example, fired heater fuel supply cut-offs), or auto-starts of pumps whose actions reduce the potential load on the overall refinery flare system. Savings can thus be realised in the sizing of flare headers and other ancillary equipment. While there is no objection, in principle, to taking credit for ESDs in the design of relief systems, its application in practice deserves careful scrutiny. There are still many related issues that have not been adequately addressed by the proponents of the credit-taking approach. This paper highlights these concerns and offers practical advice to those facing relief system design decisions.

In a modern refinery, the practice of atmospheric discharge of gaseous hydrocarbons from Pressure Relief Valve (PRV) tail pipes, irrespective of whether on-plot or off-plot, is neither permissible under environmental guidelines nor desirable from a safety standpoint. The common approach, therefore, is to tie all (or most) pressure relief discharges from a unit into a manifold or unit header, which is then routed to a refinery relief header connected to a suitably sized flare system. Two systems are sometimes preferred - a low-pressure system and a high-pressure system.

The key parameters in the design and sizing of such a relief/flare header or manifold are the flow rate, the driving pressure and the type of material expected to enter the header from the discharge pipes of various relief valves connected to it. This in turn depends upon assumptions made as to the concurrence of relieving from several sources.

If it is assumed the header is required to handle the numerical sum of the rated capacities of all the relief devices in all the units discharging to it, then its calculated design size will truly be of enormous proportions - and require an equally enormous flare stack to match! Clearly, such an approach is wasteful and unjustifiable, especially where it can be demonstrated that an event culminating in simultaneous relief from all the valves at their respective rated capacities is impossible to occur (except, perhaps, as an extremely elaborate act of sabotage).

A certain degree of realism can be injected into the header design process by assuming that the maximum relief load will be equal to the sum of the actual expected maximum relief flows from those valves which could lift under a given emergency situation. For example, consider utility failure (power, cooling water, instrument air, steam, fuel oil/fuel gas, inert gas, or a combination based upon inter-relationship or common cause) or unit/plant fire. The header size derived will be smaller than that resulting from the total rated relieving-capacity assumption discussed previously. It will, however, be large enough to handle the relief load from all foreseeable emergency situations.

Hence, in sizing a header/flare system, there can really be no serious objection to utilising a conservative time-line analysis approach or a dynamic analysis based on process parameter levels expected under ‘upset’ conditions to calculate the required relief load, provided individual peak relieving rates get adequately addressed in the analysis.

Further economy in the header and flare system size can be realised by assuming that, in practice, several of the relief valves will not be required to lift in an emergency. Pressure in the vessels or equipment protected by them will not rise above the PRV set pressures due to the action of any "automatic instrumentation" installed that tends to pacify the source of pressure build-up. Automatic instrumentation here does not refer to the normally operating control systems and instruments used to operate the refinery [sometimes referred to as the Basic Process Control systems (BPCS) - see CCPS (1993) automation guidelines]. It refers to non-normal instrumentation such as emergency shutdown devices (ESDs), trips, safety interlock systems, auto-lockouts or auto-starts (all termed "ESD" for the purpose of this paper).

Size reduction sought on the basis of ESDs (i.e., taking credit for ESDs in relief and flare system design) - though it appears to have a 'prima facie' justification - is nonetheless fraught with controversy and a source of genuine concern, especially among operations managements. The key question, therefore, is: should we or should we not take credit for ESDs in the relief/flare system design?
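The three sizing bases discussed above (sum of rated capacities, worst single contingency, and worst contingency with ESD credit) are compared in the following added example, which is not part of the original paper. Valve tags, capacities, loads and contingency names are constructed for illustration, and a credited ESD is modelled as removing a valve's load entirely, which is a simplification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PRV:
    tag: str            # hypothetical valve tag
    rated: int          # rated capacity, kg/h
    loads: dict         # contingency -> expected maximum relief flow, kg/h
    esd: bool = False   # True if an ESD is credited with keeping this valve shut

# Constructed sample data, not taken from any real unit.
VALVES = [
    PRV("PRV-101", 120_000, {"power_failure": 90_000, "cooling_water_failure": 70_000}, esd=True),
    PRV("PRV-102", 80_000, {"power_failure": 60_000, "fire": 40_000}, esd=True),
    PRV("PRV-201", 150_000, {"power_failure": 110_000, "cooling_water_failure": 95_000}),
    PRV("PRV-202", 50_000, {"fire": 45_000}),
]

def rated_sum(valves):
    """Basis 1: every valve relieving at rated capacity at the same time."""
    return sum(v.rated for v in valves)

def scenario_load(valves, scenario, credit_esd=False, failed_esds=frozenset()):
    """Sum of expected flows from the valves that lift in one contingency.

    With credit_esd=True, an ESD-protected valve contributes nothing unless
    its tag is listed in failed_esds (the ESD did not act as assumed).
    """
    total = 0
    for v in valves:
        if credit_esd and v.esd and v.tag not in failed_esds:
            continue
        total += v.loads.get(scenario, 0)
    return total

def design_load(valves, credit_esd=False):
    """Basis 2 (no credit) or basis 3 (ESD credit): worst single contingency."""
    scenarios = {s for v in valves for s in v.loads}
    return max(scenario_load(valves, s, credit_esd) for s in scenarios)

def shortfall(valves, scenario, failed_esds):
    """Load beyond the ESD-credited design basis when the listed ESDs fail."""
    actual = scenario_load(valves, scenario, True, frozenset(failed_esds))
    return max(0, actual - design_load(valves, credit_esd=True))

if __name__ == "__main__":
    print("sum of rated capacities :", rated_sum(VALVES))
    print("worst contingency       :", design_load(VALVES))
    print("worst, with ESD credit  :", design_load(VALVES, credit_esd=True))
    print("excess if PRV-101 ESD fails on power failure:",
          shortfall(VALVES, "power_failure", {"PRV-101"}))
```

The last figure is the load the smaller header was never sized for, which is the case the objections to credit taking turn on.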

Note that the design of other parts of the relief system - such as PRV sizing, individual discharge piping and the header piping - can be carried out on the basis of the various API recommended practices. Applicable sections of the API RPs are illustrated in Figure 1.

Clearly, the biggest advantage of taking credit for ESDs is minimising the size of the relief system required to handle the PRV discharges from a unit or the entire facility. Reduction in relief load means reduced flare stack diameter and length, reduced header and sub-header sizes, and hence lower investment. In addition to the effect on installation costs, and perhaps of greater significance, is the impact of relief load reduction on the following key parameters associated with the performance and siting of a flare stack:
  • In-plant thermal radiation at grade
  • Radiation received at adjacent equipment
  • Radiation level at refinery fence-line
  • Combined radiation from more than one flare
  • Dispersion of combustion products
  • Dispersion on flame failure
  • Compliance with environmental regulations
  • Health impact on immediate area
  • Health impact on surrounding communities
  • Quantity of product sent to flare.

OBJECTIONS TO CREDIT TAKING
There is no objection, in principle, to the concept of taking credit for ESDs or any other shutdown devices/trips in evaluating relief system capacities. It is no different from any other cost versus risk-reduction benefit decisions faced by managements every day. In the highly competitive environment that currently prevails in the oil business, the potential for savings associated with a smaller flare system cannot be dismissed lightly.

Nonetheless, before lending unequivocal support to the concept, a few concerns need to be aired and resolved. From the standpoint of operations and engineering managements these are considered to be extremely significant - in fact so much so as to disfavor the practice of ESD credit taking. Past incidents on record involving flare systems further add to a plant owner’s anxiety in what is perceived as ‘cutting corners’ in the system design. One example is the Grangemouth (U.K.) Refinery incident. Although not related to flare line sizing, it was, nonetheless, a major incident involving a flare system.

API RP-521 states that the discharge piping system should be designed so that the built-up back pressure caused by the flow through the valve under consideration does not reduce the capacity of any pressure relief valve that may be relieving simultaneously. This statement is extremely clear and specific in terms of its content and guiding intent. It can be argued that ESD credit-taking violates the requirement quoted above in that if a smaller header size is selected it may permit the build-up of back pressure to such a level as to reduce the capacity of another PRV connected to the system if the ESDs fail to act in the assumed manner.

The hydrocarbon processing and the chemical industries are sometimes portrayed in the media as being those causing many major incidents resulting in loss of life and property. Setting aside the validity of such claims, there is no denying that most reputable companies have been acutely aware of their responsibilities in terms of safety of the communities and the environmental issues since well before the onset of recent legislation on clean air and process safety management.

In the post-OSHA period, the punitive element, invariably associated with the law, has forced a major modification in the outlook of many operations managers. The first question management wants answered is: "Does this decision conform to existing international standards, codes of practice, or guidelines or best-known/approved practices?" Or, conversely: "Will we be in violation of, or interpreted to be in violation of any international code?" In the past, the fact that the API has been silent on the subject of ESD credit taking would have been just one factor in the overall decision-making process. Nowadays, this silence will get noticed with added alarm.

Lack of a recognised standard leaves engineers and managers, who permit the design and installation of a relief system taking credit for ESDs, vulnerable to the possibility of unfavorable comment from official investigations of any loss or injury incidents involving relief system sizing. This concern should not be considered mere speculation. Past experience of management on incidents elsewhere, in which established industry practices were set aside in favor of calculated low-risk options, forces us to a closer scrutiny of this issue.

COMPROMISING A KEY SAFETY FEATURE:
Even if the law permits taking credit for ESDs, a carte blanche approval cannot be granted for this practice. Each application must be thoroughly analysed on the basis of its particular situation.

It can be argued that the ESD credit-taking practice compromises the safety margins. An "undersized" flare header receiving load from several units makes it possible for an equipment over-pressure event (which might lead to an explosion or fire) to occur simultaneously in more than one or all the units connected to the single flare system following a common mode initiating event such as power failure or cooling water failure.

Correct actuation of an ESD does not necessarily mean the relief load gets reduced to zero at the same instant. Residual heat in the fluid contained in a tower will often be sufficient to maintain flow through the relief valve for some time. Also, the time taken to discharge the vapor inventory from the PRV opening pressure down to the reseat pressure is not negligible.

If you feel extremely confident that the ESD will work and will not permit an overpressure situation to arise, then don’t install a PRV.