1

MANAGING RISK AT GAS COMPRESSOR STATION, FROM HAZARD RISK UNTIL SECURITY VULNERABILITIES ASSESSMENT

Arie Wisianto PT PERTAMINA GAS Bontang, Indonesia

Raditya Prima Yudha PT PERTAMINA GAS Bontang, Indonesia

ABSTRACT Gas compressor station is one of the important aspect in gas transmission pipeline business beside pipeline itself, managing risk at gas compressor station is the way to ensure our business and maintaining commitment to the stakeholder. SKG Bontang is a gas compressor station located in East Kalimantan Area, operated and owned by PT Pertamina Gas. It was build in 1981 and several modifications have been made during the period such as adding piping connection, office building extension and renovation, installation of new equipments and increasing number of persons involve in this area. Considering gas compressor station changes and its lifetime, a gas compressor station risk management was conducted with objectives are to ensure safety and integrity of this asset, ensuring no harm to people, no damage to environment and no business interruption. The program based on AS/NZS 4360:2004 standard, AS/NZS 3931, HB435:2004, API 580/581, API NPRA SVA, CCPS guidelines for analyzing and managing the security vulnerabilities of fixed chemical sites, scope of work are station inspection and testing, risk register, risk assessment (HAZOP, LOPA, FMEA), SVA (security vulnerability assessment), risk mapping, risk mitigation plan, residual risk estimation. To support consequence analysis a gas dispersion modeling and gas jet flame simulation were conducted, objectives of this simulation are to characterize jet flame and gas dispersion occurrences so we can estimate impact zone of the event then we can calculate their consequences and finally we can figure their risk.

Risk and security vulnerabilities assessment resulting hundred of risk events were identified and registered, finally we took the top ten risks based on their Risk Priority Number (RPN) score and a risk mitigation plan was developed to be implemented.

Keyword: Gas compressor station, risk, security vulnerability, gas dispersion and jet flame, risk mitigation, LOPA, HAZOP

INTRODUCTION

Bontang Gas Compressor Station (SKG Bontang) is one of gas compressor stations that was operated and owned by PT Pertamina Gas, a subsidiary company of Indonesia States owned oil and gas company (Pertamina Perseo). SKG Bontang was built in 1981 and it was operated since 1984, during that time (almost 25 years of age) several modifications and extension such as piping modification, installing additional scrubber, office building renovation and extension have been done. All of this improvement was done to accommodate increasing gas capacity and company reorganization. An attention should be paid to calculate the effect of changes; a management of changes shall be documented and socialized. Changes have two side effects, at first it will improve operational aspect and of course we must consider side effect to the system.

PT Pertamina (Persero) established Enterprise Risk Management (ERM) policy by issued decree of Pertamina President & CEO Kpts 045/C0000/2004-S0 dated 28 September 2004 regarding implementation of enterprise risk management (ERM). Based on this decree we prepare an ERM program, starting from risk identification, risk analysis, risk evaluation, risk register and doing risk management cycle.

PT Pertamina Gas Area Kalimantan has received Quality Management System (ISO 9001) certificate and OHSAS 18001 certificate. Inline with ERM policy and OHSAS 18001 then we conduct a comprehensive risk assessment that cover strategic risk, operational risk, financial risk and hazard risk. Objectives of this initiative are managing risk in our area, reducing risk as low as practicable level, compliance with regulation and protecting our people, environment and assets.

2

riskassociatedtoimproperstrategyimplementation riskassociatedtooperationaldisruption riskassociatedtofinancialaspect,market riskassociatedtoassetdamage,harm,injuryandenvironmentdamagewrongbusinessdecision,unanticipateexternalen duetoprocessbusinessinteruption liquidity,credit,currency,cash,fundingvironmentchanges. humanresourecesproblem, improperbusinessscheme,inefficiency(legal,reputation,regulationetc) organization,whereabnormaloperation opprtunityrevenueloss

occurduringthetime

ResignfromPOMA Unsatisfiedlaboursupply Unpaidtollfee/latepaymentSKGSantantakeover impropertechnologyimplementation overcapacity/lowutilizationassetPTBadakNglpipelineoperation&maintenanceservice Socialproblem ImproperaccessarrangementschemeEnteringNGLandDMEbussiness Environmentproblem latepettycashtransfer

EnterpriseRiskManagement

FinancialRiskOperational RiskStrategicRisk Hazard Risk

HAZOPLOPARiskMatrixQRAFMEAJSARiskGraphFireriskassessment

RiskAssessment

STATICEQUIPMENT

PIPING&PIPELINEVESSEL

ROTATINGEQUIPMENT

PUMPCOMPRESSORGENSET

LIFTINGEQUIPMENTCRANE

AUTOMATION&ELECTRICALSCADAELECTRICAL/POWERSYSTEMCONTROLSYSTEMUTILITIES/AIR

FUNCTIONALSAFETYSYSTEMSISFLAREALARMSAFETYRELIEFVALVEFIRESYSTEM

HUMAN

OFFICE&BUILDING

NATURALHAZARD

SECURITY

HRATHERP

RiskAssessment

sva RiskAssessment

Geohazardriskassessment(riskmatrix)

RiskAssessment

Station Pipeline

RISK MANAGEMENT Ref AS/NZS 4630 risk management is the culture, processes and structures that are directed towards realizing potential opportunities whils managing adverese effect. Risk management process is the systematic application of management policies, procedure and practises to task of communicationg, establishing the context, identifying, analyzing, treating, monitoing and reviewing risk. ISO 31000 showing risk management process as follows :

Figure 1 Risk management Process Based On ISO 31000

The first step of risk management process is defining context, in this paper I only talk about risk at gas compressor station. The boundary limit of this subject is shown in figure 2.

Figure 2 Plant Lay Out and Risk Assessment Boundary Limit

Risk structure at gas compressor station can be seen in figure 3 as follows:

Figure 3 Risk Structure in the context of ERM PT Pertamina Gas Kalimantan Area facing four risks and categorized as follows:

1. Strategic Risk, risk associated to improper business strategy decision. In our case included in this category is a decision to take over Santan Gas Compressor station from Chevron and will be operated by our self.

2. Operational Risk, risk associated to operational disruption due to process business interruption. In our case is potency of strike of the labors.

3. Financial Risk, risk associated to financial aspects such as cash flows, currency and project financing. In our case included in this category is risk due to rejection of toll fee payment based on new tariff.

4. Hazard risk, risk associated to injury, harm, fatality, environment damage and assets damage.

As a result from risk management team workshop the highest risk contributor in Kalimantan Area is hazard risk. I will not discuss more detail about how we decide and compare strategic risk, operational risk, financial risk and hazard risk and then resulting hazard risk is the most contributor. But I prefer discussing how do we develop hazard risk management effectively, in this case effective mean the programs have ability to:

1. Discover risk that cannot be revealed using previous method

2. Engage participation of all employees, labor contract and every one at workplace. More people thinking about risk, more risk can be discovered.

3. Consistent compared against criteria (risk appetite) 4. Well documented for continuous improvement

The problems found during early program are: 1. Hazard and risk data not well documented, some

important documents are missing (HAZOP, Cause & effect matrix, environment impact study, latest P & ID after modification, no accident investigation report, no incident record etc).

2. Lack of risk knowledge especially for contract labor. 3. Risk assessments have been done by several

departments; they were separated process and not

3

integrated. Integrity department doing risk assessment for RBI purpose, HSE department doing risk assessment especially for safety and environment purpose. They were not integrated process, not a consistent process so very hard for decision maker to decide risk treatment program based on their priority.

4. They were not a life cycle process so very difficult doing continuous improvement.

HAZARD IDENTIFICATION & RISK ASSESSMENT SKG Bontang is a business unit that already established and running well, as I explain before the highest risk contributor is hazard risk thats way we focus on developing risk treatment program especially to reduce risk associated to hazard from physical assets. Definition of hazard is any real or potential condition that can cause injury, illness, or death to personnel, damage or loss of a system, property or environment (MIL-STD 882D). According risk management process as depicted on figure 1, the first step on doing risk assessment is risk identification. Risk identification in case of hazard risk assessment is hazard identification. Hazard identification is very important when doing risk analysis, an effective hazard identification/risk identification need to be performed to avoid unidentified hazard becoming mishap. To identify hazard we did step by step process as follows:

First layer of risk in the context of hazard risk are coming from station facilities and mostly are hazard from physical assets (figure 4). At gas compressor station we can find hazard at :

a. Hazard located at rotating equipment b. Hazard located at static equipment c. Hazard located at electrical equipment d. Hazard located at SCADA (automation) e. Hazard located at building, workshop,

warehouse f. Hazard that come from human error g. Hazard located at gas flare & disposal system

Figure 4 Hazard and Risk from physical assets

Although during normal operation these hazards have been protected by design (e.g. high pressure protected by sufficient wall thickness), there is always opportunity an initiating mechanism could transform hazard from dormant state to mishap state. Also although some protection layers have been installed to prevent and mitigate mishap, there is also an opportunity the protection layers fail to perform their function and mishap occur or escalate becoming disaster (figure 5).

To avoid this evident we shall ensure prevention system and mitigation system always ready to do their job.

An experience when doing SIL assessment resulting requirement of SIL 1 for ESD system at inlet pipe. Actually the existing ESD system is not comply with SIL 1 and another new ESD is required to install at 16 inlet pipe. This evident show us that during that time we live under high risk condition due to our protection layers actually were not enough giving protection to us.

Figure 5 Risks from Protection Layer

Potency occurring mishap because of human intervention such as sabotage by external or internal party. The risks are controlled by security aspect and

4

Number of Consequences by Severity and Likelihood (Risk Matrix)

1

44

10231

33

1

23

115

thats why a security vulnerability assessment (SVA) also important to be done to ensure risk has been properly controlled.

METHODOLOGY I have mentioned that one of our problems is hazard and risk document is not well documented. It is important at the beginning to do hazard identification then we can analyze their risk. When doing risk analysis and hazard identification several techniques are available, in our case we use HAZOP technique at first stage, HAZOP can be done quickly, easy, qualitative and applicable for simple scenario. Limitation of HAZOP technique is only identify and assess risk at process line where we can see in P & ID (piping, scrubber, gas turbine compressor, heat exchanger etc), HAZOP cannot identify risk at workplace, cannot state that independent protection layer is sufficient. LOPA having capability to enhance HAZOP result and decide the Independent Protection Layer (IPL) is sufficient. So after doing HAZOP we conduct LOPA to enhance HAZOP and ensuring our risks are properly controlled. After finishing HAZOP we continue doing semi quantitative risk analysis using Layer of Protection Analysis (LOPA) technique. Center for Chemical Process Safety (CCPS) suggest to do risk assessment within spectrum as depicted in figure 6.

Figure 6 Spectrum of Risk based decision making by CCPS (LOPA Simplified Process Risk Assessment)

LOPA help us to inform risk that we assess are acceptable against criteria or not, still under ALARP or not. HAZOP cannot perform this task. Identifying and analyzing risk not only related with process line, we must also analyze risk at workplace, risk associated to security, risk associated to our job etc. Hence, other risk identification techniques are needed. The important aspect is how to make risk management process as a life cycle process, participate by whole people in organization and can be updated rapidly. How do we identify risk at workplace? Job Safety Analysis (JSA) and PEKA card (similar to STOP card by Dupont) were conducted. These programs intended to discover risk that cannot revealed by HAZOP or LOPA. Risk identification at

workplace, wherever, whenever risk identified by employee, contract labor or guests can be recorded and informed to officer or risk account. The programs engage all people to participate in identifying risk where they found, more people participate in identifying risk more risk can be discovered. Summary of participation result can be seen in figure 9, also risk identification through PEKA card depicted in figure 10. Another risk that currently also big issue is risk associated to security aspect, although our asset having high reliability and protected by good safety management but once our plant attack by third party hence serious consequence will occur. We have experience where a plant exploded due to theft case, a theft trying to take a hydrocarbon product using nylon rope and causing static discharge and generated fire explosion. Security issue should be considered as serious risk and we implement Security Vulnerability Assessment (SVA) to assess risk with regard security aspects and then developing risk treatment accordingly. According 2009 data we got two security cases (see figure 11) so we took credit in security issue. Safety Integrity Level (SIL) also contributing significant risk reduction program to ensure our risk related to safety integrity function under criteria. Figure 13a is an example, according to SIL assessment can be concluded that ESD at inlet pipe should be SIL 1 category but actually non SIL ESD installed. A modification of ESD at inlet pipe was suggested. What we have done can be seen in figure 8, the important thing is risk management should be a life cycle process, need strong spirit to make it live. RESULT OF RISK ANALYSIS From P & ID drawing team decided to divide process system into 40 nodes, HAZOP study resulting 254 causes with detail of the figure are Risk Level C (acceptable with control category) 112 causes , risk level N (Not desirable) 142 causes. Risk distribution according assessment can be seen in figure 7.

Figure 7 Risk Distribution

5

A; acceptable, no risk control measures are needed C: acceptable with control, risk control measures are in place N: not desirable, risk control measures are should be introduced within a specified time period, U: unacceptable, risk control measures should be introduced at the earliest opportunity From qualitative risk analysis (HAZOP) need to be refined using semi quantitative technique, LOPA is then be used to refine HAZOP and determine the risk is under tolerable region or not. Using the same node (40 nodes) and risk matrix 5 x 7 we can conclude risk mapping from LOPA as follows:

Risk mitigated event level 4 are 19 causes Risk mitigated event level 5 are 27 causes Risk mitigated event level 6 are 65 causes Risk mitigated event level 7 are 7 causes

The highest risk level (level 7) is risk due to fire case with initiating event gas leak at node 1, the case having probability of failure at least 1 x x10-4 with level of severity 4. From HAZOP and LOPA assessment can be concluded no risk exceeded tolerable area. But to achieve the lowest risk as low as practicable hence several risk mitigation were proposed. Several recommendations that have been proposed are:

Repair Liquid Level Controlled (LLC) at main scrubber.

Replace floater level controller at main scrubber. Enhance alarm management. Install new ESDV at inlet pipe 16 Enhance and modify F & G system. Install CCTV and access control. Install toxic gas detector to identity ammonia where

they are exceeding tolerance criteria then alarmed. Always maintain control room into positive pressure

to mitigate ammonia from fertilizer plant.

SVA has been conducted and the results are: 1. Turbine house is the most risky area 2. 17 assets are having risk level at TR4 3. 3 assets are categorized as TR3

4. 3 assets are categorized as TR2

Its suggested to install CCTV, access control and move parking area into outside compressor station fence. As an example I attach photographs (figure 12 and 13) that showing risk discovered during the program.

CONCLUSION & SUGGESTION Conclusion

When doing ERM implementation as general can be conluded risk at SKG Bontang are under tolerable criteria. But several safety measures suggested to maintain risk at acceptable region.

HAZOP, LOPA, PEKA card, JSA, SIL assessment and SVA have been used to identity risk, to analyze risk. No single tool having capability to assess all risk, selection of tool that is most suitable method is critical to do risk assessment effectively.

Other factor to do risk management effectively is involvement of all people in workplace. More people active to participate in risk identification, more risk can be discovered. Socialization, training and communication are important to build risk behaviour.

Most people have been trapped to do risk assessment and only emphasize on integrity and safety aspects, such as Risk Based Inspection (RBI) or HAZOP. Widely perspective shall be considered (SVA, SIL, PEKA card, JSA, RCM, Human Risk Assessment/HRA) to build risk management effectively.

Risk management shoul be done across departments, a team consist of member from multi dicipline can build risk management effectively. Risk analyst from integrity department, from HSE department, from project department or finance department could share their knowledge and develop comprehensive risk assessment.

Risk always changes as the internal and or external condition changes, changes due to regulation changes, criteria changes, plant modification, changes in technology etc. A continual improvement based risk management there for needed, ISO 31000 is one of good guideline to do risk management process.

Recommendation

6

A risk register database and risk assessment application consist of several methods are suggested to build risk infrastructure. An easy update process, widely distributed and easy to access is needed to support effective risk management.

ACKNOWLEDGMENTS The Authors wish to thank the management of PT

Pertamina Gas for their permission to publish this paper, The authors are grateful to VP Operation East Region for his support and for proofreading this paper.

REFERENCES

1. API RP 521, Guide for Pressure Relieving and Depressuring System

2. API RP 581 2nd edition-2008, Risk Based Inspection Technology

3. API 580 1st edition 2002, Risk Based Inspection 4. API 2nd edition 2004, Security Vulnerability Assessment

Methodology for The Petroleum and Petrochemical Industries

5. API 1164 1st edition - 2004, Pipeline SCADA Security 6. AS/NZS 3931 Australian/New Zealand standard, IEC

60300, Risk Analysis of technological system application guide

7. AS/NZS 4630:2004 Australian/New Zealand standard, Risk Management guideline

8. CCPS-2003, Guidelines for Analyzing and Managing The Securities Vulnerabilities of Fixed Sites

9. Clifton A Ericson II, Hazard Analysis Techniques for System Safety, John Wiley & Sons 2005, New Jersey Chemical

10. COSO (The Committee of Sponsoring Organization of The Treadway Commission) 2004 , Enterprise Risk Management Integrated Framework

11. David Mc Donald, Practical HAZOP, Trips and Alarms, Elseviers Science & Technology, Oxford UK

12. Final Report Risk, Safety and Security Assessment at PT PERTAMINA GAS Kalimantan Area, PT Trihasco Utama 2009

13. Final Report Risk Analysis at Bontang Gas Compressor Station, PT Trihasco Utama 2008

14. ISO 31000-2009, Risk Management Principles & Guidelines

15. OHSAS 18001-2007, Occupational Health and Safety Management System requirements

16. Mark Tweeddale, Managing Risk & Reliability of Process Plant, Gulf Professional Publishing - 2003

17. PT PERTAMINA (PERSERO) Board of Director Decision Letter No. Kpts-045/C0000/2004-SO dated 28 September 2004 regarding Risk Management Policy

7

8

Figure 8 Risk Management Implementation in PT Pertamina Gas Area Kalimantan

Figure 9 PEKA card (STOP card) participants

0

5

10

15

20

25

30

PEKA Card Participant 2009

PEKA Card

9

S V A cases

Figure 10 PEKA card finding during 2009

No DescriptionMonth Total

CumulativeUntill Dec2009 January1 No.ofSabotage 0 0

2 No.ofMajorLossProperty 0 0

3 No.ofMinor LossProperty 2 0 2

4 No.ofDestruction 2 0 2

Figure 11 Security Performance Indicators

(a) (b) (c)

Risk potency causing Injury Risk potency causing electric shock & short Risk causing insufficient IPL discovered by using PEKA card discovered by using PEKA card discovered by using LOPA

Figure 12 Examples of Hazard Risk Discovered during 2009

10

(a) (b) Risk due to insufficient Protection Layer that revealed by LOPA Increasing risk due to regulation changes

- SIL Assessment (IPL performance below SIL 1) (Minister 0f Environment No. 13/2009, prohibited to burn hydrocarbon at open pit), discovered by audit trail

Figure 13 Examples of Increasing Risk after Assessment