Offshore Technical Safety FAQ

Offshore Technical Safety FAQ

Offshore Technical Safety FAQ

The FAQ and their answers provided below are intended to provide guidance / clarifications to The FAQ and their answers provided below are intended to provide guidance / clarifications to offshore safety engineers while carrying out technical safety assessments.

offshore safety engineers while carrying out technical safety assessments. 1.

1. In HAZID In HAZID (Hazard Identification), how should (Hazard Identification), how should the risk levels the risk levels determined? Should thedetermined? Should the safety devices / procedures in place be considered in the probability while ranking risks? safety devices / procedures in place be considered in the probability while ranking risks?

The r 

The r isk levels for each of the identified hazards are determined using operator or field isk levels for each of the identified hazards are determined using operator or field  owner’s risk matrix considering the proposed safeguards. The probability gets reduced  owner’s risk matrix considering the proposed safeguards. The probability gets reduced  once the safeguards are considered, thereby lowering the risk levels. If the safeguards  once the safeguards are considered, thereby lowering the risk levels. If the safeguards  are not decided, then they will be recorded under the recommendations.

are not decided, then they will be recorded under the recommendations.

2.

2. Since HAZID is Since HAZID is the logical starting the logical starting point for safety apoint for safety assessment, the Major ssessment, the Major AccidentAccident Events (MAE) will have to be identified in this facilitated exercise. One of the common Events (MAE) will have to be identified in this facilitated exercise. One of the common practice is to cull out the medium and high risks and categorize them as MAEs. Is this practice is to cull out the medium and high risks and categorize them as MAEs. Is this logical?

logical?

In the definition of MAEs, probability aspect is not mentioned and hence it may not be  In the definition of MAEs, probability aspect is not mentioned and hence it may not be  logical to consider risks. MAEs should ideally be identified based on consequences alone. logical to consider risks. MAEs should ideally be identified based on consequences alone.

3.

3. Can Can you you summarize summarize HAZID HAZID objectives objectives and and methodology?methodology?

HAZID is the logical starting point for FSA (Formal Safety Assessment) studies where the  HAZID is the logical starting point for FSA (Formal Safety Assessment) studies where the  MAEs are identified through this facilitated exercise. The causes and consequences for  MAEs are identified through this facilitated exercise. The causes and consequences for  all hazards are identified for various systems using guidewords. Then the consequences  all hazards are identified for various systems using guidewords. Then the consequences  are ranked based on the agreed risk matrix.

are ranked based on the agreed risk matrix.

4.

4. In ESSA In ESSA (Emergency System Survivability (Emergency System Survivability Assessment), normally Assessment), normally only the only the major sub-major sub-systems are assessed. Is this the right approach?

systems are assessed. Is this the right approach?

All sub-systems for all emergency systems should be assessed in order to make the  All sub-systems for all emergency systems should be assessed in order to make the  ESSA process complete.

5.

5. Are Are all emergency all emergency systems dsystems designed to esigned to survive all survive all MAEs?MAEs?

No. The survivability of emergency systems depends on their performance objective. No. The survivability of emergency systems depends on their performance objective. Some emergency systems will be designed to survive MAEs but not all. For details, the  Some emergency systems will be designed to survive MAEs but not all. For details, the  Technical Safety Note, ‘Insights on ESSA’ may be referred.

Technical Safety Note, ‘Insights on ESSA’ may be referred.

6.

6. In FPSOs In FPSOs (Floating Production, Storage (Floating Production, Storage and Offloading), typically and Offloading), typically all accommodationall accommodation forward bulkhead is protected with A60 fire wall. A60 fire walls are designed to withstand forward bulkhead is protected with A60 fire wall. A60 fire walls are designed to withstand cellulistic fires for 1 hour where as on FPSOs, hydrocarbon fires are possible. Is there a cellulistic fires for 1 hour where as on FPSOs, hydrocarbon fires are possible. Is there a logic

logical explanation for this?al explanation for this?

A class fire walls are designed to withstand cellulistic fires for a defined period of time. A class fire walls are designed to withstand cellulistic fires for a defined period of time. Ideally, H class fire walls are recommended if hydrocarbon fires are expected.

Ideally, H class fire walls are recommended if hydrocarbon fires are expected.

7.

7. Can you explain Can you explain the design specifications for Athe design specifications for A0, B30, H15, J 0, B30, H15, J 30 fire wall & 30 fire wall & 7 bar Blast7 bar Blast wall?

wall?

A 0: Steel wall, will withstand 1 minute of jet fire and 8 minutes of pool fire (not designed  A 0: Steel wall, will withstand 1 minute of jet fire and 8 minutes of pool fire (not designed  for limiting temperature rise)

for limiting temperature rise)

A60: withstands 60 minutes of cellulistic fire  A60: withstands 60 minutes of cellulistic fire 

(The partitions shall be made of steel or equivalent material. They shall be sufficiently braced and  (The partitions shall be made of steel or equivalent material. They shall be sufficiently braced and  shall prevent flames and smoke from advancing for the duration designed for. A type firewall:  shall prevent flames and smoke from advancing for the duration designed for. A type firewall:  partitions shall be insulated with non-combustible materials so that the average temperature on the  partitions shall be insulated with non-combustible materials so that the average temperature on the  side of the wall not being exposed does not exceed 139 degree C above the initial temperature and  side of the wall not being exposed does not exceed 139 degree C above the initial temperature and  the temperature shall not at any place exceed 180 degree C above the initial temperature within the  the temperature shall not at any place exceed 180 degree C above the initial temperature within the  designed time limits)

designed time limits) B 30: 

B 30: 

(B type firewall: The partitions shall be made of non combustible materials and shall prevent flames  (B type firewall: The partitions shall be made of non combustible materials and shall prevent flames  from advancing for the duration designed for. The partitions shall be in such a way that the average  from advancing for the duration designed for. The partitions shall be in such a way that the average  temperature on the side of the wall not being exposed does not exceed 139 degree C above the  temperature on the side of the wall not being exposed does not exceed 139 degree C above the  initial temperature and the temperature shall not at any place exceed 225 degree C above the initial  initial temperature and the temperature shall not at any place exceed 225 degree C above the initial  temperature within the designed time limits)

temperature within the designed time limits)

H 15: withstands 15 minutes of hydrocarbon fire  H 15: withstands 15 minutes of hydrocarbon fire 

(H type firewall: The partitions shall be insulated in such a way that the that the average  (H type firewall: The partitions shall be insulated in such a way that the that the average  temperature on the side of the wall not being exposed does not exceed 139 degree C above the  temperature on the side of the wall not being exposed does not exceed 139 degree C above the  initial temperature within the designed time limits)

initial temperature within the designed time limits) J 30: withstands 30 minutes of hydrocarbon fire  J 30: withstands 30 minutes of hydrocarbon fire 

Blast wall 7 bar: withstand 7 bar over explosion pressure  Blast wall 7 bar: withstand 7 bar over explosion pressure 

8.

8. While carrying While carrying out FEA out FEA (Fire & Explosion (Fire & Explosion Analysis), why Analysis), why should the should the sensitive receivers besensitive receivers be defined?

defined?

Generally the emergency systems and critical areas / rooms are identified as sensitive  Generally the emergency systems and critical areas / rooms are identified as sensitive  receivers to check if any of the fires or explosion will cause impairment. Typical sensitive  receivers to check if any of the fires or explosion will cause impairment. Typical sensitive  receivers on an FPSO are accommodation forward wall, escape routes, life boat access  receivers on an FPSO are accommodation forward wall, escape routes, life boat access  areas, control room, etc.

areas, control room, etc.

9.

9. Is it Is it logical to logical to provide water provide water deluge for deluge for gas gas compression module?compression module?

No. Normally water deluge is provided for liquid hydrocarbon vessels to provide cooling  No. Normally water deluge is provided for liquid hydrocarbon vessels to provide cooling  to avert escalation from jet fires. The scrubbers in the gas compression modules could be  to avert escalation from jet fires. The scrubbers in the gas compression modules could be  provided with water deluge since they will contain some liquid hydrocarbon.

provided with water deluge since they will contain some liquid hydrocarbon.

10. The sub sea reservoir design data will normally involve several Heat & Material Balance 10. The sub sea reservoir design data will normally involve several Heat & Material Balance (HMB) diagrams for various cases (pressure, oil, water). Which case should be (HMB) diagrams for various cases (pressure, oil, water). Which case should be considered in FEA?

considered in FEA?

Generally, the HMB with maximum pressure and oil case is considered for assessment  Generally, the HMB with maximum pressure and oil case is considered for assessment  since this will be the worst case.

since this will be the worst case.

11. If the liquid hydrocarbon process equipment is provided with local coaming with a 6” open 11. If the liquid hydrocarbon process equipment is provided with local coaming with a 6” open

drain system, will there be still a pool fire possibility? drain system, will there be still a pool fire possibility?

Technically, hydrocarbon leak from a 4” hole will get drained from the local coaming  Technically, hydrocarbon leak from a 4” hole will get drained from the local coaming  through the open drain system provided there is leak is not from pressurized equipment  through the open drain system provided there is leak is not from pressurized equipment  and the leak size is limited to the open drain size. But in FEA, these factors are not given  and the leak size is limited to the open drain size. But in FEA, these factors are not given  credit since the assessment is based on worst case conditions. Sometimes, these design  credit since the assessment is based on worst case conditions. Sometimes, these design  measures are considered when the pool fire can impair some sensitive receivers and the  measures are considered when the pool fire can impair some sensitive receivers and the  impairment frequency is higher than the industry acceptable value.

impairment frequency is higher than the industry acceptable value.

12. The blast assessment in FEA typically considers critical factors such as stoichiometric 12. The blast assessment in FEA typically considers critical factors such as stoichiometric mixture, congestion, blockage ratio, etc. How is a practical balance achieved in mixture, congestion, blockage ratio, etc. How is a practical balance achieved in determining realistic explosion over pressure?

determining realistic explosion over pressure?

These are the factors that finally decide the blast / explosion over pressure values. The  These are the factors that finally decide the blast / explosion over pressure values. The  explosion modeling software guidelines should be properly understood and interpreted  explosion modeling software guidelines should be properly understood and interpreted  while choosing the values. Since the blast results can cause lot of cost impact, it is very  while choosing the values. Since the blast results can cause lot of cost impact, it is very 

essential that this assessment is done with practical judgment. CFD (Computational Fluid  essential that this assessment is done with practical judgment. CFD (Computational Fluid  Dynamics) modeling will provide realistic blast values when compared with point source  Dynamics) modeling will provide realistic blast values when compared with point source  models.

models.

13. What is DOPE in the context of NHHA? 13. What is DOPE in the context of NHHA?

DOPE or Dropped Object Protection Equipment are identified from the DOA (Dropped  DOPE or Dropped Object Protection Equipment are identified from the DOA (Dropped  Object Assessment) results. Based on the impact energy of dropped objects and the  Object Assessment) results. Based on the impact energy of dropped objects and the  structure/deck design, it may be required to protect some critical areas / equipment. structure/deck design, it may be required to protect some critical areas / equipment. DOPE consists of both topsides, marine and sub-sea installations.

DOPE consists of both topsides, marine and sub-sea installations.

14. How DP (Dynamic Positioning) of marine vessels is is considered in ship collision 14. How DP (Dynamic Positioning) of marine vessels is is considered in ship collision

assessments? assessments?

DP of marine vessels reduces possibility of collision with offshore installations and hence  DP of marine vessels reduces possibility of collision with offshore installations and hence  due credit should be given while calculating the collision frequency. One of the  due credit should be given while calculating the collision frequency. One of the  presentations by Dynamic Positioning Committee (part of Marine Technology Society) presentations by Dynamic Positioning Committee (part of Marine Technology Society) gives the collision frequency with DP classed vessels of 1.45 x 10 

gives the collision frequency with DP classed vessels of 1.45 x 10 -5 -5 (1998 -2004).(1998 -2004).

15. Typically, FPSOs have a trim to aft

15. Typically, FPSOs have a trim to aft and transverse coaming in front of accommodationand transverse coaming in front of accommodation block. What does this mean from a pool fire perspective?

block. What does this mean from a pool fire perspective?

If local coaming is not installed on the main deck for process modules, in case of a leak, If local coaming is not installed on the main deck for process modules, in case of a leak, the hydrocarbon will get pooled up at the transverse coaming in front of the  the hydrocarbon will get pooled up at the transverse coaming in front of the  accommodation block. If there a pool fire, then the deck foam monitors will be used to  accommodation block. If there a pool fire, then the deck foam monitors will be used to  fight this fire. Some engineers argue against this design with the point that with this  fight this fire. Some engineers argue against this design with the point that with this  design, the heat radiation from this pool fire is brought near the accommodation block. design, the heat radiation from this pool fire is brought near the accommodation block.

16. Is frequency assessment part of a typical FEA? 16. Is frequency assessment part of a typical FEA?

Typically, frequency assessment is carried out in FRA (Fire Risk Assessment) or in QRA. Typically, frequency assessment is carried out in FRA (Fire Risk Assessment) or in QRA. In short, FEA report will provide only consequence based recommendations and not risk-  In short, FEA report will provide only consequence based recommendations and not risk-  based recommendations.

based recommendations.

17. Generally AFP (Active Fire Protection) design is based on consequence whereas PFP 17. Generally AFP (Active Fire Protection) design is based on consequence whereas PFP

design is based on risk / performance based recommendations. Why? design is based on risk / performance based recommendations. Why?

AFP is based on identified fire scenarios and are considered as a minimum requirement, AFP is based on identified fire scenarios and are considered as a minimum requirement, as part of standard design. PFP measures are identified and implemented based on  as part of standard design. PFP measures are identified and implemented based on  impairment potential of sensitive receivers through a risk-based decision making process. impairment potential of sensitive receivers through a risk-based decision making process. Elasticity / Plasticity Structural study needs to be carry out in order to understand details  Elasticity / Plasticity Structural study needs to be carry out in order to understand details  of fire propagation with reference to flame spread and temperature gradients. Several  of fire propagation with reference to flame spread and temperature gradients. Several  FPSO operating companies and field owners insist on carrying out this extensive and  FPSO operating companies and field owners insist on carrying out this extensive and  expensive study to assess specific PFP requirements.

expensive study to assess specific PFP requirements.

18. Inert Gas (IG) blanketing system plays an important barrier in preventing cargo tank 18. Inert Gas (IG) blanketing system plays an important barrier in preventing cargo tank

explosions. How is this achieved? explosions. How is this achieved?

Typically the boiler offtake contains inert gases and is connected to the Cargo Oil Tanks  Typically the boiler offtake contains inert gases and is connected to the Cargo Oil Tanks  (COT) to provide the inert blanketing so that the hydrocarbon vapour does not mix with  (COT) to provide the inert blanketing so that the hydrocarbon vapour does not mix with  air to form explosive mixture. A vent will be connected from the cargo tanks to disperse  air to form explosive mixture. A vent will be connected from the cargo tanks to disperse  off mixture of IG & crude vapours. When the offloading occurs, the COT will require more  off mixture of IG & crude vapours. When the offloading occurs, the COT will require more  inert gas and when the COTs are filled, the excess vapour-IG mixture will be vented out. inert gas and when the COTs are filled, the excess vapour-IG mixture will be vented out. The PV (Pressure Vaccum) valve connected to the COT ensures constant pressure in  The PV (Pressure Vaccum) valve connected to the COT ensures constant pressure in  the tanks. A detailed assessment is required to design the IG system.

the tanks. A detailed assessment is required to design the IG system.

19.

19. What are the applications of Break-Away coupling? Where are the FPSO applications?What are the applications of Break-Away coupling? Where are the FPSO applications?

The Safety breakaway couplings consists of two halves, each with a poppet that has a  The Safety breakaway couplings consists of two halves, each with a poppet that has a  flat type-sealing surface similar to a dry disconnect coupling. The coupling remains  flat type-sealing surface similar to a dry disconnect coupling. The coupling remains  constantly open under normal use. The two halves of the breakaway coupling only  constantly open under normal use. The two halves of the breakaway coupling only  close when there is excessive force, such as in a truck or railcar drive away situation  close when there is excessive force, such as in a truck or railcar drive away situation  or in a offtake tanker moving away from an FPSO, while the offloading is in progress. or in a offtake tanker moving away from an FPSO, while the offloading is in progress. When the couplings separate, this allows the poppets to close. Loss of crude oil is  When the couplings separate, this allows the poppets to close. Loss of crude oil is  minimized because the two poppets close rapidly, minimizing exposure to personnel  minimized because the two poppets close rapidly, minimizing exposure to personnel  and the environment.

and the environment.

20. In NHHA (Non Hydrocarbon Hazard Analysis), the FAR (Fatality Accident Rate) is 20. In NHHA (Non Hydrocarbon Hazard Analysis), the FAR (Fatality Accident Rate) is considered to calculate occupational risk. But FAR includes all contributions from all risks considered to calculate occupational risk. But FAR includes all contributions from all risks (fire / explosions / dropped objects, etc.) and this means that we double count certain (fire / explosions / dropped objects, etc.) and this means that we double count certain risks thereby increasing individual risks. Any solution?

Yes, this will result in a double-count situation thereby increasing the individual risk levels. Yes, this will result in a double-count situation thereby increasing the individual risk levels. As per CMPT QRA Guidelines, around 30% of the FAR values correspond to  As per CMPT QRA Guidelines, around 30% of the FAR values correspond to  occupational health issues.

occupational health issues.

21. What are MODU & MOPU? 21. What are MODU & MOPU?

MODU is the acronym for Mobile Offshore Drilling Unit and MOPU stands for Mobile  MODU is the acronym for Mobile Offshore Drilling Unit and MOPU stands for Mobile  Offshore Production Unit.

Offshore Production Unit.

22. Are there any comprehensive assessment guidelines to assess adequacy of fire and 22. Are there any comprehensive assessment guidelines to assess adequacy of fire and

explosion mitigation measures in offshore installations? explosion mitigation measures in offshore installations?

Yes. ISO 13702 ‘Control & Mitigation of Fires and Explosions-Requirements and  Yes. ISO 13702 ‘Control & Mitigation of Fires and Explosions-Requirements and  Guidelines’ can be used to carry out this assessment, in a comprehensive manner.

Guidelines’ can be used to carry out this assessment, in a comprehensive manner.

23. Is FPSO deck protection design based on dropped object impact logical? Is there a 23. Is FPSO deck protection design based on dropped object impact logical? Is there a

performance / risk based solution for this? performance / risk based solution for this?

DOA can be carried out using a specific risk assessment process to arrive at risk-based  DOA can be carried out using a specific risk assessment process to arrive at risk-based  recommendations. Recommendations based on pure consequences may not necessarily  recommendations. Recommendations based on pure consequences may not necessarily  result in risk benefits over the cost involved.

result in risk benefits over the cost involved.

24. Is BLEVE (Boiling Liquid Expanding Vapor Explosion) possible with crude oil? 24. Is BLEVE (Boiling Liquid Expanding Vapor Explosion) possible with crude oil?

BLEVE is more probable with liquidified petroleum products such as LPG. When crude oil  BLEVE is more probable with liquidified petroleum products such as LPG. When crude oil  is heated, a hazardous condition known as Boil Over Explosion (BOE) can occur. Water  is heated, a hazardous condition known as Boil Over Explosion (BOE) can occur. Water  deluge is provided on vessels / equipment containing crude on FPSOs is to avert BOE  deluge is provided on vessels / equipment containing crude on FPSOs is to avert BOE  conditions from fire escalations.

conditions from fire escalations.

25. For control of LOC (Loss of Containment) situations, plated decks are preferred over 25. For control of LOC (Loss of Containment) situations, plated decks are preferred over grated floors, especially for elevated equipment decks. How do we take a risk-based grated floors, especially for elevated equipment decks. How do we take a risk-based  justification on this issue?

Both plated and grated decks have their own advantages and disadvantages. For  Both plated and grated decks have their own advantages and disadvantages. For  elevated equipment / vessels containing liquid hydrocarbon, it is recommended to have  elevated equipment / vessels containing liquid hydrocarbon, it is recommended to have  the secondary spill containment at the equipment floor so as to avert the catastrophe of  the secondary spill containment at the equipment floor so as to avert the catastrophe of  COTs getting impaired from deck pool fires.

COTs getting impaired from deck pool fires.

26. In almost FEA study, the explosion values are a major concern and can result in 26. In almost FEA study, the explosion values are a major concern and can result in expensive modifications involving blast walls, deck steel strengthening, etc. What are the expensive modifications involving blast walls, deck steel strengthening, etc. What are the issues here?

issues here?

The common point source modeling software / tools (although some are validated  The common point source modeling software / tools (although some are validated  through scientific research) typically provide pessimistic explosion values due to their  through scientific research) typically provide pessimistic explosion values due to their  limitations. If the explosion values are found to be higher than the typical values, CFD  limitations. If the explosion values are found to be higher than the typical values, CFD  analysis may be carried out to take a final decision.

analysis may be carried out to take a final decision.

27. In FPSO design and assessments, there is always a conflict between class rules and 27. In FPSO design and assessments, there is always a conflict between class rules and

engineering standards. How is this major issue resolved? engineering standards. How is this major issue resolved?

Class rules (ABS, Lloyds, DNV, etc.) typically apply to vessel floating and stability  Class rules (ABS, Lloyds, DNV, etc.) typically apply to vessel floating and stability  aspects and marine systems (below deck) and the regulations (IMO-SOLAS, etc.) and  aspects and marine systems (below deck) and the regulations (IMO-SOLAS, etc.) and  engineering standards (API, NFPA, etc.) apply to topsides (above deck). Typically, class  engineering standards (API, NFPA, etc.) apply to topsides (above deck). Typically, class  rules are prescriptive and the engineering standards are performance or risk based.

rules are prescriptive and the engineering standards are performance or risk based.

Most common point of design conflict between class rules and standards is on the  Most common point of design conflict between class rules and standards is on the  boarder. On FPSOs, it will be most often the deck. Impairment of main deck from topside  boarder. On FPSOs, it will be most often the deck. Impairment of main deck from topside  hazards is always looked at and deliberated with interest by the classification societies. hazards is always looked at and deliberated with interest by the classification societies.

28. Logically for brown field offshore assets, the risk levels should be assessed based on the 28. Logically for brown field offshore assets, the risk levels should be assessed based on the actual performance of safety systems or barriers or safety critical elements. How is this actual performance of safety systems or barriers or safety critical elements. How is this done?

done?

Yes. Since the risk levels depend on the safety barrier performance for an operating  Yes. Since the risk levels depend on the safety barrier performance for an operating  asset, in order to calculate realistic risk levels, it is logical to assess performance of  asset, in order to calculate realistic risk levels, it is logical to assess performance of  safety systems. One of the common ways to do this is by using the traffic light system  safety systems. One of the common ways to do this is by using the traffic light system  used by UK HSE & NOPSA.

used by UK HSE & NOPSA.

29.

IVB (Independent Verification Body) is appointed by DH (Duty Holder) to verify  IVB (Independent Verification Body) is appointed by DH (Duty Holder) to verify  performance of safety systems or SCEs. The asset integrity verification is an important  performance of safety systems or SCEs. The asset integrity verification is an important  process that verifies the performance of safety barriers based on their defined  process that verifies the performance of safety barriers based on their defined  performance standards. IVB carries out the verification using WSE (Written Scheme of  performance standards. IVB carries out the verification using WSE (Written Scheme of  Examination) through ICP (Independent Competent Person).

Examination) through ICP (Independent Competent Person).

Generally the consultants (Bureau Veritas. ABS, DNV, Lloyds, etc.) collaborate with the  Generally the consultants (Bureau Veritas. ABS, DNV, Lloyds, etc.) collaborate with the  asset owners to develop the verification scheme which establishes a system of  asset owners to develop the verification scheme which establishes a system of  independent and competent scrutiny of safety-critical elements throughout the life cycle  independent and competent scrutiny of safety-critical elements throughout the life cycle  of an installation. This written scheme then drives the verification activities. The actual  of an installation. This written scheme then drives the verification activities. The actual  verification is executed through a sampling process, including examination of facilities, verification is executed through a sampling process, including examination of facilities, review of maintenance and inspection records, and witnessing of tests on safety critical  review of maintenance and inspection records, and witnessing of tests on safety critical  systems.

systems.

The purpose of this independent verification activity is to satisfy the UK legal requirements to have  The purpose of this independent verification activity is to satisfy the UK legal requirements to have  an Independent Competent Person verify the suitability of the installations Safety Critical Elements  an Independent Competent Person verify the suitability of the installations Safety Critical Elements  (SCEs) thus providing confidence to the operator and the regulator in the suitability of risk  (SCEs) thus providing confidence to the operator and the regulator in the suitability of risk  management measures.

management measures.

30. What is traffic light system from the context of SCE assessment? 30. What is traffic light system from the context of SCE assessment?

The asset integrity of the ageing offshore assets in the UK Continental shelf (mainly in  The asset integrity of the ageing offshore assets in the UK Continental shelf (mainly in  the North Sea) was verified through a sampling process (40%) by the Offshore Division of  the North Sea) was verified through a sampling process (40%) by the Offshore Division of  UK HSE using the traffic light system. Green means the performance of the safety critical  UK HSE using the traffic light system. Green means the performance of the safety critical  element is healthy, amber means the performance has deteriorated and red means the  element is healthy, amber means the performance has deteriorated and red means the  SCE has failed or is not performing. For details, the KP 3 inspection report from UK HSE  SCE has failed or is not performing. For details, the KP 3 inspection report from UK HSE  may be referred.

may be referred.

31. Bow Ties are developed for all MAEs and they should be used to demonstrate ALARP. 31. Bow Ties are developed for all MAEs and they should be used to demonstrate ALARP. But Bow Ties are qualitative but ALARP (As Low As Reasonably Practical) is about But Bow Ties are qualitative but ALARP (As Low As Reasonably Practical) is about specific numbers. How is this conflict resolved?

specific numbers. How is this conflict resolved?

As per Shell guidelines, if the performance of all safety systems / barriers is Green as per  As per Shell guidelines, if the performance of all safety systems / barriers is Green as per  the traffic light assessment, then the risk levels are in the tolerable region of ALARP. the traffic light assessment, then the risk levels are in the tolerable region of ALARP. Since Shell introduced Bow Tie technique, generally oil & gas operators follow this  Since Shell introduced Bow Tie technique, generally oil & gas operators follow this  criterion which is logical.

criterion which is logical.

32. What are KP (Key Performance) inspections from UK HSE? 32. What are KP (Key Performance) inspections from UK HSE?

The offshore oil and gas industry on the UK Continental Shelf (UKCS) is a mature  The offshore oil and gas industry on the UK Continental Shelf (UKCS) is a mature  production area. Much of the offshore infrastructure is at, or has exceeded, its intended  production area. Much of the offshore infrastructure is at, or has exceeded, its intended  design life. Between 2000 and 2004, HSE’s Offshore Division (OSD) ran a major  design life. Between 2000 and 2004, HSE’s Offshore Division (OSD) ran a major  programme KP1 aimed at reducing hydrocarbon releases and focusing on the integrity of  programme KP1 aimed at reducing hydrocarbon releases and focusing on the integrity of  process plant. This resulted in a considerable reduction in the number of major and  process plant. This resulted in a considerable reduction in the number of major and  significant hydrocarbon releases. During this time, however, OSD became increasingly  significant hydrocarbon releases. During this time, however, OSD became increasingly  concerned about an apparent general decline in the condition of fabric and plant on  concerned about an apparent general decline in the condition of fabric and plant on  installations and responded with Key Programme 3 (KP3) directed more widely at asset  installations and responded with Key Programme 3 (KP3) directed more widely at asset  integrity, and were conducted between 2004 and 2007.

integrity, and were conducted between 2004 and 2007.

33. What is UKOOA? 33. What is UKOOA?

UKOOA stands for United Kingdom Offshore Operators Association. Several safety and  UKOOA stands for United Kingdom Offshore Operators Association. Several safety and  asset integrity publications are freely available from their web site,

asset integrity publications are freely available from their web site, www.ukooa.co.uk www.ukooa.co.uk ..

34.

34. Can MAE Bow Ties be used to identify emergency systems? How?Can MAE Bow Ties be used to identify emergency systems? How?

Yes. The mitigation and recovery barriers that are located on the right side of Bow Tie are  Yes. The mitigation and recovery barriers that are located on the right side of Bow Tie are  logically the emergency systems.

logically the emergency systems.

35. Can Bow Ties be used in all FSA (Formal Safety Assessments) studies to demonstrate 35. Can Bow Ties be used in all FSA (Formal Safety Assessments) studies to demonstrate ‘Safe Operation of Offshore Assets’ as a common thread (HAZID to Operational Safety ‘Safe Operation of Offshore Assets’ as a common thread (HAZID to Operational Safety Case)? How can this be done?

Case)? How can this be done?

Yes, this can be done. If Bow Ties developed at the HAZID stage are used in all FSA Yes, this can be done. If Bow Ties developed at the HAZID stage are used in all FSA studies, then the demonstrate ion in the safety case would be very visible with a common  studies, then the demonstrate ion in the safety case would be very visible with a common  thread running through the assessments. For details, please contact the author.

thread running through the assessments. For details, please contact the author.

36.

36. Can the Bow Ties be developed in a quantitative manner? How can this be done?Can the Bow Ties be developed in a quantitative manner? How can this be done?

Fault tree could be developed on the left side and event tree on the right side and this  Fault tree could be developed on the left side and event tree on the right side and this  could be done in a quantitative manner. The probabilities of consequences from various  could be done in a quantitative manner. The probabilities of consequences from various  threats can be demonstrated using bow ties. Generally the frequency analysis is carried  threats can be demonstrated using bow ties. Generally the frequency analysis is carried  out using published failure data using various safety gates in event trees.

out using published failure data using various safety gates in event trees.

37.

The escape time calculated in the ETRERA study. Logically, the critical facilities in  The escape time calculated in the ETRERA study. Logically, the critical facilities in  offshore installation that aid safe escape & evacuation of personnel should survive major  offshore installation that aid safe escape & evacuation of personnel should survive major  fires. Based on the ETRERA and FEA studies, escape routes and ESD valves should be  fires. Based on the ETRERA and FEA studies, escape routes and ESD valves should be  provided with appropriate PFP measures for the escape duration.

provided with appropriate PFP measures for the escape duration.

38. BDVs (Blow Down Valves) and PSVs (Pressure Safety Valves). Are both these devices 38. BDVs (Blow Down Valves) and PSVs (Pressure Safety Valves). Are both these devices

intended to cause de-pressurization? intended to cause de-pressurization?

BDV valves are designed to open on confirmed external fire condition to depressurize  BDV valves are designed to open on confirmed external fire condition to depressurize  gas systems to 6.9 barg or to 50% of the operating pressure (whichever is lesser) within  gas systems to 6.9 barg or to 50% of the operating pressure (whichever is lesser) within  15 minutes as per API 521. PSVs are set to open at a set over pressure value to de-  15 minutes as per API 521. PSVs are set to open at a set over pressure value to de-  pressurize the process equipment due to process upset conditions. In a way, both are  pressurize the process equipment due to process upset conditions. In a way, both are  installed to protect equipment from over pressurization but the design objectives are  installed to protect equipment from over pressurization but the design objectives are  different.

different.

39. What are MOPO & SIMOPS? 39. What are MOPO & SIMOPS?

MOPO or Matrix Of Permitted Operations is a matrix with SCE failure conditions against MOPO or Matrix Of Permitted Operations is a matrix with SCE failure conditions against safety critical activities. MOPO is normally developed in a facilitated workshop to identify safety critical activities. MOPO is normally developed in a facilitated workshop to identify restrictions for critical operations during SCE failure conditions. Some activity may be restrictions for critical operations during SCE failure conditions. Some activity may be permitted / not permitted / permitted with restrictions during SCE failure conditions.

permitted / not permitted / permitted with restrictions during SCE failure conditions.

SIMOPS or Simultaneous Operations involves concurrent activities such as production  SIMOPS or Simultaneous Operations involves concurrent activities such as production  and drilling; construction and production, etc. Generally, SIMOPS will generate additional  and drilling; construction and production, etc. Generally, SIMOPS will generate additional  hazards due to the concurrent or simultaneous activities. An example is hydrocarbon  hazards due to the concurrent or simultaneous activities. An example is hydrocarbon  venting (production) and welding (construction) which poses a SIMOPS hazard.

venting (production) and welding (construction) which poses a SIMOPS hazard. 40. What is a Verification Scheme and what are its typical contents?

40. What is a Verification Scheme and what are its typical contents? Refer FAQ 29.

Refer FAQ 29.

41. How are Safety Critical Elements (SCEs) identified? 41. How are Safety Critical Elements (SCEs) identified?

SCEs could be identified by developing a matrix between MAEs and all systems on the  SCEs could be identified by developing a matrix between MAEs and all systems on the  installation. Then by applying the definition of SCE (safety system that controls  installation. Then by applying the definition of SCE (safety system that controls   /prevents/mitigates / recovers from MAEs), those safety systems can be identified.

 /prevents/mitigates / recovers from MAEs), those safety systems can be identified.

42. How are MOPO & SCEs linked? 42. How are MOPO & SCEs linked?

As explained in FAQ 39, MOPO is developed to identify restrictions during SCE failure  As explained in FAQ 39, MOPO is developed to identify restrictions during SCE failure  conditions. So SCEs and MOPO are certainly linked.

conditions. So SCEs and MOPO are certainly linked.

43. What is included in ‘Case to Operate’ document? 43. What is included in ‘Case to Operate’ document?

Case to Operate’ document is a logical extension of MOPO, in which the procedures of  Case to Operate’ document is a logical extension of MOPO, in which the procedures of  continuing operations during SCE failure conditions are defined.

continuing operations during SCE failure conditions are defined.

44.

44. What do you mean by Dual Safety Performance assurance? How is this achieved?What do you mean by Dual Safety Performance assurance? How is this achieved?

Ideally safety performance should be measured using both leading (proactive) and  Ideally safety performance should be measured using both leading (proactive) and  lagging (reactive) performance indicators. As part of MHM (Major Hazard Management), lagging (reactive) performance indicators. As part of MHM (Major Hazard Management), safety performance indicators should be focused on process safety. Logically, both the  safety performance indicators should be focused on process safety. Logically, both the  leading & lagging performance indicators could be identified from bow ties and then can  leading & lagging performance indicators could be identified from bow ties and then can  be monitored through the HSEMS (HSE Management system).

be monitored through the HSEMS (HSE Management system).

45. What is the most important safety learning from BP Texas Explosion incident? 45. What is the most important safety learning from BP Texas Explosion incident?

BP management measured process safety performance as part of MHM process by  BP management measured process safety performance as part of MHM process by  measuring LTIs (Lost Time Injuries) which is an occupational safety (OH) issue. Although  measuring LTIs (Lost Time Injuries) which is an occupational safety (OH) issue. Although  the OH performance was good, the process safety at BP Texas refinery was on the  the OH performance was good, the process safety at BP Texas refinery was on the  decline and finally resulted in a major explosion.

decline and finally resulted in a major explosion.

46. There are several safety assessments which are performed as part of Operational Safety 46. There are several safety assessments which are performed as part of Operational Safety

Case. Is there a suggested logical sequence? Case. Is there a suggested logical sequence?

1.

1. HAZID HAZID 5. 5. ESSA ESSA 9.Verification 9.Verification SchemeScheme 2.

2. Layout Layout Review Review 6. 6. ETRERA ETRERA 10. 10. OSCOSC 3.

3. HAZOP HAZOP 7. 7. NHHANHHA 4.

4. FEA FEA 8. 8. QRAQRA

47. Safety case is a requirement most hazardous industry sectors such as offshore. Which 47. Safety case is a requirement most hazardous industry sectors such as offshore. Which

other MAH (Major Accident Hazard) industries require a safety case? other MAH (Major Accident Hazard) industries require a safety case?

The other MAH industries for which safety case requirement exists include aviation, rail, The other MAH industries for which safety case requirement exists include aviation, rail, and nuclear.

48. What are the typical triggers for safety case update? 48. What are the typical triggers for safety case update?

As per UK SCR (Safety Case Regulation) 2005, the safety case has to be updated every  As per UK SCR (Safety Case Regulation) 2005, the safety case has to be updated every  5 years. The typical safety case update triggers are: 

5 years. The typical safety case update triggers are: 

•

• Major modifications; Major modifications;  •

• Technology change; Technology change;  •

• Regulatory change; and Regulatory change; and  •

• Change in ownership; Change in ownership; 

49. Is Design Safety Case still a UK HSE requirement? 49. Is Design Safety Case still a UK HSE requirement?

No. As per ‘The Offshore Installation (Safety Case) Regulations 2005 (SCR05)’, the  No. As per ‘The Offshore Installation (Safety Case) Regulations 2005 (SCR05)’, the  requirement for a design safety case has been replaced with the new requirement for an  requirement for a design safety case has been replaced with the new requirement for an  (earlier) design notification.

(earlier) design notification.

50. UK Safety Case Regulation, 2005 is followed by several countries to safely operate their 50. UK Safety Case Regulation, 2005 is followed by several countries to safely operate their

offshore installations. What is the logic behind this? offshore installations. What is the logic behind this?

Since the UK HSE SCR 2005 is matured and is rather comprehensive, many countries  Since the UK HSE SCR 2005 is matured and is rather comprehensive, many countries  are adopting UK Safety Case Regulation for operating their offshore assets safely.

are adopting UK Safety Case Regulation for operating their offshore assets safely.

Compiled by: Compiled by: Pillai Sreejith

Pillai Sreejith([email protected])([email protected])

Disclaimer: Disclaimer:

The FAQ was generated based on author’s experience in assessing technical safety of offshore The FAQ was generated based on author’s experience in assessing technical safety of offshore installations and based on applicable standards and guidelines. It is possible that there are installations and based on applicable standards and guidelines. It is possible that there are different views on these answers. The author welcomes frank discussions on the above FAQs. different views on these answers. The author welcomes frank discussions on the above FAQs.