ISSUE 2
October 2003
Whilst every effort has been made to ensure the accuracy of the information contained in this
publication, neither UKOOA, nor any of its members will assume liability for any use made thereof.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without prior written permission of the publishers.
Foreword
1995 Edition - In publishing these Guidelines UKOOA gratefully acknowledges the support
and assistance given to their preparation by the Health & Safety Executive (HSE), British
Chemical Engineering Contractors Association (BCECA), British Rig Owner’s Association
(BROA), and International Association of Drilling Contractors (North Sea Chapter) (IADC).
2003 Edition – UKOOA gratefully acknowledges the continuing support and assistance
provided by the Health & Safety Executive during the production of the Fire and Explosion
Guidance Update.
This document is part of a series being produced by UKOOA and HSE on fires and
explosions, the full series being:
− Part 0: Fire and Explosion Hazard Management
− Part 1: Avoidance and mitigation of explosions. Describes design considerations for the
prevention, control and mitigation of explosions
− Part 2: Avoidance and mitigation of fires. Describes design considerations for the
prevention, control and mitigation of fires
− Part 3
This Part 1 document is taken from MSL Engineering Reports C26800R006 Rev 2 and
C26800R007 Rev 2.
Contents
1 Introduction ... 1
3.1 Introduction ... 14
3.2 The Use of the Fire and Explosion Assessment during the Installation Lifecycle ... 14
3.3 Stages of the Installation Lifecycle ... 17
4.1 Introduction ... 26
4.2 Timing and Detail of the Assessment ... 27
4.3 Hazard Identification ... 28
4.4 Initiating Frequency Analysis ... 31
4.5 Characterisation of Fire and Explosion Hazardous Events ... 32
4.6 Consequence Analysis ... 34
4.7 Escalation Analysis ... 37
4.8 Risk Assessment ... 39
6 Selection and Specification of Systems for Fire and Explosion Detection, Control and Mitigation ... 47
6.1 Principles ... 47
6.2 Selection and Specification Overview ... 47
6.3 Selection of Systems ... 50
6.4 Specification of a System ... 53
7 Guidance on Systems for the Detection, Control and Mitigation of Fires and Explosions ... 61
1 Introduction
The updated Fire and Explosion Guidance has been prepared to encourage an integrated
approach to the management of Fires and Explosions. As such, it complements the Safety
Case and should help those persons with responsibilities for the safe design, construction
and operation of installations to manage fire and explosion hazards. It should also assist
duty holders to comply with the Offshore Installations (Safety Case) Regulations (SCR), the
Offshore Installations (Prevention of Fire and Explosion, and Emergency Response)
Regulations (PFEER), the Management of Health and Safety at Work Regulations
(MHSWR) and the Provision and Use of Work Equipment Regulations (PUWER).
The updated Fire and Explosion Guidance applies to new and existing, fixed and mobile
installations. It has been written specifically for the United Kingdom Offshore Oil and Gas
industry but may be applied elsewhere, both on and offshore. The principles may also be
applied to the management of other hazardous events.
The updated Fire and Explosion Guidance outlines a particular structured approach to the
management of fires and explosions. Operators/Owners of existing installations should
examine their management system to see how they comply with the overall aims outlined
in Section 2.1. They should then assess the need for change, the benefits, extent and
timing.
Mobile installations will also have to comply with their flag administration and international
maritime requirements. The updated guidance should be used in addition to those
requirements, to ensure that their management systems are adequate for all the fire and
explosion hazards which may be encountered.
The updated Fire and Explosion Guidance aims to promote understanding of hazardous
events involving fires and explosions by both designers and Operators/Owners. It is
through understanding of the causes, characteristics and likelihood of such events that an
effective management system can be put in place for each. The management system
would include inherently safer design and operation and a combination of suitable
prevention, detection, control and mitigation measures. The updated guidance shows how
the Operator/Owner, operators of plant and each engineering discipline play a part in
managing hazards and hazardous events. Effective management starts with the initial
studies and continues until the installation is decommissioned. The guidance uses the
lifecycle safety management concept and outlines the role that each person should play in
the process.
The updated Fire and Explosion Guidance outlines the management process, the
analyses and decisions that need to be taken and the factors to be considered when
making those decisions. Above all, the aim is to encourage a balanced approach to
hazard management by ensuring that the resources provided to manage fires and
explosions are commensurate with the risks of these events. The guidance provides a
framework whereby everyone, managers, designers, Operators/Owners, contractors and
auditors, can work effectively together to understand and manage the hazardous events.
The updated Fire and Explosion Guidance sets out what is generally regarded in the
industry as good practice. It is not mandatory and Operators/Owners may adopt
different standards in a particular situation where to do so would maintain an equivalent
level of safety.
More specific guidance is available to support this Part 0 (“Fire and Explosion Hazard
Management”) of the updated guidance. Further information is available in the informative
sections at the back of this document, and there are three further guidance documents
which cover the design considerations for fires and explosions, which can be found on the
UKOOA or fireandblast.com websites:
http://www.oilandgas.co.uk
http://www.fireandblast.com
The three further guidance documents for design considerations and implementation
cover the following topics:
• Part 1 Guidance on design and operational considerations for the avoidance and
mitigation of explosions
• Part 2 Guidance on design and operational considerations for the avoidance and
mitigation of fires
One intent of this Guidance is to move the decision-making processes within the fire and
explosion design field as much as possible towards a ‘Type A’ process from ‘Type B or C’
as defined in the UKOOA document the “Risk Based Decision Making Framework”, the
main figure of which is illustrated overleaf.
− all fire and explosion hazards should be identified, analysed and understood;
− overall risk from all major accidents including fires and explosions should be
assessed, and be "as low as reasonably practicable" (ALARP);
− the systems provided to protect personnel from the effects of fires and explosions
should be suitable for these hazardous events and have performance standards
commensurate with the required risk reduction;
− any changes to the installation which may affect the likelihood or consequences
of fires and explosions should be identified, assessed and the systems revised to
take them into account as necessary.
2.2 Principles
Effective, economic FEHM depends on the appropriate timing and use of resources. This
can be achieved by following the principles for identification and assessment of the
foreseeable hazardous events (see Section 4.1) and for selection and specification of
safety systems (see Section 6.1). This approach is structured around the life cycle concept
described in Section 3.
− fire and explosion assessment should commence very early in the design and
should be used as one of the bases of hazard management throughout the
installation lifecycle;
− resources should be assigned to systems taking account of the risks from the
hazardous events and the role of the system in reducing them;
− the principles of quality management should be followed, e.g. ISO 9000 Quality
Management and Quality Assurance Standards - Guidelines for Selection and
Use;
− reduction of the risks from fires and explosions through inherently safer design
(see Section 5.1);
− design to reduce the likelihood, scale, intensity, duration and effects of each
hazardous event;
− verification;
− documentation.
The lifecycle approach shows how to prepare and implement a strategy for the
management of fire and explosion on an offshore installation throughout its life, i.e. from
design through commissioning and operations to decommissioning. This is developed
firstly by inherently safer design, followed by prevention of identified fire and explosion
hazardous events and then by the selection of detection, control and mitigation measures.
The fire and explosion assessment process is used in the lifecycle to provide information
on which to base decisions and design systems. Thereafter, it is used to assess these
arrangements to make sure that the high level performance standards have been
achieved.
− for new installations it should start during feasibility studies and be fully
developed during detail design. The results should then be communicated to
personnel operating the installation to ensure that they know the purpose and
capability of all the systems, can operate them properly and that adequate
maintenance schemes are in place;
The management of hazards to reduce the risks involves many interests which may often
appear to conflict with each other. The process is a multi-disciplinary activity, involving all
levels of personnel from senior management to junior staff from a number of different
organisations. Table 2.1 outlines a typical range of tasks for these personnel. It is
important that the input and activities of these personnel are fully coordinated and
managed. The SMS of each organisation should identify the relevant responsibilities.
ALARP can be described as the process of striving to reduce risks to a negligible level
while taking due consideration of the economic and schedule implications of this goal, see
the figure below.
The cost of a measure (in terms of the time, cost and difficulties in implementing it) must
be compared with the amount of risk reduction it brings. If the overall costs are ‘grossly
disproportionate’ to the benefits, then implementation of the measure may be
inappropriate.
Appropriate standards and accepted industry practice are tools to achieve and
demonstrate reasonably practicable risk reduction. These should be appropriate to the
hazards and hazardous events on the particular installation so that they contribute
significantly to the reduction of risk.
However, although concentrating on the primary risk contributors, care should be taken
not to miss reasonably practicable ways of reducing the risk from apparently less serious
events.
Risks closer to the unacceptable region merit a closer examination of potential risk
reduction measures.
Further guidance on the demonstration of ALARP is available from the following sources:
• Principles and Guidelines to Assist HSE in its Judgement that Duty Holders Have
Reduced Risk as Low as Reasonably Practicable
http://www.hse.gov.uk/hid/spc/perm12.htm
HSE Books have published a guide which sets out an overall framework for decision
taking by the HSE (R2P2), which is available in hard copy form (28) and as a free download
from http://www.hsr.gov.uk/dst/r2p2.pdf .
Table 2.1 Typical tasks for three levels of personnel (the column headings are not recoverable from the source)
First column:
− Understand the hazardous events on the installation
− Select the safety system
− Set the system design specification
− Develop and work to procedures needed to manage the hazards
− Operate the plant to the performance standards
Second column:
− Understand the hazards which may affect them and their response to the hazardous events
− Perform their role (if any) in the management of these hazardous events
− Develop designs to meet the system specification
− Provide information to allow the Operator to input and maintain the systems to meet the performance standards
− Communicate the purpose and documentation on the system to the Operator
Third column:
− Verify that there is an adequate understanding of the hazards
− Verify that adequate systems are in place to manage the hazards
− Verify that the systems meet their performance standards
− Feedback the results to the operator
The columns within the table are applications for three levels of personnel. They may work within the same organisation or
work separately.
Part 0: Fire and Explosion Hazard Management
UKOOA FIRE AND EXPLOSION GUIDANCE
For any goal it is usually possible to identify one or more measures whose performance
will be a reasonable indicator of how successfully the goal is achieved. These can be
described as performance standards and defined as follows:
Performance Standards are particularly important (and legally required in the UK) for
defining the performance of elements that help to manage or defeat a specific hazard.
The Safety Critical Element (SCE) is defined as any structure, plant, equipment, system
(including computer software) or component part whose failure could cause or contribute
substantially to a major accident, and thus includes any measure which is intended to
prevent or limit the effect of a major accident. SCEs should have fulfilled their function or
remain operational. For example, plastic deformation of the structure is acceptable
provided collapse does not occur allowing barriers to remain in-place and adequately
resist any subsequent fires or other hazards.
Further general guidance on performance standards may be found in the HSE publication
“Successful Health and Safety Management” (see Appendix 3).
The Safety Case regime requires that performance standards should be set.
(HSE Publication “A Guide to the Offshore Installations (Safety Case)
Regulations 1992 “)
These are the goals for safety of the installation and relate to the overall risk to
persons on the installation. Fires and explosions will contribute to some of this
risk.
It may not be possible to measure these standards directly but they should be
capable of verification from the results of assessments of low level performance
standards. Nevertheless, even when not directly measurable they should be
auditable in order to fulfil their principal role which is to provide a benchmark so
that the adequacy of the arrangements may be assessed.
Performance standards at this level may relate to the principal systems used to
detect, control and mitigate fires and explosions. However whatever performance
standards are selected, three key characteristics should apply. Firstly, the
selected items should make a significant contribution to the overall acceptability
of the FEHM arrangements. Secondly, the parameters chosen should be directly
relevant to the achievement of the system goal, and thirdly, the performance
standard should be capable of expression in terms of parameters that are
verifiable.
The process of setting the detailed low level performance standards therefore
involves a review of the required performances under the anticipated emergency
conditions of the systems, sub-systems or equipment that make up the fire and
explosion prevention, detection, control and mitigation arrangements. The
purpose of this review is to identify those items that make the most significant
contribution to the overall acceptability of the arrangements. It is necessary to
identify those items where significant performance deviation would jeopardise the
arrangements to the extent that the strategic objectives set for the installation
would not be satisfied. It is also important when undertaking this review to
determine what effective barriers to the occurrence of a particular hazard are
provided. The number and integrity of these should take into account the
magnitude of the hazardous event and the likelihood of the initiating event in the
absence of these barriers.
In the setting of the low level performance standards it may be helpful to consider
FEHM arrangements in hierarchical terms. First, those items of systems
performance that are primarily important in the achievement of the overall
objectives should be identified.
Moving down the hierarchy, assessment should indicate the most important
factors contributing to the success of that system.
Performance standard – These items must not fail during the DLB or SLB; ductile
response of the support structure is allowed during the DLB.
Some main feedback loops are shown but other stages may also require feedback.
3.2 The Use of the Fire and Explosion Assessment during the Installation Lifecycle
FEHM is an integral part of the SMS throughout the installation lifecycle.
The lifecycle is made up of the general stages of concept selection, detail design,
construction and commissioning, operation, modifications and decommissioning. These
are described in Section 3.3, detailing the approximate timing and sequencing of particular
activities.
FEHM is a continuous process rather than a series of discrete steps. There will be
overlaps and iterations between the various stages of the design, commissioning and
operation phases with earlier decisions reviewed and revised as necessary. However the
effective use of data from the fire and explosion assessment process at the appropriate
stage should reduce the need for continual changes - see Section 4.
Each numbered step of the assessment process for fires and explosions as outlined in
Section 4 is linked with the relevant stage of the lifecycle. These steps are shown in
Fig. 3.1 shaded in boxes 1, 5, 6, 7, 8 and 11 with the associated activity alongside. The
need to revise the assessment and repeat elements of the lifecycle is identified in boxes
19 and 20. At each step of the lifecycle where critical decisions are taken, particularly box
11, these should be reviewed to ensure that all reasonably practicable risk reduction
options have been considered, that the high level performance standards have been
achieved and risks are ALARP.
The lifecycle approach can be applied at any stage of the installation life. With an
operating field or a partially completed design, many or all of the systems will already be
specified or in place and the relevant lifecycle activities will have been completed. In these
cases, the steps of the assessment shown in boxes 5 to 8 and 11 should be carried out as
a discrete activity so that a full picture of the fire and explosion hazardous events can be
developed, before the need for any changes can be determined.
[Fig. 3.1 (flowchart, not reproduced). Recoverable box titles: Concept selection; Set the high level
performance standard; Design hardware to meet parameters; Plan future verification; Commissioning;
Verify that systems are effective and reliable during commissioning and throughout the installation life;
Ensure personnel are trained and competent to implement/operate safety systems; Modification.]
− concept design;
− detail design;
− commissioning;
− operation;
− decommissioning.
This is the statement of the standards of the installation as a whole for the safety
of personnel. At this stage, Performance Standards may also be defined for
major systems such as Temporary Refuge (TR) impairment frequencies,
environmental standards and targets for reducing damage to the platform. These
would be relevant if the reduction of fire and explosion risks contributes to
meeting these targets.
Attention should be paid to the primary risk contributors and the practicality and
cost of preventing, controlling or mitigating them.
This is the definition of which codes and standards will be used to design the
structure, plant and equipment. These include the primary prevention measures
which ensure the technical integrity of the plant. The appointment of the designer
and Operator/Owner management systems, including structure and
responsibilities, should also be defined.
This is the start of the formal assessment of the fire and explosion hazardous
events. It may use the output from the conceptual selection studies as a start
point. For a new design, the identification of possible hazardous events should be
used to review the layout and process design so as to eliminate or reduce all
hazards to meet the high level performance standards, concentrating particularly
on those hazards which make the predominant contribution to the overall risks.
On an existing installation, it may be possible to identify ways of reducing the
risks through changes in operational practices.
The assessment requires that initiating events are identified. This allows the
causes to be identified and a check of the design codes and standards and SMS
and operating parameters to ensure that they are suitable to address the causes
and adequate to deal with their severity. Where they are found to have shortfalls,
the codes and standards may be changed or enhanced. Procedural systems or
operating parameters may be changed and, if necessary, new specific prevention
measures may be added. This may lead to a further review of previous lifecycle
steps - follow feedback loop to Step 4 as shown in Fig 3.1.
The characterisation of the hazardous events identifies the size, intensity and
duration of representative hazardous events and the contribution of control
measures. This enables the most severe events to be identified and their control
measures to be enhanced or augmented to reduce their severity. At this point
those events to be used as the basis of design for mitigation systems are chosen.
Particular attention should be paid to the guidance in Section 4.5.1.
The plant and equipment which could fail when exposed to fire and explosion in
the characterised events should be identified. An assessment of the likelihood
and consequence of these failures determines the need for protection and, in the
case of existing installations, its provision and adequacy.
This applies to hardware (engineered) systems and is the definition of the overall
purpose of the systems and the essential parameters to be met by the system so
that it fulfils its role. The reliability and availability may need some iteration with
the escalation and risk assessment in Step 11. For existing installations this may
be a formalisation of the original design standards and objectives.
This defines the role and the essential parameters required to be met by
procedural systems. It requires confirmation that the manning and competence
levels are or will be available to the extent necessary.
This is the overall review of the fire and explosion risks and their acceptability. It
formalises the escalation analysis which will have been developing as part of the
assessment process. On new designs it is carried out prior to proceeding to detail
design to ensure that the proposed systems are suitable for the hazardous event
and will be sufficient to reduce, as far as is reasonably practicable, the risks from
each hazardous event. On existing installations it is the determination of the
adequacy and contribution of the safety systems provided. The cumulative risks
from all major accident hazardous events should be within the high level
performance standard and ALARP. This information is essential to determining if
remedial measures or improvements are needed to the existing or proposed
system provision. These results may lead to a review of other lifecycle steps -
follow the feedback loop to Steps 4, 7 or 9 as applicable, as shown in Fig. 3.1.
The design contractor and suppliers should co-operate in designing the systems
and components to meet the functional parameters and the availability and
reliability requirements and ensure that any interactions and also limitations are
addressed.
The requirements for verifying that the design has been properly executed and that
systems can be fully inspected and tested at appropriate intervals during their life
should be determined. There is no point in specifying a performance standard
which cannot be verified.
This is to ensure that the systems can be properly operated and maintained and
that they achieve the functional parameters. On an existing installation, it is
necessary to ensure that these facilities are in place. The tasks may include:
− provision of access;
This is function testing which should be carried out prior to installation, during
commissioning, prior to start-up, and at predetermined intervals during the
system life. The function testing during commissioning will normally cover the full
range of operational performance, so as to act as a base line for trouble shooting
throughout the remainder of the lifecycle.
Reference: OGP (formerly E&P Forum) “Guidelines for the Development and
Application of Health, Safety and Environmental Management Systems”, Section 3.4.
This applies both to personnel training and competence for procedural systems
and for the operation, maintenance and testing of engineered systems. It may be
necessary to prepare training courses and schedules and to have sufficient
personnel trained prior to start-up. This applies not only to regular installation
personnel but also to individuals who may visit the installation to operate,
maintain or test the plant. On an existing installation it may be appropriate to
review the training and competence of existing personnel.
This requires the continued maintenance and operation of the plant so that the
engineered and procedural systems continue to meet their original intent as
developed during the design and initial assessment process.
During the life of the installation, changes may be considered or arise naturally
through, for example changes in the produced fluids from the reservoir.
Alternatively a safety system may deteriorate so that it is unlikely to continue to
achieve its intended functional performance, reliability and availability. All
changes should be assessed to determine the effects on the high level
performance standards and, where necessary, improvements should be
considered to the systems provision.
The design process should have considered likely decommissioning hazards and
identified the relevant procedures or systems. These should be formally reviewed
prior to decommissioning of either part or all the plant to ensure that all hazards
are identified and adequately addressed. Where the existing systems or
procedures are deficient, these should be addressed by following the relevant
steps in the lifecycle.
The output of the Fire and Explosion Assessment process also provides
information on the hazards and hazardous events for those responsible for safety;
managers, designers and Operators. This information includes the causes,
characteristics, likelihood and the means to prevent and limit the events and to
protect personnel.
− it should identify all foreseeable events with the potential to cause a major
accident;
− it should be continuous and recognise the need for revision of the assessment as
more information becomes available and the design evolves;
The assessment process should be used as a design and operational tool to understand
the hazards and hazardous events and to identify when prevention, control and mitigation
measures can be applied to reduce the risks. The flowchart Fig. 3.1 shows where and
when the assessment should provide information into the lifecycle and management
process.
4.2.1 Timing
The lifecycle approach in Section 3 and Fig 3.1 shows where information is
needed from particular steps in the assessment in order to make decisions on the
need for, and performance, of risk reduction measures.
On an existing installation, the assessment should already have been carried out
as part of the Safety Case. Modification should follow the lifecycle approach.
The level of detail and accuracy of an assessment is determined by the need for
precise information on which to base decisions and designs.
The quality of the assessment is dependent upon the identification and quality of
assumptions, validation of models, availability of data, including any relevant
experimental data and the competence of those undertaking the assessment. A
simple assessment with appropriate pessimistic assumptions resulting in a
conservative level of provisions may be equally appropriate in place of a refined
assessment resulting in greater accuracy, to justify more targeted risk reduction
measures. Such simple assessments may also be appropriate for some of the
smaller relatively simple installations. The decision as to which type of
assessment should be undertaken is likely to be determined by the capabilities
and technical resources of the organisation undertaking the assessment as well
as purely technical factors.
− the validity and accuracy of the analysis tools used to characterise the
hazardous events and the response of the plant;
− the sensitivity and accuracy of the figures for initiating event frequency
and safety system performance.
The identification of fire and explosion hazardous events is the start point for the
rest of the assessment and of the whole hazard management process. It should
use a structured, systematic and auditable approach which addresses both
process and non-process fires and explosions and covers all parts of the
installation including pipelines, risers and wells. The method employed should be
a structured process, which involves a suitable combination of operations
personnel, design engineers and safety specialists.
The hazard identification process should address all foreseeable fires and
explosions and, in particular, those involving releases of hydrocarbons. This
process should be fully documented including all of the foreseeable causes of
initial release as these should be addressed when identifying the need for
specific prevention measures.
To structure the process, the installation may be divided into discrete areas in
which hazards are identified by considering the process or utilities systems, plant,
fixtures, combustible inventory, etc. within each. Potential external initiators of
fires and explosions such as a helicopter crash are also important and should be
considered. The information required to carry out the initial hazard identification
may include the following (as available):
− Equipment lists;
The materials considered during the fire and explosion hazardous event
identification phase are likely to include:
− Process oil/gas/condensate;
In identifying hazards the parameters which define the type of hazardous event
should be identified and documented. These may include:
− System pressure;
− Temperature;
− Density;
− Composition of material;
− Flash point;
− Ignition sources;
− Combustible load;
− Oxidising agents.
The fire or explosion events identified will vary depending on the hazardous
material involved and the conditions relevant to the particular system or inventory
being considered. Typical events are:
Each identified hazardous event will have a range of possible scenarios, and it is not
reasonable to examine every one. Therefore, representative cases should be
chosen to cover the range of foreseeable events. For example, pipework leak
source might range from that of a poorly fitted flange gasket through to a full bore
rupture. The most important are those foreseeable events where the initial
release and ignition characteristics are likely to cause the most extensive
damage and the greatest risks to personnel. In the case of fires, there needs to
be sufficient inventory to burn for long enough to cause failure of equipment or
structure. Personnel and delicate equipment may be injured or damaged after a
short fire exposure. Steelwork should survive for several minutes under the worst
case conditions, but protected equipment, or equipment exposed only to thermal
radiation, may survive for considerable periods. The range of events considered should
cover the larger ones which may cause extensive damage to the installation and
those smaller events which could cause local damage leading to escalation.
In selecting the events, due regard should also be taken of the likely causes of
initial failure, the design features of the plant and the resultant size, shape,
arrangement and location of the failures.
In the case of flammable release events, the release frequency may be estimated by
counting all relevant system components which could give rise to a flammable release
within a specified area, and multiplying by failure rate data appropriate to the type,
standard of design, use and operating conditions.
The information available from this part of the analysis may include:
For Fires:
− Duration
− Variation with time (the change in the above characteristics with time; for
example due to reduction in release pressure).
For Explosions:
Both initiating event and those stages of an escalating event when further hydrocarbons
are likely to be released should be characterised. For initiating events, it is necessary to
clearly define the parameters listed below such that the resultant event can be analysed
with the appropriate accuracy and realism.
For escalating events, more general assumptions may need to be made where, for
example, further multiple releases and safety system failures may occur following an
explosion or structural weakening.
It may also be necessary to characterise the initiating events taking account of the failure
of a safety system, such as emergency isolation, where that failure could lead to
significant increase in the consequences.
In carrying out the analysis, the following parameters should be taken into account:
− location;
− inventory;
− ventilation;
− ignition sources;
− control and detection measures and their response time where appropriate:
− depressurisation;
− electrical isolation;
The stage in the lifecycle will dictate the level of analysis required. This may range from
simple empirical correlations and engineering judgement to sophisticated modelling. The
more complex and detailed methods of analysis will take time and require a very high
level of design definition. Therefore their use as a tool to develop and refine the early
stages of design is limited.
The characterisation analysis will identify the most severe events and the analysis
process can be used to enhance the effectiveness of the control measures listed above in
limiting the size, scale and intensity of the fires and explosions.
The results should be presented so that they clearly convey a realistic picture of the
anticipated hazardous events, and their potential for escalation. This is particularly
important for the preparation of an appropriate emergency response plan and the
development of an awareness of the possible hazardous events on the installation.
One of the most important decisions taken in the hazard management process is
the selection of hazardous events from which the concept of an upper bound, or
envelope, of conditions on which the design of control and mitigating systems are
based. The analysis of these events will give the loading parameters for fires and
for explosions as listed in Section 4.5. Alternatively the design could be based on
standard criteria with the loads from the actual design events being checked at a
later stage and compared to the design load. The characteristics of these
loadings need to be defined in sufficient detail so that protection systems can be
designed to match them.
With a new design, the escalation analysis is also important in the selection of the
design accident events, together with the perception of the extent and severity of
the escalation. As the analysis proceeds, a picture of the range of initiating
scenarios and escalating events throughout the platform will emerge. From this
overview, it should be possible to select the design events based on the
practicality of preventing larger initial events and stopping the escalation of
smaller events to those of an extreme magnitude. In particular, a designer would
need to consider the following when identifying a design event:
− the options for reducing the frequency of an incident so that the resulting
risk is ALARP;
− those within the TR, at muster areas or while evacuating who may be
exposed to the effects of the escalating incident
− those who may be exposed while carrying out their emergency response
duties, e.g. control room personnel, emergency teams.
This information can be used to assess and where necessary modify escape
routes and operating philosophies so that the exposure of personnel is reduced.
The need for mitigating measures can also be reviewed.
In assessing the likelihood and manner in which these failures could occur, the
following should be considered:
− time to failure;
− defined failure criteria of the plant or structure - see Sections 7.2.7 and
6.4.1.9;
− protection systems.
The purpose of this study is to identify and assess the vulnerability of those
hazard management systems which may be needed during or after a particular
hazardous event where that event might impair them. This may be used to define
any protection to meet their survivability criteria - see Section 6.4.3.
Such a review may start either with the hazardous events as described above or
with the systems. The latter requires a full examination of all the hazardous events
to which they may be exposed, the importance of that system to control these
hazardous events and the likelihood and consequence of its failure. Particular
attention should be paid to complex systems which are spread and
interconnected throughout the platform. The effects of the failure of localised
components on the overall performance should be considered. In particular, the
following should be examined:
− hydraulic systems;
− electric cabling;
− field devices;
− power supplies.
It is probable that in some cases only part of a system may be exposed and
incapacitated. In such cases, the need to take action to reinstate the remainder of
the system (such as closing of firewater ringmain isolation valves) and the
practicality and likelihood of doing so in an emergency should be identified and
assessed. The performance of the remainder of the system should then be
assessed.
− identify the combination of measures needed to deal with each major hazardous
event and to provide an input to the development of associated performance
standards;
− evaluate the effects on the installation safety systems at each stage of escalation
and how this may affect subsequent escalation;
− evaluate the probability and hence the frequency of each escalation path which
affects the key facilities or systems such as the TR and Escape, Evacuation and
Rescue (EER) facilities and the time duration from the initial event.
This may be carried out as an event tree analysis. This can show the sequence of failures
which need to occur to result in a particular level of consequence and give designers and
Operator/Owner the opportunity to add to or enhance the safety systems to break the
sequence of events.
Experience has shown that often only a relatively small number of escalating scenarios
contribute significantly to the major accident risk on an installation. Therefore the
escalation analysis is an important aspect of hazard assessment and risk management. It
is important that the location, frequency, timing and duration of different scenarios
previously established are fully considered so that mechanisms and routes by which a fire
or explosion could escalate to cause ‘critical failure’ can be identified.
This involves identifying those critical components or systems which, if they fail, have
significant consequences regarding:
− threat to life;
− environmental damage;
− the location and description of the initial event especially its size, severity,
duration and frequency;
− the means by which the initial event may escalate and, at each escalation stage,
the corresponding probability and time to escalation;
− the effects of the events on the installation including the safety systems at each
stage of escalation and how this affects subsequent event progression;
− the effects on the key facilities or systems such as the TR and EER facilities in
terms of impairment, time to impairment and impairment frequency;
In assessing the contribution of safety systems, the characteristics of each stage of the
event should be considered if it is possible that systems may fail to operate successfully
or could be damaged. Such systems may include:
− emergency shutdown;
− blowdown;
− detection systems;
− drainage;
− overpressure protection;
It may also be necessary to consider the actions and decisions of key personnel, in
particular the OIM, in responding to an escalating situation. The decision to move
personnel to different parts of the installation, to abandon the installation, to fight the fire,
etc. and the time at which these decisions are made can have major implications.
The need to take particular decisions should be reflected in the preparation of the
Emergency Response Plan and in the provision of communication and evacuation
systems.
The ability to take decisions may be affected by smoke, heat and the scale of the incident.
This should be taken into account, particularly if the TR and control centre are affected.
An accepted level above which the overall risk is considered intolerable is an individual
risk of greater than 10^-3 per year or a TR impairment frequency of greater than 10^-3 per
year. The overall individual risk from all hazards must be less than this value. If risks are
in the intolerable region then risk reduction measures must be implemented, irrespective
of cost. Hence the risk from other hazards may indirectly affect the acceptability of risk
from explosions and these may need to be considered in setting the target risk levels for
the explosion hazard.
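The three calculations described above, a parts-count release frequency, an event tree for the escalation paths, and the comparison of the resulting TR impairment frequency with the 10^-3 per year figure, can be carried through end to end. The following is an added worked example, not part of the UKOOA guidance; every component count, failure rate and branch probability in it is a constructed illustrative value, not data from the guidance or from any real installation. It also computes the contribution of one control system as the difference in TR impairment frequency with and without that system, as described later in the text.

```python
# Added worked example (not from the UKOOA guidance): parts-count release
# frequency, a small event tree for escalation, TR impairment frequency
# compared with the 1e-3 per year figure quoted in the text, and the
# "difference with and without a system" measure of a system's contribution.
# Component counts, failure rates and branch probabilities are CONSTRUCTED
# illustrative values, not data from the guidance or any real installation.

INTOLERABLE_TR_IMPAIRMENT_PER_YEAR = 1e-3  # figure quoted in the guidance

# Constructed generic leak frequencies (per item per year) for one release
# size class. A real assessment takes these from a failure-rate database
# appropriate to the component type, standard of design and service.
FAILURE_RATE_PER_ITEM_YEAR = {
    "flanged_joint": 5e-5,
    "valve": 2e-4,
    "pump_seal": 1e-3,
    "small_bore_fitting": 3e-5,
}

# Constructed component inventory for one fire area.
EXAMPLE_COUNTS = {
    "flanged_joint": 120,
    "valve": 40,
    "pump_seal": 2,
    "small_bore_fitting": 60,
}

# Constructed event-tree nodes, asked in order: (adverse outcome, P(adverse)).
# 'ignited' is the ignition probability; the others are probabilities that
# the named safety function fails on demand.
EXAMPLE_NODES = [
    ("ignited", 0.1),
    ("esd_fails", 0.05),
    ("deluge_fails", 0.1),
]


def release_frequency(component_counts, rates=FAILURE_RATE_PER_ITEM_YEAR):
    """Parts-count estimate: sum over component types of count x leak rate."""
    unknown = set(component_counts) - set(rates)
    if unknown:
        raise KeyError(f"no failure rate for {sorted(unknown)}")
    return sum(n * rates[kind] for kind, n in component_counts.items())


def event_tree(initiating_frequency, nodes):
    """Expand an event tree into leaves of (outcome flags, frequency).

    Each node splits every live path into an adverse branch (flag True,
    weight p) and a benign branch (flag False, weight 1 - p). Once a path
    is unignited, later safety-function nodes are skipped because they no
    longer affect the consequence (the usual event-tree pruning).
    """
    leaves = [({}, initiating_frequency)]
    for name, p_adverse in nodes:
        expanded = []
        for flags, freq in leaves:
            if name != "ignited" and flags.get("ignited") is False:
                expanded.append((flags, freq))  # pruned: no fire to control
                continue
            expanded.append(({**flags, name: True}, freq * p_adverse))
            expanded.append(({**flags, name: False}, freq * (1 - p_adverse)))
        leaves = expanded
    return leaves


def consequence(flags):
    """Map a leaf's flags to a consequence class (constructed rules)."""
    if not flags.get("ignited"):
        return "unignited release"
    if flags["esd_fails"] and flags["deluge_fails"]:
        return "escalation, TR impaired"
    if flags["esd_fails"] or flags["deluge_fails"]:
        return "prolonged fire, local escalation"
    return "controlled fire"


def assess_area(counts, nodes):
    """Frequency per consequence class plus the TR impairment threshold check."""
    by_class = {}
    for flags, freq in event_tree(release_frequency(counts), nodes):
        label = consequence(flags)
        by_class[label] = by_class.get(label, 0.0) + freq
    tr = by_class.get("escalation, TR impaired", 0.0)
    return {
        "release_per_year": release_frequency(counts),
        "by_consequence": by_class,
        "tr_impairment_per_year": tr,
        "intolerable": tr > INTOLERABLE_TR_IMPAIRMENT_PER_YEAR,
    }


def system_contribution(counts, nodes, failing_node):
    """TR impairment frequency avoided by one system: the tree with that
    system assumed failed (P(fail) = 1) minus the base tree."""
    without = [(n, 1.0 if n == failing_node else p) for n, p in nodes]
    base = assess_area(counts, nodes)["tr_impairment_per_year"]
    degraded = assess_area(counts, without)["tr_impairment_per_year"]
    return degraded - base


if __name__ == "__main__":
    result = assess_area(EXAMPLE_COUNTS, EXAMPLE_NODES)
    for label, freq in sorted(result["by_consequence"].items()):
        print(f"{label:36s} {freq:.2e} /yr")
    print(f"TR impairment frequency: {result['tr_impairment_per_year']:.2e} /yr",
          "(intolerable)" if result["intolerable"] else "(below 1e-3 threshold)")
    contribution = system_contribution(EXAMPLE_COUNTS, EXAMPLE_NODES, "deluge_fails")
    print(f"Deluge contribution: {contribution:.2e} /yr of TR impairment avoided")
```

With the constructed inputs the area's release frequency is 1.78e-2 per year and the TR impairment frequency is 8.9e-6 per year, well inside the tolerable region for this one area; the guidance's point that the threshold applies to the total from all hazards means the per-area figures still have to be summed before the comparison is meaningful.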
The task consists of classifying the installation and its compartments into Low, Medium or
High risk categories to determine the level of explosion assessment required. The
complexity of the process in the compartment is taken as an important measure in the
screening exercise.
In this context, risk is defined as a measure of the product of the consequence and
probability of an incident (estimated from the previous sections); an example might be
an ignited release giving rise to a significant overpressure, greater than 50 millibar.
Risk equals the product of Probability (or Likelihood) and Consequence (or Severity).
− siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in
well ventilated areas and away from large inventories;
Further guidance on inherently safer design is given in HSE Report “Inherently Safer
Design".
The principles for the reduction of complexity and improving operability in Section 6.4.2.7
should also be applied to reduce the number of possible leak points and the
likelihood of operator error.
Note: In this guidance, measures to prevent ignition are considered as preventive measures
although it is possible to regard them as control measures - see Section 7.2.
− internal corrosion/erosion;
− external corrosion/erosion;
− construction defect;
− fire;
− explosion;
− isolation failure;
Most causes of failure will be addressed by the use of established codes and
standards for the design and protection of process plant. However, it may be
necessary to verify that these are appropriate for all the identified likely causes of
failure. This verification may be achieved by the use of a formal Hazard and
Operability Study (HAZOP) during design with an update on completion.
Compliance with the chosen standards should be verified during construction and
planned inspection throughout the life of the installation.
− reduction of possible release points, e.g. use of welded joints and non
invasive instruments;
− interlocks;
− controls on shipping;
− operational procedures.
The aim is to prevent the ignition and sustained combustion of solid, liquid and
gaseous fuels. This includes reduction of ignition sources and the selection of
materials that are less likely to be ignited or sustain combustion. The selection of
materials and specification of appropriately classed equipment falls within the
design remit but operational controls are needed to ensure that the selected
approach is implemented throughout the operational life of the installation.
− prevent gas ingress into internal combustion engines and non hazardous
areas.
The reduction of the likelihood of the formation and the size of a flammable gas
cloud will both reduce the possibility of ignition and any consequent explosion
overpressure or fireball. The following should be considered:
− reduce the distance from potential leak sources to the open air;
i) The assessment of fires and explosions should be used to determine the need for a system.
iii) Systems should be selected and specified to provide an appropriate balance between
prevention, detection, control and mitigation.
iv) Systems should be resourced with regard to the risks from the particular hazardous event
being addressed and their role and importance in reducing that risk.
v) Mitigation systems should be specified after taking into account the contribution from the
detection and control measures in reducing the extent and duration of the hazardous event.
vii) Systems should be capable of being operated, maintained, inspected and verified on the
installation. The design should therefore take these needs into consideration.
viii) Systems should be selected and specified after appropriate consultation with those
responsible for their use and operation.
ix) Systems which may introduce a new hazard, exacerbate an existing one or impair the
performance of another system should be avoided or the interaction should be addressed.
These drawbacks must not offset the risk reduction provided by the system, i.e. there should
be a significant overall benefit.
There are a number of options in the categories listed below. The provision of some
systems may eliminate the need for others in the same or different categories. The quality
of some systems will affect the need for, and standard of others.
− control measures to limit the scale of an event and avoid escalation to a major
accident;
Systems should be chosen with a full understanding of the likely hazardous events, their
means of escalation and the realistic expectation of the capability of the systems.
The fire and explosion assessment process described in Section 4 can be used to identify
where different systems may make a contribution and, by examining the frequency and
eventual consequences, the need for, and performance standards of the system.
The provision and quality of the prevention and avoidance measures may influence the
frequency of occurrence of an initial event. The consequences of this event will be
determined by the provision and effectiveness of the control systems. The provision of
mitigation systems will limit the consequences of escalation. Detection systems may be
used to initiate prevention, control and mitigation systems. The combined performance of
each of these systems will determine the overall risks to life. The provision and
performance of systems should be such that these risks are tolerable and reduced to
ALARP. The selection process should follow Fig. 3.1. The system options are discussed
in detail in Section 7. Evacuation, escape and rescue (EER) are dealt with in UKOOA
Guidelines on the Management of Emergency Response for Offshore Installations.
Each category may have both engineered and operational systems and may be either
specifically designed for a particular hazardous event or a generically applied measure
such as a code or procedure.
The selection of an appropriate combination of measures in a new design will require the
interaction of both designers and the Operator/Owner so that the relative contribution
from, and dependence on, procedural measures and engineered systems is fully
assessed and understood by all involved.
In the case of existing installations, all the measures should already be in place but the
relative dependence on engineered systems and operational measures should be
understood by those responsible for the systems and for the overall safe operation.
Factors to be taken into account in the selection and specification of systems include:
− the functional role of the system and the suitability of that system for the
fulfilment of that role;
− limitations that the systems may place on operations and vice versa;
− any adverse effect that the system may have on hazards or other safety
systems.
Table 6.1 can be used as a suitable consistent method for describing systems to aid their
appropriate selection and specification. The Table can be developed for individual
systems so that there is a common "language" between designers, operators,
Operators/Owners, vendors, auditors, etc. Each of the topics in the table is discussed in
the remainder of this chapter.
SYSTEM: ROLE:
Suitability (6.3.3): A statement of the hazardous events for which the system may be
suitable.
Applicability (6.3.4): A statement of the application, location and types of equipment
for which using the system may be appropriate.
Types/Variations (6.3.5): The different types or variations available of the particular
system.
Interactions/Limitations (6.3.6): Details of possible interactions resulting from the use
of the system. The interactions could be with plant, personnel or other safety systems.
A listing of any limitations of the system.
SPECIFICATION PARAMETERS
For an existing installation, the safety systems will already be in place. The assessment
carried out under the Safety Case will have identified those particular systems which are
important with regard to reduction of the risk from identified hazardous events and judged
their adequacy. It is advisable, initially, to concentrate any improvements on procedural
measures to prevent the occurrence or reduce the frequency and, thereafter, to consider if
further engineered systems are still required following the hierarchy listed in Section 2.3
and Section 6.2.
The extent of a system should be described so that its role and performance can
be defined. This may range from an overall system such as an active fire
protection system to a discrete part such as a deluge system. These may either
have a direct role in counteracting a particular hazardous event such as
preventing rupture of a vessel or a support role for these systems such as
firewater supply or fire and gas detection.
The systems chosen should be suitable for the role which they have to perform.
For Fires:
− flame temperature;
− heat flux;
− flame velocity;
For Explosions:
− overpressure;
− pressure profile;
− drag force;
The choice of a particular type of system should primarily be based on the list of
parameters in Section 6.2 for selecting the system. These parameters should be
assessed for the full lifecycle of the system taking into account the effects of the
environment and site conditions. In considering the applicability, the ability to
operate, maintain and repair it should be given equal consideration to the initial
cost and ease of installation. Systems should, where possible, be simple and
robust to enhance their long term effectiveness.
Interactions include:
− corrosion caused by the system; for example due to deluge system testing
or increased by passive fire protection;
Different parameters will be required for different systems. In some cases numerical
values may be appropriate and in others they may be described qualitatively.
The designer and Operator/Owner must determine the performance standards for the
system. There is a balance between the extent of risk reduction and what is reasonably
practical in terms of cost and manning. Over specification of systems should normally be
avoided as this may misdirect expenditure and apply disproportionate resources to
particular hazardous events or particular safety systems. It may also introduce over-
complexity and detract from the system’s reliability.
These are the parameters which define whether or not a system will fulfil its role
and its effectiveness. A list of parameters is given in Sections 6.4.1.1 to 6.4.1.9.
Each system should be examined to identify which of these parameters are
needed to define functional specification. These may then be used as the basis
of design, for initial verification that the identified role is fulfilled and for continued
verification during the life of the installation. They represent the minimum
acceptable performance standard to be achieved during routine testing. Failure to
achieve this performance would require remedial action or justification.
6.4.1.2 Coverage
The response time should be considered for all active systems which are
required to respond to emergency or hazardous events. The time should
be taken from the start of the event until full functional performance is
achieved. It is not necessary to set response times for the individual
components as it is the system response which is important. However,
individual component responses may be useful as an aid to system
confirmation through component test.
The time taken to detect an event should also be taken into account in
determining the system's overall response time.
6.4.1.4 Duration
6.4.1.5 Logic
It may be necessary to define the likelihood that a system will operate and fulfil its
role whenever required to do so.
The need to specify this criterion for a particular system should be determined
during the assessment of the fires and explosions and by the required risk
reduction from the system.
Systems provided to protect against those hazardous events which make the
greatest contribution to the total risk level will generally need a high reliability or
availability to ensure that they perform the necessary functions when required to
do so. Where there is a heavy dependence on a single safety system to reduce
the risks from a particular major accident, it may be appropriate to consider
duplication of the system to reduce the likelihood of failure on demand.
ii) By reviewing the design of an existing system and assessing the probability
of successful operation. This approach is most relevant to existing
installations.
iii) By applying a generic classification such that the systems are ranked in
accordance with industry practice, standards, codes or by internal company
standards.
The long term reliability of the system will be reflected in the quality of
the components, sub systems and in the design.
There should be clearly defined limits for the periods when a system
may be out of commission. In some cases, it may be appropriate to have
duplicate systems or to shutdown or curtail hazardous operations
whenever a system is not available. In others, it may be appropriate to
set a maximum continuous period when a system may be disabled or a
maximum cumulative downtime over a given period such as a year. It
may be appropriate to set controls on hazardous activities in areas
covered by the safety systems which are not available, or to have
contingency measures to provide alternative cover.
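The two kinds of downtime limit described above, a maximum continuous period out of commission and a maximum cumulative downtime over a period such as a year, are simple to check against an outage record once both are written down. The following is an added example, not part of the UKOOA guidance; the limits (72 hours continuous, 14 days in any rolling year), the system names and the outage log are all constructed for illustration.

```python
# Added worked example (not from the UKOOA guidance): checking a safety
# system's outage record against a maximum continuous outage and a maximum
# cumulative downtime in a rolling year. Limits, system names and the
# outage log are CONSTRUCTED illustrative values.
from datetime import datetime, timedelta

MAX_CONTINUOUS_HOURS = 72.0             # constructed limit on any single outage
MAX_CUMULATIVE_HOURS_PER_YEAR = 336.0   # constructed limit: 14 days in a rolling year
ROLLING_WINDOW = timedelta(days=365)

# Constructed outage log for one module: (system, start, end) in ISO 8601.
OUTAGE_LOG = [
    ("deluge_M03", "2003-01-10T08:00", "2003-01-11T18:00"),   # 34 h
    ("deluge_M03", "2003-03-02T06:00", "2003-03-06T12:00"),   # 102 h
    ("deluge_M03", "2003-07-15T09:00", "2003-07-24T09:00"),   # 216 h
    ("gas_det_M03", "2003-05-01T00:00", "2003-05-01T06:00"),  # 6 h
]


def parse_outages(log):
    """Group (start, end) datetime pairs by system, rejecting malformed rows."""
    by_system = {}
    for system, start, end in log:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if e <= s:
            raise ValueError(f"{system}: outage ends before it starts ({start}..{end})")
        by_system.setdefault(system, []).append((s, e))
    return by_system


def hours(td):
    return td.total_seconds() / 3600.0


def longest_continuous_hours(intervals):
    """Longest single outage, in hours."""
    return max((hours(e - s) for s, e in intervals), default=0.0)


def cumulative_hours_in_window(intervals, as_of, window=ROLLING_WINDOW):
    """Downtime inside (as_of - window, as_of], clipping outages at both ends."""
    lo = as_of - window
    total = timedelta(0)
    for s, e in intervals:
        clipped_start, clipped_end = max(s, lo), min(e, as_of)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return hours(total)


def check_availability(log, as_of_iso):
    """Per system: longest outage, rolling-year cumulative downtime, breached
    limits, and the compensating action the guidance describes for a breach."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings = {}
    for system, intervals in parse_outages(log).items():
        # Only outages that had started by the review date are in scope.
        started = [(s, e) for s, e in intervals if s <= as_of]
        longest = longest_continuous_hours(started)
        cumulative = cumulative_hours_in_window(started, as_of)
        breaches = []
        if longest > MAX_CONTINUOUS_HOURS:
            breaches.append("continuous")
        if cumulative > MAX_CUMULATIVE_HOURS_PER_YEAR:
            breaches.append("cumulative")
        findings[system] = {
            "longest_hours": longest,
            "cumulative_hours": cumulative,
            "breaches": breaches,
            "action": ("restrict hazardous activities in the covered area or provide "
                       "contingency cover until the system is restored")
                      if breaches else "none",
        }
    return findings


if __name__ == "__main__":
    for system, f in check_availability(OUTAGE_LOG, "2003-12-31T00:00").items():
        print(f"{system}: longest {f['longest_hours']:.0f} h, "
              f"cumulative {f['cumulative_hours']:.0f} h, breaches {f['breaches']}")
```

Reviewing the constructed log at the end of 2003, the deluge system breaches both limits (a 216 hour outage and 352 hours cumulative), while the same review carried out at the end of June shows only the continuous-period breach, which is why the check takes the review date as a parameter rather than reporting on the whole log.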
6.4.2.4 Actuation
For manual action the probability will depend on: the availability and
capability of personnel at the time of the initial event, the reasonable
expectation of their performance in an emergency, other duties which
they may have to perform and accessibility to the actuation point in the
emergency. Where such actions are critical, they should be documented
in emergency procedures, competent personnel specifically assigned to
the task and the actions simulated in exercises.
6.4.2.5 Duplication
6.4.2.6 Diversity
Diversity is the provision of components of different types such that they are
not vulnerable to similar failure mechanisms. This would overcome any
common mode failure associated with one manufacturer, design or
maintenance activities.
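The reasoning in Sections 6.4.2 to 6.4.2.6 on reliability, duplication and diversity can be put in numbers with the standard beta-factor common-cause model, in which a fraction beta of each unit's failures is assumed to defeat both units of a duplicated pair at once. The following is an added example, not from the UKOOA guidance; the probabilities of failure on demand, the beta fractions and the demand and target frequencies are constructed illustrative inputs, and the beta-factor model is a swapped-in standard technique rather than one the guidance prescribes.

```python
# Added worked example (not from the UKOOA guidance): probability of failure
# on demand (PFD) of a single system, a duplicated pair of identical units,
# and a duplicated pair of diverse units, using the standard beta-factor
# common-cause model. All numeric inputs are CONSTRUCTED illustrations.


def _check_probability(x, name):
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must be a probability, got {x}")


def pfd_single(p):
    """Probability that a single system fails to perform on demand."""
    _check_probability(p, "p")
    return p


def pfd_duplicated(p, beta=0.0):
    """PFD of a 1-out-of-2 redundant pair under the beta-factor model.

    A fraction beta of each unit's failures is common cause and fails both
    units together; the remaining (1 - beta) * p independent failures must
    occur in both units for the pair to fail. Identical duplicated units share
    a higher beta; diversity of type, manufacturer or maintenance lowers it.
    """
    _check_probability(p, "p")
    _check_probability(beta, "beta")
    independent = (1.0 - beta) * p
    return beta * p + independent ** 2


def required_pfd(demand_frequency, tolerable_frequency):
    """PFD the system must achieve so that demand x PFD <= tolerable frequency,
    i.e. the risk reduction the assessment asks of this system."""
    if demand_frequency <= 0.0:
        raise ValueError("demand frequency must be positive")
    return tolerable_frequency / demand_frequency


def compare_options(p, beta_identical, beta_diverse, demand_frequency, tolerable_frequency):
    """Return {option: (pfd, meets_target)} and the target PFD."""
    target = required_pfd(demand_frequency, tolerable_frequency)
    options = {
        "single": pfd_single(p),
        "duplicated, identical units": pfd_duplicated(p, beta_identical),
        "duplicated, diverse units": pfd_duplicated(p, beta_diverse),
        "duplicated, fully independent": pfd_duplicated(p, 0.0),
    }
    return {name: (pfd, pfd <= target) for name, pfd in options.items()}, target


if __name__ == "__main__":
    # Constructed inputs: each unit fails on demand 1 in 100; identical units
    # share 10 % common cause, diverse units 2 %; the protected event is
    # demanded 5e-2 times per year and the target is 1e-4 per year.
    results, target = compare_options(0.01, 0.1, 0.02, 5e-2, 1e-4)
    print(f"required PFD: {target:.2e}")
    for name, (pfd, ok) in results.items():
        print(f"{name:32s} PFD {pfd:.3e}  {'meets' if ok else 'fails'} target")
```

With the constructed inputs a single unit (PFD 1e-2) fails the 2e-3 target, an identical duplicated pair (1.081e-3) just meets it, and the diverse pair (2.96e-4) meets it with margin; the spread between the last two is the common-cause term beta x p, which is what diversity buys and which duplication alone does not remove.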
6.4.3 Survivability
Where protection is provided, the characteristics and severity of the event should
be defined and the system or enclosure designed to withstand it.
The need for detection systems is identified in the assessment process and also by the
need for particular systems to be actuated. Detection systems may range from visual
inspection only, to a fully automatic system which integrates into the installation emergency
shutdown system. The degree of sophistication and sensitivity will depend on the
likelihood of the occurrence and the consequences of it either remaining undetected or
there being a delay in detection. Particular attention should be paid to the selection of a
system with respect to the conditions and characteristics of the hazardous event (Section
6.3.3) and the environmental and operating conditions in the area. The following
parameters should be determined when specifying the system; coverage (Section
6.4.1.2), response time (Section 6.4.1.3) and sensitivity (Section 6.4.1.6). Where control
action may be initiated, the logic should also be specified.
The following detection options may be considered for the particular roles.
This will identify deviations outside the normal operating envelope which, if
allowed to continue or deteriorate, could cause failure of the hydrocarbon
containment system. It may include detection of pressure, temperature, level or
composition. In using this updated Fire and Explosion Guidance, the results of
the fire and explosion assessment process should be used to determine the
demand rate of the system. Further guidance will be given in UKOOA Guidance
for Instrument Based Safety Systems (to be published in 1995).
The fire detection systems should be suitable for the identified fire types and their
combustion characteristics. The following types of detection may be considered.
− obscuration/effectiveness in smoke;
− false alarms e.g. those due to welding, hot surfaces, sun or flaring
(both direct and reflected);
− the location of the detectors with respect to the size of fire which
requires detection;
− the alarm level, taking into account the associated levels of other
potentially more dangerous products of combustion such as
carbon monoxide;
− the likely time to detection and the response time, taking into
account the time to impair personnel or the TR;
Gas detection systems commonly employ point and beam type detectors which
use the infra-red absorption or catalytic sensor principle. Other technologies are
required for certain hazards, e.g. electro chemical, semiconductor sensors for
hydrogen sulphide.
Point detectors are normally deployed in congested areas of plant or in air intake
ducts.
Beam detectors are most usefully employed to monitor the open spaces around
congested plant, where the main air flows will carry a plume of released gas.
They may also be used in large ducts.
− the shape, movement and extent of the resultant gas cloud taking into
account ventilation systems and obstructions;
− the sensitivity of the system; the size, concentration (if appropriate) and
location of the gas clouds;
− limitation of the local air flow, e.g. by temporary enclosures (point types);
There are few systems which have been specifically designed for this purpose.
However, there may be a number of measures which may indicate that an
unintended release of hydrocarbons has occurred. These include:
− visual inspection.
For active control measures, process and/or fire and gas detection systems are also
required to activate these systems either manually or automatically.
These systems offer greatest scope for limiting the size and scale of an incident. This is
preferable to accepting the size of an event and providing an excess amount of protection
to mitigate its effects.
During quantification of the characteristics of the fires and explosions, the effects or
contribution of each of these systems would normally be taken into account. The
escalation analysis should indicate the scale and consequence of the events if these
systems do not work. The difference is the contribution of the particular system. These
systems are normally included in the design and specified according to standard codes
such as API RP 14C or API RP 520. However, these codes only take into account a
nominal consideration of the hazardous events before defining the system requirements
and this provision may be optimised to further reduce risks.
An effective ESD system will limit the inventory released in an incident and
therefore the size and duration of any resulting fire. The location of the ESD valves
will determine the areas where each particular inventory could be released.
These systems reduce the pressure within a system and in doing so dispose of a
portion of the inventory and, if the integrity of the system has failed, reduce the
release rate of the remainder. In the case of pressurised liquid releases this
reduces the fire intensity by causing spray fires to change into running or pool
fires. These may be controlled by bunding and drainage systems and possibly
even be extinguished.
It is important that the flare system design should take into account emergency
depressurisation events and recognise that its failure could lead to a release of all
the gaseous inventories from a failed section.
Gas and fire detection systems covering areas containing primarily flare system
components such as liquid knockout vessels should not cause automatic
depressurisation on detection.
These systems are not in common use offshore but they are a means to be
considered in seeking to limit the available inventory. Disposal to the sea has
significant environmental implications which need to be carefully considered and
taken into account. Disposal to a safe reservoir may be considered. Any such
system should take into account any dissolved gases in the liquid to be
dumped. Inventory disposal should not normally be considered unless the
benefits significantly outweigh the inherent hazards and vulnerability of the
collection, disposal and recovery system.
Bunding and drainage limits the size of a liquid release and location and size of a
pool fire. The extent of bunding should take account of any liquid trajectory from
the points of release. Bunding drains should be capable of collecting and
disposing of all or most of the hydrocarbon release and the applied firewater.
These can reduce and control the likelihood, rate and location of release of fluids
from a well. They include Christmas trees, downhole safety valves, blowout
preventers, mud systems and diverters.
− limitation of the size of the flammable gas cloud - see Section 5.3;
− suppression systems.
− reduce congestion;
These are designated openings through which the explosion can vent.
They may be open or covered by specially designed vent panels or
normal cladding. These can limit the maximum overpressure and ensure
preferential venting in a particular direction. A range of panel types are
available including those with fire ratings from both sides, and
reclosable, retained and free types. In specifying such a system, the
following points should be considered:
− the relationship between the mass of the panel and its ability to
efficiently vent an overpressure within the timescale of the
pressure pulse;
− the effect of the vent on the gas flow and flame propagation
direction.
The maintenance of the integrity of the structure can reduce the escalation
described in Sections 4.6.2 and 4.7. This may be for either direct support, such
as that providing stability or for plant which may collapse on to or against
equipment. Particular failures which should be addressed include:
− the actual exposure to fires and explosions taking into account obstruction
and realistic combustion conditions;
− overall and local loads, e.g. direct loads on blast walls and blast reaction
forces on modules and topsides, including loads arising from thermal
expansion, changes of stiffness and any redistribution of externally applied
or internally transmitted loads;
− dynamic response, both local and global. This is most likely to result from
explosions, but could also result from localised structural failure and rapid
load re-distributions;
Systems should be selected on the basis of suitability for each hazardous event and
applicability to the operational conditions, taking due account of interactions with other plant
and systems; see particularly Sections 6.3.3, 6.3.4 and 6.3.6.
These are systems which require to be activated in order to perform their roles to
extinguish or limit the effects of fires and explosions. The roles of commonly used
systems are listed below together with specific points which should be considered
during their specification, design, operation and maintenance.
The role of the fire pumps and distribution system is to supply sufficient
water to the various systems and outlets to allow them to perform their
role.
Water deluge systems may have a range of roles in fires (see Section
7.2.6 regarding explosions), including:
The system should be suitable for its intended role. In the case of
existing systems, the effectiveness of the system in achieving the
identified roles should be reviewed. The following factors should be
considered:
− the coverage of the plant and the location of the nozzles with
respect to it - see Section 6.4.1.2;
− the suitability for the types of fire which may occur and the choice
of the appropriate design code;
7.3.1.5 Sprinklers
− extinguishers;
− hose reels;
Passive fire protection can be used to limit the effects of a fire, to prevent
escalation through critical failures as identified in Section 4.6 or to mitigate the
effects on personnel. Careful consideration must be given to any potential
reduction in safety due to increased hidden corrosion as a result of coatings or
lagging. The following may be protected:
− the TR;
− structural steelwork;
− walls;
− risers;
The use of the word verification in this guidance does not imply the application of the
scheme of verification developed for the Design and Construction Regulations / Safety
Case Regulations.
8.1 Communication
There must be adequate communication and documentation from each stage of a project
to the next so that the hazard management decisions are understood, recorded and
auditable. One way of achieving this is by summarising the key information about the
management of the fire and explosion hazardous events on the installation.
Such a summary may be incorporated into the documentation for the management of
hazardous events on the installation. An example is given in Table 8.1; the format and
layout should be developed to suit individual company needs.
For each of these major hazardous events, the information may include:
− a list of the prevention, control and mitigation measures for the particular
hazardous events;
The summary should be a living document which in its simplest form may be a
compilation of tables similar to Table 8.1 within this section. It should convey
information to all those who are responsible for operations, in a form which is
concise and easily read.
Table 8.1 Example summary of hazard management information (one entry per hazardous event)

Location / hazardous event: Main Deck, Process Area; vapour cloud explosion
Objective: Minimise overpressure
Consequences: Structural damage to utilities firewall; possible missiles; further release from HP & LP Separator
Likelihood: Remote
Prevention: Standard hydrocarbon plant procedures; optimise natural ventilation; minimise/assess effects of any permanent modification
Control: Limit the use of temporary obstruction, e.g. scaffolding; high vent area, limit congestion
Mitigation: Blast resistance of structure, walls and separator supports

Location / hazardous event: Gas ingress to TR/utilities and ignition
Objective: Prevent ingress
Consequences: Loss or damage to TR or utilities; death or injury of occupants
Likelihood: Improbable
Prevention: Control of modifications bringing gas release points closer to TR/utilities; hydrocarbon plant procedures and controls applied to gas/live oil plant within 30m of TR/utilities
Control: TR inlet gas detection to initiate ventilation S/D; electrical isolation within TR/utilities
Mitigation: Not appropriate

Location / hazardous event: Top Deck; compressor gas jet fire
Objective: Isolate, depressurise and allow to burn out; personnel to shelter in TR
Consequences: Low possibility of structural weakening
Likelihood: Occasional
Prevention: Standard hydrocarbon plant procedures; control of heavy lifts; ESD/depressurisation/F&G lockouts
Control: ESD system; depressurisation system; F&G detection
Mitigation: Emergency response procedures; passive protection to flare structure
i) The format and layout of Table 8.1 is an example similar to one already in use. Each organisation should develop a specific
format and content suitable for their own needs.
ii) The company SMS would identify and define responsibilities for specific hazard management activities.
iii) The table could be expanded to include the role; an indication of the importance (criticality) of each system; emergency
response actions; escalation potential; contribution to risk, etc. However, the document should not contain so much information
that it is unmanageable.
iv) Refer to Table A.2.1 in Appendix II for indications of frequency. These may be variable depending on the size of the incident.
− specification criteria:
− functionality
− availability
− reliability
− survivability
− criticality;
8.2 Competence
Personnel should have adequate qualifications, knowledge, experience and training to
undertake their responsibilities. These include:
− managers;
− designers;
Changes in the personnel or procedures should be reviewed to ensure that there are
sufficient competent personnel to continue to meet the responsibilities. The requirements
for competence are outlined in the OGP (formerly E&P Forum) Guidelines on “Health,
Safety and Environmental Management Systems”, Section 3.4.
Commissioning testing should be carried out, not only to verify that individual system
components meet the specification, but also that the performance of the system is
achieved. This includes the training of personnel in the inspection and maintenance, and
the use of systems in an emergency.
The minimum functional criteria should be the level at which repair or change-out is
required.
8.4 Audit
Audit of the systems provided is advisable. This may be achieved either through a specific
audit of the management system, maintenance/training/test records etc.; an individual
examination of selected elements; or by the use of independent/competent personnel to
routinely verify all of the systems. Independent audit personnel may be provided by the
Operator/Owner or from an external organisation. If they are employed by the
Operator/Owner they should be independent of the line management for the installation
being audited. See “A Guide to the Offshore Installations (Safety Case) Regulations 1992”.
8.5 Modifications
Any modifications to the installation either through an engineering change or a change in
the management system may affect the fire/explosion hazardous events on the installation
or the ability to prevent, control and mitigate them. The Operator/Owner should review
these proposed modifications to determine whether or not the systems provision should
be revised. Where revision is necessary the hazard management process as described
(Fig. 3.1) should be followed. The degree of modification and change will determine the
re-entry point in the hazard management process. In some cases only a minor alteration
to the performance of a mitigation system may be needed, in others such as a process
modification, it may be necessary to start at the beginning and review several design
concepts.
Even if an installation has not been modified or its use has not been changed, a re-
assessment is required every three years when the Safety Case is updated (triennial
submission). Existing mobile installations entering UK waters also require assessment.
The assessment of existing structures differs from the assessment of a structure during
design in three important respects, i.e.
1. There is less scope for the reduction of the frequency of a release and scope for
mitigation of the severity of an explosion may be limited.
2. Intervention may give rise to an additional hazard which must be assessed.
3. Information may be available relating to expected explosion loads, structural and
equipment response from the detailed design or construction stage for the installation.
Information should be available from the previously submitted Safety Cases, Approved
For Construction (AFC) or as-built structural, piping and layout drawings, operational
structural integrity support computer models and design or post-design analysis reports of
the facility.
Use may be made of experience gained from the operation of an un-modified installation
and from similar installations. The computer data files and design reports should be
checked to confirm that they are a faithful representation of the present state of the facility
and that the methods used for explosion loading and response are currently acceptable.
Should modifications be necessary to improve the safety performance of the facility, then
the work to be undertaken should not in itself pose such hazards and risk to personnel
that this compromises the gains to be achieved by such modifications. All modification
work should be accompanied by hazard identification, assessment and other controls as
determined by the Safety Management System as well as method statements for their
implementation.
All temporary structures and equipment utilised during the modification work should be
removed as soon as practicable after completion of the work.
The HSE have indicated that it should be borne in mind that reducing the risks from an
existing plant to ALARP may still result in a level of residual risk which is higher than that
which would be achieved by reducing risks to ALARP in a similar, new plant. Factors
which could lead to this difference include the practicality of retrofitting a measure on an
existing plant, the extra cost of retrofitting measures compared to designing them on the
new plant, the risks involved in installation of the retrofitted measure (which must be
weighed against the benefits it provides after installation) and the projected lifetime of the
existing plant.
The overall individual risk and the TR Impairment Frequency (TRIF) from all hazards must
still be less than 10^-3 per year. If risks are in this intolerable region then risk reduction
measures must be implemented, irrespective of cost.
The following sub-sections focus on the specific aspects relevant to the assessment of
existing installations.
The ALARP framework requires dutyholders to always seek to reduce risks, and only to
argue against implementation of a measure if it is not reasonably practicable. Here the
number of options available are likely to be limited. The assessment tools described in this
Guidance should be used to assess existing risk, rank different options, and review the
reasonable practicability of implementation of any proposed changes.
For existing installations, the individual risk (IR) per annum from fire and explosion events
will have been used in the demonstration of ALARP in the existing Safety Case for the
installation. The total IR will be a good indicator of the appropriate level of sophistication of
analysis and whether the installation is in the low, medium or high risk category. Proposed
modifications to the facility may result in changes to these IR values.
A low potential loss of life (PLL) for the installation may not be a good indicator for
normally unmanned installations and ageing platforms with extended life, because of low
occupancy. However, assuming the risks to any group of individuals are acceptable, the
effort and cost involved in assessing risks and incorporating risk reduction measures
should largely be justified on the basis of the potential for reducing the overall PLL.
It should be borne in mind that the methods considered adequate for hazard mitigation
during preparation of a previous Safety Case may no longer be adequate or correct, as a
consequence of improved understanding of technical integrity behaviour and loading, or
new research.
Details of the existing Safety Critical Elements should be available enabling their
classification into categories 1, 2 or 3. The high level performance standards for the facility
should be defined or confirmed at this stage. The general approach should be to bring the
SCEs up to the same level of integrity taking into account the criticality or consequences
of failure and the difficulty in achieving the level of performance desired.
A review should also consider which elements of the facility may be improved with respect
to inherently safer design principles and what additional measures may be taken to
improve the detection, control and mitigation of the explosion hazard. Fire hazard events
will usually be considered in parallel as some scenarios will fall into either class depending
on the ignition time relative to the release.
Where the design basis for overpressure determination does not take into account recent
developments (post 1997), re-calculation of the DLB and SLB overpressures and dynamic
pressures will be necessary using best practice as described in Section 3.4 and Chapter 5
of the Commentary.
ALARP arguments will need to be used to justify new explosion loads and any
additionally required mitigation. It is recommended that probabilistic arguments as
described in Section 3.4 and Chapter 5 of the Commentary should be used to develop
appropriate design loads and that reliability or risk arguments be used to justify design load
levels. If these levels are still not able to be accommodated by the structure and other
SCEs, then a further ALARP iteration may then have to be made.
One method of the demonstration of ALARP using a strength level analysis is to apply a
static pressure load to the structure and observe, through code checks, when member
failures occur. If the pressure is then ramped up in stages, there will come a point where
the incidence of failures rapidly starts to increase and begins to take in the majority of the
members. At this point it may be argued that it would be unreasonable to strengthen or
change the member properties as it would impact on members designed by the other load
cases. Design to this equivalent static pressure could then be said to be ALARP.
It is, however, unlikely that the differing levels of response to dynamic loads at the same
peak level as determined by the natural periods of the target structural elements will be
adequately represented without undue conservatism. The variability of pressure in the
explosion load cases is also not represented in this method.
The validity of this method will depend on the severity of other load cases which have
been used in the original design of the structure.
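The staged static-pressure ramp described above (and restated in the Commentary extract later in this document) is easy to mis-read unless the failure counts are actually tabulated stage by stage. The following is an added worked example, not part of the UKOOA guidance: it takes a constructed set of members, each with an assumed equivalent static overpressure at which its code check reaches unity given the other load cases, ramps the pressure in stages, and reports the stage at which the incidence of failures jumps. The "knee" criterion (a single stage in which at least a quarter of the members newly fail) and all member names and capacities are assumptions for illustration.

```python
"""Staged static-pressure ramp used in an ALARP argument (constructed example).

Not code from the guidance. Member names and capacities are constructed; a
real assessment would take the capacities from code checks on the structural
model under the explosion load combined with the other design load cases.
"""

# Constructed member set: equivalent static overpressure (bar) at which each
# member's code check reaches unity. Values are assumptions for illustration.
MEMBER_CAPACITIES_BAR = {
    "B101": 0.35, "B102": 0.55, "B103": 0.90, "B104": 1.05,
    "B105": 1.10, "B106": 1.10, "B107": 1.15, "B108": 1.20,
    "B109": 1.20, "B110": 1.25, "B111": 1.30, "B112": 1.30,
    "B113": 1.35, "B114": 1.40, "B115": 1.60, "B116": 1.80,
}


def pressure_stages(step_bar, max_bar):
    """Pressure levels applied in turn, e.g. 0.2, 0.4, ... up to max_bar.
    Rounded so that a capacity of exactly 1.2 bar fails at the 1.2 bar stage."""
    count = int(round(max_bar / step_bar))
    return [round(i * step_bar, 6) for i in range(1, count + 1)]


def ramp_static_pressure(capacities, stages):
    """Apply each stage and record which members newly fail (capacity <= pressure)."""
    results = []
    failed = set()
    for pressure in stages:
        newly = sorted(name for name, cap in capacities.items()
                       if cap <= pressure and name not in failed)
        failed.update(newly)
        results.append({
            "pressure_bar": pressure,
            "new_failures": len(newly),
            "cumulative_failures": len(failed),
            "members_failed_now": newly,
        })
    return results


def find_knee(results, n_members, jump_fraction=0.25):
    """Locate the stage at which failures start to take in a large part of the
    member set. The criterion used here (jump_fraction of all members failing in
    a single stage) is an assumption; the guidance only says the incidence of
    failures 'rapidly starts to increase'. The previous stage is reported as the
    equivalent static pressure the structure can be said to resist."""
    previous = 0.0
    for stage in results:
        if stage["new_failures"] >= jump_fraction * n_members:
            return {
                "knee_pressure_bar": stage["pressure_bar"],
                "equivalent_static_pressure_bar": previous,
                "failures_at_knee": stage["cumulative_failures"],
            }
        previous = stage["pressure_bar"]
    return None  # no knee within the ramp: the structure did not reach widespread failure


if __name__ == "__main__":
    stages = pressure_stages(0.2, 2.0)
    table = ramp_static_pressure(MEMBER_CAPACITIES_BAR, stages)
    for row in table:
        print(f"{row['pressure_bar']:.1f} bar: +{row['new_failures']} "
              f"(cumulative {row['cumulative_failures']}) {row['members_failed_now']}")
    print(find_knee(table, len(MEMBER_CAPACITIES_BAR)))
```

With the constructed capacities the failure count creeps up by one member per stage until 1.2 bar, where six members fail in one step; the example therefore reports 1.0 bar as the equivalent static pressure. As the guidance notes, this static method does not capture the differing dynamic response of members with different natural periods nor the variability of pressure across the explosion load cases, so the figure is an argument aid rather than a design load in itself.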
9.7 Evaluation
For each hazard or scenario which has been identified, an evaluation should be made of
the possible consequences and risk to personnel, the environment and the asset.
If the installation or any of the SCEs do not meet the performance standards or the level
of risk is unacceptable, the ALARP process must be continued.
Failure to achieve the performance standards, or to demonstrate ALARP for any identified
hazard, will require modification to the installation or its operating procedures and a return
to the prevention, control and mitigation activities.
The overall individual risk and the TR impairment frequency (TRIF) from all hazards must be
less than 10^-3 per year. If risks are in this intolerable region then risk reduction measures
must be implemented, irrespective of cost.
Design Accidental Events The Hazardous Events that define the most severe fire and explosion
loadings which the control and mitigation systems are designed to
withstand or counteract.
E&P Forum The Oil Industry International Exploration & Production Forum
now renamed the International Association of Oil and Gas Producers
(OGP)
ER Emergency Response
Flash Fire The combustion of a flammable vapour and air mixture in which flame
passes through that mixture and negligible damaging overpressure is
generated.
Functionality The ability of a system to perform its specified role. This may be
characterised and demonstrated by identifying critical functional
parameters.
Hazard The potential to cause harm, including ill health or injury; damage to
property, plant, products or the environment; production losses or
increased liabilities (e.g. pressurised hydrocarbons, high voltage
equipment).
Hazardous Event An incident which occurs when a Hazard is realised whether or not it
causes harm (e.g. a release of gas, fire, explosion, short circuit of high
voltage equipment).
Hazard Analysis The identification of undesired events that lead to the realisation of a
hazard, the analysis of the mechanisms by which these undesired
events could occur and usually the estimation of the extent,
magnitude and likelihood of any harmful effects (see also Risk
Analysis).
IP Institute of Petroleum
Jet Fire (Flame) The combustion of material emerging with significant momentum from
an orifice.
Major Accident With respect to fires and explosions, this is defined in the UK Safety
Case Regulations (SI 1992 No. 2885) to be:
a) A fire, explosion or the release of a dangerous substance
involving death or serious personal injury to persons on the
installation or engaged in an activity on, or in connection with it.
b) Any event involving major damage to the structure of the
installation or plant affixed thereto and any loss in stability of the
installation.
c) The collision of a helicopter with the installation.
Pool Fire The combustion of material evaporating from a layer of liquid at the
base of the fire.
Risk The product of the frequency of a specified undesired event and the
consequences of that event.
Risk Analysis The quantified calculation of probabilities and risks without taking any
judgements about their relevance.
Risk Assessment The quantitative evaluation of the likelihood of undesired events and
the likelihood of harm or damage being caused together with the
value judgements made concerning the significance of the results.
SC Safety Case.
SI Statutory Instrument
TR Temporary Refuge
A.2.1 Introduction
Systems provided as part of the hazard management process need to match both the
hazard and the resulting risk. This Appendix describes an approach to enable designers
and others to provide safety systems which are fit for purpose. It also helps to convey the
importance of the system to the platform Operators and those responsible for lockouts,
maintenance and inspection of the system. The approach is based on material from:
Qualitative methods are available to classify or rank the risk of a particular incident or
identified major accident. Tables A.2.1 to A.2.4 provide an example of one possible
ranking. Such a method can be adapted to categorise the importance of systems. For
example, systems provided to protect against a probable-fatal accident (Class A in Tables
A.2.3 and A.2.4) could have a higher safety criticality rating than systems to protect
against an improbable-minor accident (Class D in Tables A.2.3 and A.2.4).
Table A.2.1 Likelihood Ranges for Incidents (during the operational life of installation)

Likelihood    Definition

Accident Category    Definition

                                Accident Severity
Likelihood      Catastrophic    Fatal    Severe    Minor
Frequent        A               A        A         B
Probable        A               B        B         C
Occasional      A               B        C         C
Remote          B               C        C         D
Improbable      C               C        D         D
Implausible     D               D        D         D

A    Intolerable Risk
B    Undesirable Risk (and tolerable only if risk reduction is impracticable or if
     the costs are grossly disproportionate to the improvement gained)
C    Tolerable Risk (if the cost of reduction would exceed the improvement gained)
D    Negligible Risk
Note that the term ‘Negligible Risk’ must be used with care when addressing
Catastrophic or Fatal Accidents. These would normally only be considered negligible if the
frequency of these events is of the order of 10^-6/yr or lower.
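The matrix and the note under it are the kind of lookup that is worth encoding so that every hazard on an installation is ranked the same way and the negligible-risk caveat cannot be overlooked. The following is an added example, not code from the guidance: it holds the Table A.2.3 matrix and Table A.2.4 classes, ranks a constructed list of hazards, and refuses to accept a Class D rating for a Catastrophic or Fatal accident unless a justified frequency of order 10^-6/yr or lower is supplied. The hazard names, likelihoods and severities in the sample list are assumptions for illustration, not assessments of any real installation.

```python
"""Risk ranking per Tables A.2.3 / A.2.4 (constructed example, not from the guidance)."""

LIKELIHOODS = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Implausible"]
SEVERITIES = ["Catastrophic", "Fatal", "Severe", "Minor"]

# Table A.2.3 as printed: one row per likelihood, one letter per severity column.
MATRIX = {
    "Frequent":    "AAAB",
    "Probable":    "ABBC",
    "Occasional":  "ABCC",
    "Remote":      "BCCD",
    "Improbable":  "CCDD",
    "Implausible": "DDDD",
}

# Table A.2.4 class meanings.
CLASS_MEANING = {
    "A": "Intolerable risk",
    "B": "Undesirable risk (tolerable only if reduction is impracticable or grossly disproportionate in cost)",
    "C": "Tolerable risk (if the cost of reduction would exceed the improvement gained)",
    "D": "Negligible risk",
}

# Note under Table A.2.4: negligible only credible for Catastrophic/Fatal at this frequency or lower.
NEGLIGIBLE_FREQUENCY_LIMIT_PER_YEAR = 1e-6


def rank_risk(likelihood, severity):
    """Return the risk class letter for a likelihood/severity pair."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood category: {likelihood!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity category: {severity!r}")
    return MATRIX[likelihood][SEVERITIES.index(severity)]


def negligible_claim_is_supported(likelihood, severity, frequency_per_year=None):
    """Rank the pair and apply the caveat on 'Negligible Risk'.

    Returns (risk_class, supported, reason). A Class D result for a Catastrophic
    or Fatal accident is only accepted when an event frequency at or below
    1e-6/yr is supplied; otherwise the negligible rating is flagged as unsupported.
    """
    risk_class = rank_risk(likelihood, severity)
    if risk_class != "D" or severity not in ("Catastrophic", "Fatal"):
        return risk_class, True, "no caveat applies"
    if frequency_per_year is None:
        return risk_class, False, "negligible rating for a Catastrophic/Fatal accident needs a justified frequency"
    if frequency_per_year <= NEGLIGIBLE_FREQUENCY_LIMIT_PER_YEAR:
        return risk_class, True, f"frequency {frequency_per_year:g}/yr is at or below 1e-6/yr"
    return risk_class, False, f"frequency {frequency_per_year:g}/yr exceeds 1e-6/yr; negligible rating not justified"


# Constructed hazard list (name, likelihood, severity); values are assumptions.
SAMPLE_HAZARDS = [
    ("Vapour cloud explosion in process area", "Remote", "Fatal"),
    ("Gas ingress to TR and ignition", "Improbable", "Catastrophic"),
    ("Compressor gas jet fire", "Occasional", "Severe"),
    ("Dropped object on walkway", "Frequent", "Minor"),
]


def rank_hazards(hazards):
    """Rank every hazard and return [(class, name)] with the worst class first,
    which is the order in which systems protecting against them would be
    considered for a high criticality rating."""
    ranked = [(rank_risk(lik, sev), name) for name, lik, sev in hazards]
    return sorted(ranked)


if __name__ == "__main__":
    for risk_class, name in rank_hazards(SAMPLE_HAZARDS):
        print(f"{risk_class}  {name}: {CLASS_MEANING[risk_class]}")
    print(negligible_claim_is_supported("Implausible", "Catastrophic", 2e-5))
```

The sorted output puts the Class B hazard first even though it is only a Minor accident, which is exactly the point of a matrix: a frequent minor event can outrank a remote fatal one, and the systems assigned to each should be given criticality accordingly.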
Once hazards have been ranked as described, then an appropriate safety integrity level
(criticality rating) can be applied to the systems specifically assigned to manage it. If there
is only one system standing between the hazardous event and the consequence, then the
criticality should be commensurate with the consequence and frequency. However, if
multiple system failures are required before the consequences are realised, the individual
system criticality may be lower. This gives greater flexibility in the design and operation of
the plant.
Appendix 3 References
Legislation
The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response)
Regulations (PFEER).
HSE Publications
A Guide to the Offshore Installations (Safety Case) Regulations 1992 - ISBN 0 11-882055-9.
UKOOA Publications
Safety Management Systems for the Oil & Gas Production Industry - 1991
Instrument-Based Safety Systems [Draft] - Expected date for publication late 1995
Other Publications
CAA Guidelines CAP 437 Offshore Helicopter Landing Areas: A Guide to Criteria, Recommended
Minimum Standards and Best Practice.
OGP (formerly E&P Forum) Guidelines on Health, Safety and Environmental Management
Systems, Report No. 6.36/210.
I.P. Model Code of Safe Practice Part 15 : Area Classification Code for Petroleum Installations
ISBN 0471 921603
ISO 9000 Quality Management and Quality Assurance Standards - Guidelines for Selection and
Use
ISO (Draft). Requirements and Guidelines for the Prevention, Control and Mitigation of Fire and
Explosion in Offshore Oil and Gas Installations; Reference CD 13702
Ministry of Defence, Hazard Analysis and Safety Classification of the Computer and Programmable
Electronic System Elements of Defence Equipment.
Congestion is a measure of the restriction of flow within the explosion region caused by
the obstacles within the region.
Gas explosions in more open environments can also lead to significant overpressures
depending on the rate of combustion and the mode of flame propagation in the cloud. All
of the above points from 1 to 5 can affect the explosion overpressures in this type of
environment.
Two types of explosion can be identified depending on the flame propagation rate:
Most vapour cloud explosions offshore would fall into the category of deflagrations.
The duration of the positive phase in an explosion can vary greatly, with shorter durations
often associated with higher overpressure explosions. Typical durations range from 50 to
200 milliseconds, with longer durations common in large open areas such as the decks of
FPSOs.
For smaller objects, such as piping, the overpressures applied to the front and reverse
side of such items will be of approximately the same magnitude at any moment in time
and in this case the overpressure difference will not be the only load component on the
object. For this type of object the dynamic pressure associated with the gas flow in the
explosion will dominate.
Small objects may be picked up during the explosion, creating secondary projectiles. The
peak energy for typical projectiles may be calculated from the dynamic pressure load time
history and their mass.
Secondary, external explosions may result as the unburnt fuel/air mixture comes into
contact with the external (oxygen rich) atmosphere. These can affect the venting of the
compartment and enhance the overpressure within.
A blast wave will be generated which will propagate away from the explosion region and
may impinge on adjacent structures.
The ductility level blast is the design level overpressure used to represent the extreme
design event. This is a high consequence event important for the establishment of
survivability.
The strength level blast represents a more frequent design event where it is required that
the structure does not deform plastically and that the SCEs remain operational. This load
case is suggested for the following reasons:
• An SLB event may give rise to an unexpected DLB by escalation if it is not considered
in the assessment.
• The prediction of equipment and piping response in the elastic regime is much better
understood than the conditions which give rise to rupture. The SLB enables these
checks to be made at a lower load level often resulting in good performance at the
higher level (strength in depth).
• The SLB offers a degree of asset protection.
• The SLB is a low consequence event important for the establishment of operability.
Frequently the ultimate peak overpressure ‘Pult’ derived in this way is too large to be
resisted by the structure. Checks should be made to ascertain whether the cloud of
maximal extent is feasible with respect to the shutdown philosophy and the isolatable
inventories. ALARP arguments are appropriate and can be used to demonstrate that risk
levels have been reduced to satisfactory levels which itself relies on frequency and risk
arguments. Pult will often correspond to an event with a return period out of proportion to
the design life of the installation.
A single event frequency of exceedance between 10^-4 and 10^-5 per year is considered a
reasonable frequency for the ductility level design event or DLB, by analogy with the
treatment of environmental and ship impact loads which are often considered at the 10^-5
level. In order to determine the DLB, an exceedance curve must be constructed which
represents the frequency of exceedance of a given space averaged peak overpressure.
This curve will enable the DLB overpressure case to be identified. If the event impinges
directly on the TR, escape routes or means of escape then the target level should be the
10^-5 level. If the event impinges on one or more barriers before impinging on these SCEs
then it may be argued that the 10^-4 level is more appropriate.
The space averaged peak overpressure for the compartment is used for determination of
the design explosion load cases as it is more generally representative of the severity of
the event. A local overpressure peak may be used to generate exceedance curves for the
determination of load cases for local design of a blast wall for instance. Impulse
exceedance curves may also be generated which take into account the duration of the
load and its peak value; these give a better measure of the expected response of the
target which will be dynamic in nature.
The SLB may then be identified from a space averaged peak overpressure exceedance
curve, as that overpressure corresponding to a frequency one order of magnitude more
frequent or with a magnitude of one third of the DLB overpressure whichever is the
greater. The reason for the reduction factor of one third is related to the expected reserves
of strength in the structure and the observation that the primary structure will often only
experience received loads of this reduced magnitude.
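The derivation of the two design load cases from an exceedance curve is a short calculation, but the "whichever is the greater" rule for the SLB is easy to get wrong in a spreadsheet. The following is an added worked example, not code from the guidance: it reads an overpressure against annual exceedance frequency, interpolates in log-log space to the target frequency, takes the DLB at 10^-5/yr or 10^-4/yr depending on whether the event impinges directly on the TR or escape routes, and sets the SLB as the greater of the overpressure one order of magnitude more frequent and one third of the DLB. The curve points are constructed for illustration and are not from any real installation; log-log interpolation between points is an assumption about the curve shape.

```python
"""DLB and SLB overpressures from an exceedance curve (constructed example).

Not code from the guidance. The curve below is constructed; a real curve comes
from the probabilistic explosion analysis described in Section 3.4 and
Chapter 5 of the Commentary.
"""
import math

# Constructed exceedance curve: (space averaged peak overpressure in bar,
# annual frequency with which that overpressure is exceeded). Must be sorted by
# increasing overpressure, so the frequency decreases along the list.
EXCEEDANCE_CURVE = [
    (0.1, 3.0e-3),
    (0.3, 1.0e-3),
    (0.6, 3.0e-4),
    (1.0, 1.0e-4),
    (1.5, 4.0e-5),
    (2.0, 1.5e-5),
    (2.5, 1.0e-5),
    (3.0, 3.0e-6),
]


def overpressure_at_frequency(curve, target_frequency):
    """Overpressure whose exceedance frequency equals target_frequency.

    Exact points are returned as given; between points a straight line in
    log-log space is assumed. Targets outside the curve raise ValueError rather
    than extrapolating, since the tail of a real curve is the least certain part.
    """
    for pressure, freq in curve:
        if math.isclose(freq, target_frequency):
            return pressure
    for (p1, f1), (p2, f2) in zip(curve, curve[1:]):
        if f2 >= f1:
            raise ValueError("curve must have strictly decreasing frequency")
        if f2 < target_frequency < f1:
            t = (math.log(target_frequency) - math.log(f1)) / (math.log(f2) - math.log(f1))
            return math.exp(math.log(p1) + t * (math.log(p2) - math.log(p1)))
    raise ValueError(f"target frequency {target_frequency:g}/yr lies outside the curve")


def dlb_target_frequency(impinges_directly_on_tr_or_escape):
    """10^-5/yr where the event hits the TR, escape routes or means of escape
    directly; 10^-4/yr may be argued where barriers intervene."""
    return 1e-5 if impinges_directly_on_tr_or_escape else 1e-4


def design_loads(curve, target_frequency):
    """Return the DLB and SLB overpressures (bar) and the two SLB candidates."""
    dlb = overpressure_at_frequency(curve, target_frequency)
    slb_from_curve = overpressure_at_frequency(curve, target_frequency * 10)  # one order more frequent
    slb_from_third = dlb / 3.0                                               # one third of the DLB
    return {
        "DLB": dlb,
        "SLB": max(slb_from_curve, slb_from_third),
        "SLB_from_curve": slb_from_curve,
        "SLB_from_third": slb_from_third,
    }


if __name__ == "__main__":
    for direct in (False, True):
        f = dlb_target_frequency(direct)
        loads = design_loads(EXCEEDANCE_CURVE, f)
        print(f"target {f:g}/yr (direct impingement={direct}): "
              f"DLB {loads['DLB']:.2f} bar, SLB {loads['SLB']:.2f} bar "
              f"(curve {loads['SLB_from_curve']:.2f}, third {loads['SLB_from_third']:.2f})")
```

On the constructed curve the two cases exercise both branches of the SLB rule: at the 10^-4/yr target the one-third value governs, while at the 10^-5/yr target the overpressure one decade more frequent is larger and governs instead.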
• Drag loads (similar to the Morison drag loads experienced in fluid flow)
proportional to the square of the gas velocity, its density and the area
presented to the flow by the obstacle.
• Inertia loads proportional to the gas acceleration and the volume of the
obstacle.
• Pressure difference loads.
• Loads generated by differential movement of the supports.
Drag loads dominate for obstacles with dimensions less than 0.3m or on cylindrical
obstacles less than 0.3m in diameter and, in particular, in regions of high gas velocity near
vents. Pressure difference loads become important for obstacles with dimensions greater
than 0.3m where they must be added to the drag loads. Care must be taken in interpreting
the results of CFD simulations as the cell size/obstacle size ratio may make it difficult to
obtain accurate pressure and flow information at points near the obstacle.
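The drag and pressure-difference loads described above, and the earlier remark that the peak energy of a secondary projectile may be calculated from the dynamic pressure load time history and the object's mass, can be carried through numerically. The following is an added worked example, not code from the guidance: it builds a load time history for an obstacle from a constructed gas velocity trace, adds the pressure-difference component only when the obstacle is larger than the 0.3 m figure given in the text, integrates the load to an impulse and converts that to a projectile velocity and kinetic energy. The gas density, drag coefficient, velocity trace and the assumption that the whole impulse goes into the object's motion (an upper bound) are all assumptions for illustration.

```python
"""Dynamic pressure loads and secondary projectile energy (constructed example).

Not code from the guidance. Density, drag coefficient and the velocity trace
are assumed values; a real assessment would take the local gas velocity and
density histories from the explosion simulation.
"""

GAS_DENSITY_KG_M3 = 1.2        # assumed representative gas density
DRAG_COEFFICIENT = 1.2         # assumed Cd for a bluff obstacle
SMALL_OBSTACLE_LIMIT_M = 0.3   # from the text: above this, add pressure difference loads

# Constructed gas velocity time history at the obstacle: (time s, velocity m/s).
VELOCITY_TRACE = [
    (0.00, 0.0), (0.01, 40.0), (0.03, 120.0),
    (0.05, 150.0), (0.07, 90.0), (0.10, 0.0),
]


def dynamic_pressure(density, velocity):
    """q = 1/2 rho v^2 in Pa: proportional to density and the square of velocity."""
    return 0.5 * density * velocity ** 2


def drag_force(density, velocity, area_m2, cd=DRAG_COEFFICIENT):
    """Morison-type drag load in N on the area presented to the flow."""
    return cd * dynamic_pressure(density, velocity) * area_m2


def load_time_history(velocity_trace, area_m2, size_m,
                      density=GAS_DENSITY_KG_M3, cd=DRAG_COEFFICIENT,
                      pressure_difference_pa=0.0):
    """Return [(t, load_N)] for the obstacle.

    Drag acts on every obstacle. For obstacles with dimensions greater than
    0.3 m the pressure difference across them (taken here as a constant,
    which is a simplification) acts on the presented area and is added.
    """
    history = []
    for t, v in velocity_trace:
        load = drag_force(density, v, area_m2, cd)
        if size_m > SMALL_OBSTACLE_LIMIT_M:
            load += pressure_difference_pa * area_m2
        history.append((t, load))
    return history


def impulse(history):
    """Trapezoidal integral of load over time, in N s."""
    total = 0.0
    for (t1, f1), (t2, f2) in zip(history, history[1:]):
        total += 0.5 * (f1 + f2) * (t2 - t1)
    return total


def projectile_kinetic_energy(impulse_ns, mass_kg):
    """Upper-bound energy of a loose object: all of the impulse is assumed to
    go into the object's motion (assumption), so v = I/m and E = 1/2 m v^2."""
    velocity = impulse_ns / mass_kg
    return 0.5 * mass_kg * velocity ** 2


if __name__ == "__main__":
    # Small loose item (e.g. a 2 kg fitting, 0.02 m^2 presented area): drag only.
    small = load_time_history(VELOCITY_TRACE, area_m2=0.02, size_m=0.1)
    i_small = impulse(small)
    print(f"small item impulse {i_small:.2f} N s, energy {projectile_kinetic_energy(i_small, 2.0):.1f} J")
    # Larger vessel support (0.5 m, 0.25 m^2) with 0.2 bar pressure difference added.
    large = load_time_history(VELOCITY_TRACE, area_m2=0.25, size_m=0.5, pressure_difference_pa=2.0e4)
    print(f"large obstacle peak load {max(f for _, f in large):.0f} N")
```

The trapezoidal integration is deliberately applied to the load rather than the velocity, since the load varies with the square of velocity and integrating velocity first would understate the impulse between sample points.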
Equipment items in the interior of a compartment away from the vents will experience
loads composed mostly of inertia loads due to gas accelerations. It is likely that these
loads will, however, be lower than the drag and pressure difference loads experienced by
items in the vent paths.
Exceedance curves for local dynamic pressures may be developed from simulations and
used in the same way as for overpressures in deriving design dynamic overpressures for
the DLB and SLB load cases. It is recommended that the DLB dynamic pressures are
applied to SCEs of criticality 1 and that both the DLB and SLB overpressures are applied
to SCEs of criticality 1 and 2 with the requirement for elastic response of the supports and
that the SCEs would remain functional.
Design explosion event peak overpressures and durations (or time histories) with known
frequencies of occurrence will be required for the response analyses.
A number of explosion loading experts have suggested that a suitable load level for the
representation of dynamic pressure loads is 1/3 of the smoothed peak overpressure local
to the equipment item. The duration of the load should be chosen to match the impulse of
the overpressure trace. This load must also be applied in the reverse direction. In open
areas, such as the decks of FPSOs, these loads should also be applied in the vertical
plane.
In general equipment items should be located to minimise obstruction of vents and be in-
line with the predominant flow direction. Piping runs should be located behind structural
elements if near vent areas. Supports and equipment items should be made as resistant
to explosion loads as is reasonably practicable.
The low risk methodology appropriate for some medium and all low risk installations,
follows that described earlier except that the simplifications described below may be
acceptable.
• The strength level blast (SLB) overpressure is recommended but need not be
considered.
• If a valid nominal overpressure is available for this installation type then use this
as the DLB.
• If a nominal overpressure can be accommodated then use this overpressure
with the corresponding duration and dynamic pressures for design and
assessment.
It must be borne in mind that nominal overpressures will only be representative values,
which do not represent the variability of the overpressure distribution. This variability may
be significant both for the structure and for equipment items; it must be established and
considered for both overpressure and dynamic pressure loads.
Dynamic pressure loads for the DLB should be generated for criticality level 1 safety
critical elements and vulnerable piping run locations.
Response to explosions
Over the last ten years, many structures have been designed to resist uncertain explosion
loads by the calculation of the capacity of the structure and the SCEs and the
demonstration of robustness in the structure as reflected in an insensitivity of response to
variations in load. This approach is to an extent scenario independent and may give
added protection against unidentified scenarios and in particular combined fire and
explosion scenarios.
The ‘robustness’ approach is still valuable and may be considered in addition to the more
rigorous probabilistic methods now available which enable design explosion loads to be
determined which should be accommodated by the structure and SCEs.
For installations and compartments of medium or high risk, equipment items which are
SCEs of criticality level 1 and 2 should be assessed against the SLB. SCEs of criticality 1
should also be assessed against the DLB.
If the general level of overpressure for the DLB is below the threshold overpressure Pth
then the primary structure may be deemed to be designed by other load cases with no
further analysis of this element being required. The threshold overpressure will be defined
and determined in Part 3 of the Guidance.
The structural checks for the SLB consist of strength checks for the primary and
secondary structure with the requirement of elastic response.
In all cases, it is imperative that connections and joints are suitably detailed to provide the
ductility required to develop their reserves of strength. For barriers such as fire and blast
walls, it will be necessary to check the ability of these elements to resist the DLB directly.
These elements are often non-load bearing and it is often possible to check them in
isolation.
One method of the demonstration of ALARP using a strength level analysis is to apply a
static pressure load to the structure and observe, through code checks, when member
failures occur. If the pressure is ramped up in stages, there will come a point where the
incidence of failures rapidly starts to increase and begins to take in the majority of the
members. At this point, it may be argued that it would be unreasonable to strengthen or
change the member properties, as it would affect members designed by the other load
cases. Design to this equivalent static pressure could then be said to be ALARP.
This method is, however, unlikely to represent adequately, without undue conservatism,
the differing responses to dynamic loads of the same peak level that elements with
different natural periods will exhibit. Nor does it represent the variability of pressure
in the explosion load cases. The validity of the method will depend on the severity of the
other load cases used in the original design of the structure.
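The ramped static pressure procedure described above (apply a static pressure, run the code checks, increase the pressure in stages, and stop where failures begin to take in the majority of members) is illustrated below. This is an added worked example, not part of the UKOOA guidance or of any code-check package. It assumes that each member's code check can be reduced to a utilisation ratio that grows linearly with the applied static pressure, that a member fails its check when that ratio exceeds 1.0, and that the "knee" is taken as the first stage at which at least half the members have failed; the member set and its utilisation coefficients are constructed for the example.

```python
"""Ramped equivalent-static-pressure check supporting an ALARP argument.

Added example; not from the UKOOA guidance.  Assumptions:
  * utilisation(member, p) = util_other + k * p, where util_other is the
    utilisation under the governing non-blast load case and k is the
    utilisation added per bar of static overpressure (both constructed),
  * a member fails its code check when utilisation exceeds 1.0,
  * the knee is the first stage at which a majority of members have failed;
    the previous stage is the candidate ALARP equivalent static pressure.
A practitioner would still read the stage table rather than trust the
majority rule alone.
"""

MAJORITY = 0.5

# Constructed member set: (name, utilisation under other load cases, utilisation per bar).
SAMPLE_MEMBERS = [
    ("deck beam A", 0.55, 0.35),
    ("deck beam B", 0.57, 0.35),
    ("girder 1", 0.50, 0.40),
    ("girder 2", 0.48, 0.40),
    ("brace 1", 0.30, 0.55),
    ("brace 2", 0.33, 0.55),
    ("column 1", 0.83, 0.10),
    ("column 2", 0.77, 0.10),
    ("stiffener 1", 0.30, 0.90),
    ("stiffener 2", 0.35, 0.90),
]


def utilisation(member, pressure):
    _, util_other, per_bar = member
    return util_other + per_bar * pressure


def failed_members(members, pressure):
    """Names of members whose code check fails at the given static pressure."""
    return [m[0] for m in members if utilisation(m, pressure) > 1.0]


def ramp_stages(start, stop, step):
    """Pressure stages start, start+step, ..., stop (inclusive)."""
    n = int(round((stop - start) / step))
    return [start + i * step for i in range(n + 1)]


def ramp_static_pressure(members, stages, majority=MAJORITY):
    """Ramp the static pressure through the stages and locate the knee.

    Returns the stage table, the knee pressure, the candidate ALARP pressure
    (the last stage before the knee) and the members that already fail at or
    below the ALARP pressure, which are the ones an ALARP argument would have
    to strengthen or justify.
    """
    table = []
    previous = 0
    knee = None
    for p in stages:
        failed = failed_members(members, p)
        table.append({"pressure": p, "failed": len(failed),
                      "increment": len(failed) - previous, "members": failed})
        previous = len(failed)
        if knee is None and len(failed) >= majority * len(members):
            knee = len(table) - 1
    if knee is None:
        return {"table": table, "knee_pressure": None,
                "alarp_pressure": None, "strengthen": []}
    alarp_pressure = stages[knee - 1] if knee > 0 else 0.0
    return {"table": table, "knee_pressure": stages[knee],
            "alarp_pressure": alarp_pressure,
            "strengthen": failed_members(members, alarp_pressure)}


if __name__ == "__main__":
    result = ramp_static_pressure(SAMPLE_MEMBERS, ramp_stages(0.2, 2.4, 0.2))
    print(" p (bar)  failed  +new  members")
    for row in result["table"]:
        print(f"{row['pressure']:7.2f}  {row['failed']:6d}  {row['increment']:4d}  "
              f"{', '.join(row['members'])}")
    print("knee at", round(result["knee_pressure"], 2), "bar;",
          "candidate ALARP pressure", round(result["alarp_pressure"], 2), "bar")
    print("members to strengthen or justify:", result["strengthen"])
```

With the constructed member set the two plate stiffeners fail at 0.8 bar, nothing else fails until 1.4 bar, and at 1.4 bar eight of the ten members fail at once; the procedure therefore nominates 1.2 bar as the equivalent static pressure and lists the two stiffeners as the members that would need strengthening. The table also shows the caveat in the text above: the columns, sized by other load cases, survive to well beyond the knee, so the "knee" depends on how severe those other load cases were.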
The transfer of conclusions and load characteristics from the analysis of a geometrically
similar installation with similar structural and process characteristics is acceptable. The
nomination of a typical installation to represent a fleet of low explosion risk platforms is
acceptable. The use of a typical installation will be limited to the identification of general
levels of severity of credible explosion events and is unlikely to be suitable for the local
design of blast barriers for example.
For low risk installations and compartments, the structural assessment may be performed
against the ductility level blast (DLB) only. The performance of the structure and SCEs for
these scenarios must then be tested against the appropriate high level and equipment
specific (or low level) performance standards.
London Office:
2nd Floor, 232-242 Vauxhall Bridge Road, London, SW1V 1AU.
Tel: 020 7802 2400 Fax: 020 7802 2401
Aberdeen Office:
9, Albyn Terrace, Aberdeen, AB10 1YP
Tel: 01224 626652 Fax: 01224 626503
Email: info@ukooa.co.uk
Website: www.oilandgas.org.uk