Offshore Technical Safety FAQ


Technical Safety FAQ / Sreejith / November 2008


The FAQs and their answers provided below are intended to provide guidance / clarifications to offshore safety engineers carrying out technical safety assessments.

1. In HAZID (Hazard Identification), how should the risk levels be determined? Should the safety devices / procedures in place be considered in the probability while ranking risks?

The risk level for each identified hazard is determined using the operator's or field owner’s risk matrix, considering the proposed safeguards. The probability is reduced once the safeguards are considered, thereby lowering the risk levels. If the safeguards have not been decided, they are recorded under the recommendations.

2. Since HAZID is the logical starting point for safety assessment, the Major Accident Events (MAEs) have to be identified in this facilitated exercise. One common practice is to cull out the medium and high risks and categorize them as MAEs. Is this logical?

The definition of MAEs does not mention probability, and hence it may not be logical to consider risks. MAEs should ideally be identified based on consequences alone.

3. Can you summarize HAZID objectives and methodology?

HAZID is the logical starting point for FSA (Formal Safety Assessment) studies, where the MAEs are identified through this facilitated exercise. The causes and consequences for all hazards are identified for various systems using guidewords. Then the consequences are ranked based on the agreed risk matrix.

4. In ESSA (Emergency System Survivability Assessment), normally only the major sub-systems are assessed. Is this the right approach?

All sub-systems for all emergency systems should be assessed in order to make the ESSA process complete.


5. Are all emergency systems designed to survive all MAEs?

No. The survivability of emergency systems depends on their performance objective. Some emergency systems will be designed to survive MAEs, but not all. For details, refer to the Technical Safety Note ‘Insights on ESSA’.

6. In FPSOs (Floating Production, Storage and Offloading), typically the entire accommodation forward bulkhead is protected with an A60 fire wall. A60 fire walls are designed to withstand cellulosic fires for 1 hour, whereas on FPSOs hydrocarbon fires are possible. Is there a logical explanation for this?

A class fire walls are designed to withstand cellulosic fires for a defined period of time. Ideally, H class fire walls are recommended if hydrocarbon fires are expected.

7. Can you explain the design specifications for A0, B30, H15 and J30 fire walls and a 7 bar blast wall?

A0: Steel wall; will withstand 1 minute of jet fire and 8 minutes of pool fire (not designed for limiting temperature rise).

A60: Withstands 60 minutes of cellulosic fire.

(The partitions shall be made of steel or equivalent material. They shall be sufficiently braced and shall prevent flames and smoke from advancing for the duration designed for. A type firewall: partitions shall be insulated with non-combustible materials so that the average temperature on the side of the wall not being exposed does not exceed 139 °C above the initial temperature, and the temperature shall not at any place exceed 180 °C above the initial temperature within the designed time limits.)

B30:

(B type firewall: The partitions shall be made of non-combustible materials and shall prevent flames from advancing for the duration designed for. The partitions shall be built in such a way that the average temperature on the side of the wall not being exposed does not exceed 139 °C above the initial temperature, and the temperature shall not at any place exceed 225 °C above the initial temperature within the designed time limits.)

H15: Withstands 15 minutes of hydrocarbon fire.

(H type firewall: The partitions shall be insulated in such a way that the average temperature on the side of the wall not being exposed does not exceed 139 °C above the initial temperature within the designed time limits.)

J30: Withstands 30 minutes of hydrocarbon fire.

Blast wall 7 bar: Withstands 7 bar explosion overpressure.


8. While carrying out FEA (Fire & Explosion Analysis), why should the sensitive receivers be defined?

Generally, the emergency systems and critical areas / rooms are identified as sensitive receivers to check whether any of the fires or explosions will cause impairment. Typical sensitive receivers on an FPSO are the accommodation forward wall, escape routes, lifeboat access areas, control room, etc.

9. Is it logical to provide water deluge for a gas compression module?

No. Normally, water deluge is provided for liquid hydrocarbon vessels to provide cooling to avert escalation from jet fires. The scrubbers in the gas compression modules could be provided with water deluge, since they will contain some liquid hydrocarbon.

10. The subsea reservoir design data will normally involve several Heat & Material Balance (HMB) diagrams for various cases (pressure, oil, water). Which case should be considered in FEA?

Generally, the HMB with the maximum pressure and oil case is considered for assessment, since this will be the worst case.

11. If the liquid hydrocarbon process equipment is provided with local coaming with a 6” open drain system, will there still be a pool fire possibility?

Technically, a hydrocarbon leak from a 4” hole will drain from the local coaming through the open drain system, provided the leak is not from pressurized equipment and the leak size is limited to the open drain size. But in FEA, these factors are not given credit, since the assessment is based on worst case conditions. Sometimes, these design measures are considered when the pool fire can impair some sensitive receivers and the impairment frequency is higher than the industry acceptable value.

12. The blast assessment in FEA typically considers critical factors such as stoichiometric mixture, congestion, blockage ratio, etc. How is a practical balance achieved in determining a realistic explosion overpressure?

These are the factors that finally decide the blast / explosion overpressure values. The explosion modeling software guidelines should be properly understood and interpreted while choosing the values. Since the blast results can have a large cost impact, it is essential that this assessment is done with practical judgment. CFD (Computational Fluid Dynamics) modeling will provide realistic blast values when compared with point source models.

13. What is DOPE in the context of NHHA?

DOPE, or Dropped Object Protection Equipment, is identified from the DOA (Dropped Object Assessment) results. Based on the impact energy of dropped objects and the structure / deck design, it may be required to protect some critical areas / equipment. DOPE covers topsides, marine and subsea installations.

14. How is DP (Dynamic Positioning) of marine vessels considered in ship collision assessments?

DP of marine vessels reduces the possibility of collision with offshore installations, and hence due credit should be given while calculating the collision frequency. One of the presentations by the Dynamic Positioning Committee (part of the Marine Technology Society) gives a collision frequency with DP classed vessels of 1.45 x 10^-5 (1998-2004).

15. Typically, FPSOs have a trim to aft and a transverse coaming in front of the accommodation block. What does this mean from a pool fire perspective?

If local coaming is not installed on the main deck for process modules, then in case of a leak the hydrocarbon will pool at the transverse coaming in front of the accommodation block. If there is a pool fire, the deck foam monitors will be used to fight it. Some engineers argue against this design on the grounds that it brings the heat radiation from the pool fire near the accommodation block.

16. Is frequency assessment part of a typical FEA?

Typically, frequency assessment is carried out in FRA (Fire Risk Assessment) or in QRA. In short, the FEA report will provide only consequence-based recommendations and not risk-based recommendations.

17. Generally, AFP (Active Fire Protection) design is based on consequence, whereas PFP design is based on risk / performance based recommendations. Why?

AFP is based on identified fire scenarios and is considered a minimum requirement, as part of standard design. PFP measures are identified and implemented based on the impairment potential of sensitive receivers through a risk-based decision making process. An elasticity / plasticity structural study needs to be carried out in order to understand the details of fire propagation with reference to flame spread and temperature gradients. Several FPSO operating companies and field owners insist on carrying out this extensive and expensive study to assess specific PFP requirements.

18. The Inert Gas (IG) blanketing system is an important barrier in preventing cargo tank explosions. How is this achieved?

Typically, the boiler offtake contains inert gases and is connected to the Cargo Oil Tanks (COT) to provide the inert blanketing, so that the hydrocarbon vapour does not mix with air to form an explosive mixture. A vent is connected from the cargo tanks to disperse the mixture of IG and crude vapours. When offloading occurs, the COTs will require more inert gas, and when the COTs are filled, the excess vapour-IG mixture will be vented out. The PV (Pressure Vacuum) valve connected to the COT ensures constant pressure in the tanks. A detailed assessment is required to design the IG system.

19. What are the applications of break-away couplings? Where are the FPSO applications?

A safety breakaway coupling consists of two halves, each with a poppet that has a flat type sealing surface similar to a dry disconnect coupling. The coupling remains constantly open under normal use. The two halves of the breakaway coupling only close when there is excessive force, such as in a truck or railcar drive-away situation or when an offtake tanker moves away from an FPSO while offloading is in progress. When the couplings separate, this allows the poppets to close. Loss of crude oil is minimized because the two poppets close rapidly, minimizing exposure to personnel and the environment.

20. In NHHA (Non Hydrocarbon Hazard Analysis), the FAR (Fatality Accident Rate) is considered to calculate occupational risk. But FAR includes contributions from all risks (fire / explosions / dropped objects, etc.), and this means that we double count certain risks, thereby increasing individual risks. Any solution?

Yes, this will result in a double-count situation, thereby increasing the individual risk levels. As per CMPT QRA Guidelines, around 30% of the FAR values correspond to occupational health issues.

21. What are MODU & MOPU?

MODU is the acronym for Mobile Offshore Drilling Unit and MOPU stands for Mobile Offshore Production Unit.

22. Are there any comprehensive assessment guidelines to assess the adequacy of fire and explosion mitigation measures in offshore installations?

Yes. ISO 13702 ‘Control & Mitigation of Fires and Explosions - Requirements and Guidelines’ can be used to carry out this assessment in a comprehensive manner.

23. Is FPSO deck protection design based on dropped object impact logical? Is there a performance / risk based solution for this?

DOA can be carried out using a specific risk assessment process to arrive at risk-based recommendations. Recommendations based on pure consequences may not necessarily result in risk benefits over the cost involved.

24. Is BLEVE (Boiling Liquid Expanding Vapor Explosion) possible with crude oil?

BLEVE is more probable with liquefied petroleum products such as LPG. When crude oil is heated, a hazardous condition known as Boil Over Explosion (BOE) can occur. Water deluge is provided on vessels / equipment containing crude on FPSOs to avert BOE conditions from fire escalations.

25. For control of LOC (Loss of Containment) situations, plated decks are preferred over grated floors, especially for elevated equipment decks. How do we take a risk-based justification on this issue?

Both plated and grated decks have their own advantages and disadvantages. For elevated equipment / vessels containing liquid hydrocarbon, it is recommended to have the secondary spill containment at the equipment floor so as to avert the catastrophe of COTs getting impaired from deck pool fires.

26. In almost every FEA study, the explosion values are a major concern and can result in expensive modifications involving blast walls, deck steel strengthening, etc. What are the issues here?

The common point source modeling software / tools (although some are validated through scientific research) typically provide pessimistic explosion values due to their limitations. If the explosion values are found to be higher than the typical values, CFD analysis may be carried out to take a final decision.

27. In FPSO design and assessments, there is always a conflict between class rules and engineering standards. How is this major issue resolved?

Class rules (ABS, Lloyds, DNV, etc.) typically apply to vessel floating and stability aspects and marine systems (below deck), while the regulations (IMO-SOLAS, etc.) and engineering standards (API, NFPA, etc.) apply to topsides (above deck). Typically, class rules are prescriptive and the engineering standards are performance or risk based. The most common point of design conflict between class rules and standards is at the border. On FPSOs, this will most often be the deck. Impairment of the main deck from topside hazards is always looked at and deliberated with interest by the classification societies.

28. Logically, for brown field offshore assets, the risk levels should be assessed based on the actual performance of safety systems or barriers or safety critical elements. How is this done?

Yes. Since the risk levels depend on the safety barrier performance for an operating asset, in order to calculate realistic risk levels, it is logical to assess the performance of safety systems. One of the common ways to do this is by using the traffic light system used by UK HSE & NOPSA.

29. What do the terms ICP & IVB stand for in the context of a Verification Plan?

An IVB (Independent Verification Body) is appointed by the DH (Duty Holder) to verify the performance of safety systems or SCEs. Asset integrity verification is an important process that verifies the performance of safety barriers based on their defined performance standards. The IVB carries out the verification using a WSE (Written Scheme of Examination) through an ICP (Independent Competent Person).

Generally, the consultants (Bureau Veritas, ABS, DNV, Lloyds, etc.) collaborate with the asset owners to develop the verification scheme, which establishes a system of independent and competent scrutiny of safety-critical elements throughout the life cycle of an installation. This written scheme then drives the verification activities. The actual verification is executed through a sampling process, including examination of facilities, review of maintenance and inspection records, and witnessing of tests on safety critical systems.

The purpose of this independent verification activity is to satisfy the UK legal requirements to have an Independent Competent Person verify the suitability of the installation's Safety Critical Elements (SCEs), thus providing confidence to the operator and the regulator in the suitability of risk management measures.

30. What is the traffic light system in the context of SCE assessment?

The asset integrity of the ageing offshore assets on the UK Continental Shelf (mainly in the North Sea) was verified through a sampling process (40%) by the Offshore Division of UK HSE using the traffic light system. Green means the performance of the safety critical element is healthy, amber means the performance has deteriorated, and red means the SCE has failed or is not performing. For details, refer to the KP3 inspection report from UK HSE.

31. Bow Ties are developed for all MAEs and they should be used to demonstrate ALARP. But Bow Ties are qualitative, whereas ALARP (As Low As Reasonably Practical) is about specific numbers. How is this conflict resolved?

As per Shell guidelines, if the performance of all safety systems / barriers is Green as per the traffic light assessment, then the risk levels are in the tolerable region of ALARP. Since Shell introduced the Bow Tie technique, oil & gas operators generally follow this criterion, which is logical.

32. What are KP (Key Performance) inspections from UK HSE?

The offshore oil and gas industry on the UK Continental Shelf (UKCS) is a mature production area. Much of the offshore infrastructure is at, or has exceeded, its intended design life. Between 2000 and 2004, HSE’s Offshore Division (OSD) ran a major programme, KP1, aimed at reducing hydrocarbon releases and focusing on the integrity of process plant. This resulted in a considerable reduction in the number of major and significant hydrocarbon releases. During this time, however, OSD became increasingly concerned about an apparent general decline in the condition of fabric and plant on installations and responded with Key Programme 3 (KP3), directed more widely at asset integrity, which was conducted between 2004 and 2007.

33. What is UKOOA?

UKOOA stands for United Kingdom Offshore Operators Association. Several safety and asset integrity publications are freely available from their web site, www.ukooa.co.uk.

34. Can MAE Bow Ties be used to identify emergency systems? How?

Yes. The mitigation and recovery barriers that are located on the right side of the Bow Tie are logically the emergency systems.

35. Can Bow Ties be used in all FSA (Formal Safety Assessment) studies to demonstrate ‘Safe Operation of Offshore Assets’ as a common thread (HAZID to Operational Safety Case)? How can this be done?

Yes, this can be done. If Bow Ties developed at the HAZID stage are used in all FSA studies, then the demonstration in the safety case would be very visible, with a common thread running through the assessments. For details, please contact the author.

36. Can the Bow Ties be developed in a quantitative manner? How can this be done?

A fault tree could be developed on the left side and an event tree on the right side, and this could be done in a quantitative manner. The probabilities of consequences from various threats can be demonstrated using bow ties. Generally, the frequency analysis is carried out using published failure data, with various safety gates in the event trees.
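The quantitative bow tie described in FAQ 36, worked through as an added Python example that is not part of the original FAQ. The threat names, barrier names, frequencies and failure probabilities are all constructed assumptions; a real study would take them from published failure data.

```python
"""Quantitative bow tie: fault tree on the left, event tree on the right.

All names and numbers below are constructed for illustration only.
"""
from itertools import product
from math import prod

# Left side (fault tree). Each threat branch is an AND gate: the initiating
# frequency (per year) times the probability of failure on demand (PFD) of
# every preventive barrier on that branch. Branches join the top event
# (loss of containment) through an OR gate.
THREATS = {
    "corrosion leak": {"freq": 1.0e-2, "barrier_pfd": [0.1, 0.05]},
    "dropped object": {"freq": 5.0e-3, "barrier_pfd": [0.2]},
    "overpressure":   {"freq": 2.0e-2, "barrier_pfd": [0.01, 0.1]},
}

# Right side (event tree). Ordered safety gates, each with a PFD.
GATES = [
    ("gas detection", 0.05),
    ("ESD isolation", 0.02),
    ("water deluge",  0.10),
]


def branch_frequency(threat):
    """AND gate: the threat occurs and all of its preventive barriers fail."""
    return threat["freq"] * prod(threat["barrier_pfd"])


def top_event_frequency(threats):
    """OR gate using the rare-event approximation (sum of branches)."""
    return sum(branch_frequency(t) for t in threats.values())


def dominant_threat(threats):
    """Threat contributing most to the top event frequency."""
    return max(threats, key=lambda name: branch_frequency(threats[name]))


def event_tree(top_freq, gates):
    """Enumerate every path through the safety gates.

    Returns {states: frequency}, where states is a tuple of booleans in gate
    order (True = the gate worked on demand, False = it failed).
    """
    outcomes = {}
    for states in product([True, False], repeat=len(gates)):
        path_probability = 1.0
        for worked, (_, pfd) in zip(states, gates):
            path_probability *= (1.0 - pfd) if worked else pfd
        outcomes[states] = top_freq * path_probability
    return outcomes


if __name__ == "__main__":
    f_top = top_event_frequency(THREATS)
    print(f"Top event frequency: {f_top:.3e} per year")
    print(f"Dominant threat: {dominant_threat(THREATS)}")
    for states, freq in sorted(event_tree(f_top, GATES).items(),
                               key=lambda item: -item[1]):
        label = ", ".join(
            f"{name} {'works' if ok else 'FAILS'}"
            for ok, (name, _) in zip(states, GATES)
        )
        print(f"{freq:.3e}  {label}")
```

The outcome frequencies always sum back to the top event frequency, which is a quick consistency check on any event tree built this way.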

37. Is there a relation between PFP and escape / evacuation time? How are these linked?

The escape time is calculated in the ETRERA study. Logically, the critical facilities in an offshore installation that aid safe escape & evacuation of personnel should survive major fires. Based on the ETRERA and FEA studies, escape routes and ESD valves should be provided with appropriate PFP measures for the escape duration.

38. BDVs (Blow Down Valves) and PSVs (Pressure Safety Valves): are both these devices intended to cause de-pressurization?

BDVs are designed to open on a confirmed external fire condition to depressurize gas systems to 6.9 barg or to 50% of the operating pressure (whichever is lesser) within 15 minutes as per API 521. PSVs are set to open at a set overpressure value to depressurize the process equipment due to process upset conditions. In a way, both are installed to protect equipment from over-pressurization, but the design objectives are different.

39. What are MOPO & SIMOPS?

MOPO, or Matrix Of Permitted Operations, is a matrix of SCE failure conditions against safety critical activities. MOPO is normally developed in a facilitated workshop to identify restrictions for critical operations during SCE failure conditions. An activity may be permitted / not permitted / permitted with restrictions during SCE failure conditions.

SIMOPS, or Simultaneous Operations, involves concurrent activities such as production and drilling, construction and production, etc. Generally, SIMOPS will generate additional hazards due to the concurrent or simultaneous activities. An example is hydrocarbon venting (production) and welding (construction), which together pose a SIMOPS hazard.

40. What is a Verification Scheme and what are its typical contents?

Refer to FAQ 29.

41. How are Safety Critical Elements (SCEs) identified?

SCEs could be identified by developing a matrix between MAEs and all systems on the installation. Then, by applying the definition of SCE (a safety system that controls / prevents / mitigates / recovers from MAEs), those safety systems can be identified.

42. How are MOPO & SCEs linked?

As explained in FAQ 39, MOPO is developed to identify restrictions during SCE failure conditions. So SCEs and MOPO are certainly linked.

43. What is included in the ‘Case to Operate’ document?

The ‘Case to Operate’ document is a logical extension of MOPO, in which the procedures for continuing operations during SCE failure conditions are defined.

44. What do you mean by Dual Safety Performance assurance? How is this achieved?

Ideally, safety performance should be measured using both leading (proactive) and lagging (reactive) performance indicators. As part of MHM (Major Hazard Management), safety performance indicators should be focused on process safety. Logically, both the leading & lagging performance indicators could be identified from bow ties and then monitored through the HSEMS (HSE Management System).

45. What is the most important safety learning from the BP Texas explosion incident?

BP management measured process safety performance as part of the MHM process by measuring LTIs (Lost Time Injuries), which is an occupational safety (OH) issue. Although the OH performance was good, the process safety at the BP Texas refinery was on the decline and finally resulted in a major explosion.

46. There are several safety assessments which are performed as part of the Operational Safety Case. Is there a suggested logical sequence?

   1. HAZID
   2. Layout Review
   3. HAZOP
   4. FEA
   5. ESSA
   6. ETRERA
   7. NHHA
   8. QRA
   9. Verification Scheme
   10. OSC

47. A safety case is a requirement in most hazardous industry sectors, such as offshore. Which other MAH (Major Accident Hazard) industries require a safety case?

The other MAH industries for which a safety case requirement exists include aviation, rail, and nuclear.


48. What are the typical triggers for a safety case update?

As per UK SCR (Safety Case Regulation) 2005, the safety case has to be updated every 5 years. The typical safety case update triggers are:

• Major modifications;
• Technology change;
• Regulatory change; and
• Change in ownership.

49. Is a Design Safety Case still a UK HSE requirement?

No. As per ‘The Offshore Installation (Safety Case) Regulations 2005 (SCR05)’, the requirement for a design safety case has been replaced with the new requirement for an (earlier) design notification.

50. The UK Safety Case Regulation, 2005 is followed by several countries to safely operate their offshore installations. What is the logic behind this?

Since the UK HSE SCR 2005 is mature and rather comprehensive, many countries are adopting the UK Safety Case Regulation for operating their offshore assets safely.

Compiled by: Pillai Sreejith

Disclaimer:

The FAQ was generated based on the author’s experience in assessing technical safety of offshore installations and based on applicable standards and guidelines. It is possible that there are different views on these answers. The author welcomes frank discussions on the above FAQs.