Document addresses new hazards introduced by move to remote-controlled pipe management
By Simon Brown, Norman Turner, Robert Denham, UK Health & Safety Executive, Offshore Division
The implementation of remotely controlled equipment on the drill floor is often portrayed as one phase in an inexorable drive to the ultimate goal of automated drilling operations. It is now common on the UK Continental Shelf (UKCS) for pipe handling to be undertaken by joystick control from sophisticated control chairs. However, unless personnel can be totally excluded from the drill floor and associated areas, a risk of serious injury from falling objects and moving equipment remains.
In North West Europe, several factors have motivated the move to remote control of pipe handling, including:
• A reduction in the number of people required for drill floor operations;
• Drill floor machines can continue operations in weather conditions that would have a significant adverse effect on human activity and productivity;
• By limiting human contact with mobile heavy plant, the incidence of many types of hand and limb injuries can be reduced; and
• Drilling rigs operating in Norwegian waters are obliged to comply with NORSOK standard D-001, which requires that “the drill floor shall be unmanned and equipment remotely operated in normal and tripping operations.”
However, while remote control of pipe handling may reduce certain types of incidents, it could also introduce new hazards. Collisions and other dangerous interactions may occur between remotely controlled equipment and personnel, between equipment and structures, between different items of drill floor equipment or within the equipment itself.
Health & Safety Executive
The Health & Safety Executive (HSE) is the UK government’s regulator for workplace safety in Great Britain. HSE’s Offshore Division (OSD) deals with drilling safety issues in Great Britain and on the UKCS. OSD also regulates safety on offshore oil and gas production installations on the UKCS.
In 2003, in response to a large number of incidents in deck and drilling operations offshore, OSD initiated Key Programme 2, Deck and Drilling Operations. This program resulted in a closer focus on the management of lifting operations associated with deck and drilling operations lifting activities offshore as these were seen to contribute significantly to fatalities and major injuries.
In 2004, OSD worked with users and suppliers to develop a methodology to assist in determining the appropriate level of mechanization for a particular rig carrying out specific types of operations. This methodology is known as the tubular handling appraisal tool. IADC took ownership of the tool.
In 2006, following a serious incident on a drill floor, OSD issued Safety Notice SN02/2006. However, despite subsequent improvements made by suppliers and users, high-potential incidents related to drilling machinery systems are still occurring.
OSD has investigated many drill floor incidents and reviewed their causal factors. One underlying factor is that despite technical advances, suppliers, users and integrators are frequently failing to consider the operability of the complete drilling machinery system. The demands on the driller can be very high, and this results in an increased likelihood of operating errors.
On some installations, drilling machinery systems have evolved from manual equipment (e.g., manually operated tongs) to remotely controlled equipment. In such cases, it is common for the space in which the newer equipment is required to operate to be severely constrained. The resulting systems can be complex and typically include a combination of electrical-, mechanical-, hydraulic- and software-controlled subsystems, possibly from different vendors.
OSD recently published an Offshore Information Sheet to assist machinery suppliers and the drilling industry in tackling risks arising from drill floor machinery and tubular-handling equipment.
The document draws heavily on a range of techniques and standards developed by other industries. It sets out what OSD regards as being necessary to comply with UK safety legislation, which is very much “goal setting.” This means that it sets out the goals to be achieved and leaves it to employers to choose the appropriate means to achieve these goals. It is generally considered that the adoption of authoritative benchmarks, such as international standards, will help meet the requirements of the legislation.
Safety legislation in the UK and Europe promotes a hierarchy of measures to manage risk. In decreasing order of priority, the hierarchy consists of:
• Elimination of the hazard;
• Hardware protective measures; and
• Procedural protective measures.
In particular, UK Statutory Instrument SI1998/2306, “Provision and Use of Work Equipment Regulations,” requires employers to ensure that, so far as is reasonably practicable, protection against any article falling or being ejected from work equipment does not rely on “soft measures,” such as personal protective equipment, information, instruction, training and supervision. Therefore, the primary protection against dropped objects and collisions should be provided by design measures to eliminate the hazard or by engineered protective measures, such as interlocks or automated zone management.
The skills of the driller can provide a secondary layer of protection, and instructions to the work force should only be employed to protect against the residual risks.
Problems in standards and management
When safety depends on the correct operation of machinery, it is key that a holistic approach is taken throughout the lifecycle, from initial concept and design through installation and integration and into operation and maintenance. This is particularly important when complex programmable machinery is employed and when a number of items of such machinery are integrated into the relatively confined space of the drill floor and associated areas on a rig. The benchmark generic standard for functional safety of electrical/electronic/programmable equipment (IEC 61508) places great emphasis on the management of functional safety throughout the lifecycle. However, it is the OSD’s experience that the responsibility for this is not recognized or clearly defined at senior management levels in drill floor machinery supply companies.
The problems are compounded by the fact that most of the current standards for drill floor machinery (e.g., API Spec 8c, ISO 14693, ISO 13535, IMO MODU Code) do not adequately address functional safety aspects. The Norwegian NORSOK standard D-001 requires that “no single failure shall entail a life-threatening situation.” However, many of the key steps in achieving functional safety of complex machinery are not addressed by any of the current drilling machinery standards.
In particular, there is little attention paid to software, which can be particularly problematic. On this front, it is anticipated that new guidance and standards from Det Norske Veritas and the American Bureau of Shipping will help in achieving and maintaining improved levels of software integrity.
Offshore information sheet
• Clear identification of the entire scope of the drilling machinery, its control system and interfaces;
• The use of a systematic approach (e.g., HAZOP, HAZID or FMEA) to identify potentially dangerous interactions or occurrences and to identify suitable means for prevention or mitigation;
• The application of international machinery/control system standards in the design, integration and maintenance of drilling machinery and drilling machinery systems;
• A team approach to safety management, with transparency and sharing of information; and
• Clear definition of responsibilities for functional safety, particularly in the supply companies.
The information sheet provides a general introduction to relevant hazard identification techniques and identifies key actions to be incorporated in the safety management systems of those involved in the supply or use of drill floor machinery. An appendix to the document uses brief, anonymous descriptions of drill floor incidents to illustrate the consequences of failing to implement the key actions.
In March 2012, the information sheet was distributed for comments to suppliers, trade bodies (e.g., IADC, IMCA), oil and gas companies, verification bodies/ classification societies and to regulators in other countries. Valuable comments were received and, where appropriate, incorporated into the information sheet.
Lessons from other industries
Industries with similar hazards have developed relevant standards and guidelines to assist in the development of safe systems and operations involving moving equipment. Despite this, specifications for remotely controlled drill floor machinery typically rely on “in-house” guidelines and often do not reference relevant international standards.
An important principle identified in other industries is that safety-related control systems should provide tolerance to single faults (see, for example, the standard for offshore cranes EN13852-1 for cranes). It is well known that mechanically actuated items can fail to move as instructed.
So that no single fault in an actuated element can lead to injury, there should be appropriate sensors to confirm that the actuated element has responded properly and logic to initiate appropriate mitigation action if the actuated element does not respond.
By contrast, HSE has encountered incidents where either:
• There is no feedback sensor to confirm correct movement of an actuated item; or
• There is a single feedback sensor with no means to actively cross-check that the values it supplies are valid.
Correct application of techniques such as HAZOP or FMECA would have identified the criticality of failure of each actuated element on demand and would have ensured that suitable feedback sensors with cross-checks were in place. It is recognized that the space to install sensors may be limited and that connecting to rotating equipment can be challenging, but that does not justify failure to implement appropriate feedback sensors and logic for critical actuated elements.
In the investigation of one recent incident, it was found that for each of the remotely controlled items of equipment that could approach the well center, a form of simplified FMECA (Failure Modes Effects and Criticality Assessment) assessment had been undertaken. However, each item of equipment had been considered in isolation.
The assessment concluded that the consequences of failure of one particular item of equipment to retract was
“minor,” without considering the possibility that there could be other movable items in the vicinity. On the drilling unit where the equipment was installed, there were several items of machinery that could approach the well center, and the consequence of a failure of the item of equipment to retract was a collision with another item of plant and debris that fell over a wide area of the drill floor.
It has been claimed that software often has not been fully tested by suppliers prior to installation at the yard. Testing of control system software may identify software problems, and there should always be tests to confirm the logic that operates a safety function will lead to the correct response. However, as other industries have found, for all but the most trivial software, the number of paths through the software and permutations of input values is so great that completely exhaustive testing of the software is not feasible. This is why it is important to adopt a systematic approach to design so that the likelihood of introducing faults in the design is minimized.
In several other industries, regulatory bodies mandate the use of data recorders for activities with high hazards. For example, in the UK, there are requirements for data recorders on civil airliners, trains and on some ships. At present there are no regulatory requirements for data recorders in relation to drilling equipment.
Although press reports regarding the use of data recorders (black boxes) are normally in relation to forensic investigations following accidents, data recorders can be a powerful tool for both operational efficiency and as part of a safety management system. A program to review operational data recorded for drill floor machinery can help an operator to identify, quantify, assess and address operational risks. In particular, it allows an operator to compare its operational procedures with what happens in everyday drilling. A feedback loop, as part of a safety management system, allows timely corrective action to be taken where safety is potentially compromised by degradation in performance or deviation from procedure.
Computer simulation of operations
Computer-aided design software is used extensively in design because it can increase the productivity of the designer, improve the quality of design and improve communications. Related packages are available that can generate the swept volume of a moving object. Such packages can be particularly helpful in identifying the potential trajectories of moving drill floor equipment and their loads and establishing safe limits for managing motion near the well center.
Despite improvements made by suppliers and users, high-potential incidents related to drilling machinery systems continue to occur on the UKCS. OSD has produced the Offshore Information Sheet to assist suppliers and users to reduce the likelihood of such incidents.
This article is based on a presentation at the IADC Drilling HSE Europe Conference & Exhibition, 26-27 Sept, Amsterdam.
The Offshore Information Sheet “Drill Floor Machinery and Tubular Handling Safety” is available from the HSE website.
The final report of OSD-initiated Key Programme 2, Deck and Drilling Operations is available from the OSD website.
© Crown copyright 2012. This information may be reused free of charge in any format or medium under the terms of the UK Open Government Licence, see nationalarchives
.gov.uk/doc/open-government-licence or email email@example.com.