Part 0 Guidance 03

Fire and explosion guidance
Part 0: Fire and explosion

hazard management
ISSUE 2
October 2003
Whilst every effort has been made to ensure the accuracy of the information contained in this
publication, neither UKOOA, nor any of its members will assume liability for any use made thereof.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without prior written permission of the publishers.
Crown copyright material is reproduced with the permission of the Controller of

Her Majesty’s Stationery Office.
Copyright © 2002 UK Offshore Operators Association Limited

UKOOA FIRE AND EXPLOSION GUIDANCE
Part 0: Fire and Explosion Hazard Management
Foreword
1995 Edition - In publishing these Guidelines UKOOA gratefully acknowledges the support
and assistance given to their preparation by the Health & Safety Executive (USE), British
Chemical Engineering Contractors Association (BCECA) British Rig Owner’s Association
BROA), and International Association of Drilling Contractors (North Sea Chapter) (IADC).
2003 Edition – UKOOA gratefully acknowledges the continuing support and assistance
provided by the Health & Safety Executive during the production of the Fire and Explosion
Guidance Update.
This document is part of a series being produced by UKOOA and HSE on fires and
explosions, the full series being:
Part 0 Hazard management (formerly FEHM)
Part 1 Avoidance and mitigation of explosions
Part 2 Avoidance and mitigation of fires
Part 3 Detailed design and assessment guidance
This Part 1 document is taken from MSL Engineering Reports C26800R006 Rev 2 and
C26800R007 Rev 2.
Part 0:- Fire and explosion hazard management

Describes Hazard Management principles
and practices with particular emphasis on the
management of fire and explosion hazards
Part 0
Part 1:- Avoidance and mitigation of Part 2:- Avoidance and mitigation
explosions Part 1 Part 2 of fires
Describes design considerations for the Describe design considerations for the
prevention, control and mitigation of explosions prevention, control and mitigation
of fires
Part 3
Part 3:- Design practices for fire and explosion engineering

Contains advice on the engineering implementation
of the measures outlined in principle in Parts 1 & 2
Basis Documents for Parts 1, 2 & 3

Contains base position papers as guidance was developed.
Available on www.fireandblast.com for those wishing to understand the
logic and data gathered for the positions taken in the guidance
ii Issue 2, October 2003

Contents
1 Introduction................................................................................................................................. 1
2 Aims and Principles.................................................................................................................... 4
2.1 Aims of Fire and Explosion Hazard Management (FEHM) ............................................... 4

2.2 Principles........................................................................................................................... 4
2.3 Overview of the Management Process ............................................................................. 5
2.4 Reasonable Practicability .................................................................................................. 7
2.5 Performance Standards .................................................................................................. 10
3 The Lifecycle Approach to Fire and Explosion Hazard Management....................................... 14
3.1 Introduction...................................................................................................................... 14
3.2 The Use of the Fire and Explosion Assessment during the Installation Lifecycle ........... 14
3.3 Stages of the Installation Lifecycle .................................................................................. 17
4 The Assessment of Fire and Explosion Hazardous Events ..................................................... 26
4.1 Introduction...................................................................................................................... 26
4.2 Timing and Detail of the Assessment.............................................................................. 27
4.3 Hazard Identification........................................................................................................ 28
4.4 Initiating Frequency Analysis........................................................................................... 31
4.5 Characterisation of Fire and Explosion Hazardous Events ............................................. 32
4.6 Consequence Analysis.................................................................................................... 34
4.7 Escalation Analysis ......................................................................................................... 37
4.8 Risk Assessment............................................................................................................. 39
5 Inherent Safety and Prevention................................................................................................ 41
5.1 Inherently Safer Design and Process/Layout Optimisation Options................................ 41

5.2 Design, Quality and Maintenance ................................................................................... 42
5.3 Prevention Options.......................................................................................................... 42
6 Selection and Specification of Systems for Fire and Explosion Detection, Control and
Mitigation......................................................................................................................................... 47
6.1 Principles......................................................................................................................... 47
6.2 Selection and Specification Overview ............................................................................. 47
6.3 Selection of Systems....................................................................................................... 50
6.4 Specification of a System ................................................................................................ 53
7 Guidance on Systems for the Detection, Control and Mitigation of Fires and Explosions........ 61
7.1 Detection Options............................................................................................................ 61

7.2 Control Options ............................................................................................................... 64
7.3 Mitigation Options............................................................................................................ 70
8 Implementation And Verification............................................................................................... 76
8.1 Communication ............................................................................................................... 76

8.2 Competence .................................................................................................................... 79
Issue 2, October 2003 iii

8.3 Commissioning and Routine Testing............................................................................... 80

8.4 Audit ................................................................................................................................ 80
8.5 Modifications ................................................................................................................... 80
9 Special features for the Assessment of Existing Installations .................................................. 81
9.1 Installation Risk Screening .............................................................................................. 83

9.2 Explosion Hazard Review ............................................................................................... 83
9.3 Scenario Definition .......................................................................................................... 84
9.4 Prevent, Detect, Control, Mitigate ................................................................................... 84
9.5 Determination of Explosion Loads................................................................................... 84
9.6 Response to Explosions.................................................................................................. 84
9.7 Evaluation........................................................................................................................ 85
iv Issue 2, October 2003

1 Introduction
The updated Fire and Explosion Guidance has been prepared to encourage an integrated
approach to the management of Fires and Explosions. As such, it complements the Safety
Case and should help those persons with responsibilities for the safe design, construction
and operation of installations to manage fire and explosion hazards. It should also assist
duty holders to comply with the Offshore Installation (Safety Case) Regulations (SCR), the
.Offshore Installations (Prevention of Fire and Explosion, and Emergency Response)
Regulations (PFEER), the Management of Health and Safety at Work Regulations
(MHSWR) and the Provision and Use of Work Equipment Regulations (PUWER).
Part 0 of the Fire and Explosion Guidance Update is complemented by other

industry and UKOOA guidance; they constitute a suite of information to support the
design, operational and regulatory efforts to manage fire and explosion hazards
effectively.
The updated Fire and Explosion Guidance applies to new and existing, fixed and mobile
installations. It has been written specifically for the United Kingdom Offshore Oil and Gas
industry but may be applied elsewhere, both on and offshore. The principles may also be
applied to the management of other hazardous events.
The updated Fire and Explosion Guidance outlines a particular structured approach to the
management of fires and explosions. Operators/Owners of existing installations should
examine their management system to see how they comply with the overall aims outlined
in Section 2.1. They should then assess the need for change, the benefits, extent and
timing.
Mobile installations will also have to comply with their flag administration and international
maritime requirements. The updated guidance should be used in addition to those
requirements, to ensure that their management systems are adequate for all the fire and
explosion hazards which may be encountered.
The updated Fire and Explosion Guidance aims to promote understanding of hazardous
events involving fires and explosions by both designers and Operators/Owners. It is
through understanding of the causes, characteristics and likelihood of such events that an
effective management system can be put in place for each. The management system
would include inherently safer design and operation and a combination of suitable
prevention, detection, control and mitigation measures. The updated guidance shows how
the Operator/Owner, operators of plant and each engineering discipline play a part in
managing hazards and hazardous events. Effective management starts with the initial
studies and continues until the installation is decommissioned. The guidance uses the
lifecycle safety management concept and outline the role that each person should play in
the process.
Issue 2, October 2003 1

The updated Fire and Explosion Guidance outlines the management process, the
analyses and decisions that need to be taken and the factors to be considered when
making those decisions. Above all, the aim is to encourage a balanced approach to
hazard management by ensuring that the resources provided to manage fires and
explosions are commensurate with the risks of these events. The guidance provides a
framework whereby everyone, managers, designers, Operators/Owners, contractors and
auditors, can work effectively together to understand and manage the hazardous events.
The updated Fire and Explosion Guidance sets out what is generally regarded in the
industry as good practice. They are not mandatory and Operators/Owners may adopt
different standards in a particular situation where to do so would maintain an equivalent
level of safety.
More specific guidance is available to support this Part 0 (“Fire and Explosion Hazard
Management”) of the updated guidance; further information is available in the informative
sections at the back of this document and there are three further guidance documents
which cover the design considerations for fires and explosions which can be found on the
UKOOA or fireandblast.com websites;
http://www.oilandgas.co.uk
http://www.fireandblast.com
The three further guidance documents for design considerations and implementation
cover the following topics:
• Part 1 Guidance on design and operational considerations for the avoidance and
mitigation of explosions
• Part 2 Guidance on design and operational considerations for the avoidance and
mitigation of fires
• Part 3 Guidance on design practices for fire and explosion engineering

Part 1 is currently available, a completed Part 2 will be available in December 2004 and a
completed Part 3 is scheduled to be available the following year.
One intent of this Guidance is to move the decision-making processes within the fire and
explosion design field as much as possible towards a ‘Type A’ process from ‘Type B or C’
as defined in the UKOOA document the “Risk Based Decision Making Framework”, the
main figure of which is illustrated overleaf.
2 Issue 2, October 2003

Figure 1.1 - The UKOOA Risk Based Decision Making Framework

The framework defines the weight given to various factors within the decision making
process, ranging from decisions dominated by purely technical matters to those where
company and societal values predominate.
A substantial number of installations will lie in Areas A or B of the chart resulting in an

approach which involves codes and Guidance based on experience and ‘best practice’ as
described in this document and supplemented by risk based arguments where required.
A glossary of terms used and definitions is given in Appendix 1.

2 Aims and Principles

2.1 Aims of Fire and Explosion Hazard Management (FEHM)
These are that:
− all fire and explosion hazards should be identified, analysed and understood;
− overall risk from all major accidents including fires and explosion should be
assessed, and-be "as low as reasonably practicable" (ALARP);
− an appropriate combination of prevention, detection, control and mitigation

systems should be implemented and maintained throughout the lifecycle of the
installation;
− the systems provided to protect personnel from the effects of fires and explosions
should be suitable for these hazardous events and have performance standards
commensurate with the required risk reduction;
− the design, operation and maintenance of the systems be undertaken by

competent staff who understand their responsibilities in the management of the
hazards and possible hazardous events;
− any changes to the installation which may effect the likelihood or consequences
of fires and explosions should be identified, assessed and the systems revised to
take them into account as necessary.
2.2 Principles
Effective, economic FEHM depends on the appropriate timing and use of resources This
can be achieved by following the principles for identification and assessment of the
foreseeable hazardous events, see Section 4.1, and for selection and specification of
safety systems see Section 6.1: This approach is structured around the life cycle concept
described in Section 3.
The following summarise the main principles:
− fire and explosion assessment should commence very early in the design and
should be used as one of the bases of hazard management throughout the
installation lifecycle;
− everyone involved in the design, commissioning, operation, maintenance and

modification of the installation should have sufficient knowledge of the hazards
and their contribution to the overall risks;
− the principles of inherent safety should be applied early in the design so as to

eliminate or reduce hazards so far as is reasonably practicable;

− safety systems should be selected based on the hierarchy of prevention,

detection, control and mitigation;
− resources should be assigned to systems taking account of the risks from the
hazardous events and the role of the system in reducing them;
− the hazard management process should be documented and communicated to

operations personnel so that they have adequate information about both the
hazards, hazardous events and safety systems provided to manage them;
− the principles of quality management should be followed; e.g. ISO 9000 Quality
Management and Quality Assurance Standards - Guidelines for Selection and
Use.
2.3 Overview of the Management Process

A thorough understanding of all hazards and hazardous events, including fires and
explosions, is at the heart of the Safety Management System (SMS) and it should be
proactive to reduce risks. This overall process is outlined in the OGP (formerly E&P
Forum) “Guidelines for the Development and Application of Health Safety and
Environment Management Systems”. Part 0 of this guidance adds more detail to this
process and applies it to fires and explosions. For these hazardous events the
management process is given below:
− identification of the hazardous events (coarse assessment);
− analysis and assessment of the hazardous events (type, areas affected,

magnitude of the consequences, duration, likelihood, etc.);
− reduction of the risks from fires and explosions through inherently safer design
(see Section 5.1);
− design to reduce the likelihood, scale, intensity, duration and effects of each
hazardous event;
− identification and specification of the particular prevention, detection, control and

mitigation measures needed for each hazardous event
− confirmation of the suitability and effectiveness of each of the measures selected;
− specification of the measures adopted;
− communication and implementation;
− verification;
− documentation.

The hazard management process should be employed in a timely manner and in

accordance with the type, severity and likelihood of each hazardous event. It is essential
that all parties who can contribute to the reduction of hazards, particularly design
engineering disciplines and those who will have to operate and maintain the plant,
understand the hazards and are involved during the appropriate stages of the lifecycle.
Section 3 provides details of the lifecycle for an installation, and describes the hazard
management process. It outlines the timing and interaction of the activities so that the
overall safety of the installation can be improved.
The lifecycle approach shows how to prepare and implement a strategy for the
management of fire and explosion on an offshore installation throughout its life, i.e. from
design through commissioning and operations to decommissioning. This is developed
firstly by inherently safer design, followed by prevention of identified fire and explosion
hazardous events and then by the selection of detection, control and mitigation measures.
The fire and explosion assessment process is used in the lifecycle to provide information
on which to base decisions and design systems. Thereafter, it is used to assess these
arrangements to make sure that the high level performance standards have been
achieved.
The FEHM process can be applied to new or existing installations:
− for new installations it should start during feasibility studies and be fully
developed during detail design. The results should then be communicated to
personnel operating the installation to ensure that they know the purpose and
capability of all the systems, can operate them properly and that adequate
maintenance schemes are in place;
− for an existing installation the process should be applied to current arrangements

and modifications. These should be assessed to determine if the high level
performance standards are achieved and that risks are as low as is reasonably
practicable.
The management of hazards to reduce the risks involves many interests which may often
appear to conflict with each other. The process is a multi-disciplinary activity, involving all
levels of personnel from senior management to junior staff from a number of different
organisations. Table 2.1 outlines a typical range of tasks for these personnel. It is
important that the input and activities of these personnel are fully coordinated and
managed. The SMS of each organisation should identify the relevant responsibilities.

2.4 Reasonable Practicability

Operators/Owners of offshore installations must demonstrate that the risks to personnel
from all major accidents have been reduced to a level which is ‘as low as reasonably
practicable” (the ALARP principle). The ALARP principle can be demonstrated by
quantification or qualitatively by using experienced judgement. For all hazardous events
including fires and explosions a more formal demonstration of quantified risk assessment
may be required. In weighing the costs of risk reduction measures the principle of
reasonable practicability applies so that there should be no gross disproportion between
the cost of preventative or protective measures and the reduction of the risk that they
would achieve to those already in place. The issues of risk levels and ALARP are more
fully discussed in HSE publications “A Guide to the Offshore Installations (Safety Case)
Regulations 1992” and “The Tolerability of Risks from Nuclear Power Stations
ALARP can be described as the process of striving to reduce risks to a negligible level
while taking due consideration of the economic and schedule implications of this goal, see
the figure below.
The cost of a measure (in terms of the time, cost and difficulties in implementing it) must
be compared with the amount of risk reduction it brings. If the overall costs are ‘grossly
disproportionate’ to the benefits, then implementation of the measure may be
inappropriate.
In endeavouring to reduce risks to ALARP, resources should be concentrated on the

primary risk contributors and on the areas or systems where the greatest risk reduction
can be achieved for the expenditure. This must be a “top down process” starting with the
hazard identification and consideration of areas for improvement and not a “bottom up’
process starting with the safety systems. It should be based on the need for
improvements or enhancements and not on the ready availability of particular systems.
Appropriate standards and accepted industry practice are tools to achieve and
demonstrate reasonably practicable risk reduction. These should be appropriate to the
hazards and hazardous events on the particular installation so that they contribute
significantly to the reduction of risk.
However, although concentrating on the primary risk contributors, care should be taken
not to miss reasonably practical ways of reducing the risk from apparently less serious
events.

Unacceptable region Risk cannot be justified

10-3 Per annum except in extraordinary
circumstances
The ALARP or tolerability Tolerable only if further

region (risk is undertaken risk reduction is
only if a benefit is impractical, or the cost is
desired) not proportionate to the
benefit gained
Broadly acceptable Negligible risk

region
Risks closer to the unacceptable region merit a closer examination of potential risk
reduction measures
Figure 2.1 - The ALARP Triangle
Further guidance on the demonstration of ALARP is available from the following sources;
• Policy and Guidance on reducing risks to ALARP in Design

http://www.hse.gov.uk/dst/alarp1.htm
• Principles and Guidelines to Assist HSE in its Judgement that Duty Holders Have
Reduced Risk as Low as Reasonably Practicable
http://www.hse.gov.uk/hid/spc/perm12.htm
HSE Books have published a guide which sets out an overall framework for decision
taking by the HSE (R2P2), which is available in hard copy form (28) and as a free download
from http://www.hsr.gov.uk/dst/r2p2.pdf .

Table 2.1: Typical Allocation of Tasks in a Management System
INSPECTORS/AUDIT
OPERATORS DESIGNERS OFFSHORE CONTRACTORS
ORS
SENIOR MANAGEMENT
− Set overall performance standards

− Ensure that effective systems and adequate resources are in place
− Maintain an overview off all major hazardous events
− Ensure effective communication within their own and external organisations
Issue 2, October 2003

− Initiate and ensure adequate response to audits
DESIGN AND PLANT MANAGERS

− Ensure the hazards and hazardous events are identified , − Ensure integration of the contractor and − Verify that an adequate SMS
effectively managed and that risk criteria are achieved Operator/Owner SMS is in place for the installation
− Establish document and communicate the hazard − Ensure contractors understand the hazards − Verify that risk criteria are
management process and hazardous events as well as their own role met
− Integrate all design disciplines and operator input to achieve in managing these events
an acceptably safe design − Ensure personnel are competent to carry out
− Set performance standards their duties
− Provide and deploy adequate resources and competent − Identify, manage and bring to attention of the
personnel to develop and carry out hazard management Operator any hazards concerned with their
work which may not have been identified
INDIVIDUALS: DESIGNERS, TECHNICIANS AND PLANT OPERATORS
− Understand the hazardous events on the installation − Understand the hazards which may affect them − Verify that there is an
− Select the safety system and their response to the hazardous events adequate understanding of
− Set the system design specification − Perform their role (if any) in the management the hazards
of these hazardous events − Verify that adequate systems
are in place to manage the
− Develop and work − Develop designs to meet the hazards
system specification
to procedures − Verify that the systems meet
− Provide information to allow their performance standards
needed to manage the Operator to input and
the hazards − Feedback the results to the
maintain the systems to meet
operator
− operate the plant to the performance standards
the performance − Communicate the purpose and
documentation on the system
standards
to the Operator
The columns with the table are applications for three levels of personnel. They may work within the same organisation or
work separately.
9
Wh t ki i dt th f l th h ld kt th t th t it i i d t
2.5 Performance Standards

The principle behind the “goal setting” approach is that it should be possible to define
overall goals for design and operation, together with a method for assessing the extent to
which these are realised.
For any goal it is usually possible to identify one or more measures whose performance
will be a reasonable indicator of how successfully the goal is achieved These can be
described as performance standards and defined as follows:
Performance Standard: A performance standard is a statement, which can be expressed

in qualitative or quantitative terms, of the performance required of a system, item of
equipment, person or procedure, and which is used as the basis for managing the hazard
- e.g. planning, measuring, control or audit - through the lifecycle of the installation.
When characterising “performance” in relation to the whole range of operational activities

associated with an installation, it is helpful to consider a hierarchy of performance
standards. High level performance standards are applied to the installation as a whole or
to the major systems that comprise the installation (e.g. the Temporary Refuge (TR) or the
fire and explosion arrangements). Lower level performance standards are used to
describe the required performance of lesser systems, which may contribute to the high
level performance standards.
An important principle to be adopted in setting performance standards is that their number

and level of detail should be commensurate with the magnitude of the risk being
managed. Thus caution should be exercised to avoid setting performance standards for
systems, sub-systems or components of systems that contribute little to the management
of overall risk reduction associated with the installation.
Performance Standards are particularly important (and legally required in the UK) for
defining the performance of elements that help to manage or defeat a specific hazard.
The Safety Critical Element (SCE) is defined as any structure, plant, equipment, system
(including computer software) or component part whose failure could cause or contribute
substantially to a major accident, and thus includes any measure which is intended to
prevent or limit the effect of a major accident. SCEs should have fulfilled their function or
remain operational. For example, plastic deformation of the structure is acceptable
provided collapse does not occur allowing barriers to remain in-place and adequately
resist any subsequent fires or other hazards.
Further general guidance on performance standards may be found in the HSE publication
“Successful Health and Safety Management” (see Appendix 3).

2.5.1 High Level Performance Standards
The Safety Case regime requires that performance standards should be set.
(HSE Publication “A Guide to the Offshore Installations (Safety Case)
Regulations 1992 “)
These are the goals for safety of the installation and relate to the overall risk to
persons on the installation. Fires and explosions will contribute to some of this
risk.
The performance of the systems and arrangements provided to manage major

accidents involving fires and explosions will contribute to meeting this standard
and it may also be appropriate to set standards for these major systems.
It may not be possible to measure these standards directly but they should be
capable of verification from the results of assessments of low level performance
standards. Nevertheless, even when not directly measurable they should be
auditable in order to fulfil their principal role which is to provide a benchmark so
that the adequacy of the arrangements may be assessed.
2.5.2 Low Level Performance Standards
Having completed the development and assessment of the FEHM arrangements

and demonstrated that risks to persons using these arrangements are ALARP, it
can be useful to establish detailed “low level” performance standards to ensure
that this position is both initially verified and subsequently maintained.
The appropriate application of low level performance standards may significantly

reduce the risks from fires and explosions.
Performance standards at this level may relate to the principal systems, used to
detect, control and mitigate fires and explosions. However whatever performance
standards are selected, three key characteristics should apply. Firstly, the
selected items should make a significant contribution to the overall acceptability
of the FEHM arrangements. Secondly, the parameters chosen should be directly
relevant to the achievement of the system goal, and thirdly, the performance
standard should be capable of expression in terms of parameters that are
verifiable.

The process of setting the detailed low level performance standards therefore
involves a review of the required performances under the anticipated emergency
conditions of the systems, sub-systems or equipment that make up the fire and
explosion prevention, detection, control and mitigation arrangements. The
purpose of this review is to identify those items that make the most significant
contribution to the overall acceptability of the arrangements. It is necessary to
identify those items where significant performance deviation would jeopardise the
arrangements to the extent that the strategic objectives set for the installation
would not be satisfied. It is also important when undertaking this review to
determine what effective barriers to the occurrence of a particular hazard are
provided. The number and integrity of these should take into account the
magnitude of the hazardous event and the likelihood of the initiating event in the
absence of these barriers.
In the setting of the low level performance standards it may be helpful to consider
FEHM arrangements in hierarchical terms. First, those items of systems
performance that are primarily important in the achievement of the overall
objectives should be identified.
Moving down the hierarchy, assessment should indicate the most important
factors contributing to the success of that system.
For engineered systems, these can be expressed in terms of functionality,

availability, reliability and survivability. They should relate to the overall ability of a
system to fulfil its role, the probability of the system operating successfully when
required and its ability to continue to function during a fire or following an
explosion. These are described in more detail in Section 6.4.
It may be is helpful to consider a hierarchical approach to the identification of

SCEs. It is suggested that the number of SCEs (systems, equipment or functions)
requiring detailed assessment are classified into three levels of criticality, these
are illustrated with respect to the explosion hazard as below, using the Ductility
Level Blast (DLB) and Strength Level Blast (SLB) defined later in this document.
Criticality 1 Items whose failure would lead direct impairment of the TR or

emergency escape and rescue (EER) systems including the associated
supporting structure.
Performance standard – These items must not fail during the DLB or SLB, ductile
response of the support structure is allowed during the DLB.
Criticality 2 Items whose failure could lead to major hydrocarbon release

and escalation affecting more than one module or compartment. (Indirect impact
on the TR is possible through subsequent fire).
Performance standard – These items must have no functional significance in an

explosion event and these items and their supports must respond elastically
under the strength level blast (SLB)

Criticality 3 Items whose failure in an explosion may result in module wide

escalation, with potential for inventories outside the module contributing to a fire
due to blowdown and or pipework damage.
Performance standard – These items have no functional significance in an

explosion event and must not become or generate projectiles.

3 The Lifecycle Approach to Fire and Explosion Hazard

Management
3.1 Introduction
The updated Fire and Explosion Guidance proposes the use of the lifecycle approach to
implement hazard management (Fig 3.1). The concept is outlined in the International
Electrotechnical Commission ‘~Guidance on Functional Safety; Safety Related Systems”
(Parts 1-6). This has been broadened in scope in this document so that it both highlights
opportunities for enhancing inherent safety and also addresses all safety systems. It
summarises those activities which need to be carried out, the decisions which need to be
taken and The optimum timing in the lifecycle. It can also be used to integrate the work of
all contributors to the risk management process including; the different design disciplines,
risk assessors, fire and explosion specialists, Operators and auditors.
Some main feedback loops are shown but other stages may also require feedback.
3.2 The Use of the Fire and Explosion Assessment during the
Installation Lifecycle
FEHM is an integral part of the SMS Throughout the installation lifecycle.
The lifecycle is made up of the general stages of concept selection, detail design,
construction and commissioning, operation, modifications and decommissioning. These
are described in Section 3.3 detailing the approximate timing and sequencing of particular
activities..
FEHM is a continuous process rather than a series of discrete steps. There will be
overlaps and iterations between the various stages of the design, commissioning and
operation phases with earlier decisions reviewed and revised as necessary. However the
effective use of data from the fire and explosion assessment process at the appropriate
stage should reduce the need for continual changes - see Section 4.
Each numbered step of the assessment process for fires and explosions as outlined in
Section 4 is linked with the relevant stage of the lifecycle. These steps are shown in
Fig. 3.1 shaded in boxes 1, 5, 6, 7, 8 and 11 with the associated activity alongside. The
need to revise the assessment and repeat elements of the lifecycle is identified in boxes
19 and 20. At each step of the lifecycle where critical decisions are taken, particularly box
11, these should be reviewed to ensure that all reasonably practicable risk reduction
options have been considered, that the high level performance standards have been
achieved and risks are ALARP.
The lifecycle approach can be applied at any stage of the installation life. With an
operating field or a partially completed design, many or all of the systems will already be
specified or in place and the relevant lifecycle activities will have been completed. In these
cases, the steps of the assessment shown in boxes 5 to 8 and 11 should be carried out as
a discrete activity so that a full picture of the fire and explosion hazardous events can be
developed, before the need for any changes can be determined.

Fire and Explosion Hazard Management

The Life Cycle - Figure 3.1

E xi stin g In stal lati ons New I nstall atio ns
I dent i f y f i re and explosion

A ppl y i nherent safe
1 hazards on
desi gn principles
di f f erent concepts
Concept selection
S et t he high level
2
perf orm ance standard
S el ect concept t aki ng i nt o account risks from all

3
possi bl e hazards i ncl udi ng fires and explosions
Def i ne t he desi gn and operat ional regime - codes,

4
st andards and s af et y m anagement systems
Conf i rm al l hazards Opt i m i se desi gn to improve

5
are i dentified t he i nherent safety
I dent i f y t he causes V eri f y t hat t he design codes are

6 of t he hazardous sui t abl e f or t he haz ardous events and
events sel ect speci f i c prevention methods
S el ect / opti mi se control systems to

Det erm i ne fire and
7 l i m i t t he escal at ion of hazardous
expl os i on loadings
Concept ual and detail design

events
I dent i f y vul nerable plant,

8 equi pm ent , personnel and S el ect mi ti gati on systems
rout es t o escalation
Def i ne t he rol es and functionality, Def i ne rol es, manning and

9 rel iabi li ty, avai labi li ty and survi vability 10 c om pet ence requi rements for
param et ers f or engi neered systems procedural systems
Devel op escalation V eri f y t hat al l haz ardous events are

11 anal y si s and risk addressed, syst em s are suitable, and
ass essment t he overal l perf orm ance is achieved
Const ruct i on and

Devel op procedural
Com mi ssining
Desi gn hardware to meet
13 P l an f ut ure verification 12 14
param eters saf et y systems
P rovi de / i dent i f y procedures and schedules for

15
operat i on, m ai nt enence and testing
V eri f y t hat sys t em s are effective and E nsure personnel are trained and
16 rel i abl e duri ng commissioning and 17 com pet ent t o i m pl ement / operate
t hroughout t he i nstallation life
M odif icat ion
Operat e and maintain

Operation
18 systems t o achi eve

cont i nued ef f ectiveness
I dent i f y and assess any

Revi se as sessment and
19 change / m odification / 20
syst em provision
det eri oration
F i re and Explosion
A ssessm ent Process
Updat e assessm ent and safety
A bandonment
21 syst em provi si on to address

decom m i ssi oning hazards
Decom mi ssion pl ant using

22
ef f ec t i ve safety systems

3.3 Stages of the Installation Lifecycle

The lifecycle includes a number of stages:
− concept design;
− detail design;
− commissioning;
− operation;
− modification and change;
− decommissioning.
Whenever an installation is modified or changes take place, the hazard management

process should be repeated to a level of detail commensurate with the change.
The hazards associated with decommissioning should, so far as reasonably practicable,

be taken into account during detail design.
Each of the steps shown in The process is explained as follows:
3.3.1 Individual Steps
See figure 3.1.
IDENTIFY FIRE AND EXPLOSION APPLY INHERENT SAFE DESIGN

1
HAZARDS DIFFERENT CONCEPTS PRINCIPLES
Reference Section 4.3 Hazard Identification

5.1 Inherently Safer Design
During the review of the alternative development concepts, an identification and

coarse quantification of the risks from the hazardous events should be carried
out. This information should be used as part of the overall consideration for
concept selection and also to optimise the layout and guide the selection of
hydrocarbon processing methods for each concept.

2 SET HIGH LEVEL PERFORMANCE STANDARD
Reference Section 2.5 Performance Standards
This is the statement of the standards of the installation as a whole for the safety
of personnel. At this stage, Performance Standards may also be defined for
major systems such as Temporary Refuge (TR) impairment frequencies,
environmental standards and targets for reducing damage to the platform. These
would be relevant if the reduction of fire and explosion risks contributes to
meeting these targets.
SELECT THE CONCEPT TAKING INTO ACCOUNT RISKS FROM ALL

3
POSSIBLE HAZARDS INCLUDING FIRES AND EXPLOSIONS
Reference Section 4. 7 Escalation Analysis
The selection process should include consideration of the risks of major

accidents of the different concepts and the particular contribution from fires and
explosions.
Attention should be paid to the primary risk contributors and the practicality and
cost of preventing, controlling or mitigating tern.
DEFINE THE DESIGN AND OPERATIONAL REGIME - CODES,

4
STANDARDS AND SAFETY MANAGEMENT SYSTEMS
Reference Section 6.2 System Selection

5.3 Prevention Options
This is the definition of which codes and standards will be used to design the
structure, plant and equipment These include the primary prevention measures
which ensure the technical integrity of the plant The appointment of the designer
and Operator/Owner management systems including structure and
responsibilities should also be defined.

CONFIRM ALL FIRE AND

OPTIMISE THE DESIGN TO
5 EXPLOSION HAZARDS ARE
IMPROVE THE INHERENT SAFETY
IDENTIFIED
Reference Section 4.3 Hazard Identification

4.8 Risk Assessment
5.1 Inherently Safe Design
6.2 System Selection
This is the start of the formal assessment of the fire and explosion hazardous
events. It may use the output from the conceptual selection studies as a start
point. For a new design, the identification of possible hazardous events should be
used to review the layout and process design so as to eliminate or reduce all
hazards to meet the high level performance standards, concentrating particularly
on those hazards which make the predominant contribution to the overall risks.
On an existing installation, it may be possible to identity ways of reducing the
risks through changes in operational practices.
IDENTIFY THE CAUSES VERIFY THAT THE DESIGN CODES ARE

6 OF HAZARDOUS SUITABLE FOR THE HAZARDOUS EVENTS AND
EVENTS SELECT SPECIFIC PREVENTION METHODS
Reference Section 4.3 Hazard identification

4.4 Initiating Frequency Analysis
The assessment requires that initiating events are identified. This allows the
causes to be identified and a check of the design codes and standards and SMS
and operating parameters to ensure that they are suitable to address the causes
and adequate to deal with their severity. Where they are found to have shortfalls,
the codes and standards may be changed or enhanced. Procedural systems or
operating parameters may be changed and, if necessary, new specific prevention
measures may be added. This may lead to a further review of previous lifecycle
steps - follow feedback loop to Step 4 as shown in Fig 3.1.

SELECT / OPTIMISE CONTROL SYSTEMS TO

DETERMINE FIRE AND
7 LIMIT THE ESCALATION OF HAZARDOUS
EXPLOSION LOADINGS
EVENTS
Reference Section 4.5 Hazard Characterisation

7.1 DetectIon Options
7.2 Control Options
The characterisation of the hazardous events identifies the size, intensity and
duration of representative hazardous events and the contribution of control
measures. This enables the most severe events to be identified and their control
measures to be enhanced or augmented to reduce their severity. At this point
those events to be used as the basis of design for mitigation systems are chosen.
Particular attention should be paid to the guidance in Section 4.5.1.
IDENTIFY VULNERABLE PLANT,

SELECT MITIGATION
8 EQUIPMENT, PERSONNEL AND ROUTES TO
SYSTEMS
ESCALATION
Reference Section 4.6 Consequence Analysis

4. 7 Escalation Analysis
7.2 Control Options
7.3 Mitigation Options
The plant and equipment which could fail when exposed to fire and explosion in
the characterised events should be identified. An assessment of the likelihood
and consequence of these failures determines the need for protection and, in the
case of existing installations, its provision and adequacy.
DEFINE THE ROLE AND FUNCTIONALITY, RELIABILITY, AVAILABILITY AND

9
SURVIVABILITY PARAMETERS FOR ENGINEERED SYSTEMS
Reference Section 6.4 Specification of a System
This applies to hardware (engineered) systems and is the definition of the overall
purpose of the systems and the essential parameters to be met by the system so
that it fulfils its role. The reliability and availability may need some iteration with
the escalation and risk assessment in Step 11. For existing installations this may
be a formalisation of the original design standards and objectives.

DEFINE THE ROLE, MANNING AND COMPETENCE REQUIREMENTS FOR

10
PROCEDURAL SYSTEMS
Reference Section 6.4 Specification of a System

8. Implementation
This defines the role and the essential parameters required to be met by
procedural systems. It requires confirmation that the manning and competence
levels are or will be available to the extent necessary.
VERIFY THAT ALL HAZARDOUS

DEVELOP FIRE AND EXPLOSION
EVENTS ARE ADDRESSED, SYSTEMS
11 ESCALLATION ANALYSIS AND
ARE SUITABLE AND THE HIGH LEVEL
RISK ASSESSMENT
PERFORMANCE IS ACHIEVED
Reference Section 4. 7 Escalation Analysis

4.8 Risk Assessment
This is the overall review of the fire and explosion risks and their acceptability. It
formalises the escalation analysis which will have been developing as part of the
assessment process. On new designs it is carried out prior to proceeding to detail
design to ensure that the proposed systems are suitable for the hazardous event
and will be sufficient to reduce, as far as is reasonably practicable, the risks from
each hazardous event. On existing installations it is the determination of the
adequacy and contribution of the safety systems provided. The cumulative risks
from all major accident hazardous events should be within the high level
performance standard and ALARP. This information is essential to determining if
remedial measures or improvements are needed to the existing or proposed
system provision. These results may lead to a review of other lifecycle steps -
follow feedback look to Steps 4, 7 or 9 as applicable, as shown in Fig. 3.1.
12 DESIGN HARDWARE TO MEET THE REQUIREMENTS
Reference Section 6.3.3 Types of systems

6.3.6 Interactions and limitations
6.4 Specifications
7.1-7.3 System Options
The design contractor and suppliers should co-operate in designing the systems
and components to meet the functional parameters and the availability and
reliability requirements and ensure that any interactions and also limitations are
addressed.

13 PLAN FUTURE VERIFICATION
Reference Section 6.4.2.2 Maintenance, inspection

8. Implementation
The requirements for verifying tat the design has been properly executed and that
systems can be fully inspected and tested at appropriate intervals during their life
should be determined. There is no point in specifying a performance standard
which cannot be verified.
14 DEVELOP PROCEDURAL SAFETY SYSTEMS
Reference Section 6.4.1 Functional specifications

8. Implementation
This includes the provision of specific procedures to complement the generic

procedures and practices associated with the SMS. On an existing installation,
the existence and quality of these procedures should be assessed.
PROVIDE / IDENTIFY PROCEDURES AND SCHEDULES FOR OPERATION,

15
MAINTENANCE AND TESTING
Reference Section 64.1 Functional specification

6.4.2 Availability and reliability
8 Implementation
This is to ensure that the systems can be properly operated and maintained and
that they achieve the functional parameters. On an existing installation, it is
necessary to ensure that these facilities are in place. The tasks may include:
− provision of access;
− provision of specialist test and maintenance equipment;
− preparation of effective operation, maintenance and test procedures;
− setting of maintenance and test frequencies;
− identification of training and competence requirements.

VERIFY THAT SYSTEMS ARE EFFECTIVE AND RELIABLE DURING

16
COMMISSIONING AND THROUGHOUT THE INSTALLATION LIFE
Reference Section 6.4.2.2 Maintenance, inspection

8. implementation
This is function testing which should be carried out prior to installation, during
commissioning, prior to-start-up, and at predetermined intervals during the
system life. The function testing during commissioning will normally cover the full
range of operational performance, so as to act as a base line for trouble shooting
throughout the remainder of the lifecycle.
ENSURE PERSONNEL ARE TRAINED AND COMPETENT TO IMPLEMENT,

17
OPERATE, MAINTAIN AND TEST SYSTEMS
Reference OGP (formerly E&P Forum) “Guidelines for the Development and
Application of Health, Safety and Environmental Management Systems” Section
3.4
This applies both to personnel training and competence for procedural systems
and for the operation, maintenance and testing of engineered systems. It may be
necessary to prepare training courses and schedules and to have sufficient
personnel trained prior to start-up. This applies not only to regular installation
personnel but also to individuals who may visit the installation to operate,
maintain or test the plant. On an existing installation it may be appropriate to
review the training and competence of existing personnel.
OPERATE AND MAINTAIN SYSTEMS TO ACHIEVE CONTINUED

18
EFFECTIVENESS
Reference Section 8. Implementation
This requires the continued maintenance and operation of the plant so that the
engineered and procedural systems continue to meet their original intent as
developed during the design and initial assessment process.

IDENTIFY AND ASSESS ANY CHANGE, MODIFICATION OR

19
DETERIORATION
Reference Section 4. Assessment of Fire and Explosion Hazardous

Events
6.2 Systems selection
8. Implementation
During the life of the installation, changes may be considered or arise naturally
through, for example changes in the produced fluids from the reservoir.
Alternatively a safety system may deteriorate so that it is unlikely to continue to
achieve its intended functional performance, reliability and availability. All
changes should be assessed to determine the effects on the high level
performance standards and, where necessary, improvements should be
considered to the systems provision.
20 REVISE THE ASSESSMENT AND SYSTEM PROVISION

Events
This is the update of the assessment required by a relevant significant change

identified in Step 19. It may also lead to a review of the other lifecycle steps
affected by the change including the hardware, procedures and documentation
and to a revision of the Safety Case. Follow feedback loop to Steps 4, 7 or 9 as
applicable, as shown in Fig. 3.1.
UPDATE ASSESSMENT AND SAFETY SYSTEM PROVISION TO ADDRESS

21
DECOMMISSIONING HAZARDS

Events
6. System selection and specification
The design process should have considered likely decommissioning hazards and
identified the relevant procedures or systems. These should be formally reviewed
prior to decommissioning of either part or all the plant to ensure that all hazards
are identified and adequately addressed. Where the existing systems or
procedures are deficient, these should be addressed by following the relevant
steps in the lifecycle.

22 DECOMMISSION THE PLANT USING EFFECTIVE SAFETY SYSTEMS
Reference Section 6.2 System selection and specification
The safe decommissioning of the plant and eventual abandonment of the

installation may be dependent on special hardware or particular procedures.
These should be in place and sufficient competent persons be available to
operate and implement them.

4 The Assessment of Fire and Explosion Hazardous Events

4.1 Introduction
The assessment of fire and explosion hazardous events is the process whereby these
events are identified, probabilities and consequences are determined and a judgement is
made on the adequacy of the risk reduction measures. It is an iterative process which, if
the arrangements to manage the hazardous events are judged to be inadequate, involves
modifying them and revising the assessment. It provides critical information which should
be the basis for effective FEHM.
The output of the Fire and Explosion Assessment process also provides
information on the hazards and hazardous events for those responsible for safety;
managers, designers and Operators. This information includes the causes,
characteristics, likelihood and the means to prevent and limit the events and to
protect personnel.
This information is fundamental to managing the hazards and reducing risks to

people from fires and explosions, to ALARP.
The following principles should be applied to the assessment process:
− it should start early in the conceptual design;
− it relies on a thorough hazard identification;
− it should identify all foreseeable events with the potential to cause a major
accident;
− it should be continuous and recognise the need for revision of the assessment as
more information becomes available and the design evolves;
− it should be used to assist in identification of prevention, control and mitigation

measures;
− a representative selection of events should be analysed to encompass the range

of foreseeable hazardous events;
− it should be documented to give a clear overall picture of the possible hazardous

events and of the role of the safety systems in their control and mitigation.
The assessment process should be used as a design and operational tool to understand
the hazards and hazardous events and to identify when prevention, control and mitigation
measures can be applied to reduce the risks. The flowchart Fig. 3.1 shows where and
when the assessment should provide information into the lifecycle and management
process.

4.2 Timing and Detail of the Assessment

The timing and detail of the assessment will depend on the stage in the lifecycle, the level
of information available at that time, and the frequency and severity of the hazardous
events. Those events which result in the major risks to life will deserve the greatest
attention, particularly in terms of analysing initiating frequency and consequence.
4.2.1 Timing
The lifecycle approach in Section 3 and Fig 3.1 shows where information is
needed from particular steps in the assessment in order to make decisions on the
need for, and performance, of risk reduction measures.
The assessment progressively builds a picture of the fire and explosion

hazardous events as the design develops from the feasibility studies, through
concept development, selection and detail design. In practice it may be
necessary to revisit a stage a number of times as a design progresses and new
information becomes available, or if more detailed analysis is required to resolve
a particular concern. Up-to-date results should be available and communicated to
designers and Operators/Owners for consideration.
At an early stage of the conceptual design of an installation the details required

for an in-depth consequence analysis may not be available. As a result, only
broad scoping predictions would be undertaken with the aim of identifying those
scenarios which have the potential to cause a major accident. In performing
scoping calculations, it will be necessary to make a range of assumptions. These
should be clearly stated, including particular assumptions about the provision and
effectiveness of prevention and control systems.
The major accident scenarios should then be examined in sufficient detail to

verify that it would be reasonably practicable to provide systems to control and
mitigate them and that the risks would be tolerable. It may also enable the
effective screening out of many events which are of low consequence or very low
frequency and therefore unlikely to contribute significantly to overall risk levels.
However, this will depend upon the extent of information available. It is important
that apparently low consequence events are not discarded at this stage if their
consequences may be underestimated as a result of limited information. Also,
that large numbers of events of low frequency are not discarded without due
consideration being given to the cumulative risk which they may pose.
As the design of the installation progresses and further information becomes

available, the analysis and assumptions of the critical’ events identified should be
reviewed. This may include more sophisticated validated modelling techniques,
as appropriate and/or sensitivity analysis. Parts of the analysis may have to be
repeated as the design evolves and more information becomes available.
On an existing installation, the assessment should already have been carried out
as part of the Safety Case. Modification should follow the lifecycle approach.

4.2.2 Detail and Accuracy
The level of detail and accuracy of an assessment is determined by the need for
precise information on which to base decisions and designs.
The quality of the assessment is dependent upon the identification and quality of
assumptions, validation of models, availability of data, including any relevant
experimental data and the competence of those undertaking the assessment. A
simple assessment with appropriate pessimistic assumptions resulting in a
conservative level of provisions may be equally appropriate in place of a refined
assessment resulting in greater accuracy, to justify more targeted risk reduction
measures. Such simple assessments may also be appropriate for some of the
smaller relatively simple installations. The decision as to which type of
assessment should be undertaken is likely to be determined by the capabilities
and technical resources of the organisation undertaking the assessment as well
as purely technical factors.
The quality of the analysis is dependent on the following:
− the quality of the available information;
− the validity and accuracy of the analysis tools used to characterise the
hazardous events and the response of the plant;
− the sensitivity and accuracy of the figures for initiating event frequency
and safety system performance,
− the stage in the lifecycle;
In some cases, events will be subjected to specific assessment, particularly

where their risks may be significant. In others, it may be acceptable to group
smaller events together and subject them to generic assessment
4.3 Hazard Identification

Hazard identification should commence at the early stages of a design while there is still
sufficient flexibility to change the design and layout to reduce hazards by inherently safer
design or to reduce their scale and impact.
4.3.1 Means of Identification
The identification of fire and explosion hazardous events is the start point for the
rest of the assessment and of the whole hazard management process. It should
use a structured, systematic and auditable approach which addresses both
process and non-process fires and explosions and covers all parts of the
installation including pipelines, risers and wells. The method employed should be
a structured process, which involves a suitable combination of operations
personnel, design engineers and safety specialists.

The hazard identification process should address all foreseeable fires and
explosions and, in particular, those involving releases of hydrocarbons. This
process should be fully documented including all of the foreseeable causes of
initial release as these should be addressed when identifying the need for
specific prevention measures.
To structure the process, the installation may be divided into discrete areas in
which hazards are identified by considering the process or utilities systems, plant,
fixtures, combustible inventory, etc. within each. Potential external initiators of
fires and explosions such as a helicopter crash are also important and should be
considered. The information required to carry out the initial hazard identification
may include the following (as available):
− Operating and maintenance philosophy;
− Plot plans and plant layouts;
− Piping and Instrumentation Diagrams (P&IDs);
− Process Flow Diagrams (PFDs);
− Equipment lists;
− Process data sheets.
Other information such as incident statistics or records may also be useful.
The materials considered during the fire and explosion hazardous event
identification phase are likely to include:
− Process oil/gas/condensate;
− Process additives (e.g. methanol and tri-ethylene glycol);
− Fuels (diesel, aviation fuel, etc.) and lubricants;
− Bottled gas (e.g. propane, acetylene);
− Industrial explosives and detonators;
− Combustible material (e.g. wood, furnishings, paper, plastics);
− Laboratory and process chemicals.
In identifying hazards the parameters which define the type of hazardous event
should be identified and documented. These may include:
− System pressure;
− Isolated and non-isolated inventory;

− Temperature;
− Density;
− Composition of material;
− Likely release points and their size;
− Flash point;
− Ignition sources;
− Combustible load;
− Oxidising agents.
The fire or explosion events identified will vary depending on the hazardous
material involved and the conditions relevant to the particular system or inventory
being considered. Typical events are:
− Pool fire (combustion of a flammable liquid pool);
− Jet fire (combustion of high pressure gas or liquid);
− Spray fire (combustion of a pressurised liquid release);
− Blowout (wellhead spray or jet fire);
− Flash fire (combustion of a flammable gas where the flame

propagates at a speed insufficient to result in damaging
overpressures);
− Explosion (combustion of flammable gas/vapour in which

confinement and/or flame velocities are sufficient to result
in damaging overpressure);
− BLEVE (rapid ignited release of flammable pressurised contents of

a heated vessel resulting in blast overpressure, missile
fragments and fireball) see Appendix 1;
− Cellulosic fire (fire involving material, such as wood, paper, etc.);
− Electrical equipment fire.
Users of this guidance should decide what information is relevant to their

particular needs.

4.3.2 Choice of Events for Analysis
A range of hazardous events should be analysed both to provide information on

which to base the design of control and mitigation systems - see Section 4.5.1-
and to support the Safety Case and PFEER. The type of events chosen for each
purpose will depend on the information required.
Each identified hazardous event will have a range of possible scenarios, it is not
reasonable to examine every one. Therefore, representative cases should be
chosen to cover the range of foreseeable events. For example, pipework leak
source might range from that of a poorly fitted flange gasket through to a full bore
rupture. The most important are those foreseeable events where the initial
release and ignition characteristics are likely to cause the most extensive
damage and the greatest risks to personnel. In the case of fires, there needs to
be sufficient inventory to burn for long enough to cause failure of equipment or
structure. Personnel and delicate equipment may be injured or damaged after a
short fire exposure. Steelwork should survive for several minutes under the worst
case conditions, but protected or equipment exposed only to thermal radiation
may survive for considerable periods. The range of events considered should
cover the larger ones which may cause extensive damage to the installation and
those smaller events which could cause local damage leading to escalation.
In selecting the events, due regard should also be taken of the likely causes of
initial failure, the design features of the plant and the resultant size, shape,
arrangement and location of the failures.
4.4 Initiating Frequency Analysis

The initiating frequency estimate is derived from the causes of incidents and should be
used to identify both generic and specific prevention measures. The relative importance of
initiating events should be evaluated from their severity and expected frequency of
occurrence; i.e. risk. This may initially be obtained from historical UKCS data (or more
specific data if available), modified where necessary to take account of any particular
considerations for the installation which may affect the likelihood or frequency. The
probability of ignition and detection of a hazardous event should also be taken into
account. As the design develops, the engineering specifications used, the provision of
prevention measures, the Operator/Owner safety culture and SMS should endeavour to
reduce these initial estimates.
In the case of flammable release events, the release frequency may be estimated by
counting all relevant system components which could give rise to a flammable release
within a specified area, and multiplying by failure rate data appropriate to the type,
standard or design, use and operating conditions.
It may be appropriate under some particular circumstances to examine the sequence of

events which may lead to a failure. Techniques such as Fault Tree Analysis may be used
to estimate the frequency of these events.

4.5 Characterisation of Fire and Explosion Hazardous Events

This is the quantification of the characteristics of the particular fire and explosion events
which are chosen for analysis. It provides information to identify which plant and
personnel are exposed and to judge the effects of exposure. It is also required as an input
to the preparation of the emergency response plan. The estimate of the initial size,
severity and duration of fire and explosion events requires different levels of analysis
depending of their perceived importance. A range of representative scenarios should be
considered in detail with justification given for the choice.
The information available from this part of the analysis may include:
For Fires:
− Type (hydrocarbon, jet, pool, spray, and cellulosic)
− Size (diameter, flame length, spread, shape and volume)
− Severity (emissive power, engulfment heat flux, remote heat

flux levels, smoke concentration/toxicity)
− Location (the location and direction of the release, location and

spread of pool fires, direction of flame spread, shape
and size of flame extension into other areas and the
outside of the platform).
− Duration
− Variation with time (the change in the above characteristics with time; for
example due to reduction in release pressure).
For Explosions:
− Type (confined explosions, high flame speed explosions,

chemical explosions)
− Size (extent of flammable gas cloud)
− Severity (maximum overpressure, impulse pressure pulse rise

time, both within and outside gas cloud)
− Location (location of flammable gas cloud and the pattern

severity and extent of the overpressure and impulses
both within the module and beyond).
Both initiating event and those stages of an escalating event when further hydrocarbons
are likely to be released should be characterised. For initiating events, it is necessary to
clearly define the parameters listed below such that the resultant event can be analysed
with the appropriate accuracy and realism.

For escalating events, more general assumptions may need to be made where, for
example, further multiple releases and safety system failures may occur following an
explosion or structural weakening.
It may also be necessary to characterise the initiating events taking account of the failure
of a safety system, such as emergency isolation, where that failure could lead to
significant increase in the consequences.
In carrying out the analysis, the following parameters should be taken into account:
- Installation and process parameters:
− location;
− inventory;
− type and composition of the fuel;
− type and rate of release;
− ventilation;
− obstacles and boundaries;
− ignition sources;
− wind direction and strength.
- Control and detection measures and their response time where appropriate:
− Emergency Shut Down (ESD);
− depressurisation;
− drainage and bunding;
− electrical isolation;
− fire and gas detection.
The stage in the lifecycle will dictate the level of analysis required. This may range from
simple empirical correlations and engineering judgement to sophisticated modelling. The
more complex and detailed methods of analysis will take time and require a very high
level of design definition. Therefore their use as a tool to develop and refine the early
stages of design is limited.
The characterisation analysis will identify the most severe events and the analysis
process can be used to enhance the effectiveness of the control measures listed above in
limiting the size, scale and intensity of the fires and explosions.

The results should be presented so tat they clearly convey a realistic picture of the
anticipated hazardous events, and their potential for escalation. This is particularly
important for the preparation of an appropriate emergency response plan and the
development of an awareness of the possible h5~ardous events on the installation.
4.5.1 Design Fire and Explosion Loadings
Selection of the representative design accident events.
One of the most important decisions taken in the hazard management process is
the selection of hazardous events from which the concept of an upper bound, or
envelope, of conditions on which the design of control and mitigating systems are
based. The analysis of these events will give the loading parameters for fires and
for explosions as listed in Section 4.5. Alternatively the design could be based on
standard criteria with the loads from the actual design events being checked at a
later stage and compared to the design load. The characteristics of these
loadings need to be defined in sufficient detail so that protection systems can be
designed to match them.
With a new design, the escalation analysis is also important in the selection of the
design accident events, together with the perception of the extent and severity of
the escalation. As the analysis proceeds, a picture of the range of initiating
scenarios and escalating events throughout the platform will emerge. From this
overview, it should be possible to select the design events based on the
practicality of preventing larger initial events and stopping the escalation of
smaller events to those of an extreme magnitude. In particular, a designer would
need to consider the following when identifying a design event:
− the scale of the incident relative to the installation size;
− the options for reducing the frequency of an incident so that the resulting
risk is ALARP;
− the practicality of controlling and mitigating the event.
4.6 Consequence Analysis

The purpose of the consequence analysis is to identify which plant, structure, safety
systems and personnel are exposed to the initial and escalating events described in
Section 4.5 and to assess the likely effects and failures.
4.6.1 Personnel Exposure
Personnel may be directly exposed to an initiating event or to subsequent

escalation. The assessment should attempt to quantify the numbers of people
involved at each stage and the effects of exposure. These effects may include an
inability to escape to the TR, a reduced ability to respond to the emergency,
serious injury and death. These results would be collated to determine the risk to
personnel from fires and explosions as input to the overall risk assessment for
the installation.

In addressing the exposure, the following groups of personnel should be

considered:
− those working in the area of the initiating event;
− those working in adjacent areas which may be affected by the initiating

event;
− those who may be exposed as they attempt to reach the TR;
− those within the TR, at muster areas or while evacuating who may be
exposed to the effects of the escalating incident
− those who may be exposed while carrying out their emergency response
duties, e.g. control room personnel, emergency teams.
This information can be used to assess and where necessary modify escape
routes and operating philosophies so that the exposure of personnel is reduced.
The need for mitigating measures can also be reviewed.
4.6.2 Plant, Structure and Safety System Exposure
An assessment of plant exposed to fire and explosion hazardous events should

be carried out to determine if it would fail and lead to:
− loss of further inventory from vessels, storage tanks or pipework;
− spread of fire (e.g. within the accommodation);
− penetration of fire or blast walls allowing the passage of overpressure or

flame;
− catastrophic rupture or failure;
− loss of or damage to safety systems required to control the incident:
− loss or damage to mitigation systems, or impairment of evacuation and

escape systems;
− impairment of the TR, including the effects of smoke and heat;
− loss of structural support leading to any of the above or progressive

collapse.
In assessing the likelihood and manner in which these failures could occur, the
following should be considered, the:
− likely exposure of the equipment;
− extent and intensity of that exposure;

− duration of the exposure;
− time to failure;
− inherent resistance of the equipment;
− exposure of any critical elements which could cause an overall failure;
− defined failure criteria of the plant or structure - see Sections 7.2.7 and
6.4.1.9;
− protection systems.
The time to failure should be assessed as it may significantly affect the

consequences; for example, gas plant may have already depressurised or a
safety system may have fulfilled its role. The time of escalation is also important
in predicting the development of the incident.
4.6.3 Safety System Vulnerability
The purpose of this study is to identify and assess the vulnerability of those
hazard management systems which may be needed during or after a particular
hazardous event where that event might impair them. This may be used to define
any protection to meet their survivability criteria - see Section 6.4.3.
It may be appropriate to review the safety systems as part of a vulnerability study

which examines their exposure to all hazardous events.
Such a review may start either with the hazardous events as described above or
with the systems. The later requires a full examination of all the hazardous events
to which they may be exposed, the importance of that system to control these
hazardous events and the likelihood and consequence of its failure. Particular
attention should be paid to complex systems which are spread and
interconnected throughout the platform. The effects of the failure of localised
components on the overall performance should be considered. In particular, the
following should be examined:
− hydraulic systems;
− electric cabling;
− control panels, logic, relays and electronic systems;
− piping, e.g. firewater ringmain, vent headers/flare lines
− field devices;
− engines, fuel systems, cooling and combustion air supplies;
− Heating Ventilation and Air Conditioning (HVAC);

− power supplies.
It is probable that in some cases only part of a system may be exposed and
incapacitated. In such cases, the need to take action to reinstate the remainder of
the system (such as closing of firewater ringmain isolation valves) and the
practicality and likelihood of doing so in an emergency should be identified and
assessed. The performance of the remainder of the system should then be
assessed.
The output of the analysis is primarily an awareness of any vulnerability by both

Operators/Owners and designers. This allows measures and procedures to be
prepared to address this situation. It also allows the vulnerable component to be
eliminated (if offering no real contribution to the system performance), moved to a
safer location or protected so that it can survive until it has completed its function.
Alternatively, duplicated components or systems located in different areas may

be considered such tat the simultaneous loss of both would be unlikely. However,
care should be taken to ensure that the overall vulnerability of the system is not
increased by exposing a greater number of components to a wider range of
hazardous events. Duplication should be considered only if it adds significantly to
the overall availability or realistic survivability of the system such that it is able to
deliver its required functional performance - see Sections 6.4.2.5 and 6.4.3.
Further guidance on the types of emergency systems which may be required

during or following an incident is included in the UKOOA Guidelines on the
Management of Emergency Response for Offshore Installations.
4.7 Escalation Analysis

In addition to the effects of an initial fire or explosion it is important that a structured
approach is taken to determine whether and how an event can escalate to endanger
personnel. It is also the means to identify all the subsequent failures which would have to
occur before personnel are put at risk.
The primary objectives of the escalation analysis are to:
− identify mechanisms whereby an initial event may escalate to impinge on key

systems or facilities, e.g. the TR and/or evacuation and escape facilities;
− identify where control or mitigating measures could be used to prevent, delay or

reduce escalation or protect life;
− identify the combination of measures needed to deal with each major hazardous
event and to provide an input to the development of associated performance
standards;
− evaluate the effects on the installation safety systems at each stage of escalation
and how this may affect subsequent escalation;

− evaluate the probability and hence the frequency of each escalation path which
affects the key facilities or systems such as the TR and Escape, Evacuation and
Rescue (EER) facilities and the time duration from the initial event.
This may be carried out as an event tree analysis. This can show the sequence of failures
which need to occur to result in a particular level of consequence and give designers and
Operator/Owner the opportunity to add, to or enhance the safety systems to break the
sequence of events.
Experience has shown that often only a relatively small number of escalating scenarios
contribute significantly to the major accident risk on an installation. Therefore the
escalation analysis is an important aspect of hazard assessment and risk management. It
is important that the location, frequency, timing and duration of different scenarios
previously established are fully considered so that mechanisms and routes by which a fire
or explosion could escalate to cause ‘critical failure’ can be identified.
This involves identifying those critical components or systems which, if they fail, have
significant consequences regarding:
− threat to life;
− environmental damage;
− loss of assets (plant/production).
Input data from the previous steps of the assessment include:
− the location and description of the initial event especially its size, severity,
duration and frequency;
− the means by which the initial event may escalate and, at each escalation stage,
the corresponding probability and time to escalation;
− the effects of the events on the installation including the safety systems at each
stage of escalation and how this affects subsequent event progression;
− the contribution of safety systems to reducing the consequences and the

probability of their successful operation;
− the effects on the key facilities or systems such as the TR and EER facilities in
terms of impairment, time to impairment and impairment frequency;
− the fatality levels associated with each scenario.
In assessing the contribution of safety systems, the characteristics of each stage of the
event should be considered if it is possible that systems may fail to operate successfully
or could be damaged. Such systems may include:
− emergency shutdown;
− blowdown;

− active/passive fire protection;
− detection systems;
− communications (internal and external);
− essential control and instrumentation;
− essential power supplies;
− drainage;
− overpressure protection;
− active/passive explosion protection.
It may also be necessary to consider the actions and decisions of key personnel, in
particular the OIM, in responding to an escalating situation. The decision to move
personnel to different parts of the installation, to abandon the installation, to fight the fire,
etc. and the time at which these decisions are made can have major implications.
The need to take particular decisions should be reflected in the preparation of the
Emergency Response Plan and in the provision of communication and evacuation
systems.
The ability to take decisions may be affected by smoke, heat and the scale of the incident.
This should be taken into account, particularly if the TR and control centre are affected.
4.8 Risk Assessment

The collation of the risks from each of the possible major accidents from fires and
explosions should be integrated into the installation Safety Case risk assessment. This will
assist the judgement of the adequacy of the high level performance standards and their
achievement.
An accepted level above which the overall risk is considered intolerable is an individual
risk of greater than 10-3 per year or a TR impairment frequency of greater than 10-3 per
year. The overall individual risk from all hazards must be less than this value. If risks are
in the intolerable region then risk reduction measures must be implemented, irrespective
of cost. Hence the risk from other hazards may indirectly affect the acceptability of risk
from explosions and these may need to be considered in setting the target risk levels for
the explosion hazard.
In addition, installation screening is recommended to enable resources and time to be

focussed where it is most appropriate when little detailed information is available for the
specific hazards on the installation. It is also a useful exercise at the early stages of a
project in order to focus attention on the safety issues at a time when the most benefit
may be gained at the least cost.

The task consists of classifying the installation and its compartments into Low, Medium or
High risk categories to determine the level of explosion assessment required. The
complexity of the process in the compartment is taken as an important measure in the
screening exercise.
In this context, risk is defined as a measure of the product of the consequence and
probability of an incident, (estimated from the previous sections), an example might be of
an ignited release giving rise to a significant overpressure greater than 50 millibar.
Risk equals the product of Probability (or Likelihood) and Consequence (or Severity)
Likelihood is a more appropriate term in this context where a qualitative assessment is

being performed, the terms probability and frequency imply that numerical values are
available.
Therefore, successful installation screening is achieved by early consideration of the

vulnerability of the installation and the likelihood of an explosion event.

5 Inherent Safety and Prevention

The concept of inherently safer design refers, to an approach to design in which hazards
are ‘designed out at source. The primary means of prevention are the use of appropriate
standards for design and operation, the optimisation of the layout for safety and the quality
standards applied to design, construction and operation.
5.1 Inherently Safer Design and Process/Layout Optimisation

Options
The greatest opportunities to reduce risks are during the initial hazard identification stage
during the conceptual design phase. Once into detail design there may be limited scope to
apply hazard avoidance (as opposed to prevention) methods.
Adoption of the following principles where possible will reduce hazards:
- use less hazardous materials (substitution);
- use simpler process systems (simplification);
- reduce the inventory of hazardous materials on the installations (intensification);
- use hazardous materials at lower temperature and/or pressure, or use inert

materials to dilute hazardous ones (attenuation).
Facilities designed on this basis can be described as intrinsically or inherently safer.
The extraction and processing of hydrocarbons inevitably involves some hazards.

Consideration of inherently safer design and process/layout optimisation may include the
following but it must be recognised that the design will also depend very largely on
economic criteria:
- choice of the concept; single or multiple jacket, floating production etc.;
- choice of the operating philosophy; pre-drilling wells, manning, etc.;
- reduction of hazardous inventories;
- reduction of process pressures and temperatures;
- minimisation of High Pressure/Low Pressure (HP/LP) interfaces;
- use of non flammable or low flammability materials;
- minimisation of the number of processing operations carried out on the

installation;
- selection of simpler processes;

- reduction of particular causes of failure (e.g. dropped loads onto equipment);
- control or avoidance of simultaneous hazardous operations;
- physical separation of major components containing hydrocarbons (e.g. risers,

wells, separators);
- location of the TR remote from major hydrocarbon inventories, in particular

wellheads, risers;
- reduction of congestion in process areas;
- reduction of external confinement and congestion of gas process areas;
- siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in
well ventilated areas and away from large inventories;
- location of risers to avoid supply boat impacts.
Further guidance on inherently safer design is given in HSE Report “Inherently Safer
Design".
5.2 Design, Quality and Maintenance

The likelihood of hydrocarbon release which could lead to a fire or explosion will depend,
amongst other factors, on the quality of the design, the components, the construction of
the plant and its maintenance/operation. The principles outlined for safety systems in
Sections 6.4.2.1 and 6.4.2.2 also apply to process and other plant and should be used to
eliminate or minimise the possibility of hydrocarbon release.
The principles for the reduction of complexity and improving operability in Section 6.4.2.7
should also be used/applied to reduce the number of possible leak points and the
likelihood of operator error.

Prevention in the context of an installation means avoiding uncontrolled releases of
hydrocarbons and/or the accumulation of explosive atmospheres and avoiding fires and
explosions from other sources, e.g. electrical fires and fires in the accommodation. As the
risk from fires and explosions offshore is often dominated by releases of hydrocarbons,
then the prevention of such releases represents the starting point followed by the
consideration of preventing (or controlling) ignition.
Effective prevention of hazardous events is dependent on aspects of the SMS, i.e.:
- the use of appropriate design codes and standards, and
- the implementation of good operating practice.

Prevention measures may be either engineered or procedural and may be specifically

applied to a particular hazard or item of plant or generically applied throughout the
installation.
Note: In this guidance, measures to prevent ignition are considered as preventive measures
although it is possible to regard them as control measures - see Section 7.2.
5.3.1 Prevent Release (Maintain Equipment Integrity)
The primary prevention measure on plant containing hydrocarbon is the

prevention of the unplanned release of inflamable liquids and gases under all
circumstances including commissioning, operation, shutdown, maintenance and
decommissioning.
All foreseeable causes of failure should be identified and a combination of

engineered and operational systems put in place to seek to avoid each cause.
The likely causes of failure can be identified by a formal hazard identification
process such as HAZID - see Section 4.3.1- which could consider aspects such
as:
− mechanical overload/overstressing (external loadings including

environmental);
− overpressure (internal overloading);
− internal corrosion/erosion;
− external corrosion/erosion;
− construction defect;
− fire;
− explosion;
− impact (including dropped objects);
− breaches of containment due to human error;
− isolation failure;
− decommissioning, in particular hazards associated with purging, breaches

of containment or permanent isolation systems.
Most causes of failure will be addressed by the use of established codes and
standards for the design and protection of process plant. However, it may be
necessary to verify that these are appropriate for all the identified likely causes of
failure. This verification may be achieved by the use of a formal Hazard and
Operability Study (HAZOP) during design with an update on completion.
Compliance with the chosen standards should be verified during construction and
planned inspection throughout the life of the installation.

Typical prevention measures include:
− the integrity of hydrocarbon plant; including piping, vessels, pumps.

compressors, etc. and supporting structures;
− reduction of possible release points, e.g. use of welded joints and non
invasive instruments;
− overpressurisation protection systems;
− process control and shutdown systems;
− material selection, corrosion allowances, inspection and protection;
− impact decks and control of heavy lifts;
− breach of containment controls;
− isolation valves, systems and procedures and associated competence of

personnel;
− interlocks;
− controls on shipping;
− operational procedures.
These prevention measures can impinge on all engineering and operation

disciplines and this highlights the need for a fully integrated approach to hazard
management.
The need to provide measures to maintain integrity during maintenance and

decommissioning of the installation should be considered at the design stage.
These may include provision for:
− draining down of vessels and the entire hydrocarbon containing system;
− isolation, decontamination, purging and removal of pipeline risers and

piping;
− draining, decontamination and removal of oil storage tanks;
− suspension or abandonment of wells;
− inert gas or flushing systems.

5.3.2 Ignition Prevention
The aim is to prevent the ignition and sustained combustion of solid, liquid and
gaseous fuels. This includes reduction of ignition sources and the selection of
materials that are less likely to be ignited or sustain combustion. The selection of
materials and specification of appropriately classed equipment falls within the
design remit but operational controls are needed to ensure that the selected
approach is implemented throughout the operational life of the installation.
The generic means of preventing ignition of minor releases of hydrocarbons is

the classification of areas according to the probability, type and potential size of a
release, the provision of suitable equipment in these areas, (Reference I.P.
Model Code of Safe Practice Part 15 Area Classification Code for Petroleum
Installations) the control of other sources of ignition and the specification of
materials which are difficult to ignite or do not sustain combustion.
Further reduction of ignition probabilities may be achieved as follows:
− avoid any unnecessary electrical equipment in the area;
− use suitably designed and approved electrical equipment for the

classification of the area;
− maximise the distance of any source of ignition from possible sources of

release;
− shutdown selected equipment on detection of gas;
− control hot work and spark potential activities;
− use non flammable or low flammability material;
− avoid fired heaters in proximity to hazardous areas;
− avoid processing hydrocarbons near their auto ignition temperature;
− control of hot surfaces;
− ensure adequate ventilation in the areas - see Section 5.6.3;
− prevent gas ingress into internal combustion engines and non hazardous
areas.
5.3.3 Reduction of a Flammable Atmosphere
The reduction of the likelihood of the formation and the size of a flammable gas
cloud will both reduce the possibility of ignition and any consequent explosion
overpressure or fireball. The following should be considered:
− locate hazardous plant in the open air;

− minimise congestion and ‘dead areas’ around likely leak sources;
− optimise natural or mechanical ventilation;
− reduce the distance from potential leak sources to the open air;
− control of the size of process areas.

6 Selection and Specification of Systems for Fire and

Explosion Detection, Control and Mitigation
6.1 Principles
Detection, control and mitigation systems should be selected and specified according to
the following principles:
i) The assessment of fires and explosions should be used to determine the need for a system.
ii) Each system should have a clearly defined role.
iii) Systems should be selected and specified to provide an appropriate balance between
prevention, detection, control and mitigation.
iv) Systems should be resourced with regard to the risks from the particular hazardous event
being addressed and their role and importance in reducing that risk.
v) Mitigation systems should be specified after taking into account the contribution from the
detection and control measures in reducing the extent and duration of the hazardous event.
vi) Systems should preferably be specified in terms of functional parameters, reliability,

availability and survivability.
vii) Systems should be capable of being operated, maintained, inspected and verified on the
installation. The design should therefore take these needs into consideration.
viii) Systems should be selected and specified after appropriate consultation with those
responsible for their use and operation.
ix) Systems which may introduce a new hazard, exacerbate an existing one or impair the
performance of another system should be avoided or the interaction should be addressed.
These drawbacks must not offset the risk reduction provided by the system, i.e. there should
be a significant overall benefit.
6.2 Selection and Specification Overview

The purpose of this section is to assist those responsible for the selection and
specification of detection, control and mitigation systems to select an appropriate
combination of measures. The arrangements selected to manage each identified
hazardous event should be such tat the risks to persons are reduced to a tolerable level
and to ALARP.
There are a number of options in the categories listed below. The provision of some
systems may eliminate the need for others in the same or different categories. The quality
of some systems will affect the need for, and standard of others.

In addition to the prevention measures discussed in Section 5, the categories are:
- detection and alarm measures to alert personnel and, where appropriate, to

actuate systems
- control measures to limit the scale of an event and avoid escalation to a major
accident;
- mitigation measures to minimise undesirable consequences of a major accident;
- emergency response and manual intervention.
Systems should be chosen with a full understanding of the likely hazardous events, their
means of escalation and the realistic expectation of the capability of the systems.
The fire and explosion assessment process described in Section 4 can be used to identify
where different systems may make a contribution and, by examining the frequency and
eventual consequences, the need for, and performance standards of the system.
The provision and quality of the prevention and avoidance measures may influence the
frequency of occurrence of an initial event. The consequences of this event will be
determined by the provision and effectiveness of the control systems. The provision of
mitigation systems will limit the consequences of escalation. Detection systems may be
used to initiate prevention, control and mitigation systems. The combined performance of
each of these systems will determine the overall risks to life. The provision and
performance of systems should be such that these risks are tolerable and reduced to
ALARP. The selection process should follow Fig. 3.1. The system options are discussed
in detail in Section 7. Evacuation, escape and rescue (EER) are dealt with in UKOOA
Guidelines on the Management of Emergency Response for Offshore Installations.
Each category may have both engineered and operational systems and may be either
specifically designed for a particular hazardous event or a generically applied measure
such as a code or procedure.
The selection of an appropriate combination of measures in a new design will require the
interaction of both designers and the Operator/Owner so that the relative contribution
from, and dependence on, procedural measures and engineered systems is fully
assessed and understood by all involved.
In the case of existing installations, all the measures should already be in place but the
relative dependence on engineered systems and operational measures should be
understood by those responsible for the systems and for the overall safe operation.
Factors to be taken into account in the selection and specification of systems include:
- severity of the eventual consequences;
- frequency and severity of the initiating events;
- the functional role of the system and the suitability of that system for the
fulfilment of that role;

- applicability to the circumstances in which they will be used;
- timescale and potential for escalation of an initial event to a major accident;
- limitations that the systems may place on operations and vice versa;
- hazards which may be introduced by the systems themselves;
- requirements for, and practicality of maintenance, inspection and testing;
- capital and maintenance costs;
- availability, suitability and applicability of alternative systems;
- performance of the combination of systems in meeting the risk criteria;
- any adverse effect that the system may have on hazards or other safety
systems.
Table 6.1 can be used as a suitable consistent method for describing systems to aid their
appropriate selection and specification. The Table can be developed for individual
systems so that there is a common "language" between designers, operators,
Operators/Owners, vendors, auditors, etc. Each of the topics in the table is discussed in
the remainder of this chapter.

Table 6.1 : System Selection and Specification
SYSTEM: ROLE:
Title of Hazard Management System Statement of purpose (6.3.2)
Suitability:(6.3.3) Applicability:(6.3.4)
A statement of the hazardous events A statement of the application, location and types
for which the system may be of equipment for which using the system, may be
suitable. appropriate.
Types/Variations:(6.3.5) Interactions/Limitations:(6.3.6)
The different types or variations Details of possible interactions resulting from the
available of the particular system. use of the system. The interactions could be with
plant, personnel or other safety systems. A listing
of any limitations of the system.
SPECIFICATION PARAMETERS
Functionality:(6.4.1) Reliability/Availability: Survivability: (6.4.3)

(6.4.2)
A listing of essential The parameters relating to
parameters relevant to The overall reliability/ hazardous events which the
functional capability which availability requirement. system may have to
should be considered when withstand or be considered
specifying the system to when designing or
fulfil its identified role. specifying the system.
6.3 Selection of Systems

The selection of safety systems from the range available will depend on the stage in the
installation life cycle. Refer to Section 3 for guidance on the timing and sequencing of the
selection.
For an existing installation, the safety systems will a]ready be in place. The assessment
carried out under the Safety Case will have identified those particular systems which are
important with regard to reduction of the risk from identified hazardous events and judged
their adequacy. It is advisable, initially, to concentrate any improvements on procedural
measures to prevent the occurrence or reduce the frequency and, thereafter, to consider if
further engineered systems are still required following the hierarchy listed in Section 2.3
and Section 6.2.

When an installation is modified, the principles of inherent safety should be applied.

Thereafter the provision of systems should be examined to determine if they are adequate
to address any new or changed hazardous events. The generic systems, design codes
and procedures would normally be the same as those already in place unless they are no
longer recognised as good industry practice. Any new systems should be chosen in line
with the hierarchy in Sections 2.3 and 6.2.
6.3.1 The Definition of a System
The extent of a system should be described so that its role and performance can
be defined. This may range from an overall system such as an active fire
protection system to a discrete part such as a deluge system. These may either
have a direct role in counteracting a particular hazardous event such as
preventing rupture of a vessel or a support role for these systems such as
firewater supply or fire and gas detection.
6.3.2 The Role of a System
The role of a system should be clearly defined by providing a statement of what

the system is intended to achieve. A system may be required for more than one
hazardous event and may also have more than one role, (e.g. a deluge system
can reduce oil burn rate, or prevent catastrophic rupture of a pressure vessel
under certain fire conditions). It should be clear how the system relates to its role
in managing each particular event.
6.3.3 The Suitability of a System
The systems chosen should be suitable for the role which they have to perform.
If a system is required to detect, control, mitigate or survive a fire or explosion, it

should be specified so that it is suitable for the range of hazardous events for
which it is to be used. These are identified in the assessment of fires and
explosions and it is important that they should be considered, as appropriate, for
the system.
in specifying a system, it may be appropriate to specify either the type of fire or

explosion, the release and combustion conditions or particular characteristics
such as:
For Fires:
− flame temperature;
− heat flux;
− flame velocity;
− type and concentration of products of combustion.
For Explosions:

− overpressure;
− pressure profile;
− drag force;
− missile velocity or energy.
Where practical, the system suitability should be verified by representative

testing. Care should be taken when extrapolating results or basing a design on a
purely theoretical analysis.
6.3.4 The Applicability of a System
Each system should be designed to ensure it can be installed, maintained and

tested effectively taking into account the working environment, access and site
conditions. It should not introduce undue maintenance and repair requirements
such that either the system will have limited availability or require
disproportionate resources on the installation to maintain it. It should not seriously
inhibit the day to day activities on the installation. A system should normally be
capable of fulfilling the role for the anticipated life of the installation providing that
the designated inspection, maintenance and repair requirements are carried out.
If this is not practical, or cannot be guaranteed, it should have a predetermined
lifespan at the end of which it should either be replaced or fully assessed to
determine the extension of that lifespan.
6.3.5 Types and Variations
There is a large variety of systems ranging from those operating on

fundamentally different principles to subtle variations between different
manufacturers. For example, there are a number of types of passive fire
protection systems including demountable panels and spray applied systems and
there are variations within these different options.
The choice of a particular type of system should primarily be based on the list of
parameters in Section 6.2 for selecting the system. These parameters should be
assessed for the full lifecycle of the system taking into account the effects of the
environment and site conditions. In considering the applicability, the ability to
operate, maintain and repair it should be given equal consideration to the initial
cost and ease of installation. Systems should, where possible, be simple and
robust to enhance their long term effectiveness.
6.3.6 Interaction and Limitations
System interactions are those characteristics of a system which may:
− introduce a new hazard;
− increase the frequency or consequence of an existing hazardous event;
− reduce the effectiveness or reliability of another safety system.

These should be identified and, where necessary, either an alternative safety

system selected or measures put in place to address the interactions.
Interactions include:
− increased direct risk to personnel operating, maintaining or testing the

system;
− increased numbers of leak points and breaches of containment due to the

addition and testing of process safety systems;
− increased explosion overpressures due to the obstruction caused by it or

ladders / walkways / scaffolding needed for its inspection, maintenance or
operation;
− corrosion caused by the system; for example due to deluge system testing
or increased by passive fire protection;
− corrosion due to increased saline exposure resulting from free ventilation

and open venting to reduce explosions;
− increased probability of ignition for example due to deluge water ingress to

electrical systems;
− limitations on inspection, maintenance and non-destructive testing of

plant, equipment or structure as a result of passive fire protection
materials or enclosures;
− deterioration of passive fire protection systems caused by repeated

removal for inspection of the protected plant;
− increased explosion overpressure caused by firewalls;
− reduced ventilation caused by ftrewalls;
− projectiles created by safety systems such as vent panels.
6.4 Specification of a System

Systems should be specified by identifying the critical parameters which define their ability
to fulfil the role and the likelihood of success. These parameters have been divided into
three groups: functionality, availability/reliability and survivability.
Different parameters will be required for different systems. In some cases numerical
values may be appropriate and in others they may be described qualitatively.

The designer and Operator/Owner must determine the performance standards for the
system. There is a balance between the extent of risk reduction and what is reasonably
practical in terms of cost and manning. Over specification of systems should normally be
avoided as this may misdirect expenditure and apply disproportionate resources to
particular hazardous events or particular safety systems. It may also introduce over-
complexity and detract from the system’s reliability.
6.4.1 Functional Parameters
These are the parameters which define whether or not a system will fulfil its role
and its effectiveness. A list of parameters is given in Sections 6.4.1.1 to 6.4.1.9.
Each system should be examined to identify which of these parameters are
needed to define functional specification. These may then be used as the basis
of design, for initial verification that the identified role is fulfilled and for continued
verification during the life of the installation. They represent the minimum
acceptable performance standard to be achieved during routine testing. Failure to
achieve this performance would require remedial action or justification.
6.4.1.1 Fire or Explosion Type and Characteristics
It may be appropriate to define either a particular hazard condition or a

characteristic as described in Section 6.3.3, whichever is more suitable
for system specification or verification. It may also be necessary to
define a maximum fire size or explosion overpressure (for protection) or
a minimum fire/gas cloud size (for detection) in accordance with the
design accident loadings or boundary.
Where a system has to detect, extinguish, suppress or protect against

one or more particular hazardous event, it should be specified so that it
is effective for all these events.
6.4.1.2 Coverage
This is a definition of the equipment or areas to which the system is

applied. It may be a list of equipment, a discrete part of the installation or
a part of a module.
6.4.1.3 Response Time
The response time should be considered for all active systems which are
required to respond to emergency or hazardous events. The time should
be taken from the start of the event until full functional performance is
achieved. It is not necessary to set response times for the individual
components as it is the system response which is important. However,
individual component responses may be useful as an aid to system
confirmation through component test.
The time taken to detect an event should also be taken into account in
determining the systems overall response time.

6.4.1.4 Duration
Duration is the length of time during which a system is required to

operate to fulfil its role until the hazardous event is adequately reduced
or persons moved to a place of safety.
6.4.1.5 Logic
Logic is the sequential activation of parts of a system to cause it to

operate in accordance with its role. As well as ensuring actions it can
also prevent actions until certain others have taken place.
6.4.1.6 Sensitivity/Preset Values
Systems which are required to operate at a particular level should have

this value defined, together with the acceptable limit of tolerance. This
can apply to preventive measures which alarm or operate when
equipment or process characteristics deviate from their design or
operating specification and to detection systems which alarm and
possibly actuate control and mitigation systems.
6.4.1.7 Flow/Application Rates/Concentration
This applies to active systems where a minimum or maximum flow,

application rate or concentration is required to fulfil the defined role. It
should be clear whether or not it includes an allowance for losses during
the application of the fluid, for example, loss of deluge water due to
thermal effects, or losses after application such as gaseous
extinguishing agent leakage from an enclosure.
6.4.1.8 Environmental Conditions
It may be necessary to specify the range of environmental conditions

such as air velocity, temperature, humidity, visibility or contaminants in
which a system is required to operate.
6.4.1.9 Failure Criteria
Where a system is provided to prevent a failure, this may have to be

defined by a particular characteristic. This may also be associated with
duration, as the role may be achieved so long as failure does not occur
within a specified time. Examples include a limiting structural steel
temperature in a fire, or impairment criteria within a TR which may be
defined as a limiting combination of heat, asphyxiant and toxic gases.
6.4.2 Availability and Reliability
It may be necessary to define the likelihood that a system will operate and fulfil its
role whenever required to do so.

The need to specify this criteria for a particular system should be determined
during the assessment of the fires and explosions and by the required risk
reduction from the system.
Systems provided to protect against those hazardous events which make the
greatest contribution to the total risk level will generally need a high reliability or
availability to ensure that they perform the necessary functions when required to
do so. Where there is a heavy dependence on a single safety system to reduce
the risks from a particular major accident, it may be appropriate to consider
duplication of the system to reduce the likelihood of failure on demand.
This criterion can be developed in three ways:
i) By identifying the required probability of success of a system in order to

achieve a given level of risk reduction. Based on this, the system can be
specified and designed to achieve the required probability of success. This
approach is generally only relevant when new systems are to be provided.
ii) By reviewing the design of an existing system and assessing the probability
of successful operation. This approach is most relevant to existing
installations.
iii) By applying a generic classification such that the systems are ranked in
accordance with industry practice, standards, codes or by internal company
standards.
The ranking of systems may be variously described as System Integrity Levels,

Criticality Ratings or Safety System Categorisation. One approach is given in
Appendix 2. These ranking systems should ensure an expected probability of
success by predefining the parameters given below. It has the advantage that it
can clearly identify the most critical safety systems on the installation so that due
attention can be paid to them. It can also demonstrate the relative importance of
different types of safety systems. It is used to apply a standardised approach for
design, construction and operation to systems in the same category avoiding the
need for individual assessment of each system. It has the disadvantage that it is
well developed for some types of system - e.g. Instrumented Protection Systems
but not for all the prevention, control and mitigation systems. Applying a ranking
system to one group of systems in isolation should be treated with care to avoid
over specification or over concentration on these systems.
Whichever approach is chosen the following parameters should be defined or

assessed:
6.4.2.1 Design and Build Quality
The long term reliability of the system will be reflected in the quality of
the components, sub systems and in the design.

The components should be suitable for long term exposure to the

environmental and operating conditions either through their design,
material qualities or their protective coatings or enclosures. They should
have a proven reliability which may be demonstrated by appropriate
representative inspection and testing during design and manufacture.
The design should integrate the components into an effective system

which achieves its functional performance standard throughout its life.
There should be clear design responsibility for the whole system where
components and sub systems are sourced from different suppliers and
different parties carry out parts of the design All parties involved in the
design should be competent and have a clear understanding of the
purpose and functional requirement of the whole system. Systems
should not be over complex or enhanced with features which are not
essential to the fulfilment of the role. Adequate integrated operating and
maintenance information about the whole systems should be provided
for the operator in order to overcome failures due to lack of
understanding.
The whole system should be commissioned and subject to full

representative testing of the functional parameters to verify that it fulfils
its role and will continue to do so throughout its life providing it is
maintained and tested to a given schedule.
6.4.2.2 Maintenance, Inspection and Testing
All safety systems should be inspected, tested and maintained to a

particular standard at predetermined intervals by competent personnel.
These intervals will be determined by the required probability that the
equipment will not have an unrevealed fault (e.g. would not start or
continue to operate when required). These intervals and standards
should be determined after taking into account the required reliability or
the criticality of the system, historical information on the likelihood of
failure, known causes of failure and the environmental conditions.
6.4.2.3 Non-Availability (Downtime)
Systems may not be available because of maintenance, testing, repair,

breakdown or impairment while other unrelated activities are being
carried out. They may also be partially impaired during some activities
such that the functional parameters may not be fully achieved; for
example a system may be switched to manual from automatic thereby
extending its response time or scaffolding may limit the coverage of
deluge and optical fire detection systems.

There should be clearly defined limits for the periods when a system
may be out of commission. In some cases, it may be appropriate to have
duplicate systems or to shutdown or curtail hazardous operations
whenever a system is not available. In others, it may be appropriate to
set a maximum continuous period when a system may be disabled or a
maximum cumulative downtime over a given period such as a year. It
may be appropriate to set controls on hazardous activities in areas
covered by the safety systems which are not available, or to have
contingency measures to provide alternative cover.
In the circumstances where the functional performance of the system

may be impaired by activities in the area, such limitations should be
identified and assessed. Where necessary, controls on hazardous
activities or contingency measures should be considered.
6.4.2.4 Actuation
The method of actuation of a system may influence the probability that it

will operate. It may be automatic (e.g. from a fire and gas detection or
process instrumentation signal) or manual (e.g. a remote operation from
a control room or an external walkway or local to the equipment such as
a valve handle).
With automatic systems, the probability will depend on the reliability of

the detection and of the interface logic and systems between it and the
system. Where practical, full functional actuation tests should be can-led
out between detectors and the system. Where this is not practical,
representative tests of all the links and the logic of the system should be
undertaken.
For manual action the probability will depend on; the availability and
capability of personnel at the time of the initial event, the reasonable
expectation of their performance in an emergency, other duties which
they may have to perform and accessibility to the actuation point in the
emergency. Where such actions are critical, they should be documented
in emergency procedures, competent personnel specifically assigned to
the task and the actions simulated in exercises.
6.4.2.5 Duplication
Duplication will normally only need to be considered for those systems

where it may not be acceptable to continue operations when a system or
part of it is disabled, It may also be considered where part of the system
is damaged in a fire or explosion - see Section 4.6.
Duplication is likely to add significantly to the system cost and it may

also add to the vulnerability and complexity of the system. It should only
be used where the reliability and availability of a single simple system is
not sufficient to achieve the required risk reduction.

In some cases, a system may have a variable demand, for example,

firewater supply. With multiple pumps, there may be effective duplication
for smaller incidents but the total capacity may be needed for larger
events. In these cases, this should be fully documented and, where
necessary, analysed, to ensure that the systems can deliver the required
functional performance for the different events and provide adequate
availability and reliability for the frequency of the particular events.
6.4.2.6 Diversity
Diversity is the provision of different type components such that they are
not vulnerable to similar failure mechanisms. This would overcome any
common mode failure associated with one manufacturer, design or
maintenance activities.
Diversity would normally only be considered if there was a total

dependence on one system to prevent a major accident and a very high
reliability was required from that system.
6.4.2.7 Over Complexity/Operability
The overall reliability of a system may be impaired if the level of

complexity raises the numbers of components that can fail or makes it
difficult to operate and maintain. Any reduction in reliability through the
addition of system features or enhancements should be identified and,
where necessary, justified. It may be necessary for designers to consult
with the Operators/Owners to determine an appropriate balance
between dependence on complex engineered systems and on
installation personnel. Where complex systems are provided,
documentation should be sufficient to enable them to be operated, and
maintained effectively.
6.4.2.8 False Alarms/Spurious
Systems which are subject to false alarms or spurious operations due to

their oversensitivity, poor design or response to normal installation
activities are likely to lose the mast of the Operators. As a result they are
more likely to be locked out and have reduced availability. Designers
should seek to overcome this by talcing account of all foreseeable
operation and maintenance activities. Systems should be operable
under these conditions where practicable. Where such problems
become apparent during operations, alternative arrangements should be
considered to reduce risks.

6.4.3 Survivability
The exposure of parts of control or mitigation systems to a hazardous event is

identified by the assessment process, see Sections 4. S to 4. 7. The need for that
system to survive the event should be determined by examining the likelihood of
the system failing and the frequency and consequence of the escalation without
its contribution. Safety systems such as ballast control systems on a floating
installation should also be considered. Survival is important only where that
system is specifically needed to counteract the hazardous event which causes its
failure or to preserve life during and after the event. Protection may be achieved
in four ways:
i) by re-locating the system so that it is not exposed to the hazardous event;
ii) by constructing the system so that it has sufficient inherent resistance to

withstand the event;
iii) by shielding the system with fire or explosion protection;
iv) by providing redundant components which are widely separated so that

sufficient parts of the system remain operable.
In a new design, systems should be positioned following an assessment of the

hazardous events so that exposure can be reduced.
Where a system is duplicated, it may be necessary to locate duplicated

components or sub systems m different areas with alternative routings for
distribution systems such as cabling and firewater systems. Duplication will only
increase survivability if failure 5T the duplicated component does not cause total
system failure or the damage can be effectively isolated and the system
reinstated during the emergency. The latter requires a method of determining the
location and extent of the damage, access and availability of competent
personnel. Those persons responsible for emergency response should confirm
that it would be practicable to reinstate the system during an emergency - see
Section 4.6.
Where protection is provided, the characteristics and severity of the event should
be defined and the system or enclosure designed to withstand it.

7 Guidance on Systems for the Detection, Control and

Mitigation of Fires and Explosions
7.1 Detection Options
Detection measures can be used to identify hazardous conditions on the plant such as
excess process pressure, an unignited release of flammable gas or a fire. Detection
should provide information to personnel to enable them to identify and, to a limited extent
assess the nature and magnitude of the hazardous event. This enables control or
mitigation measures and emergency response to be initiated. This section does not
address the detection of incipient hazardous conditions. such as corrosion. This is
addressed in Section 5.
The need for detection systems is identified in the assessment process and also by the
need for particular systems to be actuated. Detection systems may range from visual
inspection only, to a filly automatic system which integrates into the installation emergency
shutdown system. The degree of sophistication and sensitivity will depend on the
likelihood of the occurrence and the consequences of it either remaining undetected or
there being a delay in detection. Particular attention should be paid to the selection of a
system with respect to the conditions and characteristics of the hazardous event (Section
6.3.3) and the environmental and operating conditions in the area. The following
parameters should be determined when specifying the system; coverage (Section
6.4.1.2), response time (Section 6.4.1.3) and sensitivity (Section 6.4.1.6). Where control
action may be initiated, the logic should also be specified.
The following detection options may be considered for the particular roles.
7.1.1 Process Monitoring
This will identify deviations outside the normal operating envelope which, if
allowed to continue or deteriorate, could cause failure of the hydrocarbon
containment system. It may include detection of pressure, temperature, level or
composition. In using this updated Fire and Explosion Guidance, the results of
the fire and explosion assessment process should be used to determine the
demand rate of the system. Further guidance will be given in UKOOA Guidance
for Instrument Based Safety Systems (to be published in 1995).
7.1.2 Fire Detection
The fire detection systems should be suitable for the identified fire types and their
combustion characteristics. The following types of detection may be considered.
7.1.2.1 Optical Flame Detectors
These may be of either the ultraviolet or infra-red type or a combination.

In selecting, specifying, locating and maintaining the system, attention
should be paid to the following:
− nature of the fire type and combustion characteristics;

− location and size of fires which require detection;
− obscuration by equipment and temporary obstruction;
− obscuration/effectiveness in smoke;
− reduction of performance e.g. with dirty lenses;
− the ability to perform representative function testing on site;
− false alarms e.g. those due to welding, hot surfaces, sun or flaring
(both direct and reflected);
− the need for, and control over, lockouts;
− the detection of fires outside the area resulting in other control

actions, e.g. deluge actuation due to flame extension from
adjacent modules.
7.1.2.2 Heat Detection
These may be either point or linear detectors and operate on electrical,

pneumatic or hydraulic systems. They can be used to actuate control
systems directly through loss of pneumatic or hydraulic pressure, or by
electrical contacts. In selecting, specifying and locating the system,
attention should be paid to the following points:
− the location of the primary fire sources;
− the location of the detectors with respect to the size of fire which
requires detection;
− the movement of the flames and hot combustion products taking

account of ceilings, obstructions and ventilation;
− the required actuation temperature.
7.1.2.3 Smoke detection
Smoke detection may use point optical or ionisation sensors or it may

assess the obscuration of a beam. It can give early warning of the
incipient stages of a fire.
The following points should be considered in selecting a system:
− the type and quantity of the products of combustion (POC)

emission from the identified fires;
− the suitability and sensitivity of the detector to that type of smoke

or POC;

− the alarm level, taking into account the associated levels of other
potentially more dangerous products of combustion such as
carbon monoxide;
− the likely time to detection and the response time, taking into
account the time to impair personnel or the TR;
− the ventilation regime and the associated movement of smoke or

POC. (Note: the design codes used should be appropriate and
take into account any forced ventilation.)
7.1.3 Gas Detection
Gas detection systems commonly employ point and beam type detectors which
use the infra-red absorption or catalytic sensor principle. Other technologies are
required for certain hazards, e.g. electro chemical, semiconductor sensors for
hydrogen sulphide.
Point detectors are normally deployed in congested areas of plant or in air intake
ducts.
Beam detectors are most usefully employed to monitor the open spaces around
congested plant, where the main air flows will carry a plume of released gas.
They may also be used in large ducts.
The following points should be considered when selecting, specifying, operating

and maintaining these systems:
− the location of possible releases;
− the type of gas;
− the shape, movement and extent of the resultant gas cloud taking into
account ventilation systems and obstructions;
− the consequences of ignition of the foreseeable range of gas clouds;
− the sensitivity of the system; the size, concentration (if appropriate) and
location of the gas clouds;
− the effects of dust, chemicals and the environmental conditions on the

effective life of the sensor (this is particularly important for catalytic gas
and H2S detectors);
− obscuration of the detectors (beam type);
− effects of contaminants on lenses and reflectors (beam type);
− limitation of the local air flow, e.g. by temporary enclosures (point types);
− over-sensitivity (beam type).

7.1.4 Flammable Liquid Release
There are few systems which have been specifically designed for this purpose.
However, there may be a number of measures which may indicate that an
unintended release of hydrocarbons has occurred. These include:
− low level alarm in process vessels and storage tanks;
− high level alarms in the open drain systems;
− oil mist detection;
− seal leakage alarms in double seal pumps;
− visual inspection.
7.2 Control Options

Control measures are the means of planned intervention to contain a developing situation
and hence limit escalation. This includes systems which prevent fires or explosions from
spreading to other areas, causing further significant release of hydrocarbons or increasing
the fire load. The specification of such active and passive fire protection measures is
covered under mitigation systems. Specific control options are listed in Sections 7.2.1 to
7.2.7.
For active control measures, process and/or fire and gas detection systems are also
required to activate these systems either manually or automatically.
The control systems can limit the following:
- quantity of inventory released;
- rate of release and size of the fire;
- intensity of the fire or explosion;
- spread and burn rate of a fire.
These systems offer greatest scope for limiting the size and scale of an incident. This is
preferable to accepting the size of an event and providing an excess amount of protection
to mitigate its effects.
During quantification of the characteristics of the fires and explosions, the effects or
contribution of each of these systems would normally be taken into account. The
escalation analysis should indicate the scale and consequence of the events if these
systems do not work. The difference is the contribution of the particular system. These
systems are normally included in the design and specified according to standard codes
such as API RP 14C or API RP 520. However, these codes only take into account a
nominal consideration of the hazardous events before defining the system requirements
and this provision may be optimised to further reduce risks.

The particular contribution of each system is as follows:
7.2.1 Emergency Shut Down (ESD) Systems
An effective ESD system will limit the inventory released in an incident and
therefore the size and duration any resulting fire. The location of the ESD valves
will determine the areas where each particular inventory could be released.
7.2.2 Depressurisation Systems
These systems reduce the pressure within a system and in doing so dispose of a
portion of the inventory and, if the integrity of the system has failed, reduces the
release rate of the remainder. In the case of pressurised liquid releases this
reduces the fire intensity by causing spray fires to change into running or pool
fires. These may be controlled by bunding and drainage systems and possibly
even be extinguished.
It is important that the flare system design should take into account emergency
depressurisation events and recognise that its failure could lead to a release of all
the gaseous inventories from a failed section.
Gas and fire detection systems covering areas containing primarily flare system
components such as liquid knockout vessels should not cause automatic
depressurisation on detection.
7.2.3 Liquid Inventory Disposal
These systems are not in common use offshore but they are a means to be
considered in seeking to limit the available inventory. Disposal to the sea has
significant environmental implications which need to be carefully considered and
taken into account. Disposal to a safe reservoir may be considered. Any such
system should taken into account any dissolved gases in the liquid to be
dumped. Inventory disposal should not normally be considered unless the
benefits significantly outweigh the inherent hazards and vulnerability of the
collection, disposal and recovery system.
7.2.4 Bunding and Drainage Systems
Bunding and drainage limits the size of a liquid release and location and size of a
pool fire. The extent of bunding should take account of any liquid trajectory from
the points of release. Bunding drains should be capable of collecting and
disposing of all or most of the hydrocarbon release and the applied firewater.
7.2.5 Well Control Systems
These can reduce and control the likelihood, rate and location of release of fluids
from a well. They include Christmas trees, downhole safety valves, blowout
preventers, mud systems and diverters.

7.2.6 Explosion Control
Explosion control may include the following:
− limitation of the size of the flammable gas cloud - see Section 5.3;
− design of layout and obstructions;
− blast relief vent panels;
− blast resistant walls;
− reduction of potential flame propagation distances through congested

volumes;
− suppression systems.
In addition the need to control escalation should be considered.
The considerations for these systems include:
7.2.6.1 Layout and Obstruction
The layout of a module should be designed to reduce the maximum

over-pressure which could be achieved. Detailed guidance is given in
the SCI Interim Guidance Notes but the following points should be
considered:
− arrange ventilation to reduce the likely build-up of the most

probable releases;
− reduce number of ignition sources;
− keep ignition sources near to the ventilation openings;
− reduce congestion;
− where possible, align equipment and vessels parallel to the

direction of venting;
− minimise obstructions across openings in the module boundaries

both during design and operation;
− maximise venting capability, where possible, particularly in floors

and ceilings by, for example, using grating (See Section 7.2.6.3);
− restrict module aspect ratios.

7.2.6.2 Blast Resistant Walls
These should be designed to withstand a specified explosion

overpressure and blast pulse. The following should be considered when
specifying blast walls or assessing the adequacy of existing walls:
− deflection of the wall;
− effects on and of equipment on the other side, particularly items

supported on the wall;
− continued effectiveness of any passive fire protection;
− method and extent of failure (missiles, etc.);
− integrity of penetrations such as doors, pipes and cables;
− transfer of load to the primary structure
7.2.6.3 Vent Areas
These are designated openings through which the explosion can vent.
They may be open or covered by specially designed vent panels or
normal cladding. These can limit the maximum overpressure and ensure
preferential venting in a particular direction. A range of panel types are
available including those with fire ratings from both sides, and
reclosable, retained and free types. In specifying such a system, the
following points should be considered:
− the relationship between the mass of the panel and its ability to
efficiently vent an overpressure within the timescale of the
pressure pulse;
− the initial breakout load of any panel or cladding;
− verification of the breakout load throughout the life of the panel;
− the effects of venting through openings or panels on other areas

such as escape routes;
− the maintenance of a clear vent path on the outside;
− the external effects of the flame front progressing through any

unburnt gas which is ejected through the vent;
− the effect of the vent on the gas flow and flame propagation
direction.

7.2.6.4 Preactivated Suppression Systems
These are suppression systems which are activated on detection of gas

and maintained while the gas is present. They can include inerting gas
systems, chemicals which interfere with the combustion process and
water spray systems. The following should be considered in specifying
such systems:
− the concentration required and distribution of the agent;
− the rate of flammable gas build-up and the speed of response of

the gas detection and suppression system;
− the maintenance of an effective concentration during the period of

gas release and dispersion;
− possible increased risk of ignition caused by the system, for

example by static discharge or a water system causing an
electrical short circuit;
− the likely explosion characteristics (low/high velocity) and the

suitability of the system for those characteristics;
− the speed of response to achieve effective coverage.
7.2.6.5 Reactive Suppression System
These are suppression systems which are released following sensing of

an explosion characteristic such as flash or pressure pulse. The
detectors of these systems are often highly sensitive and may be
susceptible to accidental activation. This could be overcome by
pre-arming them with a signal from the gas detection system. The
following should be considered when designing or assessing a system:
− the speed of detection of a gas release;
− the sensitivity of detectors taking into account the unpredictability

of the point of ignition and its obstruction by plant or temporary
equipment;
− the speed of response from detection to effective agent distribution

(this must be greater than the flame/pressure front);
− the explosion characteristics and flame propagation velocity;
− continued protection following suppression and continuing gas

release.

7.2.6.6 Design to Prevent Escalation
This covers both structural integrity as described in Section 7.2.7, and

the integrity of the hydrocarbon containing plant. Where explosions
could cause failure of vessels, valves, piping or instruments which may
lead to a further major hydrocarbon release, their effects should be
reduced or, alternatively where reasonably practicable, structures and
plant reinforced or protected to withstand the loadings. The following
points may be considered in addition to those suggested in Section 5:
− the location of instruments, piping and ESD valve actuators away

from explosion vent paths;
− the adequacy of pipe and vessel supports;
− the securing of pressure vessels so that the fixed end support

points towards the explosion source thereby seeking to avoid the
rotation of the vessel around the fixed end support.
7.2.7 Structural Integrity
The maintenance of the integrity of the structure can reduce the escalation
described in Sections 4.6.2 and 4.7. This may be for either direct support, such
as that providing stability or for plant which may collapse on to or against
equipment. Particular failures which should be addressed include:
− loss of integrity leading to a major or continuous hydrocarbon release, e.g.

riser, well, fuel storage, separator and flare system;
− loss of support of large structures, e.g. derrick and flare;
− loss of support of the TR;
− loss of support of safety system components.
Strategies to maintain structural integrity in the event of fire and explosion

include:
− limiting the exposure of critical structural components to fire and explosion

conditions (e.g. by suitable location);
− physical protection (e.g. by active means such as water deluge or passive

means such as insulation);
− provision of inherent strength such that the resultant deformation when

exposed to the design fire and explosion loadings is unlikely to lead to
escalation;
− provision of sufficient overall reserve strength so that even though an

identified structure fails it should not result in escalation.

The following should be considered when determining or assessing the level of

structural integrity:
− failure criteria such as steel temperature, deflection (both elastic and

plastic) and the remaining strength at the anticipated temperatures;
− verification of the initial build strength;
− inspection to determine any deviation from the original strength.
It may be necessary to evaluate the response of the structure to fire and

explosion events to determine where failures may occur and which strategy(s) to
adopt. The following points should be considered:
− the potential for failures to lead to escalation;
− the overall structural response to larger hazardous events;
− the actual exposure to fires and explosions taking into account obstruction
and realistic combustion conditions;
− the effect of protection systems;
− overall and local loads, e.g. direct loads on blast walls and blast reaction
forces on modules and topsides, including loads arising from thermal
expansion, changes of stiffness and any redistribution of externally applied
or internally transmitted loads;
− dynamic response, both local and global. This is most likely to result from
explosions, but could also result from localised structural failure and rapid
load re-distributions;
− the combined effects of other loads, having regard to the likelihood of

concurrence.
7.3 Mitigation Options

This Section discusses the choice and specification of systems to protect personnel and
equipment from a range of fires and explosions. For the purposes of this document, it
includes all fire protection systems including those to control escalation by protecting
plant. Explosion protection is covered under Section 7.2.6. The equipment and structure
which could be exposed for long enough to cause impairment or failure is identified in the
consequence analysis - Section 4.6. This analysis also identifies the type of fire or
explosion and the loadings.
Systems should be selected on the basis of suitability for each hazardous event and
applicability to tie operational conditions taking due account of interactions with other plant
and systems; see particularly Sections 6.3.3, 6.3.4 and 6.3.6.

7.3.1 Active Fire Protection
These are systems which require to be activated in order to perform their roles to
extinguish or limit the effects of fires and explosions. The roles of commonly used
systems are listed below together with specific points which should be considered
during their specification, design, operation and maintenance.
7.3.1.1 Fire Pumps and Distribution of Fire
The role of the fire pumps and distribution system is to supply sufficient
water to the various systems and outlets to allow them to perform their
role.
The functional parameters will be flow, pressure, response time and

duration. These will be derived from the range of hazardous events and
different demands for each one. In some cases, it may be necessary to
carry out a “scenario analysis” for a selection of the larger hazardous
events where a combination of demands may be required. These
demands will determine the flow and pressure envelope for the pumps
and ringmain, and the response time and duration parameters. For
example a small flow with a rapid response but limited duration may be
required for a helideck foam system whereas a large flow with slower
response and prolonged delivery may be needed for a major process
fire.
7.3.1.2 Water Deluge Systems
Water deluge systems may have a range of roles in fires, - see Section
7.2.6 regarding explosions including:
− the protection of structural integrity;
− the protection of hydrocarbon plant to prevent further release of

hydrocarbons;
− the reduction of the burn rate of hydrocarbon pool fires;
− the reduction of flame and module temperatures;
− the extinguishment of heavy oil pool fires by emulsification;
− the control of the movement of smoke and flame (water curtains)
− the reduction of radiation;
− the prevention of catastrophic rupture including BLEVE.
The system should be suitable for its intended role. In the case of
existing systems, the effectiveness of the system in achieving the
identified roles should be reviewed. The following factors should be
considered:

− the suitability for the fire type and its characteristics;
− the effectiveness in the anticipated conditions, e.g. wind;
− the coverage of the plant and the location of the nozzles with
respect to it - see Section 6.4.1.2;
− the droplet size, velocity and effective application rate - see

Section 6.4.1.7;
− the safe drainage of the water and any associated hydrocarbon

liquid;
Standard design codes, application rates and parameters should be

checked to ensure their suitability for the hazardous events and chosen
role. The method of actuation should be appropriate for the likelihood
and severity of the hazardous event - see Section 6.4.2.4.
7.3.1.3 Foam Systems
Foam may be used either as an extinguishing or vapour suppression

system. A deluge system may be enhanced by adding foam concentrate
to improve the probability of extinguishment or to further reduce the burn
rate in pool fires. Aspirated foam can also prevent ignition of an oil spill,
suppress vapours and secure a flammable liquid following
extinguishment. The design of the system should reflect the chosen
roles and address the following:
− the effective coverage, spread and application rate with respect to

the anticipated location of the liquid hydrocarbons;
− the type of foam, application rate, aspiration and concentration

with respect to the fuel type;
− the life of the foam (water retention and drainage);
− the duration of application.
7.3.1.4 Helideck Systems
The need for a fixed extinguishing system will be determined by the

number of flights, the likelihood of a crash and the practicality of
providing an effective system given an installation infrastructure (water
supplies) and anticipated manning. The primary role of the helideck
system is to save the lives of the passengers in a crashed aircraft. In
doing so, the helideck crew should not be unnecessarily exposed to
aircraft activity and crash debris.
If a system is specified, the most common is the use of foam monitors.

The particular points in Sections 7.3.1.3 and 73.1.7 should be
considered in addition to the following:

− the speed of control and extinguishment compared with the

survival time of the occupants of the aircraft;
− security following extinguishment (the maintenance of an effective

foam blanket) and during rescue of trapped personnel.
More detailed guidance can be found in the UKOOA Guidelines on the

Management of Helideck Operations and the Civil Aviation Authority
Guidelines CAP 437 - Offshore Helicopters Landing Areas: A Guide to
Criteria, Recommended Minimum Standards and Best Practice.
7.3.1.5 Sprinklers
Sprinklers can be used for accommodation, office/utility or storage

areas. They are unlikely to have adequate response to protect personnel
from the immediate effects of an initial incident but can be used to
prevent escalation and to limit damage. In selecting a system the
following should be considered
− the suitability for the types of fire which may occur and the choice
of the appropriate design code;
− the location of the sprinkler heads/detectors to ensue actuation by

the heat plume from the anticipated fires;
− the effective coverage of the hazardous events;
− the restriction of coverage onto particular unsuitable types of fires

(deep fat flyers, etc.).
7.3.1.6 Fixed Extinguishing
Fixed extinguishing systems (in addition to sprinklers, foam and deluge)

include gaseous agents, dry powder and water mist systems. Systems
should be selected according to the following:
− the suitability for the types of fire;
− their effectiveness in the particular environment and ventilation

conditions;
− their ability to maintain post extinguishing security, particularly if a

gaseous explosion may occur;
− the safety of personnel.
Halons should not be specified on new installations see OGP (formerly

E&P Forum) Guidance on Halon Free Fire Protection. Where such a
system already exists, see UKOOA Guidelines on Halon Firefighting
Equipment and Systems, and UKOOA Guidelines on Halon Utilisation,
Removal and Disposal.

Recent developments in extinguishing systems should be carefully

scrutinised to ensure their suitability and applicability. Where there are
no recognised approval or design standards, the effectiveness should be
demonstrated by representative testing.
7.3.1.7 Manual Response
This may be appropriate for the majority of smaller fires. It requires a

combination of sufficient suitable equipment and competent personnel.
The following equipment may be considered:
− extinguishers;
− hose reels;
− fixed and portable monitors;
− hydrants, hoses, water and foam branch-pipes.
In specifying and arranging the equipment, the following should be

considered:
− its location in a safe position with respect to the hazardous event

so as to organize an effective response;
− training and leadership of specialist emergency response

personnel;
− the safety of emergency response personnel including the

provision of sufficient appropriate clothing and breathing
apparatus.
While most of these arrangements have limited capacity with respect to

the size of fires, fixed monitors may have a role in larger incidents such
as the control of smoke movement or blowouts. They can also be
effective in open areas such as the top deck and used to perform or
support some of the roles of deluge systems. They should be carefully
located, taking into account the effects of smoke and radiant heat, when
considering Operator access.
Aspects of manual response should also be addressed in the

preparation of the emergency response plan. This may include the
provision of trained personnel with breathing equipment for search and
rescue and the assistance with evacuation in fire conditions. See
UKOOA Guidelines on the Management of Emergency Response for
Offshore Installations.

7.3.2 Passive Fire Protection
Passive fire protection can be used to limit the effects of a fire, to prevent
escalation through critical failures as identified in Section 4.6 or to mitigate the
effects on personnel. Careful consideration must be given to any potential
reduction in safety due to increased bidden corrosion as a result of coatings or
lagging. The following may be protected:
− the TR;
− structural steelwork;
− process vessels and their supports;
− walls;
− valves and actuators;
− risers;
− safety systems and plant.
There are a range of available systems including spray or trowel applied

coatings, panels, tiles and enclosures. They should be selected and specified by
considering:
− their suitability for the fire type;
− duration of the protection in the specified fire;
− failure criteria of the protected item;
− practicality of their application and repair;
− operability and inspection of the protected item;
− corrosion of the protected item;
− resistance to wear and tear;
− the ability to remain effective following explosions;
− their anticipated life.

8 Implementation And Verification

The essential information from the FEHM process must be communicated to operations
personnel. This enables responsibilities to be identified, competency assessed and the
safety systems maintained and tested to verify tat they meet their functional, availability,
reliability and survivability performance standards.
The use of the word verification in this guidance does not imply the application of the
scheme of verification developed for the Design and Construction Regulations / Safety
Case Regulations.
8.1 Communication
There must be adequate communication and documentation from each stage of a project
to the next so that the hazard management decisions are understood, recorded and
auditable. One way of achieving this is by summarising the key information about the
management of the fire and explosion hazardous events on the installation.
Such a summary may be incorporated into the documentation for the management of
hazardous events on the installation. An example is given in Table 8.1; the format and
layout should be developed to suit individual company needs.
8.1.1 Preparation of a Summary of the FEHM Process
Any summary should contain, in a brief and concise manner, sufficient

information to demonstrate that all major hazardous events relating to the
installation have been identified and considered and appropriate measures put in
place to prevent, control and mitigate potential consequences. It should include a
listing of the primary fire and explosion hazardous events (e.g. separator fire).
For each of these major hazardous events, the information may include:
− a description of the hazardous events, an indication of their likelihood and

their consequences;
− a list of the prevention, control and mitigation measures for the particular
hazardous events;
− reference to operational management (personnel) systems, e.g. permit to

work, needed to manage the hazardous event;
The summary should be a living document which in its simplest form may be a
compilation of tables similar to Table & I within this section. It should convey
information to all those who are responsible for operations, in a form which is
concise and easily read.

The preparation of summary information should commence at the design stage

when the major hazardous events are identified. As the project progresses, other
hazardous events may be identified, strategies selected and protective measures
specified. The summary information may need to be amended as new
information becomes available. The summary should also be included in the
Safety Case. Any summary information document should be periodically
reviewed and updated whenever there is a significant change.

78
Table 8.1:Example from Hazard Management Summary
HAZARDOUS STRATEGY ESCALATION FREQUENCY HAZARD MANAGEMENT SYSTEM
EVENT DAMAGE
PREVENTION CONTROL MITIGATION
Main Deck; Minimise Structural damage to Remote Standard hydrocarbon plant Limit the use of temporary Blast resistance of
Process Area overpressure utilities firewall procedures obstruction e.g. scaffolding structure, walls and
Vapour cloud separator supports
Possible missiles Optimise natural ventilation High vent area, limit congestion
explosion
Further release from Minimise/assess effects of any
HP & LP Separator permanent modification
Gas ingress to Prevent ingress Loss or damage to Improbable Control of modifications TR inlet gas detection to initiate Not appropriate
TR/utilities and ignition TR or utilities bringing gas release points ventilation S/D
closer to TR/utilities
Death or injury of Electrical isolation within
occupants Hydrocarbon plant TR/utilities
procedures and controls
applied to gas/live oil plant
within 30m of TR/utilities
Top Deck; Isolate, Low possibility of Occasional Standard hydrocarbon plant ESD system Emergency response
compressor gas jet depressurise structural weakening procedures procedures
Depressurisation system
fire and allow to
Control of heavy lifts Passive protection to
burn out. F&G Detection
flare structure
Personnel to ESD/depressurisation/F&G
shelter in TR lockouts
i) The format and layout of Table 8.1 is an example similar to one already in use. Each organisation should develop a specific
format and content suitable for their own needs
ii) The company SMS would identify and define responsibilities for specific hazard management activities.
iii) The table could be expanded to include the role; an indication of the importance (criticality) of each system; emergency
response actions; escalation potential; contribution to risk, etc. However the document should not contain so much information
that it is unmanageable
iv) Refer to Table A.2.1 in Appendix II for indications of frequency. These may be variable depending on the size of the incident.
Issue 2, October 2003

8.1.2 Operational Documentation
The following should be documented for the prevention, control, mitigation

measures, both hardware and software (as appropriate).
− specification criteria:
− functionality
− availability
− reliability
− interactions with other equipment
− survivability
− criticality;
− controls and limitations on operations during maintenance or non

availability of the hazard management systems;
− documentation of software/procedural measures;
− maintenance procedures and frequencies;
− inspection and test procedures/intervals.
8.2 Competence
Personnel should have adequate qualifications, knowledge, experience and training to
undertake their responsibilities. These include:
− managers;
− designers;
− those who control and implementation of procedural systems;
− those responsible for operation, maintenance and test of engineered systems.
Changes in the personnel or procedures should be reviewed to ensure that there are
sufficient competent personnel to continue to meet the responsibilities. The requirements
for competence are outlined in the OGP (formerly E&P Forum) Guidelines on “Health,
Safety and Environmental Management Systems”, Section 3.4.

8.3 Commissioning and Routine Testing

All systems should have a commissioning and operational plan encompassing the
inspection and test programme. This should be developed by the designers in conjunction
with the Operator/Owner (or by Operator/Owner alone in the case of existing installation)
in the light of the required role and specification parameters of the system. The
maintenance and testing requirements and frequencies should be determined from
Section 6.4.2.2.
Commissioning testing should be carried out, not only to verify that individual system
components meet the specification, but also that the performance of the system is
achieved. This includes the training of personnel in the inspection and maintenance, and
the use of systems in an emergency.
With new or novel technologies, particularly on critical systems, an enhanced

inspection/test programme may be needed during its early life to identify unexpected loss
of performance or failure.
The minimum functional criteria should be the level at which repair or change-out is
required.
8.4 Audit
Audit of the systems provided is advisable. This may be achieved either through a specific
audit of the management system, maintenance/training/test records etc.; an individual
examination of selected elements; or by the use of independent/competent personnel to
routinely verify all of the systems. Independent audit personnel may be provided by the
Operator/Owner or from an external organisation. If they are employed by the
Operator/Owner they should be independent of the line management for the installation
being audited. See “A Guide to the Offshore Installations (Safety Case) Regulations 1992"
8.5 Modifications
Any modifications to the installation either through an engineering change or a change in
the management system may affect the fire/explosion hazardous events on the installation
or the ability to prevent, control and mitigate them. The Operator/Owner should review
these proposed modifications to determine whether or not the systems provision should
be revised. Where revision is necessary the hazard management process as described
(Fig. 3.1) should be followed. The degree of modification and change will determine the
re-entry point in the hazard management process. In some cases only a minor alteration
to the performance of a mitigation system may be needed, in others such as a process
modification, it may be necessary to start at the beginning and review several design
concepts.

9 Special features for the Assessment of Existing

Installations
In the UK sector of the North Sea, it is a requirement (SCR) that significant changes to an
installation or its operation will necessitate the Safety Case being updated and in turn
requiring a re-assessment including the consideration of explosion hazards.
Even if an installation has not been modified or its use has not been changed, a re-
assessment is required every three years when the Safety Case is updated (triennial
submission). Existing mobile installations entering UK waters also require assessment.
The assessment of existing structures differs from the assessment of a structure during
design in three important respects, ie.
1. There is less scope for the reduction of the frequency of a release and scope for
mitigation of the severity of an explosion may be limited.
2. Intervention may give rise to an additional hazard which must be assessed.
3. Information may be available relating to expected explosion loads, structural and
equipment response from the detailed design or construction stage for the installation.
Information should be available from the previously submitted Safety Cases, Approved
For Construction (AFC) or as-built structural, piping and layout drawings, operational
structural integrity support computer models and design or post-design analysis reports of
the facility.
Use may be made of experience gained from the operation of an un-modified installation
and from similar installations. The computer data files and design reports should be
checked to confirm that they are a faithful representation of the present state of the facility
and that the methods used for explosion loading and response are currently acceptable.
Should modifications be necessary to improve the safety performance of the facility, then
the work to be undertaken should not in itself pose such hazards and risk to personnel
that this compromises the gains to be achieved by such modifications. All modification
work should be accompanied by hazard identification, assessment and other controls as
determined by the Safety Management System as well as method statements for their
implementation.
All temporary structures and equipment utilised during the modification work should be
removed as soon as practicable after completion of the work.
The HSE have indicated that it should be borne in mind that reducing the risks from an
existing plant to ALARP may still result in a level of residual risk which is higher than that
which would be achieved by reducing risks to ALARP in a similar, new plant. Factors
which could lead to this difference include the practicality of retrofitting a measure on an
existing plant, the extra cost of retrofitting measures compared to designing them on the
new plant, the risks involved in installation of the retrofitted measure (which must be
weighed against the benefits it provides after installation) and the projected lifetime of the
existing plant.

Therefore, it may not be reasonably practicable to apply measures retrospectively to

existing plant, that may represent good practice for new plant.
The overall individual risk and the TR Impairment Frequency (TRIF) from all hazards must
still be less than 10-3 per year. If risks are in this intolerable region then risk reduction
measures must be implemented, irrespective of cost.
The following sub-sections focus on the specific aspects relevant to the assessment of
existing installations.

9.1 Installation Risk Screening

It is recommended that a screening of an installation or compartment is performed giving
a low, medium or high risk classification for the facility. This may be achieved by using
information gained from previous explosion assessments or by following a prescribed
methodology. This will enable the efficient targeting of resources according to the risk
level of the installation and identify the important safety issues at an early stage of the
assessment.
The ALARP framework requires dutyholders to always seek to reduce risks, and only to
argue against implementation of a measure if it is not reasonably practicable. Here the
number of options available are likely to be limited. The assessment tools described in this
Guidance should be used to assess existing risk, rank different options, and review the
reasonable practicability of implementation of any proposed changes.
For existing installations, the individual risk (IR) per annum from fire and explosion events
will have been used in the demonstration of ALARP in the existing Safety Case for the
installation. The total IR will be a good indicator of the appropriate level of sophistication of
analysis and whether the installation is in the low, medium or high risk category. Proposed
modifications to the facility may result in changes to these IR values.
A low potential of loss of life (PLL) for the installation may not be a good indicator for
normally unmanned installations and ageing platforms with extended life, because of low
occupancy. However, assuming the risks to any group of individuals is acceptable, the
effort and cost involved in assessing risks and incorporating risk reduction measures
should largely be justified on the basis of the potential for reducing the overall PLL.
It should be borne in mind that the methods considered adequate for hazard mitigation
during preparation of a previous Safety Case may no longer be adequate or correct, as a
consequence of improved understanding of technical integrity behaviour and loading, or
new research.
Details of the existing Safety Critical Elements should be available enabling their
classification into categories 1, 2 or 3. The high level performance standards for the facility
should be defined or confirmed at this stage. The general approach should be to bring the
SCEs up to the same level of integrity taking into account the criticality or consequences
of failure and the difficulty in achieving the level of performance desired.
The number or proportion of existing SCEs vulnerable to explosion loads is also an

indicator of the risk category for the installation. The risk associated with TR impairment
under direct and indirect explosion loads combined with impairment of means of escape is
Key.
9.2 Explosion Hazard Review

For an explosion hazard, the first task to be performed is to review any previous hazard
reviews and the impact of any changes or new knowledge. This may involve design basis
checks and may also involve a survey of the installation.

A review should also consider which elements of the facility may be improved with respect
to inherently safer design principles and what additional measures may be taken to
improve the detection, control and mitigation of the explosion hazard. Fire hazard events
will usually be considered in parallel as some scenarios will fall into either class depending
on the ignition time relative to the release.
9.3 Scenario Definition

New scenarios relating to intervention/process change/changes in process operating
parameters will need to be identified and considered. New scenarios could arise during
preparation, performance of the modifications these should be identified before design
approval is granted. The scenarios considered during design may be materially changed
due to consequent changes in layout, confinement and congestion.
9.4 Prevent, Detect, Control, Mitigate

The most effective way of dealing with a hazard is to eliminate it. If this is not possible,
investigations into the means of reduction of the frequency of the initiating events should
be considered. Mitigation of the consequences should then be investigated. (see Section
3.3).
9.5 Determination of Explosion Loads

The explosion scenario used in the design of the facility may have been derived as a
worst credible event assuming a gas cloud of maximal extent with stoichiometric
composition ignited at the worst time in the worst position.
Where the design basis for overpressure determination does not take into account recent
developments (post 1997), re-calculation of the DLB and SLB overpressures and dynamic
pressures will be necessary using best practice as described in Section 3.4 and Chapter 5
of the Commentary.
ALARP arguments will need to be been used to justify new explosion loads and any
additionally required mitigation. It is recommended that a probabilistic arguments as
described in Section 3.4 and Chapter 5 of the Commentary should be used to develop
appropriate design loads and a reliability or risk arguments be used to justify design load
levels. If these levels are still not able to be accommodated by the structure and other
SCEs, then a further ALARP iteration may then have to be made.
9.6 Response to Explosions

For high and some medium risk installations, the structural assessment will be performed
against the strength level blast (SLB) and the ductility level blast (DLB). The structural
assessment will include the consideration of the capacities of the structure, including
barriers, decks, supporting structures and other safety critical elements at the appropriate
level of criticality. SCEs of criticality level 1 and 2 will be assessed against the SLB, and
SCEs of criticality 1 will also be assessed against the DLB. For low risk installations, the
checks need only be made against the DLB.

One method of the demonstration of ALARP using a strength level analysis is to apply a
static pressure load to the structure and observe, through code checks, when member
failures occur. If the pressure is then ramped up in stages, there will come a point where
the incidence of failures rapidly starts to increase and begins to take in the majority of the
members. At this point it may be argued that it would be unreasonable to strengthen or
change the member properties as it would impact on members designed by the other load
cases. Design to this equivalent static pressure could then be said to be ALARP.
It is, however, unlikely that the differing levels of response to dynamic loads at the same
peak level as determined by the natural periods of the target structural elements will be
adequately represented without undue conservatism. The variability of pressure in the
explosion load cases is also not represented in this method.
The validity of this method will depend on the severity of other load cases which have
been used in the original design of the structure.
9.7 Evaluation
For each hazard or scenario which has been identified, an evaluation should be made of
the possible consequences and risk to personnel, the environment and the asset.
If the installation or any of the SCEs do not meet the performance standards or the level
of risk is unacceptable, the ALARP process must be continued.
Failure to achieve the performance standards, or to demonstrate ALARP for any identified
hazard, will require modification to the installation or its operating procedures and a return
to the prevention, control and mitigation activities.
The overall individual risk and the TR impairment frequency (41) from all hazards must be
less than 10-3 per year. If risks are in this intolerable region then risk reduction measures
must be implemented, irrespective of cost.

Appendix 1 Glossary Of Abbreviations, Terms And

Definitions
Term Definition
API American Petroleum Institute.
API RP American Petroleum Institute, Recommended Practice
Availability The proportion of the total time that a component, equipment, or

system is performing in the desired manner
BCECA British Chemical Engineering Contractors Association
Blast Wave A pressure pulse formed by an explosion
BLEVE* The sudden rupture due to lire impingement of a vessel/system

containing liquefied flammable gas under pressure. The pressure
burst and the flashing of the liquid to vapour creates a blast wave,
potential missile damage, and immediate ignition of the expanding
fuel-air mixture leads to intense combustion creating a fireball.
* boiling liquid expanding vapour explosion
BROA British Rig Owners Association
Confined Explosion An explosion of a fuel-oxidant mixture inside a closed system (e.g.

vessel or module).
Control Means of intervention permitted by the design (e.g. pressure relief

valves, emergency power supplies) safety hardware (e.g. dump tanks,
coolant sprays), or the presence of manually or automatically initiated
ESD procedures which are intended to contain a developing situation
so that escalation and a major accident may be avoided.
Design Accidental Events The Hazardous Events that define the most severe fire and explosion
loadings whiich the control and mitigation systems are designed to
withstand or counteract.
ESD Emergency Shut Down.
E&P Forum The Oil Industry International Exploration & Production Forum
now renamed the International Association of Oil and Gas Producers
(OGP)
ER Emergency Response
EER Escape, Evacuation and Rescue.
Explosion A release of energy which causes a pressure discontinuity or blast

wave
Issue 2, October 2003 i

Fire A process of combustion characterised by heat or smoke or flame or

any combination of these
Flash Fire The combustion of a flammable vapour and air mixture in which flame
passes through that mixture and negligible damaging overpressure is
generated.
Frequency The number of occurrences per unit time.
Functionality The ability of a system to perform its specified role. This may be
characterised and demonstrated by identifying critical functional
parameters.
HSE Health and Safety Executive.
Hazard The potential to cause harm, including ill health or injury; damage to
property, plant, products or the environment; production losses or
increased liabilities (e.g. pressurised hydrocarbons, high voltage
equipment).
Hazardous Event An incident which occurs when a Hazard is realised whether or not it
causes harm (e.g. a release of gas, fire explosion, short circuit of high
voltage equipment).
Hazard Analysis The identification of undesired events that lead to the realisation of a
hazard, the analysis of the mechanisms by which these undesired
events could occur and usually the estimation of the extent,
magnitude and likelihood of any harmful effects (see also Risk
Analysis).
HAZOP Hazard and Operability Study; a systematic method utilising a multi-

discipline team to identify deviation from the design intent and assess
the consequences of these deviations.
HVAC Heating, Ventilation and Air Conditioning.
IADC International; Association of Drilling Contractors (North Sea Chapter)
IEC International Electrotechnical Commission.
IP Institute of Petroleum
ISO International Standards Organisation.
Individual Risk The frequency at which an individual may be expected to sustain a

given level of harm from the realisation of specified hazards.
Jet Fire (Flame) The combustion of material emerging with significant momentum from
an orifice.
Lifecycle The systematic portrayal of the sequencing and interaction of the

steps in the design and operational life of an installation.
ii Issue 2, October 2003

LPG Liquefied Petroleum Gas
Major Accident With respect to fires and explosions, this is defined in the UK Safety
Case Regulations (SI 1992 No. 2885) to be:
a) A fire, explosion or the release of a dangerous substance
involving death or serious personal injury to persons on the
installation or engaged in an activity on, or in connection with it.
b) Any event involving major damage to the structure of the
installation or plant affixed thereto and any loss in stability of the
installation.
c) The collision of a helicopter with the installation.
Mitigation Means taken to minimise the consequences of a major accident to

personnel and the installation after the accident has occurred.
OIM Offshore Installation Manager.
Overpressure In a pressure pulse (blast wave), the pressure developed above

atmospheric pressure at any stage or location is called the
overpressure. Overpressure is also sometimes used to describe
exposure of equipment to internal pressure in excess of its design
pressure, but the term overpressurisation is preferred.
Performance Standard A performance standard is a statement, which can be expressed in

qualitative or quantitative terms, of the performance required of a
system, item of equipment, person or procedure, and which is used as
the basis for managing the hazard - e.g. planning, measuring, control
or audit - through the lifecycle of the installation
PFD Process Flow Diagrams
P&ID Piping and Instrumentation Diagram
POC Products of Combustion
Pool Fire The combustion of material evaporating from a layer of liquid at the
base of the fire.
Prevention Means intended to prevent the initiation of a sequence of events

which could lead to a hazardous outcome of significance (i.e. major
accident). Such means include management systems applied to the
design, engineering and construction standards, the operation of the
installation, and its inspection and maintenance.
Probability A number in a scale from 0 to 1 which expresses the likelihood that

one event will succeed another.
Redundancy The performance of the same function by a number of identical but

independent means.
Issue 2, October 2003 iii

Reliability The probability that an item is able to perform a required function

under stated conditions for a stated period of time or for a stated
demand.
Risk The product of the frequency of a specified undesired event and the
consequences of that event.
Risk Analysis The quantified calculation of probabilities and risks without taking any
judgements about their relevance.
Risk Assessment The quantitative evaluation of the likelihood of undesired events and
the likelihood of harm or damage being caused together with the
value judgements made concerning the significance of the results.
SC Safety Case.
SCI Steel Construction Institute.
SI Statutory Instrument
Spray Fire The combustion of hydrocarbon liquid emerging with significant

momentum from an orifice such that full combustion will occur without
liquid dropping out to form a pool.
TR Temporary Refuge
UKCS United Kingdom Continental Shelf
UKOOA U.K. Offshore Operators Association
iv Issue 2, October 2003

Appendix 2 Categorisation Of Hazard Management Systems

Using Safety Integrity Level Approach
A.2 Categorisation Of Hazard Management Systems Using Safety
Integrity Level
This section has been included to describe principles and concepts which are worthy of
bringing to the wider attention of the industry. However there is little experience in
applying these principles/concepts in the offshore industry and care must be taken in their
application.
A.2.1 Introduction
Systems provided as part of the hazard management process need to match both the
hazard and the resulting risk. This Appendix describes an approach to enable designers
and others to provide safety systems which are fit for purpose. It also helps to convey the
importance of the system to the platform Operators and those responsible for lockouts,
maintenance and inspection of the system. The approach is based on material from:
- Draft IEC 1508 Parts I - 6; Functional Safety: Safety Related Systems.
- Ministry of Defence, Hazard Analysis and Safety Classification of the Computer

and Programmable Electronic System Elements of Defence Equipment
A.2.2 Classifying Risks and Applying a Criticality to Associated Safety

Systems
To enable the effective management of fire and explosion hazardous events there is a
need for means of relating the risk from a fire or explosion to the expected performance of
the hazard management systems provided. Categorising the importance of systems in
terms of their contribution to risk reduction is one way of trying to achieve this. For
example, if on a particular installation the emergency shut down system (ESD) contributed
significantly more to risk reduction than say firefighting arrangements, then the rigour of
ESD design, construction, commissioning and maintenance should be greater than tat of
the fire-fighting system. It may also guide the need for duplicate or redundant systems or
the provision of additional safeguards or plant shutdowns whenever a system is not
available because of breakdown or maintenance. There is no standard way of
categorising the safety criticality of hazard management systems, but relevant guidance is
provided in ISO (Draft), Requirements and Guidelines for the Prevention, Control and
Mitigation of Fire and Explosion in Offshore Oil and Gas Installations.
Qualitative methods are available to classify or rank the risk of a particular incident or
identified major accident. Tables A.2.1 to A.2.4 provide an example of one possible
ranking. Such a method can be adapted to categorise the importance of systems. For
example, systems provided to protect against a probable-fatal accident (Class A in table
A.2.3 and A.2.4) could have a higher safety criticality rating than systems to protect
against an improbable-minor accident (Class D in Table A.2.3 and A.2.4).
Issue 2, October 2003 v

Table A.2.1 Likelihood Ranges for Incidents (during the operational life of
installation)
Likelihood Definition
Frequent Likely to occur repeatedly
Probable Likely to occur from time to time
Occasional Likely to occur once
Remote Unlikely to occur
Improbable Very unlikely to occur
Implausible Extremely unlikely to occur
Table A.2.2 Incident Severity Categories
Accident Definition
Category
Catastrophic Multiple deaths
Fatal A single death and/or multiple severe injuries
Severe A single severe injury and/or multiple minor injuries
Minor At most a single minor injury
vi Issue 2, October 2003

Table A.2.3 Incident Risk Classification Matrix
Accident Severity
Likelihood
Catastrophic Fatal Severe Minor
Frequent A A A B
Probable A B B C
Occasional A B C C
Remote B C C D
Improbable C C D D
Implausible D D D D
Table A.2.4 Example of Risk Class Definitions
Risk Class Interpretation
A Intolerable Risk
Undesirable Risk
(and tolerable only if risk reduction is impracticable or if
B
the costs are grossly disproportionate to the improvement
gained)
Tolerable Risk
C (if the cost of reduction would exceed the improvement
gained)
D Negligible Risk
Issue 2, October 2003 vii

Note that the use of the term ‘Negligible Risk” must be used with care when addressing
Catastrophic or Fatal Accidents. This would normally only be considered negligible if the
frequency of these events is of the order of 10-6/yr. or lower.
Once hazards have been ranked as described, then an appropriate safety integrity level
(criticality rating) can be applied to the systems specifically assigned to manage it. If there
is only one system standing between the hazardous event and the consequence, then the
criticality should be commensurate with the consequence and frequency. However, if
multiple system failures are required before the consequences are realised, the individual
system criticality may be lower. This gives greater flexibility in the design and operation of
the plant.
A system of criticality with, say 3, 4 or 5 levels allows a standardised approach to systems

of the same rating. This may cover the need for duplication, the need to shutdown a plant
when the system is not available or otherwise, or the level and quality of inspection and
maintenance. Most importantly it gives, to all those responsible for safe operation, a
perception of the importance of the system. This technique is described in IEC 1508
where bands of reliability/availability are used to give safety integrity levels. The levels of
availability described may not be appropriate for offshore systems, but the concept could
be adapted to suit this industry and the hazardous events and systems in it.
viii Issue 2, October 2003

Appendix 3 References
Legislation
The Offshore Installation (Safety Case) Regulations (SCR).
The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response)
Regulations (PFEER).
Management of Health and Safety at Work Regulations (MHSWR).
Provision and Use of Work Equipment Regulations (PUWER).
HSE Publications
The Tolerability of Risks from Nuclear Power Stations - ISBN 0 11 886368-9.
HS(G)65, Successful Health and Safety Management - ISBN 0 11-885988-9.
A Guide to the Offshore Installations (Safety Case) Regulations 1992 - ISBN 0 11-882055-9.
Inherently Safer Design – AEA/CS/HSE 1916- ISBN 0-85356415-9.
UKOOA Publications
Management of Emergency Response for Offshore Installations - 1995
Safety Management Systems for the Oil & Gas Production Industry - 1991
Safety Management System Interfacing - 1993
Instrument-Based Safety Systems [Draft] - Expected date for publication late 1995
Halon Firefighting Equipment and Systems - 1992
Halon Utilisation, Removal and Disposal - 1993
Management of Offshore Helideck Operations - 1993
Issue 2, October 2003 ix

Other Publications
API Recommended Practice 14C
API Recommended Practice 520
CAA Guidelines CAP 437 Offshore Helicopter Landing Areas: A Guide to Criteria, Recommended
Minimum Standards and Best Practice.
OGP (formerly E&P Forum) Guidance on I-Ialon Free Fire Protection
OGP (formerly E&P Forum) Guidelines on Hea]th, Safety and Environmental Management
Systems, Report No. 6.3 6/210.
International Electrotechnical Commission Guidance on Functional Safety; Safety Related

Systems; (IEC 1508 Parts 1-6)
IEC 65A (Ref. A1)
I.P. Model Code of Safe Practice Part 15 : Area Classification Code for Petroleum Installations
ISBN 0471 921603
ISO 9000 Quality Management and Quality Assurance Standards - Guidelines for Selection and
Use
ISO (Draft). Requirements and Guidelines for the Prevention, Control and Mitigation of Fire and
Explosion in Offshore Oil and Gas Installations; Reference CD 13702
Ministry of Defence, Hazard Analysis and Safety Classification of the Computer and Programmable
Electronic System Elements of Defence Equipment.
SCI Interim Guidance Notes
x Issue 2, October 2003

Appendix 4 Informative Sections

A4.1 Additional Detail on Explosions
The explosion hazard

For an explosion to occur a gas cloud with a concentration between the upper flammability
limit (UFL) and lower flammability limit (LFL) must be ignited. The overpressure caused by
the explosion will depend, amongst other things, on:
1. The gas or gas mixture present

2. The cloud volume and concentration
3. Ignition source type and location
4. The confinement or venting surrounding the gas cloud
5. The congestion or obstacles within the cloud (size, shape, number, location)
6. Cloud density inhomogeneity
7. Ignition timing
Confinement is defined as a measure the proportion of the boundary of the explosion

region which prevents the fuel/air mixture from venting which is the escape of gas through
openings (vents) in the confining enclosure.
Congestion is a measure of the restriction of flow within the explosion region caused by
the obstacles within the region.
Gas explosions in more open environments can also lead to significant overpressures
depending on the rate of combustion and the mode of flame propagation in the cloud. All
of the above points from 1 to 5 can affect the explosion overpressures in this type of
environment.
Two types of explosion can be identified depending on the flame propagation rate:
• A deflagration is propagated by the conduction and diffusion of heat. It develops by

feedback with the expansion flow. The disturbance is subsonic relative to the un-
burnt gas immediately ahead of the wave. Typical flame speeds range from 1-
1000m/s and overpressures may reach values of several bars. The overpressures
are not limited to the 8 bar maximum typical of completely confined explosions.
• A detonation is propagated by a shock that compresses the flammable mixture to

a state where it is beyond its auto-ignition temperature. The combustion wave
travels at supersonic velocity relative to the un-burnt gas immediately ahead of the
flame. The shock wave and combustion wave are coupled and in a gas-air cloud
the detonation wave will typically propagate at 1500-2000m/s and result in
overpressures of 15-20bar.
Most vapour cloud explosions offshore would fall into the category of deflagrations.
The duration of the positive phase in an explosion can vary greatly with shorter durations
often associated with higher overpressure explosions. Typical durations range from 50 to
200milliseconds with longer durations common in large open areas such as the decks of
FPSOs.
Issue 2, October 2003 xi

For smaller objects, such as piping, the overpressures applied to the front and reverse
side of such items will be of approximately the same magnitude at any moment in time
and in this case the overpressure difference will not be the only load component on the
object. For this type of object the dynamic pressure associated with the gas flow in the
explosion will dominate.
Small objects may be picked up during the explosion, creating secondary projectiles. The
peak energy for typical projectiles may be calculated from the dynamic pressure load time
history and their mass.
Secondary, external explosions may result as the unburnt fuel/air mixture comes into
contact with the external (oxygen rich) atmosphere. These can affect the venting of the
compartment and enhance the overpressure within.
A blast wave will be generated which will propagate away from the explosion region and
may impinge on adjacent structures.
Load cases for explosion response

Two levels of explosion loading are recommended for medium and high risk installations
by analogy with earthquake assessment: The ductility level blast (DLB) and the strength
level blast (SLB). Low risk installations may be assessed using only the DLB, as the
overpressures are likely to be low and the SLB is not likely to be critical in the design. The
risk levels and frequencies may not be the same as for earthquake analysis. This reflects
the fact that an explosion is perceived as a preventable event.
The ductility level blast is the design level overpressure used to represent the extreme
design event. This is a high consequence event important for the establishment of
survivability.
The strength level blast represents a more frequent design event where it is required that
the structure does not deform plastically and that the SCEs remain operational. This load
case is suggested for the following reasons:-
• An SLB event may give rise to an unexpected DLB by escalation if it is not considered
in the assessment.
• The prediction of equipment and piping response in the elastic regime is much better
understood than the conditions which give rise to rupture. The SLB enables these
checks to be made at a lower load level often resulting in good performance at the
higher level (strength in depth).
• The SLB offers a degree of asset protection.
• The SLB is a low consequence event important for the establishment of operability.
Determination of explosion design loads

Design explosion loads in the past have been derived from the a worst credible event
assuming a gas cloud of maximal extent with stoichiometric composition ignited at the
worst time in the worst position.
xii Issue 2, October 2003

Frequently the ultimate peak overpressure ‘Pult’ derived in this way is too large to be
resisted by the structure. Checks should be made to ascertain whether the cloud of
maximal extent is feasible with respect to the shutdown philosophy and the isolatable
inventories. ALARP arguments are appropriate and can be used to demonstrate that risk
levels have been reduced to satisfactory levels which itself relies on frequency and risk
arguments. Pult will often correspond to an event with a return period out of proportion to
the design life of the installation.
A single event frequency of exceedance between 10-4 and 10-5 per year is considered a
reasonable frequency for the ductility level design event or DLB, by analogy with the
treatment of environmental and ship impact loads which are often considered at the 10-5
level. In order to determine the DLB, an exceedance curve must be constructed which
represents the frequency of exceedance of a given space averaged peak overpressure.
This curve will enable the DLB overpressure case to be identified. If the event impinges
directly on the TR, escape routes or means of escape then the target level should be the
10-5 level. If the event impinges on one or more barriers before impinging on these SCEs
then it may be argued that the 10-4 level is more appropriate.
The space averaged peak overpressure for the compartment is used for determination of
the design explosion load cases as it is more generally representative of the severity of
the event. A local overpressure peak may be used to generate exceedance curves for the
determination of load cases for local design of a blast wall for instance. Impulse
exceedance curves may also be generated which take into account the duration of the
load and its peak value; these give a better measure of the expected response of the
target which will be dynamic in nature.
The SLB may then be identified from a space averaged peak overpressure exceedance
curve, as that overpressure corresponding to a frequency one order of magnitude more
frequent or with a magnitude of one third of the DLB overpressure whichever is the
greater. The reason for the reduction factor of one third is related to the expected reserves
of strength in the structure and the observation that the primary structure will often only
experience received loads of this reduced magnitude.
Loads on equipment items

The explosion loads on equipment items and pipework must be determined and are
referred to as dynamic pressure loads, which may be directly obtained from CFD
simulation results and consist of:
• Drag loads (similar to the Morison drag loads experienced in fluid flow)
proportional to the square of the gas velocity, its density and the area
presented to the flow by the obstacle.
• Inertia loads proportional to the gas acceleration and the volume of the
obstacle.
• Pressure difference loads.
• Loads generated by differential movement of the supports.
Drag loads dominate for obstacles with dimensions less than 0.3m or on cylindrical
obstacles less than 0.3m in diameter and, in particular, in regions of high gas velocity near
vents. Pressure difference loads become important for obstacles with dimensions greater
than 0.3m where they must be added to the drag loads. Care must be taken in interpreting
the results of CFD simulations as the cell size/obstacle size ratio may make it difficult to
obtain accurate pressure and flow information at points near the obstacle.
Issue 2, October 2003 xiii

Equipment items in the interior of a compartment away from the vents will experience
loads composed mostly of inertia loads due to gas accelerations. It is likely that these
loads will, however, be lower than the drag and pressure difference loads experienced by
items in the vent paths.
xiv Issue 2, October 2003

Exceedance curves for local dynamic pressures may be developed from simulations and
used in the same way as for overpressures in deriving design dynamic overpressures for
the DLB and SLB load cases. It is recommended that the DLB dynamic pressures are
applied to SCEs of criticality 1 and that both the DLB and SLB overpressures are applied
to SCEs of criticality 1 and 2 with the requirement for elastic response of the supports and
that the SCEs would remain functional.
Design explosion event peak overpressures and durations (or time histories) with known
frequencies of occurrence will be required for the response analyses.
A number of explosion loading experts have suggested that a suitable load level for the
representation of dynamic pressure loads is 1/3 of the smoothed peak overpressure local
to the equipment item. The duration of the load should be chosen to match the impulse of
the overpressure trace. This load must also be applied in the reverse direction. In open
areas, such as the decks of FPSOs, these loads should also be applied in the vertical
plane.
In general equipment items should be located to minimise obstruction of vents and be in-
line with the predominant flow direction. Piping runs should be located behind structural
elements if near vent areas. Supports and equipment items should be made as resistant
to explosion loads as is reasonably practicable.
The low risk methodology appropriate for some medium and all low risk installations,
follows that described earlier except that the simplifications described below may be
acceptable.
• The strength level blast (SLB) overpressure is recommended but need not be
considered.
• If a valid nominal overpressure is available for this installation type then use this
as the DLB.
• If a nominal overpressure can be accommodated then use this overpressure
with the corresponding duration and dynamic pressures for design and
assessment.
It must be borne in mind that nominal overpressures will only be representative values;
which do not represent the variability of the overpressure distribution. This variability may
be significant both for the structure and for equipment items, this must be established and
considered for both overpressure and dynamic pressure loads.
Dynamic pressure loads for the DLB should be generated for criticality level 1 safety
critical elements and vulnerable piping run locations.
A comparative assessment method may be used drawing on experience from a

demonstrably similar structure geometry and scenario. The nomination of a typical
installation to represent a fleet of demonstrably similar, low risk platforms is acceptable.
Issue 2, October 2003 xv

Response to explosions
Over the last ten years, many structures have been designed to resist uncertain explosion
loads by the calculation of the capacity of the structure and the SCEs and the
demonstration of robustness in the structure as reflected in an insensitivity of response to
variations in load. This approach is to an extent scenario independent and may give
added protection against unidentified scenarios and in particular combined fire and
explosion scenarios.
The ‘robustness’ approach is still valuable and may be considered in addition to the more
rigorous probabilistic methods now available which enable design explosion loads to be
determined which should be accommodated by the structure and SCEs.
Assessment based on prior exposure is applicable to explosion events, although it is

unlikely that this information will be available unless the platforms are nearly identical and
an explosion has been experienced on a similar platform which represents the DLB.
Load cases for explosion response

It is recommended that the structural assessment should performed against the strength
level blast (SLB) and the ductility level blast (DLB). The structural assessment should
include the consideration of the capacities of the structure, including barriers, decks,
supporting structures and other safety critical elements (SCEs) at the appropriate level of
criticality.
For installations and compartments of medium or high risk, equipment items which are
SCEs of criticality level 1 and 2 should be assessed against the SLB. SCEs of criticality 1
should also be assessed against the DLB.
If the general level of overpressure for the DLB is below the threshold overpressure Pth
then the primary structure may be deemed to be designed by other load cases with no
further analysis of this element being required. The threshold overpressure will be defined
and determined in Part 3 of the Guidance.
The structural checks for the SLB consist of strength checks for the primary and
secondary structure with the requirement of elastic response.
Simplified structural assessment methods

The structural checks for the DLB will consist of displacement and integrity checks for the
primary and secondary structure taking into account the reserves of strength offered by
ductile response and allowable local damage. For medium and low risk installations, these
checks may be accomplished by the implementation of modified code checks. This should
be followed by a non-linear ‘ductility level’ dynamic response analysis if the checks show
failure to satisfy the relevant performance standards or ALARP cannot be demonstrated.
In all cases, it is imperative that connections and joints are suitably detailed to provide the
ductility required to develop their reserves of strength. For barriers such as fire and blast
walls, it will be necessary to check the ability of these elements to resist the DLB directly.
These elements are often non-load bearing and it is often possible to check them in
isolation.
xvi Issue 2, October 2003

One method of the demonstration of ALARP using a strength level analysis is to apply a
static pressure load to the structure and observe, through code checks, when member
failures occur. If the pressure is ramped up in stages, there will come a point where the
incidence of failures rapidly starts to increase and begins to take in the majority of the
members. At this point, it may be argued that it would be unreasonable to strengthen or
change the member properties, as it would affect members designed by the other load
cases. Design to this equivalent static pressure could then be said to be ALARP.
It is, however, unlikely that the differing levels of response to dynamic loads at the same
peak level as determined by the natural periods of the target structural elements will be
represented adequately without undue conservatism. The variability of pressure in the
explosion load cases is also not represented in this method. The validity of this method
will depend on the severity of other load cases, which have been used in the original
design of the structure.
The transfer of conclusions and load characteristics from the analysis of a geometrically
similar installation with similar structural and process characteristics is acceptable. The
nomination of a typical installation to represent a fleet of low explosion risk platforms is
acceptable. The use of a typical installation will be limited to the identification of general
levels of severity of credible explosion events and is unlikely to be suitable for the local
design of blast barriers for example.
For low risk installations and compartments, the structural assessment may be performed
against the ductility level blast (DLB) only.The performance of the structure and SCEs for
these scenarios must then be tested against the appropriate high level and equipment
specific (or low level) performance standards.
Issue 2, October 2003 xvii

A4.2 Additional Detail on Fires

To be completed during 2004.
xviii Issue 2, October 2003

PUBLISHED BY UK OFFSHORE OPERATORS ASSOCIATION
London Office:
2nd Floor, 232-242 Vauxhall Bridge Road, London, SW1V 1AU.
Tel: 020 7802 2400 Fax: 020 7802 2401
Aberdeen Office:
9, Albyn Terrace, Aberdeen, AB10 1YP
Tel: 01224 626652 Fax: 01224 626503
Email: info@ukooa.co.uk
Website: www.oilandgas.org.uk

Part 0 Guidance 03

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Part 0 Guidance 03

Hochgeladen von

Copyright:

Verfügbare Formate

Fire and explosion guidance

Part 0: Fire and explosion

Crown copyright material is reproduced with the permission of the Controller of

Copyright © 2002 UK Offshore Operators Association Limited

Part 0 Hazard management (formerly FEHM)

Part 1 Avoidance and mitigation of explosions

Part 2 Avoidance and mitigation of fires

Part 3 Detailed design and assessment guidance

Part 0:- Fire and explosion hazard management

Part 3:- Design practices for fire and explosion engineering

Basis Documents for Parts 1, 2 & 3

ii Issue 2, October 2003

2 Aims and Principles.................................................................................................................... 4

2.1 Aims of Fire and Explosion Hazard Management (FEHM) ............................................... 4

3 The Lifecycle Approach to Fire and Explosion Hazard Management....................................... 14

4 The Assessment of Fire and Explosion Hazardous Events ..................................................... 26

5 Inherent Safety and Prevention................................................................................................ 41

5.1 Inherently Safer Design and Process/Layout Optimisation Options................................ 41

7.1 Detection Options............................................................................................................ 61

8 Implementation And Verification............................................................................................... 76

8.1 Communication ............................................................................................................... 76

Issue 2, October 2003 iii

8.3 Commissioning and Routine Testing............................................................................... 80

9 Special features for the Assessment of Existing Installations .................................................. 81

9.1 Installation Risk Screening .............................................................................................. 83

iv Issue 2, October 2003

Part 0 of the Fire and Explosion Guidance Update is complemented by other

Issue 2, October 2003 1

• Part 3 Guidance on design practices for fire and explosion engineering

2 Issue 2, October 2003

Figure 1.1 - The UKOOA Risk Based Decision Making Framework

A substantial number of installations will lie in Areas A or B of the chart resulting in an

A glossary of terms used and definitions is given in Appendix 1.

Issue 2, October 2003 3

2 Aims and Principles

− an appropriate combination of prevention, detection, control and mitigation

− the design, operation and maintenance of the systems be undertaken by

The following summarise the main principles:

− everyone involved in the design, commissioning, operation, maintenance and

− the principles of inherent safety should be applied early in the design so as to

4 Issue 2, October 2003

− safety systems should be selected based on the hierarchy of prevention,

− the hazard management process should be documented and communicated to

2.3 Overview of the Management Process

− identification of the hazardous events (coarse assessment);

− analysis and assessment of the hazardous events (type, areas affected,

− identification and specification of the particular prevention, detection, control and

− confirmation of the suitability and effectiveness of each of the measures selected;

− specification of the measures adopted;

− communication and implementation;

Issue 2, October 2003 5

The hazard management process should be employed in a timely manner and in

The FEHM process can be applied to new or existing installations:

− for an existing installation the process should be applied to current arrangements

6 Issue 2, October 2003

2.4 Reasonable Practicability

In endeavouring to reduce risks to ALARP, resources should be concentrated on the

Issue 2, October 2003 7

Unacceptable region Risk cannot be justified

The ALARP or tolerability Tolerable only if further

Broadly acceptable Negligible risk

Figure 2.1 - The ALARP Triangle

• Policy and Guidance on reducing risks to ALARP in Design

8 Issue 2, October 2003