Fire and explosion guidance Part 0: Fire and explosion hazard management ISSUE 2 October 2003
Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither UKOOA, nor any of its members will assume liability for any use made thereof. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Crown copyright material is reproduced with the permission of the Controller of Her Majesty’s Stationery Office. Copyright © 2002 UK Offshore Operators Association Limited
UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management
Foreword
1995 Edition - In publishing these Guidelines UKOOA gratefully acknowledges the support and assistance given to their preparation by the Health & Safety Executive (HSE), British Chemical Engineering Contractors Association (BCECA), British Rig Owner’s Association (BROA), and International Association of Drilling Contractors (North Sea Chapter) (IADC).
2003 Edition – UKOOA gratefully acknowledges the continuing support and assistance provided by the Health & Safety Executive during the production of the Fire and Explosion Guidance Update.
This document is part of a series being produced by UKOOA and HSE on fires and explosions, the full series being:
Part 0 Hazard management (formerly FEHM)
Part 1 Avoidance and mitigation of explosions
Part 2 Avoidance and mitigation of fires
Part 3 Detailed design and assessment guidance
This Part 1 document is taken from MSL Engineering Reports C26800R006 Rev 2 and C26800R007 Rev 2.

Part 0:- Fire and explosion hazard management
Describes Hazard Management principles and practices with particular emphasis on the management of fire and explosion hazards
Part 1:- Avoidance and mitigation of explosions
Describes design considerations for the prevention, control and mitigation of explosions
Part 2:- Avoidance and mitigation of fires
Describes design considerations for the prevention, control and mitigation of fires
Part 3:- Design practices for fire and explosion engineering
Contains advice on the engineering implementation of the measures outlined in principle in Parts 1 & 2
Basis Documents for Parts 1, 2 & 3
Contains base position papers as guidance was developed. Available on www.fireandblast.com for those wishing to understand the logic and data gathered for the positions taken in the guidance
Contents
1 Introduction
2 Aims and Principles
2.1 Aims of Fire and Explosion Hazard Management (FEHM)
2.2 Principles
2.3 Overview of the Management Process
2.4 Reasonable Practicability
2.5 Performance Standards
3 The Lifecycle Approach to Fire and Explosion Hazard Management
3.1 Introduction
3.2 The Use of the Fire and Explosion Assessment during the Installation Lifecycle
3.3 Stages of the Installation Lifecycle
4 The Assessment of Fire and Explosion Hazardous Events
4.1 Introduction
4.2 Timing and Detail of the Assessment
4.3 Hazard Identification
4.4 Initiating Frequency Analysis
4.5 Characterisation of Fire and Explosion Hazardous Events
4.6 Consequence Analysis
4.7 Escalation Analysis
4.8 Risk Assessment
5 Inherent Safety and Prevention
5.1 Inherently Safer Design and Process/Layout Optimisation Options
5.2 Design, Quality and Maintenance
5.3 Prevention Options
6 Selection and Specification of Systems for Fire and Explosion Detection, Control and Mitigation
6.1 Principles
6.2 Selection and Specification Overview
6.3 Selection of Systems
6.4 Specification of a System
7 Guidance on Systems for the Detection, Control and Mitigation of Fires and Explosions
7.1 Detection Options
7.2 Control Options
7.3 Mitigation Options
8 Implementation And Verification
8.1 Communication
8.2 Competence
8.3 Commissioning and Routine Testing
8.4 Audit
8.5 Modifications
9 Special features for the Assessment of Existing Installations
9.1 Installation Risk Screening
9.2 Explosion Hazard Review
9.3 Scenario Definition
9.4 Prevent, Detect, Control, Mitigate
9.5 Determination of Explosion Loads
9.6 Response to Explosions
9.7 Evaluation
1 Introduction
The updated Fire and Explosion Guidance has been prepared to encourage an integrated approach to the management of Fires and Explosions. As such, it complements the Safety Case and should help those persons with responsibilities for the safe design, construction and operation of installations to manage fire and explosion hazards. It should also assist duty holders to comply with the Offshore Installation (Safety Case) Regulations (SCR), the Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (PFEER), the Management of Health and Safety at Work Regulations (MHSWR) and the Provision and Use of Work Equipment Regulations (PUWER).
Part 0 of the Fire and Explosion Guidance Update is complemented by other industry and UKOOA guidance; they constitute a suite of information to support the design, operational and regulatory efforts to manage fire and explosion hazards effectively.

The updated Fire and Explosion Guidance applies to new and existing, fixed and mobile installations. It has been written specifically for the United Kingdom Offshore Oil and Gas industry but may be applied elsewhere, both on and offshore. The principles may also be applied to the management of other hazardous events.

The updated Fire and Explosion Guidance outlines a particular structured approach to the management of fires and explosions. Operators/Owners of existing installations should examine their management system to see how they comply with the overall aims outlined in Section 2.1. They should then assess the need for change, the benefits, extent and timing.

Mobile installations will also have to comply with their flag administration and international maritime requirements. The updated guidance should be used in addition to those requirements, to ensure that their management systems are adequate for all the fire and explosion hazards which may be encountered.

The updated Fire and Explosion Guidance aims to promote understanding of hazardous events involving fires and explosions by both designers and Operators/Owners. It is through understanding of the causes, characteristics and likelihood of such events that an effective management system can be put in place for each. The management system would include inherently safer design and operation and a combination of suitable prevention, detection, control and mitigation measures.

The updated guidance shows how the Operator/Owner, operators of plant and each engineering discipline play a part in managing hazards and hazardous events. Effective management starts with the initial studies and continues until the installation is decommissioned. The guidance uses the lifecycle safety management concept and outlines the role that each person should play in the process.
The updated Fire and Explosion Guidance outlines the management process, the analyses and decisions that need to be taken and the factors to be considered when making those decisions. Above all, the aim is to encourage a balanced approach to hazard management by ensuring that the resources provided to manage fires and explosions are commensurate with the risks of these events. The guidance provides a framework whereby everyone, managers, designers, Operators/Owners, contractors and auditors, can work effectively together to understand and manage the hazardous events.

The updated Fire and Explosion Guidance sets out what is generally regarded in the industry as good practice. It is not mandatory and Operators/Owners may adopt different standards in a particular situation where to do so would maintain an equivalent level of safety.

More specific guidance is available to support this Part 0 (“Fire and Explosion Hazard Management”) of the updated guidance; further information is available in the informative sections at the back of this document and there are three further guidance documents which cover the design considerations for fires and explosions which can be found on the UKOOA or fireandblast.com websites:
http://www.oilandgas.co.uk
http://www.fireandblast.com

The three further guidance documents for design considerations and implementation cover the following topics:
• Part 1 Guidance on design and operational considerations for the avoidance and mitigation of explosions
• Part 2 Guidance on design and operational considerations for the avoidance and mitigation of fires
• Part 3 Guidance on design practices for fire and explosion engineering
Part 1 is currently available, a completed Part 2 will be available in December 2004 and a completed Part 3 is scheduled to be available the following year. One intent of this Guidance is to move the decision-making processes within the fire and explosion design field as much as possible towards a ‘Type A’ process from ‘Type B or C’ as defined in the UKOOA document the “Risk Based Decision Making Framework”, the main figure of which is illustrated overleaf.
Figure 1.1 - The UKOOA Risk Based Decision Making Framework

The framework defines the weight given to various factors within the decision making process, ranging from decisions dominated by purely technical matters to those where company and societal values predominate. A substantial number of installations will lie in Areas A or B of the chart resulting in an approach which involves codes and Guidance based on experience and ‘best practice’ as described in this document and supplemented by risk based arguments where required.

A glossary of terms used and definitions is given in Appendix 1.
2 Aims and Principles

2.1 Aims of Fire and Explosion Hazard Management (FEHM)
These are that:
− all fire and explosion hazards should be identified, analysed and understood;
− overall risk from all major accidents including fires and explosion should be assessed, and be "as low as reasonably practicable" (ALARP);
− an appropriate combination of prevention, detection, control and mitigation systems should be implemented and maintained throughout the lifecycle of the installation;
− the systems provided to protect personnel from the effects of fires and explosions should be suitable for these hazardous events and have performance standards commensurate with the required risk reduction;
− the design, operation and maintenance of the systems be undertaken by competent staff who understand their responsibilities in the management of the hazards and possible hazardous events;
− any changes to the installation which may affect the likelihood or consequences of fires and explosions should be identified, assessed and the systems revised to take them into account as necessary.

2.2 Principles
Effective, economic FEHM depends on the appropriate timing and use of resources. This can be achieved by following the principles for identification and assessment of the foreseeable hazardous events, see Section 4.1, and for selection and specification of safety systems, see Section 6.1. This approach is structured around the life cycle concept described in Section 3. The following summarise the main principles:
− fire and explosion assessment should commence very early in the design and should be used as one of the bases of hazard management throughout the installation lifecycle;
− everyone involved in the design, commissioning, operation, maintenance and modification of the installation should have sufficient knowledge of the hazards and their contribution to the overall risks;
− the principles of inherent safety should be applied early in the design so as to eliminate or reduce hazards so far as is reasonably practicable;
− safety systems should be selected based on the hierarchy of prevention, detection, control and mitigation;
− resources should be assigned to systems taking account of the risks from the hazardous events and the role of the system in reducing them;
− the hazard management process should be documented and communicated to operations personnel so that they have adequate information about both the hazards, hazardous events and safety systems provided to manage them;
− the principles of quality management should be followed; e.g. ISO 9000 Quality Management and Quality Assurance Standards - Guidelines for Selection and Use.

2.3 Overview of the Management Process
A thorough understanding of all hazards and hazardous events, including fires and explosions, is at the heart of the Safety Management System (SMS) and it should be proactive to reduce risks. This overall process is outlined in the OGP (formerly E&P Forum) “Guidelines for the Development and Application of Health Safety and Environment Management Systems”. Part 0 of this guidance adds more detail to this process and applies it to fires and explosions. For these hazardous events the management process is given below:
− identification of the hazardous events (coarse assessment);
− analysis and assessment of the hazardous events (type, areas affected, magnitude of the consequences, duration, likelihood, etc.);
− reduction of the risks from fires and explosions through inherently safer design (see Section 5.1);
− design to reduce the likelihood, scale, intensity, duration and effects of each hazardous event;
− identification and specification of the particular prevention, detection, control and mitigation measures needed for each hazardous event;
− confirmation of the suitability and effectiveness of each of the measures selected;
− specification of the measures adopted;
− communication and implementation;
− verification;
− documentation.
The hazard management process should be employed in a timely manner and in accordance with the type, severity and likelihood of each hazardous event. It is essential that all parties who can contribute to the reduction of hazards, particularly design engineering disciplines and those who will have to operate and maintain the plant, understand the hazards and are involved during the appropriate stages of the lifecycle.

Section 3 provides details of the lifecycle for an installation, and describes the hazard management process. It outlines the timing and interaction of the activities so that the overall safety of the installation can be improved. The lifecycle approach shows how to prepare and implement a strategy for the management of fire and explosion on an offshore installation throughout its life, i.e. from design through commissioning and operations to decommissioning. This is developed firstly by inherently safer design, followed by prevention of identified fire and explosion hazardous events and then by the selection of detection, control and mitigation measures.

The fire and explosion assessment process is used in the lifecycle to provide information on which to base decisions and design systems. Thereafter, it is used to assess these arrangements to make sure that the high level performance standards have been achieved.

The FEHM process can be applied to new or existing installations:
− for new installations it should start during feasibility studies and be fully developed during detail design. The results should then be communicated to personnel operating the installation to ensure that they know the purpose and capability of all the systems, can operate them properly and that adequate maintenance schemes are in place;
− for an existing installation the process should be applied to current arrangements and modifications. These should be assessed to determine if the high level performance standards are achieved and that risks are as low as is reasonably practicable.
The management of hazards to reduce the risks involves many interests which may often appear to conflict with each other. The process is a multi-disciplinary activity, involving all levels of personnel from senior management to junior staff from a number of different organisations. Table 2.1 outlines a typical range of tasks for these personnel. It is important that the input and activities of these personnel are fully coordinated and managed. The SMS of each organisation should identify the relevant responsibilities.
2.4 Reasonable Practicability
Operators/Owners of offshore installations must demonstrate that the risks to personnel from all major accidents have been reduced to a level which is “as low as reasonably practicable” (the ALARP principle). The ALARP principle can be demonstrated by quantification or qualitatively by using experienced judgement. For all hazardous events including fires and explosions a more formal demonstration of quantified risk assessment may be required.

In weighing the costs of risk reduction measures the principle of reasonable practicability applies so that there should be no gross disproportion between the cost of preventative or protective measures and the reduction of the risk that they would achieve to those already in place. The issues of risk levels and ALARP are more fully discussed in HSE publications “A Guide to the Offshore Installations (Safety Case) Regulations 1992” and “The Tolerability of Risks from Nuclear Power Stations”.

ALARP can be described as the process of striving to reduce risks to a negligible level while taking due consideration of the economic and schedule implications of this goal, see the figure below. The cost of a measure (in terms of the time, cost and difficulties in implementing it) must be compared with the amount of risk reduction it brings. If the overall costs are ‘grossly disproportionate’ to the benefits, then implementation of the measure may be inappropriate.

In endeavouring to reduce risks to ALARP, resources should be concentrated on the primary risk contributors and on the areas or systems where the greatest risk reduction can be achieved for the expenditure. This must be a “top down” process starting with the hazard identification and consideration of areas for improvement and not a “bottom up” process starting with the safety systems. It should be based on the need for improvements or enhancements and not on the ready availability of particular systems.
Appropriate standards and accepted industry practice are tools to achieve and demonstrate reasonably practicable risk reduction. These should be appropriate to the hazards and hazardous events on the particular installation so that they contribute significantly to the reduction of risk. However, although concentrating on the primary risk contributors, care should be taken not to miss reasonably practical ways of reducing the risk from apparently less serious events.
Figure 2.1 - The ALARP Triangle
− Unacceptable region (10⁻³ per annum): risk cannot be justified except in extraordinary circumstances
− The ALARP or tolerability region (risk is undertaken only if a benefit is desired): tolerable only if further risk reduction is impractical, or the cost is not proportionate to the benefit gained
− Broadly acceptable region: negligible risk
Risks closer to the unacceptable region merit a closer examination of potential risk reduction measures.

Further guidance on the demonstration of ALARP is available from the following sources:
• Policy and Guidance on reducing risks to ALARP in Design http://www.hse.gov.uk/dst/alarp1.htm
• Principles and Guidelines to Assist HSE in its Judgement that Duty Holders Have Reduced Risk as Low as Reasonably Practicable http://www.hse.gov.uk/hid/spc/perm12.htm
HSE Books have published a guide which sets out an overall framework for decision taking by the HSE (R2P2), which is available in hard copy form (28) and as a free download from http://www.hsr.gov.uk/dst/r2p2.pdf .
Table 2.1: Typical Allocation of Tasks in a Management System
Headings: Senior Management; Design and Plant Managers; Designers; Operators; Individuals: Designers, Technicians and Plant Operators; Offshore Contractors; Inspectors/Auditors.
[Table body not reproduced.]
The columns in the table apply to three levels of personnel. They may work within the same organisation or work separately.
2.5 Performance Standards
The principle behind the “goal setting” approach is that it should be possible to define overall goals for design and operation, together with a method for assessing the extent to which these are realised. For any goal it is usually possible to identify one or more measures whose performance will be a reasonable indicator of how successfully the goal is achieved. These can be described as performance standards and defined as follows:

Performance Standard: A performance standard is a statement, which can be expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment, person or procedure, and which is used as the basis for managing the hazard - e.g. planning, measuring, control or audit - through the lifecycle of the installation.

When characterising “performance” in relation to the whole range of operational activities associated with an installation, it is helpful to consider a hierarchy of performance standards. High level performance standards are applied to the installation as a whole or to the major systems that comprise the installation (e.g. the Temporary Refuge (TR) or the fire and explosion arrangements). Lower level performance standards are used to describe the required performance of lesser systems, which may contribute to the high level performance standards.

An important principle to be adopted in setting performance standards is that their number and level of detail should be commensurate with the magnitude of the risk being managed. Thus caution should be exercised to avoid setting performance standards for systems, sub-systems or components of systems that contribute little to the management of overall risk reduction associated with the installation.

Performance Standards are particularly important (and legally required in the UK) for defining the performance of elements that help to manage or defeat a specific hazard.
The Safety Critical Element (SCE) is defined as any structure, plant, equipment, system (including computer software) or component part whose failure could cause or contribute substantially to a major accident, and thus includes any measure which is intended to prevent or limit the effect of a major accident. SCEs should have fulfilled their function or remain operational. For example, plastic deformation of the structure is acceptable provided collapse does not occur allowing barriers to remain in-place and adequately resist any subsequent fires or other hazards.
Further general guidance on performance standards may be found in the HSE publication “Successful Health and Safety Management” (see Appendix 3).
2.5.1 High Level Performance Standards
The Safety Case regime requires that performance standards should be set (HSE Publication “A Guide to the Offshore Installations (Safety Case) Regulations 1992”). These are the goals for safety of the installation and relate to the overall risk to persons on the installation. Fires and explosions will contribute to some of this risk. The performance of the systems and arrangements provided to manage major accidents involving fires and explosions will contribute to meeting this standard and it may also be appropriate to set standards for these major systems.

It may not be possible to measure these standards directly but they should be capable of verification from the results of assessments of low level performance standards. Nevertheless, even when not directly measurable they should be auditable in order to fulfil their principal role which is to provide a benchmark so that the adequacy of the arrangements may be assessed.
2.5.2
Low Level Performance Standards
Having completed the development and assessment of the FEHM arrangements and demonstrated that risks to persons using these arrangements are ALARP, it can be useful to establish detailed “low level” performance standards to ensure that this position is both initially verified and subsequently maintained. The appropriate application of low level performance standards may significantly reduce the risks from fires and explosions. Performance standards at this level may relate to the principal systems used to detect, control and mitigate fires and explosions. However, whatever performance standards are selected, three key characteristics should apply. Firstly, the selected items should make a significant contribution to the overall acceptability of the FEHM arrangements. Secondly, the parameters chosen should be directly relevant to the achievement of the system goal. Thirdly, the performance standard should be capable of expression in terms of parameters that are verifiable.
The process of setting the detailed low level performance standards therefore involves a review of the required performances under the anticipated emergency conditions of the systems, sub-systems or equipment that make up the fire and explosion prevention, detection, control and mitigation arrangements. The purpose of this review is to identify those items that make the most significant contribution to the overall acceptability of the arrangements. It is necessary to identify those items where significant performance deviation would jeopardise the arrangements to the extent that the strategic objectives set for the installation would not be satisfied.
It is also important when undertaking this review to determine what effective barriers to the occurrence of a particular hazard are provided. The number and integrity of these should take into account the magnitude of the hazardous event and the likelihood of the initiating event in the absence of these barriers.
In the setting of the low level performance standards it may be helpful to consider FEHM arrangements in hierarchical terms. First, those items of systems performance that are primarily important in the achievement of the overall objectives should be identified. Moving down the hierarchy, assessment should indicate the most important factors contributing to the success of that system. For engineered systems, these can be expressed in terms of functionality, availability, reliability and survivability. They should relate to the overall ability of a system to fulfil its role, the probability of the system operating successfully when required and its ability to continue to function during a fire or following an explosion. These are described in more detail in Section 6.4.
It may be helpful to consider a hierarchical approach to the identification of SCEs.
It is suggested that the SCEs (systems, equipment or functions) requiring detailed assessment be classified into three levels of criticality. These are illustrated below with respect to the explosion hazard, using the Ductility Level Blast (DLB) and Strength Level Blast (SLB) defined later in this document.
Criticality 1
Items whose failure would lead to direct impairment of the TR or emergency escape and rescue (EER) systems including the associated supporting structure.
Performance standard – These items must not fail during the DLB or SLB; ductile response of the support structure is allowed during the DLB.
Criticality 2
Items whose failure could lead to major hydrocarbon release and escalation affecting more than one module or compartment. (Indirect impact on the TR is possible through subsequent fire.)
Performance standard – These items must have no functional significance in an explosion event and these items and their supports must respond elastically under the strength level blast (SLB).
Criticality 3
Items whose failure in an explosion may result in module wide escalation, with potential for inventories outside the module contributing to a fire due to blowdown and/or pipework damage.
Performance standard – These items have no functional significance in an explosion event and must not become or generate projectiles.
3
The Lifecycle Approach to Fire and Explosion Hazard Management
3.1
Introduction
The updated Fire and Explosion Guidance proposes the use of the lifecycle approach to implement hazard management (Fig 3.1). The concept is outlined in the International Electrotechnical Commission “Guidance on Functional Safety; Safety Related Systems” (Parts 1-6). This has been broadened in scope in this document so that it both highlights opportunities for enhancing inherent safety and also addresses all safety systems. It summarises those activities which need to be carried out, the decisions which need to be taken and the optimum timing in the lifecycle. It can also be used to integrate the work of all contributors to the risk management process, including the different design disciplines, risk assessors, fire and explosion specialists, Operators and auditors. Some main feedback loops are shown but other stages may also require feedback.
3.2
The Use of the Fire and Explosion Assessment during the Installation Lifecycle
FEHM is an integral part of the SMS throughout the installation lifecycle. The lifecycle is made up of the general stages of concept selection, detail design, construction and commissioning, operation, modifications and decommissioning. These are described in Section 3.3, detailing the approximate timing and sequencing of particular activities.
FEHM is a continuous process rather than a series of discrete steps. There will be overlaps and iterations between the various stages of the design, commissioning and operation phases, with earlier decisions reviewed and revised as necessary. However, the effective use of data from the fire and explosion assessment process at the appropriate stage should reduce the need for continual changes - see Section 4.
Each numbered step of the assessment process for fires and explosions as outlined in Section 4 is linked with the relevant stage of the lifecycle. These steps are shown in Fig. 3.1 shaded in boxes 1, 5, 6, 7, 8 and 11 with the associated activity alongside. The need to revise the assessment and repeat elements of the lifecycle is identified in boxes 19 and 20. At each step of the lifecycle where critical decisions are taken, particularly box 11, these should be reviewed to ensure that all reasonably practicable risk reduction options have been considered, that the high level performance standards have been achieved and risks are ALARP.
The lifecycle approach can be applied at any stage of the installation life. With an operating field or a partially completed design, many or all of the systems will already be specified or in place and the relevant lifecycle activities will have been completed. In these cases, the steps of the assessment shown in boxes 5 to 8 and 11 should be carried out as a discrete activity so that a full picture of the fire and explosion hazardous events can be developed, before the need for any changes can be determined.
[Figure 3.1: Fire and Explosion Hazard Management - The Life Cycle. Flowchart of lifecycle steps 1 to 22 for new and existing installations, grouped under Concept selection, Conceptual and detail design, Construction and commissioning, Operation, Modification and Abandonment, with the steps of the Fire and Explosion Assessment Process marked.]
3.3
Stages of the Installation Lifecycle
The lifecycle includes a number of stages:
− concept design;
− detail design;
− commissioning;
− operation;
− modification and change;
− decommissioning.
Whenever an installation is modified or changes take place, the hazard management process should be repeated to a level of detail commensurate with the change. The hazards associated with decommissioning should, so far as reasonably practicable, be taken into account during detail design. Each of the steps shown in the process is explained as follows:
3.3.1 Individual Steps See figure 3.1.
1
IDENTIFY FIRE AND EXPLOSION HAZARDS ON DIFFERENT CONCEPTS
APPLY INHERENT SAFE DESIGN PRINCIPLES
Reference Section
4.3 Hazard Identification
5.1 Inherently Safer Design
During the review of the alternative development concepts, an identification and coarse quantification of the risks from the hazardous events should be carried out. This information should be used as part of the overall consideration for concept selection and also to optimise the layout and guide the selection of hydrocarbon processing methods for each concept.
2
SET HIGH LEVEL PERFORMANCE STANDARD
Reference Section
2.5 Performance Standards
This is the statement of the standards of the installation as a whole for the safety of personnel. At this stage, Performance Standards may also be defined for major systems such as Temporary Refuge (TR) impairment frequencies, environmental standards and targets for reducing damage to the platform. These would be relevant if the reduction of fire and explosion risks contributes to meeting these targets.
3
SELECT THE CONCEPT TAKING INTO ACCOUNT RISKS FROM ALL POSSIBLE HAZARDS INCLUDING FIRES AND EXPLOSIONS
Reference Section
4.7 Escalation Analysis
The selection process should include consideration of the risks of major accidents of the different concepts and the particular contribution from fires and explosions. Attention should be paid to the primary risk contributors and the practicality and cost of preventing, controlling or mitigating them.
4
DEFINE THE DESIGN AND OPERATIONAL REGIME - CODES, STANDARDS AND SAFETY MANAGEMENT SYSTEMS
Reference Section
6.2 System Selection
5.3 Prevention Options
This is the definition of which codes and standards will be used to design the structure, plant and equipment. These include the primary prevention measures which ensure the technical integrity of the plant. The appointment of the designer and Operator/Owner management systems, including structure and responsibilities, should also be defined.
5
CONFIRM ALL FIRE AND EXPLOSION HAZARDS ARE IDENTIFIED
OPTIMISE THE DESIGN TO IMPROVE THE INHERENT SAFETY
Reference Section
4.3 Hazard Identification
4.8 Risk Assessment
5.1 Inherently Safe Design
6.2 System Selection
This is the start of the formal assessment of the fire and explosion hazardous events. It may use the output from the conceptual selection studies as a start point. For a new design, the identification of possible hazardous events should be used to review the layout and process design so as to eliminate or reduce all hazards to meet the high level performance standards, concentrating particularly on those hazards which make the predominant contribution to the overall risks. On an existing installation, it may be possible to identify ways of reducing the risks through changes in operational practices.
6
IDENTIFY THE CAUSES OF HAZARDOUS EVENTS
VERIFY THAT THE DESIGN CODES ARE SUITABLE FOR THE HAZARDOUS EVENTS AND SELECT SPECIFIC PREVENTION METHODS
Reference Section
4.3 Hazard identification
4.4 Initiating Frequency Analysis
5.3 Prevention Options
6.2 System Selection
The assessment requires that initiating events are identified. This allows the causes to be identified and a check of the design codes and standards and SMS and operating parameters to ensure that they are suitable to address the causes and adequate to deal with their severity. Where they are found to have shortfalls, the codes and standards may be changed or enhanced. Procedural systems or operating parameters may be changed and, if necessary, new specific prevention measures may be added. This may lead to a further review of previous lifecycle steps - follow feedback loop to Step 4 as shown in Fig 3.1.
7
DETERMINE FIRE AND EXPLOSION LOADINGS
SELECT / OPTIMISE CONTROL SYSTEMS TO LIMIT THE ESCALATION OF HAZARDOUS EVENTS
Reference Section
4.5 Hazard Characterisation
6.2 System Selection
7.1 Detection Options
7.2 Control Options
The characterisation of the hazardous events identifies the size, intensity and duration of representative hazardous events and the contribution of control measures. This enables the most severe events to be identified and their control measures to be enhanced or augmented to reduce their severity. At this point those events to be used as the basis of design for mitigation systems are chosen. Particular attention should be paid to the guidance in Section 4.5.1.
8
IDENTIFY VULNERABLE PLANT, EQUIPMENT, PERSONNEL AND ROUTES TO ESCALATION
SELECT MITIGATION SYSTEMS
Reference Section
4.6 Consequence Analysis
4.7 Escalation Analysis
6.2 System Selection
7.2 Control Options
7.3 Mitigation Options
The plant and equipment which could fail when exposed to fire and explosion in the characterised events should be identified. An assessment of the likelihood and consequence of these failures determines the need for protection and, in the case of existing installations, its provision and adequacy.
9
DEFINE THE ROLE AND FUNCTIONALITY, RELIABILITY, AVAILABILITY AND SURVIVABILITY PARAMETERS FOR ENGINEERED SYSTEMS
Reference Section
6.4 Specification of a System
This applies to hardware (engineered) systems and is the definition of the overall purpose of the systems and the essential parameters to be met by the system so that it fulfils its role. The reliability and availability may need some iteration with the escalation and risk assessment in Step 11. For existing installations this may be a formalisation of the original design standards and objectives.
10
DEFINE THE ROLE, MANNING AND COMPETENCE REQUIREMENTS FOR PROCEDURAL SYSTEMS
Reference Section
6.4 Specification of a System
8. Implementation
This defines the role and the essential parameters required to be met by procedural systems. It requires confirmation that the manning and competence levels are or will be available to the extent necessary.
11
VERIFY THAT ALL HAZARDOUS EVENTS ARE ADDRESSED, SYSTEMS ARE SUITABLE AND THE HIGH LEVEL PERFORMANCE IS ACHIEVED
DEVELOP FIRE AND EXPLOSION ESCALATION ANALYSIS AND RISK ASSESSMENT
Reference Section
4.7 Escalation Analysis
4.8 Risk Assessment
This is the overall review of the fire and explosion risks and their acceptability. It formalises the escalation analysis which will have been developing as part of the assessment process. On new designs it is carried out prior to proceeding to detail design to ensure that the proposed systems are suitable for the hazardous event and will be sufficient to reduce, as far as is reasonably practicable, the risks from each hazardous event. On existing installations it is the determination of the adequacy and contribution of the safety systems provided. The cumulative risks from all major accident hazardous events should be within the high level performance standard and ALARP. This information is essential to determining if remedial measures or improvements are needed to the existing or proposed system provision. These results may lead to a review of other lifecycle steps - follow feedback loop to Steps 4, 7 or 9 as applicable, as shown in Fig. 3.1.
12
DESIGN HARDWARE TO MEET THE REQUIREMENTS
Reference Section
6.3.3 Types of systems
6.3.6 Interactions and limitations
6.4 Specifications
7.1-7.3 System Options
The design contractor and suppliers should co-operate in designing the systems and components to meet the functional parameters and the availability and reliability requirements and ensure that any interactions and also limitations are addressed.
13
PLAN FUTURE VERIFICATION
Reference Section
6.4.2.2 Maintenance, inspection
8. Implementation
The requirements for verifying that the design has been properly executed and that systems can be fully inspected and tested at appropriate intervals during their life should be determined. There is no point in specifying a performance standard which cannot be verified.
14
DEVELOP PROCEDURAL SAFETY SYSTEMS
Reference Section
6.4.1 Functional specifications
8. Implementation
This includes the provision of specific procedures to complement the generic procedures and practices associated with the SMS. On an existing installation, the existence and quality of these procedures should be assessed.
15
PROVIDE / IDENTIFY PROCEDURES AND SCHEDULES FOR OPERATION, MAINTENANCE AND TESTING
Reference Section
6.4.1 Functional specification
6.4.2 Availability and reliability
8 Implementation
This is to ensure that the systems can be properly operated and maintained and that they achieve the functional parameters. On an existing installation, it is necessary to ensure that these facilities are in place. The tasks may include:
− provision of access;
− provision of specialist test and maintenance equipment;
− preparation of effective operation, maintenance and test procedures;
− setting of maintenance and test frequencies;
− identification of training and competence requirements.
16
VERIFY THAT SYSTEMS ARE EFFECTIVE AND RELIABLE DURING COMMISSIONING AND THROUGHOUT THE INSTALLATION LIFE
Reference Section
6.4.2.2 Maintenance, inspection
8. Implementation
This is function testing which should be carried out prior to installation, during commissioning, prior to start-up, and at predetermined intervals during the system life. The function testing during commissioning will normally cover the full range of operational performance, so as to act as a base line for trouble shooting throughout the remainder of the lifecycle.
17
ENSURE PERSONNEL ARE TRAINED AND COMPETENT TO IMPLEMENT, OPERATE, MAINTAIN AND TEST SYSTEMS
Reference
OGP (formerly E&P Forum) “Guidelines for the Development and Application of Health, Safety and Environmental Management Systems” Section 3.4
This applies both to personnel training and competence for procedural systems and for the operation, maintenance and testing of engineered systems. It may be necessary to prepare training courses and schedules and to have sufficient personnel trained prior to start-up. This applies not only to regular installation personnel but also to individuals who may visit the installation to operate, maintain or test the plant. On an existing installation it may be appropriate to review the training and competence of existing personnel.
18
OPERATE AND MAINTAIN SYSTEMS TO ACHIEVE CONTINUED EFFECTIVENESS
Reference Section
8. Implementation
This requires the continued maintenance and operation of the plant so that the engineered and procedural systems continue to meet their original intent as developed during the design and initial assessment process.
19
IDENTIFY AND ASSESS ANY CHANGE, MODIFICATION OR DETERIORATION
Reference Section
4. Assessment of Fire and Explosion Hazardous Events
6.2 Systems selection
8. Implementation
During the life of the installation, changes may be considered or arise naturally through, for example, changes in the produced fluids from the reservoir. Alternatively a safety system may deteriorate so that it is unlikely to continue to achieve its intended functional performance, reliability and availability. All changes should be assessed to determine the effects on the high level performance standards and, where necessary, improvements should be considered to the systems provision.
20
REVISE THE ASSESSMENT AND SYSTEM PROVISION
Reference Section
4. Assessment of Fire and Explosion Hazardous Events
This is the update of the assessment required by a relevant significant change identified in Step 19. It may also lead to a review of the other lifecycle steps affected by the change including the hardware, procedures and documentation and to a revision of the Safety Case. Follow feedback loop to Steps 4, 7 or 9 as applicable, as shown in Fig. 3.1.
21
UPDATE ASSESSMENT AND SAFETY SYSTEM PROVISION TO ADDRESS DECOMMISSIONING HAZARDS
Reference Section
4. Assessment of Fire and Explosion Hazardous Events
6. System selection and specification
The design process should have considered likely decommissioning hazards and identified the relevant procedures or systems. These should be formally reviewed prior to decommissioning of either part or all the plant to ensure that all hazards are identified and adequately addressed. Where the existing systems or procedures are deficient, these should be addressed by following the relevant steps in the lifecycle.
22
DECOMMISSION THE PLANT USING EFFECTIVE SAFETY SYSTEMS
Reference Section
6.2 System selection and specification
The safe decommissioning of the plant and eventual abandonment of the installation may be dependent on special hardware or particular procedures. These should be in place and sufficient competent persons be available to operate and implement them.
4
The Assessment of Fire and Explosion Hazardous Events
4.1
Introduction
The assessment of fire and explosion hazardous events is the process whereby these events are identified, probabilities and consequences are determined and a judgement is made on the adequacy of the risk reduction measures. It is an iterative process which, if the arrangements to manage the hazardous events are judged to be inadequate, involves modifying them and revising the assessment. It provides critical information which should be the basis for effective FEHM.
The output of the Fire and Explosion Assessment process also provides information on the hazards and hazardous events for those responsible for safety: managers, designers and Operators. This information includes the causes, characteristics, likelihood and the means to prevent and limit the events and to protect personnel. This information is fundamental to managing the hazards and reducing risks to people from fires and explosions to ALARP. The following principles should be applied to the assessment process:
− it should start early in the conceptual design;
− it relies on a thorough hazard identification;
− it should identify all foreseeable events with the potential to cause a major accident;
− it should be continuous and recognise the need for revision of the assessment as more information becomes available and the design evolves;
− it should be used to assist in identification of prevention, control and mitigation measures;
− a representative selection of events should be analysed to encompass the range of foreseeable hazardous events;
− it should be documented to give a clear overall picture of the possible hazardous events and of the role of the safety systems in their control and mitigation.
The assessment process should be used as a design and operational tool to understand the hazards and hazardous events and to identify when prevention, control and mitigation measures can be applied to reduce the risks. The flowchart Fig. 3.1 shows where and when the assessment should provide information into the lifecycle and management process.
4.2
Timing and Detail of the Assessment
The timing and detail of the assessment will depend on the stage in the lifecycle, the level of information available at that time, and the frequency and severity of the hazardous events. Those events which result in the major risks to life will deserve the greatest attention, particularly in terms of analysing initiating frequency and consequence.
4.2.1
Timing
The lifecycle approach in Section 3 and Fig 3.1 shows where information is needed from particular steps in the assessment in order to make decisions on the need for, and performance of, risk reduction measures. The assessment progressively builds a picture of the fire and explosion hazardous events as the design develops from the feasibility studies, through concept development, selection and detail design. In practice it may be necessary to revisit a stage a number of times as a design progresses and new information becomes available, or if more detailed analysis is required to resolve a particular concern. Up-to-date results should be available and communicated to designers and Operators/Owners for consideration.
At an early stage of the conceptual design of an installation the details required for an in-depth consequence analysis may not be available. As a result, only broad scoping predictions would be undertaken with the aim of identifying those scenarios which have the potential to cause a major accident. In performing scoping calculations, it will be necessary to make a range of assumptions. These should be clearly stated, including particular assumptions about the provision and effectiveness of prevention and control systems. The major accident scenarios should then be examined in sufficient detail to verify that it would be reasonably practicable to provide systems to control and mitigate them and that the risks would be tolerable.
It may also enable the effective screening out of many events which are of low consequence or very low frequency and therefore unlikely to contribute significantly to overall risk levels. However, this will depend upon the extent of information available. It is important that apparently low consequence events are not discarded at this stage if their consequences may be underestimated as a result of limited information. It is also important that large numbers of events of low frequency are not discarded without due consideration being given to the cumulative risk which they may pose.
As the design of the installation progresses and further information becomes available, the analysis and assumptions of the critical events identified should be reviewed. This may include more sophisticated validated modelling techniques, as appropriate, and/or sensitivity analysis. Parts of the analysis may have to be repeated as the design evolves and more information becomes available. On an existing installation, the assessment should already have been carried out as part of the Safety Case. Modification should follow the lifecycle approach.
4.2.2
Detail and Accuracy
The level of detail and accuracy of an assessment is determined by the need for precise information on which to base decisions and designs. The quality of the assessment is dependent upon the identification and quality of assumptions, validation of models, availability of data, including any relevant experimental data, and the competence of those undertaking the assessment.
A simple assessment with appropriate pessimistic assumptions resulting in a conservative level of provisions may be equally appropriate in place of a refined assessment resulting in greater accuracy, to justify more targeted risk reduction measures. Such simple assessments may also be appropriate for some of the smaller relatively simple installations. The decision as to which type of assessment should be undertaken is likely to be determined by the capabilities and technical resources of the organisation undertaking the assessment as well as purely technical factors. The quality of the analysis is dependent on the following:
− the quality of the available information;
− the validity and accuracy of the analysis tools used to characterise the hazardous events and the response of the plant;
− the sensitivity and accuracy of the figures for initiating event frequency and safety system performance;
− the stage in the lifecycle.
In some cases, events will be subjected to specific assessment, particularly where their risks may be significant. In others, it may be acceptable to group smaller events together and subject them to generic assessment.
4.3
Hazard Identification
Hazard identification should commence at the early stages of a design while there is still sufficient flexibility to change the design and layout to reduce hazards by inherently safer design or to reduce their scale and impact.
4.3.1
Means of Identification
The identification of fire and explosion hazardous events is the start point for the rest of the assessment and of the whole hazard management process. It should use a structured, systematic and auditable approach which addresses both process and non-process fires and explosions and covers all parts of the installation including pipelines, risers and wells. The method employed should be a structured process, which involves a suitable combination of operations personnel, design engineers and safety specialists.
The hazard identification process should address all foreseeable fires and explosions and, in particular, those involving releases of hydrocarbons. This process should be fully documented including all of the foreseeable causes of initial release as these should be addressed when identifying the need for specific prevention measures. To structure the process, the installation may be divided into discrete areas in which hazards are identified by considering the process or utilities systems, plant, fixtures, combustible inventory, etc. within each. Potential external initiators of fires and explosions such as a helicopter crash are also important and should be considered. The information required to carry out the initial hazard identification may include the following (as available):
− Operating and maintenance philosophy;
− Plot plans and plant layouts;
− Piping and Instrumentation Diagrams (P&IDs);
− Process Flow Diagrams (PFDs);
− Equipment lists;
− Process data sheets.
Other information such as incident statistics or records may also be useful.
The materials considered during the fire and explosion hazardous event identification phase are likely to include:
− Process oil/gas/condensate;
− Process additives (e.g. methanol and tri-ethylene glycol);
− Fuels (diesel, aviation fuel, etc.) and lubricants;
− Bottled gas (e.g. propane, acetylene);
− Industrial explosives and detonators;
− Combustible material (e.g. wood, furnishings, paper, plastics);
− Laboratory and process chemicals.
In identifying hazards the parameters which define the type of hazardous event should be identified and documented. These may include:
− System pressure;
− Isolated and non-isolated inventory;
− Temperature;
− Density;
− Composition of material;
− Likely release points and their size;
− Flash point;
− Ignition sources;
− Combustible load;
− Oxidising agents.
The fire or explosion events identified will vary depending on the hazardous material involved and the conditions relevant to the particular system or inventory being considered. Typical events are:
− Pool fire (combustion of a flammable liquid pool);
− Jet fire (combustion of high pressure gas or liquid);
− Spray fire (combustion of a pressurised liquid release);
− Blowout (wellhead spray or jet fire);
− Flash fire (combustion of a flammable gas where the flame propagates at a speed insufficient to result in damaging overpressures);
− Explosion (combustion of flammable gas/vapour in which confinement and/or flame velocities are sufficient to result in damaging overpressure);
− BLEVE (rapid ignited release of flammable pressurised contents of a heated vessel resulting in blast overpressure, missile fragments and fireball) see Appendix 1;
− Cellulosic fire (fire involving material, such as wood, paper, etc.);
− Electrical equipment fire.
Users of this guidance should decide what information is relevant to their particular needs.
4.3.2 Choice of Events for Analysis
A range of hazardous events should be analysed both to provide information on which to base the design of control and mitigation systems - see Section 4.5.1 - and to support the Safety Case and PFEER. The type of events chosen for each purpose will depend on the information required. Each identified hazardous event will have a range of possible scenarios; it is not reasonable to examine every one. Therefore, representative cases should be chosen to cover the range of foreseeable events. For example, a pipework leak source might range from that of a poorly fitted flange gasket through to a full bore rupture. The most important are those foreseeable events where the initial release and ignition characteristics are likely to cause the most extensive damage and the greatest risks to personnel. In the case of fires, there needs to be sufficient inventory to burn for long enough to cause failure of equipment or structure. Personnel and delicate equipment may be injured or damaged after a short fire exposure. Steelwork should survive for several minutes under the worst case conditions, but protected or equipment exposed only to thermal radiation may survive for considerable periods. The range of events considered should cover the larger ones which may cause extensive damage to the installation and those smaller events which could cause local damage leading to escalation. In selecting the events, due regard should also be taken of the likely causes of initial failure, the design features of the plant and the resultant size, shape, arrangement and location of the failures.
4.4 Initiating Frequency Analysis
The initiating frequency estimate is derived from the causes of incidents and should be used to identify both generic and specific prevention measures. The relative importance of initiating events should be evaluated from their severity and expected frequency of occurrence; i.e. risk. This may initially be obtained from historical UKCS data (or more specific data if available), modified where necessary to take account of any particular considerations for the installation which may affect the likelihood or frequency. The probability of ignition and detection of a hazardous event should also be taken into account. As the design develops, the engineering specifications used, the provision of prevention measures, the Operator/Owner safety culture and SMS should endeavour to reduce these initial estimates. In the case of flammable release events, the release frequency may be estimated by counting all relevant system components which could give rise to a flammable release within a specified area, and multiplying by failure rate data appropriate to the type, standard or design, use and operating conditions. It may be appropriate under some particular circumstances to examine the sequence of events which may lead to a failure. Techniques such as Fault Tree Analysis may be used to estimate the frequency of these events.
4.5 Characterisation of Fire and Explosion Hazardous Events
This is the quantification of the characteristics of the particular fire and explosion events which are chosen for analysis. It provides information to identify which plant and personnel are exposed and to judge the effects of exposure. It is also required as an input to the preparation of the emergency response plan. The estimate of the initial size, severity and duration of fire and explosion events requires different levels of analysis depending on their perceived importance. A range of representative scenarios should be considered in detail with justification given for the choice. The information available from this part of the analysis may include:
For Fires:
− Type (hydrocarbon, jet, pool, spray, and cellulosic)
− Size (diameter, flame length, spread, shape and volume)
− Severity (emissive power, engulfment heat flux, remote heat flux levels, smoke concentration/toxicity)
− Location (the location and direction of the release, location and spread of pool fires, direction of flame spread, shape and size of flame extension into other areas and the outside of the platform).
− Duration
− Variation with time (the change in the above characteristics with time; for example, due to a reduction in release pressure).
For Explosions:
− Type (confined explosions, high flame speed explosions, chemical explosions)
− Size (extent of flammable gas cloud)
− Severity (maximum overpressure, impulse pressure pulse rise time, both within and outside gas cloud)
− Location (location of flammable gas cloud and the pattern severity and extent of the overpressure and impulses both within the module and beyond).
Both the initiating event and those stages of an escalating event when further hydrocarbons are likely to be released should be characterised. For initiating events, it is necessary to clearly define the parameters listed below such that the resultant event can be analysed with the appropriate accuracy and realism.
For escalating events, more general assumptions may need to be made where, for example, further multiple releases and safety system failures may occur following an explosion or structural weakening. It may also be necessary to characterise the initiating events taking account of the failure of a safety system, such as emergency isolation, where that failure could lead to a significant increase in the consequences.
In carrying out the analysis, the following parameters should be taken into account:
- Installation and process parameters:
  − location;
  − inventory;
  − type and composition of the fuel;
  − type and rate of release;
  − ventilation;
  − obstacles and boundaries;
  − ignition sources;
  − wind direction and strength.
- Control and detection measures and their response time where appropriate:
  − Emergency Shut Down (ESD);
  − depressurisation;
  − drainage and bunding;
  − electrical isolation;
  − fire and gas detection.
The stage in the lifecycle will dictate the level of analysis required. This may range from simple empirical correlations and engineering judgement to sophisticated modelling. The more complex and detailed methods of analysis will take time and require a very high level of design definition. Therefore their use as a tool to develop and refine the early stages of design is limited. The characterisation analysis will identify the most severe events and the analysis process can be used to enhance the effectiveness of the control measures listed above in limiting the size, scale and intensity of the fires and explosions.
The results should be presented so that they clearly convey a realistic picture of the anticipated hazardous events, and their potential for escalation. This is particularly important for the preparation of an appropriate emergency response plan and the development of an awareness of the possible hazardous events on the installation.
4.5.1 Design Fire and Explosion Loadings
Selection of the representative design accident events. One of the most important decisions taken in the hazard management process is the selection of hazardous events from which the concept of an upper bound, or envelope, of conditions on which the design of control and mitigating systems are based. The analysis of these events will give the loading parameters for fires and for explosions as listed in Section 4.5. Alternatively the design could be based on standard criteria with the loads from the actual design events being checked at a later stage and compared to the design load. The characteristics of these loadings need to be defined in sufficient detail so that protection systems can be designed to match them. With a new design, the escalation analysis is also important in the selection of the design accident events, together with the perception of the extent and severity of the escalation. As the analysis proceeds, a picture of the range of initiating scenarios and escalating events throughout the platform will emerge. From this overview, it should be possible to select the design events based on the practicality of preventing larger initial events and stopping the escalation of smaller events to those of an extreme magnitude. In particular, a designer would need to consider the following when identifying a design event:
− the scale of the incident relative to the installation size;
− the options for reducing the frequency of an incident so that the resulting risk is ALARP;
− the practicality of controlling and mitigating the event.
4.6 Consequence Analysis
The purpose of the consequence analysis is to identify which plant, structure, safety systems and personnel are exposed to the initial and escalating events described in Section 4.5 and to assess the likely effects and failures.
4.6.1 Personnel Exposure
Personnel may be directly exposed to an initiating event or to subsequent escalation. The assessment should attempt to quantify the numbers of people involved at each stage and the effects of exposure. These effects may include an inability to escape to the TR, a reduced ability to respond to the emergency, serious injury and death. These results would be collated to determine the risk to personnel from fires and explosions as input to the overall risk assessment for the installation.
In addressing the exposure, the following groups of personnel should be considered:
− those working in the area of the initiating event;
− those working in adjacent areas which may be affected by the initiating event;
− those who may be exposed as they attempt to reach the TR;
− those within the TR, at muster areas or while evacuating who may be exposed to the effects of the escalating incident;
− those who may be exposed while carrying out their emergency response duties, e.g. control room personnel, emergency teams.
This information can be used to assess and where necessary modify escape routes and operating philosophies so that the exposure of personnel is reduced. The need for mitigating measures can also be reviewed.
4.6.2 Plant, Structure and Safety System Exposure
An assessment of plant exposed to fire and explosion hazardous events should be carried out to determine if it would fail and lead to:
− loss of further inventory from vessels, storage tanks or pipework;
− spread of fire (e.g. within the accommodation);
− penetration of fire or blast walls allowing the passage of overpressure or flame;
− catastrophic rupture or failure;
− loss of or damage to safety systems required to control the incident;
− loss or damage to mitigation systems, or impairment of evacuation and escape systems;
− impairment of the TR, including the effects of smoke and heat;
− loss of structural support leading to any of the above or progressive collapse.
In assessing the likelihood and manner in which these failures could occur, the following should be considered, the:
− likely exposure of the equipment;
− extent and intensity of that exposure;
− duration of the exposure;
− time to failure;
− inherent resistance of the equipment;
− exposure of any critical elements which could cause an overall failure;
− defined failure criteria of the plant or structure - see Sections 7.2.7 and 6.4.1.9;
− protection systems.
The time to failure should be assessed as it may significantly affect the consequences; for example, gas plant may have already depressurised or a safety system may have fulfilled its role. The time of escalation is also important in predicting the development of the incident.
4.6.3 Safety System Vulnerability
The purpose of this study is to identify and assess the vulnerability of those hazard management systems which may be needed during or after a particular hazardous event where that event might impair them. This may be used to define any protection to meet their survivability criteria - see Section 6.4.3. It may be appropriate to review the safety systems as part of a vulnerability study which examines their exposure to all hazardous events. Such a review may start either with the hazardous events as described above or with the systems. The latter requires a full examination of all the hazardous events to which they may be exposed, the importance of that system to control these hazardous events and the likelihood and consequence of its failure. Particular attention should be paid to complex systems which are spread and interconnected throughout the platform. The effects of the failure of localised components on the overall performance should be considered. In particular, the following should be examined:
− hydraulic systems;
− electric cabling;
− control panels, logic, relays and electronic systems;
− piping, e.g. firewater ringmain, vent headers/flare lines;
− field devices;
− engines, fuel systems, cooling and combustion air supplies;
− Heating Ventilation and Air Conditioning (HVAC);
− power supplies.
It is probable that in some cases only part of a system may be exposed and incapacitated. In such cases, the need to take action to reinstate the remainder of the system (such as closing of firewater ringmain isolation valves) and the practicality and likelihood of doing so in an emergency should be identified and assessed. The performance of the remainder of the system should then be assessed. The output of the analysis is primarily an awareness of any vulnerability by both Operators/Owners and designers. This allows measures and procedures to be prepared to address this situation. It also allows the vulnerable component to be eliminated (if offering no real contribution to the system performance), moved to a safer location or protected so that it can survive until it has completed its function. Alternatively, duplicated components or systems located in different areas may be considered such that the simultaneous loss of both would be unlikely. However, care should be taken to ensure that the overall vulnerability of the system is not increased by exposing a greater number of components to a wider range of hazardous events. Duplication should be considered only if it adds significantly to the overall availability or realistic survivability of the system such that it is able to deliver its required functional performance - see Sections 6.4.2.5 and 6.4.3. Further guidance on the types of emergency systems which may be required during or following an incident is included in the UKOOA Guidelines on the Management of Emergency Response for Offshore Installations.
4.7 Escalation Analysis
In addition to the effects of an initial fire or explosion it is important that a structured approach is taken to determine whether and how an event can escalate to endanger personnel. It is also the means to identify all the subsequent failures which would have to occur before personnel are put at risk. The primary objectives of the escalation analysis are to:
− identify mechanisms whereby an initial event may escalate to impinge on key systems or facilities, e.g. the TR and/or evacuation and escape facilities;
− identify where control or mitigating measures could be used to prevent, delay or reduce escalation or protect life;
− identify the combination of measures needed to deal with each major hazardous event and to provide an input to the development of associated performance standards;
− evaluate the effects on the installation safety systems at each stage of escalation and how this may affect subsequent escalation;
− evaluate the probability and hence the frequency of each escalation path which affects the key facilities or systems such as the TR and Escape, Evacuation and Rescue (EER) facilities and the time duration from the initial event.
This may be carried out as an event tree analysis. This can show the sequence of failures which need to occur to result in a particular level of consequence and give designers and Operator/Owner the opportunity to add to or enhance the safety systems to break the sequence of events. Experience has shown that often only a relatively small number of escalating scenarios contribute significantly to the major accident risk on an installation. Therefore the escalation analysis is an important aspect of hazard assessment and risk management. It is important that the location, frequency, timing and duration of different scenarios previously established are fully considered so that mechanisms and routes by which a fire or explosion could escalate to cause ‘critical failure’ can be identified. This involves identifying those critical components or systems which, if they fail, have significant consequences regarding:
− threat to life;
− environmental damage;
− loss of assets (plant/production).
Input data from the previous steps of the assessment include:
− the location and description of the initial event especially its size, severity, duration and frequency;
− the means by which the initial event may escalate and, at each escalation stage, the corresponding probability and time to escalation;
− the effects of the events on the installation including the safety systems at each stage of escalation and how this affects subsequent event progression;
− the contribution of safety systems to reducing the consequences and the probability of their successful operation;
− the effects on the key facilities or systems such as the TR and EER facilities in terms of impairment, time to impairment and impairment frequency;
− the fatality levels associated with each scenario.
In assessing the contribution of safety systems, the characteristics of each stage of the event should be considered if it is possible that systems may fail to operate successfully or could be damaged. Such systems may include:
− emergency shutdown;
− blowdown;
− active/passive fire protection;
− detection systems;
− communications (internal and external);
− essential control and instrumentation;
− essential power supplies;
− drainage;
− overpressure protection;
− active/passive explosion protection.
It may also be necessary to consider the actions and decisions of key personnel, in particular the OIM, in responding to an escalating situation. The decision to move personnel to different parts of the installation, to abandon the installation, to fight the fire, etc. and the time at which these decisions are made can have major implications. The need to take particular decisions should be reflected in the preparation of the Emergency Response Plan and in the provision of communication and evacuation systems. The ability to take decisions may be affected by smoke, heat and the scale of the incident. This should be taken into account, particularly if the TR and control centre are affected.
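The parts-count release frequency estimate of Section 4.4 and the event tree of Section 4.7 can be worked through together, as in the following Python example, which is added here and is not part of the UKOOA guidance. The component counts, leak frequencies, branch probabilities, consequence rules and the assumption that branches are independent are all constructed for illustration; only the 10⁻³ per year TR impairment threshold comes from the guidance (Section 4.8).

```python
import math
from itertools import product

# Constructed parts count for one process area (Section 4.4 approach).
COMPONENT_COUNTS = {"flange": 120, "valve": 45, "pump": 2, "instrument_fitting": 60}
# Constructed leak frequencies per component-year; a real study would start
# from historical UKCS data adjusted for the installation.
LEAK_FREQ_PER_YEAR = {"flange": 5e-5, "valve": 1e-4, "pump": 2e-3,
                      "instrument_fitting": 3e-4}

# Event tree nodes: (name, probability of the adverse branch). Constructed
# values; branches are assumed independent, which a real study must justify.
EVENT_TREE = [
    ("ignition", 0.05),
    ("detection_fails", 0.02),
    ("esd_fails", 0.03),
    ("fire_protection_fails", 0.10),
]

# Per year, the intolerable TR impairment frequency quoted in Section 4.8.
# It applies to the total from all hazards, so one area's contribution
# has to be summed with the others before the comparison is final.
TR_IMPAIRMENT_LIMIT = 1e-3


def release_frequency(counts, rates):
    """Parts count: sum of (number of components x leak frequency)."""
    missing = sorted(set(counts) - set(rates))
    if missing:
        raise KeyError(f"no failure rate data for: {missing}")
    return sum(n * rates[kind] for kind, n in counts.items())


def classify(branch):
    """Map one combination of branch outcomes to a consequence level."""
    if not branch["ignition"]:
        return "unignited release"
    isolation_lost = branch["detection_fails"] or branch["esd_fails"]
    if not isolation_lost:
        return "controlled fire"
    if branch["fire_protection_fails"]:
        return "TR impaired"
    return "prolonged fire, escalation delayed"


def escalation_paths(initiating_freq, tree):
    """Enumerate every path through the tree with its frequency per year."""
    names = [name for name, _ in tree]
    paths = []
    for outcome in product((True, False), repeat=len(tree)):
        prob = math.prod(p if adverse else 1.0 - p
                         for (_, p), adverse in zip(tree, outcome))
        branch = dict(zip(names, outcome))
        paths.append({"branch": branch, "outcome": classify(branch),
                      "frequency": initiating_freq * prob})
    # Highest-frequency paths first, so the dominant contributors are visible.
    return sorted(paths, key=lambda p: p["frequency"], reverse=True)


def outcome_frequencies(paths):
    """Sum path frequencies by consequence level."""
    totals = {}
    for path in paths:
        totals[path["outcome"]] = totals.get(path["outcome"], 0.0) + path["frequency"]
    return totals


def assess():
    """Return (release frequency, frequency per outcome, below-limit flag)."""
    f0 = release_frequency(COMPONENT_COUNTS, LEAK_FREQ_PER_YEAR)
    totals = outcome_frequencies(escalation_paths(f0, EVENT_TREE))
    return f0, totals, totals["TR impaired"] < TR_IMPAIRMENT_LIMIT


if __name__ == "__main__":
    f0, totals, below_limit = assess()
    print(f"release frequency: {f0:.4g} per year")
    for outcome, freq in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"  {outcome:36s} {freq:.3e} per year")
    print("TR impairment contribution below 1e-3 per year:", below_limit)
```

Changing one branch probability and re-running shows which safety system most affects the TR impairment frequency, which is the use the guidance describes for breaking the sequence of events.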
4.8 Risk Assessment
The collation of the risks from each of the possible major accidents from fires and explosions should be integrated into the installation Safety Case risk assessment. This will assist the judgement of the adequacy of the high level performance standards and their achievement. An accepted level above which the overall risk is considered intolerable is an individual risk of greater than 10⁻³ per year or a TR impairment frequency of greater than 10⁻³ per year. The overall individual risk from all hazards must be less than this value. If risks are in the intolerable region then risk reduction measures must be implemented, irrespective of cost. Hence the risk from other hazards may indirectly affect the acceptability of risk from explosions and these may need to be considered in setting the target risk levels for the explosion hazard. In addition, installation screening is recommended to enable resources and time to be focussed where it is most appropriate when little detailed information is available for the specific hazards on the installation. It is also a useful exercise at the early stages of a project in order to focus attention on the safety issues at a time when the most benefit may be gained at the least cost.
The task consists of classifying the installation and its compartments into Low, Medium or High risk categories to determine the level of explosion assessment required. The complexity of the process in the compartment is taken as an important measure in the screening exercise. In this context, risk is defined as a measure of the product of the consequence and probability of an incident (estimated from the previous sections); an example might be an ignited release giving rise to a significant overpressure greater than 50 millibar.
Risk equals the product of Probability (or Likelihood) and Consequence (or Severity)
Likelihood is a more appropriate term in this context where a qualitative assessment is being performed; the terms probability and frequency imply that numerical values are available. Therefore, successful installation screening is achieved by early consideration of the vulnerability of the installation and the likelihood of an explosion event.
5 Inherent Safety and Prevention
The concept of inherently safer design refers to an approach to design in which hazards are ‘designed out’ at source. The primary means of prevention are the use of appropriate standards for design and operation, the optimisation of the layout for safety and the quality standards applied to design, construction and operation.
5.1 Inherently Safer Design and Process/Layout Optimisation Options
The greatest opportunities to reduce risks are during the initial hazard identification stage during the conceptual design phase. Once into detail design there may be limited scope to apply hazard avoidance (as opposed to prevention) methods. Adoption of the following principles where possible will reduce hazards:
- use less hazardous materials (substitution);
- use simpler process systems (simplification);
- reduce the inventory of hazardous materials on the installations (intensification);
- use hazardous materials at lower temperature and/or pressure, or use inert materials to dilute hazardous ones (attenuation).
Facilities designed on this basis can be described as intrinsically or inherently safer. The extraction and processing of hydrocarbons inevitably involves some hazards. Consideration of inherently safer design and process/layout optimisation may include the following but it must be recognised that the design will also depend very largely on economic criteria:
- choice of the concept; single or multiple jacket, floating production etc.;
- choice of the operating philosophy; pre-drilling wells, manning, etc.;
- reduction of hazardous inventories;
- reduction of process pressures and temperatures;
- minimisation of High Pressure/Low Pressure (HP/LP) interfaces;
- use of non flammable or low flammability materials;
- minimisation of the number of processing operations carried out on the installation;
- selection of simpler processes;
- reduction of particular causes of failure (e.g. dropped loads onto equipment);
- control or avoidance of simultaneous hazardous operations;
- physical separation of major components containing hydrocarbons (e.g. risers, wells, separators);
- location of the TR remote from major hydrocarbon inventories, in particular wellheads, risers;
- reduction of congestion in process areas;
- reduction of external confinement and congestion of gas process areas;
- siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in well ventilated areas and away from large inventories;
- location of risers to avoid supply boat impacts.
Further guidance on inherently safer design is given in HSE Report “Inherently Safer Design”.
5.2 Design, Quality and Maintenance
The likelihood of hydrocarbon release which could lead to a fire or explosion will depend, amongst other factors, on the quality of the design, the components, the construction of the plant and its maintenance/operation. The principles outlined for safety systems in Sections 6.4.2.1 and 6.4.2.2 also apply to process and other plant and should be used to eliminate or minimise the possibility of hydrocarbon release. The principles for the reduction of complexity and improving operability in Section 6.4.2.7 should also be used/applied to reduce the number of possible leak points and the likelihood of operator error.
5.3 Prevention Options
Prevention in the context of an installation means avoiding uncontrolled releases of hydrocarbons and/or the accumulation of explosive atmospheres and avoiding fires and explosions from other sources, e.g. electrical fires and fires in the accommodation. As the risk from fires and explosions offshore is often dominated by releases of hydrocarbons, then the prevention of such releases represents the starting point followed by the consideration of preventing (or controlling) ignition. Effective prevention of hazardous events is dependent on aspects of the SMS, i.e.:
- the use of appropriate design codes and standards, and
- the implementation of good operating practice.
Prevention measures may be either engineered or procedural and may be specifically applied to a particular hazard or item of plant or generically applied throughout the installation.
Note: In this guidance, measures to prevent ignition are considered as preventive measures although it is possible to regard them as control measures - see Section 7.2.
5.3.1 Prevent Release (Maintain Equipment Integrity)
The primary prevention measure on plant containing hydrocarbon is the prevention of the unplanned release of inflammable liquids and gases under all circumstances including commissioning, operation, shutdown, maintenance and decommissioning. All foreseeable causes of failure should be identified and a combination of engineered and operational systems put in place to seek to avoid each cause. The likely causes of failure can be identified by a formal hazard identification process such as HAZID - see Section 4.3.1 - which could consider aspects such as:
− mechanical overload/overstressing (external loadings including environmental);
− overpressure (internal overloading);
− internal corrosion/erosion;
− external corrosion/erosion;
− construction defect;
− fire;
− explosion;
− impact (including dropped objects);
− breaches of containment due to human error;
− isolation failure;
− decommissioning, in particular hazards associated with purging, breaches of containment or permanent isolation systems.
Most causes of failure will be addressed by the use of established codes and standards for the design and protection of process plant. However, it may be necessary to verify that these are appropriate for all the identified likely causes of failure. This verification may be achieved by the use of a formal Hazard and Operability Study (HAZOP) during design with an update on completion. Compliance with the chosen standards should be verified during construction and planned inspection throughout the life of the installation.
Typical prevention measures include:
− the integrity of hydrocarbon plant; including piping, vessels, pumps, compressors, etc. and supporting structures;
− reduction of possible release points, e.g. use of welded joints and non invasive instruments;
− overpressurisation protection systems;
− process control and shutdown systems;
− material selection, corrosion allowances, inspection and protection;
− impact decks and control of heavy lifts;
− breach of containment controls;
− isolation valves, systems and procedures and associated competence of personnel;
− interlocks;
− controls on shipping;
− operational procedures.
These prevention measures can impinge on all engineering and operation disciplines and this highlights the need for a fully integrated approach to hazard management. The need to provide measures to maintain integrity during maintenance and decommissioning of the installation should be considered at the design stage. These may include provision for:
− draining down of vessels and the entire hydrocarbon containing system;
− isolation, decontamination, purging and removal of pipeline risers and piping;
− draining, decontamination and removal of oil storage tanks;
− suspension or abandonment of wells;
− inert gas or flushing systems.
5.3.2 Ignition Prevention
The aim is to prevent the ignition and sustained combustion of solid, liquid and gaseous fuels. This includes reduction of ignition sources and the selection of materials that are less likely to be ignited or sustain combustion. The selection of materials and specification of appropriately classed equipment falls within the design remit but operational controls are needed to ensure that the selected approach is implemented throughout the operational life of the installation. The generic means of preventing ignition of minor releases of hydrocarbons is the classification of areas according to the probability, type and potential size of a release, the provision of suitable equipment in these areas, (Reference I.P. Model Code of Safe Practice Part 15 Area Classification Code for Petroleum Installations) the control of other sources of ignition and the specification of materials which are difficult to ignite or do not sustain combustion. Further reduction of ignition probabilities may be achieved as follows:
− avoid any unnecessary electrical equipment in the area;
− use suitably designed and approved electrical equipment for the classification of the area;
− maximise the distance of any source of ignition from possible sources of release;
− shutdown selected equipment on detection of gas;
− control hot work and spark potential activities;
− use non flammable or low flammability material;
− avoid fired heaters in proximity to hazardous areas;
− avoid processing hydrocarbons near their auto ignition temperature;
− control of hot surfaces;
− ensure adequate ventilation in the areas - see Section 5.6.3;
− prevent gas ingress into internal combustion engines and non hazardous areas.
5.3.3 Reduction of a Flammable Atmosphere
The reduction of the likelihood of the formation and the size of a flammable gas cloud will both reduce the possibility of ignition and any consequent explosion overpressure or fireball. The following should be considered:
− locate hazardous plant in the open air;
Issue 2, October 2003
45
UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management
46
−
minimise congestion and ‘dead areas’ around likely leak sources;
−
optimise natural or mechanical ventilation;
−
reduce the distance from potential leak sources to the open air;
−
control of the size of process areas.
6 Selection and Specification of Systems for Fire and Explosion Detection, Control and Mitigation
6.1 Principles
Detection, control and mitigation systems should be selected and specified according to the following principles:
i) The assessment of fires and explosions should be used to determine the need for a system.
ii) Each system should have a clearly defined role.
iii) Systems should be selected and specified to provide an appropriate balance between prevention, detection, control and mitigation.
iv) Systems should be resourced with regard to the risks from the particular hazardous event being addressed and their role and importance in reducing that risk.
v) Mitigation systems should be specified after taking into account the contribution from the detection and control measures in reducing the extent and duration of the hazardous event.
vi) Systems should preferably be specified in terms of functional parameters, reliability, availability and survivability.
vii) Systems should be capable of being operated, maintained, inspected and verified on the installation. The design should therefore take these needs into consideration.
viii) Systems should be selected and specified after appropriate consultation with those responsible for their use and operation.
ix) Systems which may introduce a new hazard, exacerbate an existing one or impair the performance of another system should be avoided or the interaction should be addressed. These drawbacks must not offset the risk reduction provided by the system, i.e. there should be a significant overall benefit.
6.2 Selection and Specification Overview
The purpose of this section is to assist those responsible for the selection and specification of detection, control and mitigation systems to select an appropriate combination of measures. The arrangements selected to manage each identified hazardous event should be such that the risks to persons are reduced to a tolerable level and to ALARP. There are a number of options in the categories listed below. The provision of some systems may eliminate the need for others in the same or different categories. The quality of some systems will affect the need for, and standard of others.
In addition to the prevention measures discussed in Section 5, the categories are:
- detection and alarm measures to alert personnel and, where appropriate, to actuate systems;
- control measures to limit the scale of an event and avoid escalation to a major accident;
- mitigation measures to minimise undesirable consequences of a major accident;
- emergency response and manual intervention.
Systems should be chosen with a full understanding of the likely hazardous events, their means of escalation and the realistic expectation of the capability of the systems. The fire and explosion assessment process described in Section 4 can be used to identify where different systems may make a contribution and, by examining the frequency and eventual consequences, the need for, and performance standards of the system.
The provision and quality of the prevention and avoidance measures may influence the frequency of occurrence of an initial event. The consequences of this event will be determined by the provision and effectiveness of the control systems. The provision of mitigation systems will limit the consequences of escalation. Detection systems may be used to initiate prevention, control and mitigation systems. The combined performance of each of these systems will determine the overall risks to life. The provision and performance of systems should be such that these risks are tolerable and reduced to ALARP.
The selection process should follow Fig. 3.1. The system options are discussed in detail in Section 7. Evacuation, escape and rescue (EER) are dealt with in UKOOA Guidelines on the Management of Emergency Response for Offshore Installations.
Each category may have both engineered and operational systems and may be either specifically designed for a particular hazardous event or a generically applied measure such as a code or procedure.
The selection of an appropriate combination of measures in a new design will require the interaction of both designers and the Operator/Owner so that the relative contribution from, and dependence on, procedural measures and engineered systems is fully assessed and understood by all involved.
In the case of existing installations, all the measures should already be in place but the relative dependence on engineered systems and operational measures should be understood by those responsible for the systems and for the overall safe operation.
Factors to be taken into account in the selection and specification of systems include:
- severity of the eventual consequences;
- frequency and severity of the initiating events;
- the functional role of the system and the suitability of that system for the fulfilment of that role;
- applicability to the circumstances in which they will be used;
- timescale and potential for escalation of an initial event to a major accident;
- limitations that the systems may place on operations and vice versa;
- hazards which may be introduced by the systems themselves;
- requirements for, and practicality of maintenance, inspection and testing;
- capital and maintenance costs;
- availability, suitability and applicability of alternative systems;
- performance of the combination of systems in meeting the risk criteria;
- any adverse effect that the system may have on hazards or other safety systems.
Table 6.1 can be used as a suitable consistent method for describing systems to aid their appropriate selection and specification. The Table can be developed for individual systems so that there is a common "language" between designers, operators, Operators/Owners, vendors, auditors, etc. Each of the topics in the table is discussed in the remainder of this chapter.
Table 6.1: System Selection and Specification
SYSTEM: Title of Hazard Management System
ROLE: Statement of purpose (6.3.2)
Suitability (6.3.3): A statement of the hazardous events for which the system may be suitable.
Applicability (6.3.4): A statement of the application, location and types of equipment for which using the system may be appropriate.
Types/Variations (6.3.5): The different types or variations available of the particular system.
Interactions/Limitations (6.3.6): Details of possible interactions resulting from the use of the system. The interactions could be with plant, personnel or other safety systems. A listing of any limitations of the system.
SPECIFICATION PARAMETERS
Functionality (6.4.1): A listing of essential parameters relevant to functional capability which should be considered when specifying the system to fulfil its identified role.
Reliability/Availability (6.4.2): The overall reliability/availability requirement.
Survivability (6.4.3): The parameters relating to hazardous events which the system may have to withstand or be considered when designing or specifying the system.
6.3 Selection of Systems
The selection of safety systems from the range available will depend on the stage in the installation life cycle. Refer to Section 3 for guidance on the timing and sequencing of the selection.
For an existing installation, the safety systems will already be in place. The assessment carried out under the Safety Case will have identified those particular systems which are important with regard to reduction of the risk from identified hazardous events and judged their adequacy. It is advisable, initially, to concentrate any improvements on procedural measures to prevent the occurrence or reduce the frequency and, thereafter, to consider if further engineered systems are still required following the hierarchy listed in Section 2.3 and Section 6.2.
When an installation is modified, the principles of inherent safety should be applied. Thereafter the provision of systems should be examined to determine if they are adequate to address any new or changed hazardous events. The generic systems, design codes and procedures would normally be the same as those already in place unless they are no longer recognised as good industry practice. Any new systems should be chosen in line with the hierarchy in Sections 2.3 and 6.2.
6.3.1 The Definition of a System
The extent of a system should be described so that its role and performance can be defined. This may range from an overall system such as an active fire protection system to a discrete part such as a deluge system. These may either have a direct role in counteracting a particular hazardous event such as preventing rupture of a vessel or a support role for these systems such as firewater supply or fire and gas detection.
6.3.2 The Role of a System
The role of a system should be clearly defined by providing a statement of what the system is intended to achieve. A system may be required for more than one hazardous event and may also have more than one role, (e.g. a deluge system can reduce oil burn rate, or prevent catastrophic rupture of a pressure vessel under certain fire conditions). It should be clear how the system relates to its role in managing each particular event.
6.3.3 The Suitability of a System
The systems chosen should be suitable for the role which they have to perform. If a system is required to detect, control, mitigate or survive a fire or explosion, it should be specified so that it is suitable for the range of hazardous events for which it is to be used. These are identified in the assessment of fires and explosions and it is important that they should be considered, as appropriate, for the system. In specifying a system, it may be appropriate to specify either the type of fire or explosion, the release and combustion conditions or particular characteristics such as:
For Fires:
− flame temperature;
− heat flux;
− flame velocity;
− type and concentration of products of combustion.
For Explosions:
− overpressure;
− pressure profile;
− drag force;
− missile velocity or energy.
Where practical, the system suitability should be verified by representative testing. Care should be taken when extrapolating results or basing a design on a purely theoretical analysis.
6.3.4 The Applicability of a System
Each system should be designed to ensure it can be installed, maintained and tested effectively taking into account the working environment, access and site conditions. It should not introduce undue maintenance and repair requirements such that either the system will have limited availability or require disproportionate resources on the installation to maintain it. It should not seriously inhibit the day to day activities on the installation. A system should normally be capable of fulfilling the role for the anticipated life of the installation providing that the designated inspection, maintenance and repair requirements are carried out. If this is not practical, or cannot be guaranteed, it should have a predetermined lifespan at the end of which it should either be replaced or fully assessed to determine the extension of that lifespan.
6.3.5 Types and Variations
There is a large variety of systems ranging from those operating on fundamentally different principles to subtle variations between different manufacturers. For example, there are a number of types of passive fire protection systems including demountable panels and spray applied systems and there are variations within these different options. The choice of a particular type of system should primarily be based on the list of parameters in Section 6.2 for selecting the system. These parameters should be assessed for the full lifecycle of the system taking into account the effects of the environment and site conditions. In considering the applicability, the ability to operate, maintain and repair it should be given equal consideration to the initial cost and ease of installation. Systems should, where possible, be simple and robust to enhance their long term effectiveness.
6.3.6 Interaction and Limitations
System interactions are those characteristics of a system which may:
− introduce a new hazard;
− increase the frequency or consequence of an existing hazardous event;
− reduce the effectiveness or reliability of another safety system.
These should be identified and, where necessary, either an alternative safety system selected or measures put in place to address the interactions. Interactions include:
− increased direct risk to personnel operating, maintaining or testing the system;
− increased numbers of leak points and breaches of containment due to the addition and testing of process safety systems;
− increased explosion overpressures due to the obstruction caused by it or ladders / walkways / scaffolding needed for its inspection, maintenance or operation;
− corrosion caused by the system; for example due to deluge system testing or increased by passive fire protection;
− corrosion due to increased saline exposure resulting from free ventilation and open venting to reduce explosions;
− increased probability of ignition for example due to deluge water ingress to electrical systems;
− limitations on inspection, maintenance and non-destructive testing of plant, equipment or structure as a result of passive fire protection materials or enclosures;
− deterioration of passive fire protection systems caused by repeated removal for inspection of the protected plant;
− increased explosion overpressure caused by firewalls;
− reduced ventilation caused by firewalls;
− projectiles created by safety systems such as vent panels.
6.4 Specification of a System
Systems should be specified by identifying the critical parameters which define their ability to fulfil the role and the likelihood of success. These parameters have been divided into three groups: functionality, availability/reliability and survivability. Different parameters will be required for different systems. In some cases numerical values may be appropriate and in others they may be described qualitatively.
The designer and Operator/Owner must determine the performance standards for the system. There is a balance between the extent of risk reduction and what is reasonably practical in terms of cost and manning. Over specification of systems should normally be avoided as this may misdirect expenditure and apply disproportionate resources to particular hazardous events or particular safety systems. It may also introduce overcomplexity and detract from the system’s reliability.
6.4.1 Functional Parameters
These are the parameters which define whether or not a system will fulfil its role and its effectiveness. A list of parameters is given in Sections 6.4.1.1 to 6.4.1.9. Each system should be examined to identify which of these parameters are needed to define functional specification. These may then be used as the basis of design, for initial verification that the identified role is fulfilled and for continued verification during the life of the installation. They represent the minimum acceptable performance standard to be achieved during routine testing. Failure to achieve this performance would require remedial action or justification.
6.4.1.1 Fire or Explosion Type and Characteristics
It may be appropriate to define either a particular hazard condition or a characteristic as described in Section 6.3.3, whichever is more suitable for system specification or verification. It may also be necessary to define a maximum fire size or explosion overpressure (for protection) or a minimum fire/gas cloud size (for detection) in accordance with the design accident loadings or boundary. Where a system has to detect, extinguish, suppress or protect against one or more particular hazardous event, it should be specified so that it is effective for all these events.
6.4.1.2 Coverage
This is a definition of the equipment or areas to which the system is applied. It may be a list of equipment, a discrete part of the installation or a part of a module.
6.4.1.3 Response Time
The response time should be considered for all active systems which are required to respond to emergency or hazardous events. The time should be taken from the start of the event until full functional performance is achieved. It is not necessary to set response times for the individual components as it is the system response which is important. However, individual component responses may be useful as an aid to system confirmation through component test. The time taken to detect an event should also be taken into account in determining the system’s overall response time.
6.4.1.4 Duration
Duration is the length of time during which a system is required to operate to fulfil its role until the hazardous event is adequately reduced or persons moved to a place of safety.
6.4.1.5 Logic
Logic is the sequential activation of parts of a system to cause it to operate in accordance with its role. As well as ensuring actions it can also prevent actions until certain others have taken place.
6.4.1.6 Sensitivity/Preset Values
Systems which are required to operate at a particular level should have this value defined, together with the acceptable limit of tolerance. This can apply to preventive measures which alarm or operate when equipment or process characteristics deviate from their design or operating specification and to detection systems which alarm and possibly actuate control and mitigation systems.
6.4.1.7 Flow/Application Rates/Concentration
This applies to active systems where a minimum or maximum flow, application rate or concentration is required to fulfil the defined role. It should be clear whether or not it includes an allowance for losses during the application of the fluid, for example, loss of deluge water due to thermal effects, or losses after application such as gaseous extinguishing agent leakage from an enclosure.
6.4.1.8 Environmental Conditions
It may be necessary to specify the range of environmental conditions such as air velocity, temperature, humidity, visibility or contaminants in which a system is required to operate.
6.4.1.9 Failure Criteria
Where a system is provided to prevent a failure, this may have to be defined by a particular characteristic. This may also be associated with duration, as the role may be achieved so long as failure does not occur within a specified time. Examples include a limiting structural steel temperature in a fire, or impairment criteria within a TR which may be defined as a limiting combination of heat, asphyxiant and toxic gases.
6.4.2 Availability and Reliability
It may be necessary to define the likelihood that a system will operate and fulfil its role whenever required to do so.
The need to specify this criterion for a particular system should be determined during the assessment of the fires and explosions and by the required risk reduction from the system. Systems provided to protect against those hazardous events which make the greatest contribution to the total risk level will generally need a high reliability or availability to ensure that they perform the necessary functions when required to do so.
Where there is a heavy dependence on a single safety system to reduce the risks from a particular major accident, it may be appropriate to consider duplication of the system to reduce the likelihood of failure on demand.
This criterion can be developed in three ways:
i) By identifying the required probability of success of a system in order to achieve a given level of risk reduction. Based on this, the system can be specified and designed to achieve the required probability of success. This approach is generally only relevant when new systems are to be provided.
ii) By reviewing the design of an existing system and assessing the probability of successful operation. This approach is most relevant to existing installations.
iii) By applying a generic classification such that the systems are ranked in accordance with industry practice, standards, codes or by internal company standards.
The ranking of systems may be variously described as System Integrity Levels, Criticality Ratings or Safety System Categorisation. One approach is given in Appendix 2. These ranking systems should ensure an expected probability of success by predefining the parameters given below. It has the advantage that it can clearly identify the most critical safety systems on the installation so that due attention can be paid to them. It can also demonstrate the relative importance of different types of safety systems. It is used to apply a standardised approach for design, construction and operation to systems in the same category avoiding the need for individual assessment of each system. It has the disadvantage that it is well developed for some types of system - e.g. Instrumented Protection Systems but not for all the prevention, control and mitigation systems. Applying a ranking system to one group of systems in isolation should be treated with care to avoid over specification or over concentration on these systems. Whichever approach is chosen the following parameters should be defined or assessed:
6.4.2.1 Design and Build Quality
The long term reliability of the system will be reflected in the quality of the components, sub systems and in the design.
The components should be suitable for long term exposure to the environmental and operating conditions either through their design, material qualities or their protective coatings or enclosures. They should have a proven reliability which may be demonstrated by appropriate representative inspection and testing during design and manufacture. The design should integrate the components into an effective system which achieves its functional performance standard throughout its life. There should be clear design responsibility for the whole system where components and sub systems are sourced from different suppliers and different parties carry out parts of the design. All parties involved in the design should be competent and have a clear understanding of the purpose and functional requirement of the whole system. Systems should not be over complex or enhanced with features which are not essential to the fulfilment of the role. Adequate integrated operating and maintenance information about the whole systems should be provided for the operator in order to overcome failures due to lack of understanding. The whole system should be commissioned and subject to full representative testing of the functional parameters to verify that it fulfils its role and will continue to do so throughout its life providing it is maintained and tested to a given schedule.
6.4.2.2 Maintenance, Inspection and Testing
All safety systems should be inspected, tested and maintained to a particular standard at predetermined intervals by competent personnel. These intervals will be determined by the required probability that the equipment will not have an unrevealed fault (e.g. would not start or continue to operate when required). These intervals and standards should be determined after taking into account the required reliability or the criticality of the system, historical information on the likelihood of failure, known causes of failure and the environmental conditions.
6.4.2.3 Non-Availability (Downtime)
Systems may not be available because of maintenance, testing, repair, breakdown or impairment while other unrelated activities are being carried out. They may also be partially impaired during some activities such that the functional parameters may not be fully achieved; for example a system may be switched to manual from automatic thereby extending its response time or scaffolding may limit the coverage of deluge and optical fire detection systems.
There should be clearly defined limits for the periods when a system may be out of commission. In some cases, it may be appropriate to have duplicate systems or to shutdown or curtail hazardous operations whenever a system is not available. In others, it may be appropriate to set a maximum continuous period when a system may be disabled or a maximum cumulative downtime over a given period such as a year. It may be appropriate to set controls on hazardous activities in areas covered by the safety systems which are not available, or to have contingency measures to provide alternative cover. In the circumstances where the functional performance of the system may be impaired by activities in the area, such limitations should be identified and assessed. Where necessary, controls on hazardous activities or contingency measures should be considered.
6.4.2.4 Actuation
The method of actuation of a system may influence the probability that it will operate. It may be automatic (e.g. from a fire and gas detection or process instrumentation signal) or manual (e.g. a remote operation from a control room or an external walkway or local to the equipment such as a valve handle).
With automatic systems, the probability will depend on the reliability of the detection and of the interface logic and systems between it and the system. Where practical, full functional actuation tests should be carried out between detectors and the system. Where this is not practical, representative tests of all the links and the logic of the system should be undertaken.
For manual action the probability will depend on: the availability and capability of personnel at the time of the initial event, the reasonable expectation of their performance in an emergency, other duties which they may have to perform and accessibility to the actuation point in the emergency. Where such actions are critical, they should be documented in emergency procedures, competent personnel specifically assigned to the task and the actions simulated in exercises.
6.4.2.5 Duplication
Duplication will normally only need to be considered for those systems where it may not be acceptable to continue operations when a system or part of it is disabled. It may also be considered where part of the system is damaged in a fire or explosion - see Section 4.6. Duplication is likely to add significantly to the system cost and it may also add to the vulnerability and complexity of the system. It should only be used where the reliability and availability of a single simple system is not sufficient to achieve the required risk reduction.
In some cases, a system may have a variable demand, for example, firewater supply. With multiple pumps, there may be effective duplication for smaller incidents but the total capacity may be needed for larger events. In these cases, this should be fully documented and, where necessary, analysed, to ensure that the systems can deliver the required functional performance for the different events and provide adequate availability and reliability for the frequency of the particular events.
6.4.2.6 Diversity
Diversity is the provision of different types of components such that they are not vulnerable to similar failure mechanisms. This would overcome any common mode failure associated with one manufacturer, design or maintenance activities. Diversity would normally only be considered if there was a total dependence on one system to prevent a major accident and a very high reliability was required from that system.
6.4.2.7 Over Complexity/Operability
The overall reliability of a system may be impaired if the level of complexity raises the numbers of components that can fail or makes it difficult to operate and maintain. Any reduction in reliability through the addition of system features or enhancements should be identified and, where necessary, justified. It may be necessary for designers to consult with the Operators/Owners to determine an appropriate balance between dependence on complex engineered systems and on installation personnel. Where complex systems are provided, documentation should be sufficient to enable them to be operated and maintained effectively.
6.4.2.8 False Alarms/Spurious
Systems which are subject to false alarms or spurious operations due to their oversensitivity, poor design or response to normal installation activities are likely to lose the trust of the Operators. As a result they are more likely to be locked out and have reduced availability. Designers should seek to overcome this by taking account of all foreseeable operation and maintenance activities. Systems should be operable under these conditions where practicable. Where such problems become apparent during operations, alternative arrangements should be considered to reduce risks.
6.4.3 Survivability
The exposure of parts of control or mitigation systems to a hazardous event is identified by the assessment process, see Sections 4.5 to 4.7. The need for that system to survive the event should be determined by examining the likelihood of the system failing and the frequency and consequence of the escalation without its contribution. Safety systems such as ballast control systems on a floating installation should also be considered. Survival is important only where that system is specifically needed to counteract the hazardous event which causes its failure or to preserve life during and after the event. Protection may be achieved in four ways:
i) by re-locating the system so that it is not exposed to the hazardous event;
ii) by constructing the system so that it has sufficient inherent resistance to withstand the event;
iii) by shielding the system with fire or explosion protection;
iv) by providing redundant components which are widely separated so that sufficient parts of the system remain operable.
In a new design, systems should be positioned following an assessment of the hazardous events so that exposure can be reduced. Where a system is duplicated, it may be necessary to locate duplicated components or sub systems in different areas with alternative routings for distribution systems such as cabling and firewater systems. Duplication will only increase survivability if failure of the duplicated component does not cause total system failure or the damage can be effectively isolated and the system reinstated during the emergency. The latter requires a method of determining the location and extent of the damage, access and availability of competent personnel. Those persons responsible for emergency response should confirm that it would be practicable to reinstate the system during an emergency - see Section 4.6. Where protection is provided, the characteristics and severity of the event should be defined and the system or enclosure designed to withstand it.
7 Guidance on Systems for the Detection, Control and Mitigation of Fires and Explosions
7.1 Detection Options
Detection measures can be used to identify hazardous conditions on the plant such as excess process pressure, an unignited release of flammable gas or a fire. Detection should provide information to personnel to enable them to identify and, to a limited extent, assess the nature and magnitude of the hazardous event. This enables control or mitigation measures and emergency response to be initiated. This section does not address the detection of incipient hazardous conditions such as corrosion. This is addressed in Section 5.
The need for detection systems is identified in the assessment process and also by the need for particular systems to be actuated. Detection systems may range from visual inspection only, to a fully automatic system which integrates into the installation emergency shutdown system. The degree of sophistication and sensitivity will depend on the likelihood of the occurrence and the consequences of it either remaining undetected or there being a delay in detection. Particular attention should be paid to the selection of a system with respect to the conditions and characteristics of the hazardous event (Section 6.3.3) and the environmental and operating conditions in the area.
The following parameters should be determined when specifying the system: coverage (Section 6.4.1.2), response time (Section 6.4.1.3) and sensitivity (Section 6.4.1.6). Where control action may be initiated, the logic should also be specified. The following detection options may be considered for the particular roles.
7.1.1 Process Monitoring
This will identify deviations outside the normal operating envelope which, if allowed to continue or deteriorate, could cause failure of the hydrocarbon containment system. It may include detection of pressure, temperature, level or composition. In using this updated Fire and Explosion Guidance, the results of the fire and explosion assessment process should be used to determine the demand rate of the system. Further guidance will be given in UKOOA Guidance for Instrument Based Safety Systems (to be published in 1995).
7.1.2 Fire Detection
The fire detection systems should be suitable for the identified fire types and their combustion characteristics. The following types of detection may be considered.
7.1.2.1 Optical Flame Detectors
These may be of either the ultraviolet or infra-red type or a combination. In selecting, specifying, locating and maintaining the system, attention should be paid to the following:
− nature of the fire type and combustion characteristics;
− location and size of fires which require detection;
− obscuration by equipment and temporary obstruction;
− obscuration/effectiveness in smoke;
− reduction of performance e.g. with dirty lenses;
− the ability to perform representative function testing on site;
− false alarms e.g. those due to welding, hot surfaces, sun or flaring (both direct and reflected);
− the need for, and control over, lockouts;
− the detection of fires outside the area resulting in other control actions, e.g. deluge actuation due to flame extension from adjacent modules.
7.1.2.2 Heat Detection
These may be either point or linear detectors and operate on electrical, pneumatic or hydraulic systems. They can be used to actuate control systems directly through loss of pneumatic or hydraulic pressure, or by electrical contacts. In selecting, specifying and locating the system, attention should be paid to the following points:
− the location of the primary fire sources;
− the location of the detectors with respect to the size of fire which requires detection;
− the movement of the flames and hot combustion products taking account of ceilings, obstructions and ventilation;
− the required actuation temperature.
7.1.2.3 Smoke detection
Smoke detection may use point optical or ionisation sensors or it may assess the obscuration of a beam. It can give early warning of the incipient stages of a fire. The following points should be considered in selecting a system:
− the type and quantity of the products of combustion (POC) emission from the identified fires;
− the suitability and sensitivity of the detector to that type of smoke or POC;
− the alarm level, taking into account the associated levels of other potentially more dangerous products of combustion such as carbon monoxide;
− the likely time to detection and the response time, taking into account the time to impair personnel or the TR;
− the ventilation regime and the associated movement of smoke or POC. (Note: the design codes used should be appropriate and take into account any forced ventilation.)
7.1.3 Gas Detection
Gas detection systems commonly employ point and beam type detectors which use the infra-red absorption or catalytic sensor principle. Other technologies are required for certain hazards, e.g. electrochemical, semiconductor sensors for hydrogen sulphide. Point detectors are normally deployed in congested areas of plant or in air intake ducts. Beam detectors are most usefully employed to monitor the open spaces around congested plant, where the main air flows will carry a plume of released gas. They may also be used in large ducts. The following points should be considered when selecting, specifying, operating and maintaining these systems:
− the location of possible releases;
− the type of gas;
− the shape, movement and extent of the resultant gas cloud taking into account ventilation systems and obstructions;
− the consequences of ignition of the foreseeable range of gas clouds;
− the sensitivity of the system; the size, concentration (if appropriate) and location of the gas clouds;
− the effects of dust, chemicals and the environmental conditions on the effective life of the sensor (this is particularly important for catalytic gas and H2S detectors);
− obscuration of the detectors (beam type);
− effects of contaminants on lenses and reflectors (beam type);
− limitation of the local air flow, e.g. by temporary enclosures (point types);
− over-sensitivity (beam type).
7.1.4 Flammable Liquid Release
There are few systems which have been specifically designed for this purpose. However, there may be a number of measures which may indicate that an unintended release of hydrocarbons has occurred. These include:
− low level alarm in process vessels and storage tanks;
− high level alarms in the open drain systems;
− oil mist detection;
− seal leakage alarms in double seal pumps;
− visual inspection.
7.2 Control Options
Control measures are the means of planned intervention to contain a developing situation and hence limit escalation. This includes systems which prevent fires or explosions from spreading to other areas, causing further significant release of hydrocarbons or increasing the fire load. The specification of such active and passive fire protection measures is covered under mitigation systems. Specific control options are listed in Sections 7.2.1 to 7.2.7. For active control measures, process and/or fire and gas detection systems are also required to activate these systems either manually or automatically. The control systems can limit the following:
− quantity of inventory released;
− rate of release and size of the fire;
− intensity of the fire or explosion;
− spread and burn rate of a fire.
These systems offer greatest scope for limiting the size and scale of an incident. This is preferable to accepting the size of an event and providing an excess amount of protection to mitigate its effects. During quantification of the characteristics of the fires and explosions, the effects or contribution of each of these systems would normally be taken into account. The escalation analysis should indicate the scale and consequence of the events if these systems do not work. The difference is the contribution of the particular system. These systems are normally included in the design and specified according to standard codes such as API RP 14C or API RP 520. However, these codes only take into account a nominal consideration of the hazardous events before defining the system requirements and this provision may be optimised to further reduce risks.
The particular contribution of each system is as follows:
7.2.1 Emergency Shut Down (ESD) Systems
An effective ESD system will limit the inventory released in an incident and therefore the size and duration of any resulting fire. The location of the ESD valves will determine the areas where each particular inventory could be released.
7.2.2 Depressurisation Systems
These systems reduce the pressure within a system and in doing so dispose of a portion of the inventory and, if the integrity of the system has failed, reduce the release rate of the remainder. In the case of pressurised liquid releases this reduces the fire intensity by causing spray fires to change into running or pool fires. These may be controlled by bunding and drainage systems and possibly even be extinguished. It is important that the flare system design should take into account emergency depressurisation events and recognise that its failure could lead to a release of all the gaseous inventories from a failed section. Gas and fire detection systems covering areas containing primarily flare system components such as liquid knockout vessels should not cause automatic depressurisation on detection.
7.2.3 Liquid Inventory Disposal
These systems are not in common use offshore but they are a means to be considered in seeking to limit the available inventory. Disposal to the sea has significant environmental implications which need to be carefully considered and taken into account. Disposal to a safe reservoir may be considered. Any such system should take into account any dissolved gases in the liquid to be dumped. Inventory disposal should not normally be considered unless the benefits significantly outweigh the inherent hazards and vulnerability of the collection, disposal and recovery system.
7.2.4 Bunding and Drainage Systems
Bunding and drainage limit the size of a liquid release and the location and size of a pool fire. The extent of bunding should take account of any liquid trajectory from the points of release. Bunding drains should be capable of collecting and disposing of all or most of the hydrocarbon release and the applied firewater.
7.2.5 Well Control Systems
These can reduce and control the likelihood, rate and location of release of fluids from a well. They include Christmas trees, downhole safety valves, blowout preventers, mud systems and diverters.
7.2.6 Explosion Control
Explosion control may include the following:
− limitation of the size of the flammable gas cloud - see Section 5.3;
− design of layout and obstructions;
− blast relief vent panels;
− blast resistant walls;
− reduction of potential flame propagation distances through congested volumes;
− suppression systems.
In addition the need to control escalation should be considered. The considerations for these systems include:
7.2.6.1 Layout and Obstruction
The layout of a module should be designed to reduce the maximum over-pressure which could be achieved. Detailed guidance is given in the SCI Interim Guidance Notes but the following points should be considered:
− arrange ventilation to reduce the likely build-up of the most probable releases;
− reduce number of ignition sources;
− keep ignition sources near to the ventilation openings;
− reduce congestion;
− where possible, align equipment and vessels parallel to the direction of venting;
− minimise obstructions across openings in the module boundaries both during design and operation;
− maximise venting capability, where possible, particularly in floors and ceilings by, for example, using grating (See Section 7.2.6.3);
− restrict module aspect ratios.
7.2.6.2 Blast Resistant Walls
These should be designed to withstand a specified explosion overpressure and blast pulse. The following should be considered when specifying blast walls or assessing the adequacy of existing walls:
− deflection of the wall;
− effects on and of equipment on the other side, particularly items supported on the wall;
− continued effectiveness of any passive fire protection;
− method and extent of failure (missiles, etc.);
− integrity of penetrations such as doors, pipes and cables;
− transfer of load to the primary structure.
7.2.6.3 Vent Areas
These are designated openings through which the explosion can vent. They may be open or covered by specially designed vent panels or normal cladding. These can limit the maximum overpressure and ensure preferential venting in a particular direction. A range of panel types are available including those with fire ratings from both sides, and reclosable, retained and free types. In specifying such a system, the following points should be considered:
− the relationship between the mass of the panel and its ability to efficiently vent an overpressure within the timescale of the pressure pulse;
− the initial breakout load of any panel or cladding;
− verification of the breakout load throughout the life of the panel;
− the effects of venting through openings or panels on other areas such as escape routes;
− the maintenance of a clear vent path on the outside;
− the external effects of the flame front progressing through any unburnt gas which is ejected through the vent;
− the effect of the vent on the gas flow and flame propagation direction.
7.2.6.4 Preactivated Suppression Systems
These are suppression systems which are activated on detection of gas and maintained while the gas is present. They can include inerting gas systems, chemicals which interfere with the combustion process and water spray systems. The following should be considered in specifying such systems:
− the concentration required and distribution of the agent;
− the rate of flammable gas build-up and the speed of response of the gas detection and suppression system;
− the maintenance of an effective concentration during the period of gas release and dispersion;
− possible increased risk of ignition caused by the system, for example by static discharge or a water system causing an electrical short circuit;
− the likely explosion characteristics (low/high velocity) and the suitability of the system for those characteristics;
− the speed of response to achieve effective coverage.
7.2.6.5 Reactive Suppression System
These are suppression systems which are released following sensing of an explosion characteristic such as flash or pressure pulse. The detectors of these systems are often highly sensitive and may be susceptible to accidental activation. This could be overcome by pre-arming them with a signal from the gas detection system. The following should be considered when designing or assessing a system:
− the speed of detection of a gas release;
− the sensitivity of detectors taking into account the unpredictability of the point of ignition and its obstruction by plant or temporary equipment;
− the speed of response from detection to effective agent distribution (this must be greater than the flame/pressure front);
− the explosion characteristics and flame propagation velocity;
− continued protection following suppression and continuing gas release.
7.2.6.6 Design to Prevent Escalation
This covers both structural integrity as described in Section 7.2.7, and the integrity of the hydrocarbon containing plant. Where explosions could cause failure of vessels, valves, piping or instruments which may lead to a further major hydrocarbon release, their effects should be reduced or, alternatively where reasonably practicable, structures and plant reinforced or protected to withstand the loadings. The following points may be considered in addition to those suggested in Section 5:
− the location of instruments, piping and ESD valve actuators away from explosion vent paths;
− the adequacy of pipe and vessel supports;
− the securing of pressure vessels so that the fixed end support points towards the explosion source thereby seeking to avoid the rotation of the vessel around the fixed end support.
7.2.7 Structural Integrity
The maintenance of the integrity of the structure can reduce the escalation described in Sections 4.6.2 and 4.7. This may be for either direct support, such as that providing stability or for plant which may collapse on to or against equipment. Particular failures which should be addressed include:
− loss of integrity leading to a major or continuous hydrocarbon release, e.g. riser, well, fuel storage, separator and flare system;
− loss of support of large structures, e.g. derrick and flare;
− loss of support of the TR;
− loss of support of safety system components.
Strategies to maintain structural integrity in the event of fire and explosion include:
− limiting the exposure of critical structural components to fire and explosion conditions (e.g. by suitable location);
− physical protection (e.g. by active means such as water deluge or passive means such as insulation);
− provision of inherent strength such that the resultant deformation when exposed to the design fire and explosion loadings is unlikely to lead to escalation;
− provision of sufficient overall reserve strength so that even though an identified structure fails it should not result in escalation.
The following should be considered when determining or assessing the level of structural integrity:
− failure criteria such as steel temperature, deflection (both elastic and plastic) and the remaining strength at the anticipated temperatures;
− verification of the initial build strength;
− inspection to determine any deviation from the original strength.
It may be necessary to evaluate the response of the structure to fire and explosion events to determine where failures may occur and which strategy(s) to adopt. The following points should be considered:
− the potential for failures to lead to escalation;
− the overall structural response to larger hazardous events;
− the actual exposure to fires and explosions taking into account obstruction and realistic combustion conditions;
− the effect of protection systems;
− overall and local loads, e.g. direct loads on blast walls and blast reaction forces on modules and topsides, including loads arising from thermal expansion, changes of stiffness and any redistribution of externally applied or internally transmitted loads;
− dynamic response, both local and global. This is most likely to result from explosions, but could also result from localised structural failure and rapid load re-distributions;
− the combined effects of other loads, having regard to the likelihood of concurrence.
7.3 Mitigation Options
This Section discusses the choice and specification of systems to protect personnel and equipment from a range of fires and explosions. For the purposes of this document, it includes all fire protection systems including those to control escalation by protecting plant. Explosion protection is covered under Section 7.2.6. The equipment and structure which could be exposed for long enough to cause impairment or failure is identified in the consequence analysis - Section 4.6. This analysis also identifies the type of fire or explosion and the loadings. Systems should be selected on the basis of suitability for each hazardous event and applicability to the operational conditions taking due account of interactions with other plant and systems; see particularly Sections 6.3.3, 6.3.4 and 6.3.6.
7.3.1 Active Fire Protection
These are systems which require to be activated in order to perform their roles to extinguish or limit the effects of fires and explosions. The roles of commonly used systems are listed below together with specific points which should be considered during their specification, design, operation and maintenance.
7.3.1.1 Fire Pumps and Distribution of Fire
The role of the fire pumps and distribution system is to supply sufficient water to the various systems and outlets to allow them to perform their role. The functional parameters will be flow, pressure, response time and duration. These will be derived from the range of hazardous events and different demands for each one. In some cases, it may be necessary to carry out a “scenario analysis” for a selection of the larger hazardous events where a combination of demands may be required. These demands will determine the flow and pressure envelope for the pumps and ringmain, and the response time and duration parameters. For example, a small flow with a rapid response but limited duration may be required for a helideck foam system whereas a large flow with slower response and prolonged delivery may be needed for a major process fire.
7.3.1.2 Water Deluge Systems
Water deluge systems may have a range of roles in fires (see Section 7.2.6 regarding explosions), including:
− the protection of structural integrity;
− the protection of hydrocarbon plant to prevent further release of hydrocarbons;
− the reduction of the burn rate of hydrocarbon pool fires;
− the reduction of flame and module temperatures;
− the extinguishment of heavy oil pool fires by emulsification;
− the control of the movement of smoke and flame (water curtains);
− the reduction of radiation;
− the prevention of catastrophic rupture including BLEVE.
The system should be suitable for its intended role. In the case of existing systems, the effectiveness of the system in achieving the identified roles should be reviewed. The following factors should be considered:
− the suitability for the fire type and its characteristics;
− the effectiveness in the anticipated conditions, e.g. wind;
− the coverage of the plant and the location of the nozzles with respect to it - see Section 6.4.1.2;
− the droplet size, velocity and effective application rate - see Section 6.4.1.7;
− the safe drainage of the water and any associated hydrocarbon liquid.
Standard design codes, application rates and parameters should be checked to ensure their suitability for the hazardous events and chosen role. The method of actuation should be appropriate for the likelihood and severity of the hazardous event - see Section 6.4.2.4.
7.3.1.3 Foam Systems
Foam may be used either as an extinguishing or vapour suppression system. A deluge system may be enhanced by adding foam concentrate to improve the probability of extinguishment or to further reduce the burn rate in pool fires. Aspirated foam can also prevent ignition of an oil spill, suppress vapours and secure a flammable liquid following extinguishment. The design of the system should reflect the chosen roles and address the following:
− the effective coverage, spread and application rate with respect to the anticipated location of the liquid hydrocarbons;
− the type of foam, application rate, aspiration and concentration with respect to the fuel type;
− the life of the foam (water retention and drainage);
− the duration of application.
7.3.1.4 Helideck Systems
The need for a fixed extinguishing system will be determined by the number of flights, the likelihood of a crash and the practicality of providing an effective system given an installation infrastructure (water supplies) and anticipated manning. The primary role of the helideck system is to save the lives of the passengers in a crashed aircraft. In doing so, the helideck crew should not be unnecessarily exposed to aircraft activity and crash debris. If a system is specified, the most common is the use of foam monitors. The particular points in Sections 7.3.1.3 and 7.3.1.7 should be considered in addition to the following:
− the speed of control and extinguishment compared with the survival time of the occupants of the aircraft;
− security following extinguishment (the maintenance of an effective foam blanket) and during rescue of trapped personnel.
More detailed guidance can be found in the UKOOA Guidelines on the Management of Helideck Operations and the Civil Aviation Authority Guidelines CAP 437 - Offshore Helicopters Landing Areas: A Guide to Criteria, Recommended Minimum Standards and Best Practice.
7.3.1.5 Sprinklers
Sprinklers can be used for accommodation, office/utility or storage areas. They are unlikely to have adequate response to protect personnel from the immediate effects of an initial incident but can be used to prevent escalation and to limit damage. In selecting a system the following should be considered:
− the suitability for the types of fire which may occur and the choice of the appropriate design code;
− the location of the sprinkler heads/detectors to ensure actuation by the heat plume from the anticipated fires;
− the effective coverage of the hazardous events;
− the restriction of coverage onto particular unsuitable types of fires (deep fat fryers, etc.).
7.3.1.6 Fixed Extinguishing
Fixed extinguishing systems (in addition to sprinklers, foam and deluge) include gaseous agents, dry powder and water mist systems. Systems should be selected according to the following:
− the suitability for the types of fire;
− their effectiveness in the particular environment and ventilation conditions;
− their ability to maintain post extinguishing security, particularly if a gaseous explosion may occur;
− the safety of personnel.
Halons should not be specified on new installations; see OGP (formerly E&P Forum) Guidance on Halon Free Fire Protection. Where such a system already exists, see UKOOA Guidelines on Halon Firefighting Equipment and Systems, and UKOOA Guidelines on Halon Utilisation, Removal and Disposal.
Recent developments in extinguishing systems should be carefully scrutinised to ensure their suitability and applicability. Where there are no recognised approval or design standards, the effectiveness should be demonstrated by representative testing.
7.3.1.7 Manual Response
This may be appropriate for the majority of smaller fires. It requires a combination of sufficient suitable equipment and competent personnel. The following equipment may be considered:
− extinguishers;
− hose reels;
− fixed and portable monitors;
− hydrants, hoses, water and foam branch-pipes.
In specifying and arranging the equipment, the following should be considered:
− its location in a safe position with respect to the hazardous event so as to organize an effective response;
− training and leadership of specialist emergency response personnel;
− the safety of emergency response personnel including the provision of sufficient appropriate clothing and breathing apparatus.
While most of these arrangements have limited capacity with respect to the size of fires, fixed monitors may have a role in larger incidents such as the control of smoke movement or blowouts. They can also be effective in open areas such as the top deck and used to perform or support some of the roles of deluge systems. They should be carefully located, taking into account the effects of smoke and radiant heat, when considering Operator access. Aspects of manual response should also be addressed in the preparation of the emergency response plan. This may include the provision of trained personnel with breathing equipment for search and rescue and the assistance with evacuation in fire conditions. See UKOOA Guidelines on the Management of Emergency Response for Offshore Installations.
7.3.2 Passive Fire Protection
Passive fire protection can be used to limit the effects of a fire, to prevent escalation through critical failures as identified in Section 4.6 or to mitigate the effects on personnel. Careful consideration must be given to any potential reduction in safety due to increased hidden corrosion as a result of coatings or lagging. The following may be protected:
− the TR;
− structural steelwork;
− process vessels and their supports;
− walls;
− valves and actuators;
− risers;
− safety systems and plant.
There is a range of available systems including spray or trowel applied coatings, panels, tiles and enclosures. They should be selected and specified by considering:
− their suitability for the fire type;
− duration of the protection in the specified fire;
− failure criteria of the protected item;
− practicality of their application and repair;
− operability and inspection of the protected item;
− corrosion of the protected item;
− resistance to wear and tear;
− the ability to remain effective following explosions;
− their anticipated life.
8
Implementation And Verification The essential information from the FEHM process must be communicated to operations personnel. This enables responsibilities to be identified, competency assessed and the safety systems maintained and tested to verify tat they meet their functional, availability, reliability and survivability performance standards. The use of the word verification in this guidance does not imply the application of the scheme of verification developed for the Design and Construction Regulations / Safety Case Regulations.
8.1
Communication There must be adequate communication and documentation from each stage of a project to the next so that the hazard management decisions are understood, recorded and auditable. One way of achieving this is by summarising the key information about the management of the fire and explosion hazardous events on the installation. Such a summary may be incorporated into the documentation for the management of hazardous events on the installation. An example is given in Table 8.1; the format and layout should be developed to suit individual company needs.
8.1.1 Preparation of a Summary of the FEHM Process
Any summary should contain, in a brief and concise manner, sufficient information to demonstrate that all major hazardous events relating to the installation have been identified and considered and appropriate measures put in place to prevent, control and mitigate potential consequences. It should include a listing of the primary fire and explosion hazardous events (e.g. separator fire). For each of these major hazardous events, the information may include:
− a description of the hazardous events, an indication of their likelihood and their consequences;
− a list of the prevention, control and mitigation measures for the particular hazardous events;
− reference to operational management (personnel) systems, e.g. permit to work, needed to manage the hazardous event.
The summary should be a living document which in its simplest form may be a compilation of tables similar to Table 8.1 within this section. It should convey information to all those who are responsible for operations, in a form which is concise and easily read.
The preparation of summary information should commence at the design stage when the major hazardous events are identified. As the project progresses, other hazardous events may be identified, strategies selected and protective measures specified. The summary information may need to be amended as new information becomes available. The summary should also be included in the Safety Case. Any summary information document should be periodically reviewed and updated whenever there is a significant change.
Table 8.1: Example from Hazard Management Summary
Column headings: HAZARDOUS EVENT; FREQUENCY; DAMAGE; ESCALATION; STRATEGY; HAZARD MANAGEMENT SYSTEM (PREVENTION, CONTROL, MITIGATION)
Cell entries:
Blast resistance of
structure, walls and
Limit the use of temporary
obstruction e.g. scaffolding
High vent area, limit congestion
procedures
Optimise natural ventilation
Standard hydrocarbon plant
Remote
Structural damage to
utilities fire wall
Minimise
overpressure
Main Deck;
Process Area
separator supports
Emergency response
Not appropriate
Minimise/assess effects of any
permanent modification
inlet gas detection to initiate
Electrical isolation within
ventilation S/D
Control of modifications TR
bringing gas release points
closer to TR/utilities
TR/utilities
Hydrocarbon plant
Vapour cloud
explosion
Further release from
HP & LP Separator
Depressurisation system
applied to gas/live oil plant
within 30m of TR/utilities
Standard hydrocarbon plant
flare structure
F&G Detection
ESD/depressurisation/F&G
lockouts
Control of heavy lifts
procedures
Occasional
Possible missiles Improbable
procedures
ESD system
procedures and controls
Passive protection to
Loss or damage to
TR or utilities
Prevent ingress
and ignition
Isolate,
Gas ingress to
TR/utilities
Top Deck;
Death or injury of
occupants
Low possibility of
compressor gas jet depressurise structural weakening
and allow to
fire
burn out.
Personnel to
shelter in TR
i) The format and layout of Table 8.1 is an example similar to one already in use. Each organisation should develop a specific format and content suitable for their own needs.
ii) The company SMS would identify and define responsibilities for specific hazard management activities.
iii) The table could be expanded to include the role; an indication of the importance (criticality) of each system; emergency response actions; escalation potential; contribution to risk, etc. However the document should not contain so much information that it is unmanageable.
iv) Refer to Table A.2.1 in Appendix II for indications of frequency. These may be variable depending on the size of the incident.
8.1.2 Operational Documentation
The following should be documented for the prevention, control and mitigation measures, both hardware and software (as appropriate):
− specification criteria:
  − functionality
  − availability
  − reliability
  − interactions with other equipment
  − survivability
  − criticality;
− controls and limitations on operations during maintenance or non availability of the hazard management systems;
− documentation of software/procedural measures;
− maintenance procedures and frequencies;
− inspection and test procedures/intervals.
8.2 Competence
Personnel should have adequate qualifications, knowledge, experience and training to undertake their responsibilities. These include:
− managers;
− designers;
− those who control and implement procedural systems;
− those responsible for operation, maintenance and test of engineered systems.
Changes in the personnel or procedures should be reviewed to ensure that there are sufficient competent personnel to continue to meet the responsibilities. The requirements for competence are outlined in the OGP (formerly E&P Forum) Guidelines on “Health, Safety and Environmental Management Systems”, Section 3.4.
8.3 Commissioning and Routine Testing
All systems should have a commissioning and operational plan encompassing the inspection and test programme. This should be developed by the designers in conjunction with the Operator/Owner (or by Operator/Owner alone in the case of an existing installation) in the light of the required role and specification parameters of the system. The maintenance and testing requirements and frequencies should be determined from Section 6.4.2.2.
Commissioning testing should be carried out, not only to verify that individual system components meet the specification, but also that the performance of the system is achieved. This includes the training of personnel in the inspection and maintenance, and the use of systems in an emergency.
With new or novel technologies, particularly on critical systems, an enhanced inspection/test programme may be needed during its early life to identify unexpected loss of performance or failure. The minimum functional criteria should be the level at which repair or change-out is required.
8.4 Audit
Audit of the systems provided is advisable. This may be achieved either through a specific audit of the management system, maintenance/training/test records etc.; an individual examination of selected elements; or by the use of independent/competent personnel to routinely verify all of the systems. Independent audit personnel may be provided by the Operator/Owner or from an external organisation. If they are employed by the Operator/Owner they should be independent of the line management for the installation being audited. See “A Guide to the Offshore Installations (Safety Case) Regulations 1992”.
8.5 Modifications
Any modifications to the installation either through an engineering change or a change in the management system may affect the fire/explosion hazardous events on the installation or the ability to prevent, control and mitigate them. The Operator/Owner should review these proposed modifications to determine whether or not the systems provision should be revised. Where revision is necessary the hazard management process as described (Fig. 3.1) should be followed. The degree of modification and change will determine the re-entry point in the hazard management process. In some cases only a minor alteration to the performance of a mitigation system may be needed, in others such as a process modification, it may be necessary to start at the beginning and review several design concepts.
9 Special features for the Assessment of Existing Installations
In the UK sector of the North Sea, it is a requirement (SCR) that significant changes to an installation or its operation will necessitate the Safety Case being updated and in turn requiring a re-assessment including the consideration of explosion hazards. Even if an installation has not been modified or its use has not been changed, a reassessment is required every three years when the Safety Case is updated (triennial submission). Existing mobile installations entering UK waters also require assessment.
The assessment of existing structures differs from the assessment of a structure during design in three important respects, i.e.:
1. There is less scope for the reduction of the frequency of a release and scope for mitigation of the severity of an explosion may be limited.
2. Intervention may give rise to an additional hazard which must be assessed.
3. Information may be available relating to expected explosion loads, structural and equipment response from the detailed design or construction stage for the installation.
Information should be available from the previously submitted Safety Cases, Approved For Construction (AFC) or as-built structural, piping and layout drawings, operational structural integrity support computer models and design or post-design analysis reports of the facility. Use may be made of experience gained from the operation of an un-modified installation and from similar installations. The computer data files and design reports should be checked to confirm that they are a faithful representation of the present state of the facility and that the methods used for explosion loading and response are currently acceptable.
Should modifications be necessary to improve the safety performance of the facility, then the work to be undertaken should not in itself pose such hazards and risk to personnel that this compromises the gains to be achieved by such modifications.
All modification work should be accompanied by hazard identification, assessment and other controls as determined by the Safety Management System as well as method statements for their implementation. All temporary structures and equipment utilised during the modification work should be removed as soon as practicable after completion of the work. The HSE have indicated that it should be borne in mind that reducing the risks from an existing plant to ALARP may still result in a level of residual risk which is higher than that which would be achieved by reducing risks to ALARP in a similar, new plant. Factors which could lead to this difference include the practicality of retrofitting a measure on an existing plant, the extra cost of retrofitting measures compared to designing them on the new plant, the risks involved in installation of the retrofitted measure (which must be weighed against the benefits it provides after installation) and the projected lifetime of the existing plant.
Therefore, it may not be reasonably practicable to apply retrospectively to existing plant measures that may represent good practice for new plant. The overall individual risk and the TR Impairment Frequency (TRIF) from all hazards must still be less than 10⁻³ per year. If risks are in this intolerable region then risk reduction measures must be implemented, irrespective of cost. The following sub-sections focus on the specific aspects relevant to the assessment of existing installations.
9.1 Installation Risk Screening
It is recommended that a screening of an installation or compartment is performed giving a low, medium or high risk classification for the facility. This may be achieved by using information gained from previous explosion assessments or by following a prescribed methodology. This will enable the efficient targeting of resources according to the risk level of the installation and identify the important safety issues at an early stage of the assessment.
The ALARP framework requires dutyholders to always seek to reduce risks, and only to argue against implementation of a measure if it is not reasonably practicable. Here the number of options available is likely to be limited. The assessment tools described in this Guidance should be used to assess existing risk, rank different options, and review the reasonable practicability of implementation of any proposed changes.
For existing installations, the individual risk (IR) per annum from fire and explosion events will have been used in the demonstration of ALARP in the existing Safety Case for the installation. The total IR will be a good indicator of the appropriate level of sophistication of analysis and whether the installation is in the low, medium or high risk category. Proposed modifications to the facility may result in changes to these IR values.
A low potential of loss of life (PLL) for the installation may not be a good indicator for normally unmanned installations and ageing platforms with extended life, because of low occupancy. However, assuming the risks to any group of individuals is acceptable, the effort and cost involved in assessing risks and incorporating risk reduction measures should largely be justified on the basis of the potential for reducing the overall PLL.
It should be borne in mind that the methods considered adequate for hazard mitigation during preparation of a previous Safety Case may no longer be adequate or correct, as a consequence of improved understanding of technical integrity behaviour and loading, or new research.
Details of the existing Safety Critical Elements should be available enabling their classification into categories 1, 2 or 3. The high level performance standards for the facility should be defined or confirmed at this stage. The general approach should be to bring the SCEs up to the same level of integrity taking into account the criticality or consequences of failure and the difficulty in achieving the level of performance desired. The number or proportion of existing SCEs vulnerable to explosion loads is also an indicator of the risk category for the installation. The risk associated with TR impairment under direct and indirect explosion loads combined with impairment of means of escape is key.
9.2 Explosion Hazard Review
For an explosion hazard, the first task to be performed is to review any previous hazard reviews and the impact of any changes or new knowledge. This may involve design basis checks and may also involve a survey of the installation.
A review should also consider which elements of the facility may be improved with respect to inherently safer design principles and what additional measures may be taken to improve the detection, control and mitigation of the explosion hazard. Fire hazard events will usually be considered in parallel as some scenarios will fall into either class depending on the ignition time relative to the release.
9.3 Scenario Definition
New scenarios relating to intervention/process change/changes in process operating parameters will need to be identified and considered. New scenarios could arise during preparation or performance of the modifications; these should be identified before design approval is granted. The scenarios considered during design may be materially changed due to consequent changes in layout, confinement and congestion.
9.4 Prevent, Detect, Control, Mitigate
The most effective way of dealing with a hazard is to eliminate it. If this is not possible, investigations into the means of reduction of the frequency of the initiating events should be considered. Mitigation of the consequences should then be investigated (see Section 3.3).
9.5 Determination of Explosion Loads
The explosion scenario used in the design of the facility may have been derived as a worst credible event assuming a gas cloud of maximal extent with stoichiometric composition ignited at the worst time in the worst position. Where the design basis for overpressure determination does not take into account recent developments (post 1997), re-calculation of the DLB and SLB overpressures and dynamic pressures will be necessary using best practice as described in Section 3.4 and Chapter 5 of the Commentary. ALARP arguments will need to be used to justify new explosion loads and any additionally required mitigation. It is recommended that probabilistic arguments as described in Section 3.4 and Chapter 5 of the Commentary should be used to develop appropriate design loads and that reliability or risk arguments be used to justify design load levels. If these levels are still not able to be accommodated by the structure and other SCEs, then a further ALARP iteration may then have to be made.
9.6 Response to Explosions
For high and some medium risk installations, the structural assessment will be performed against the strength level blast (SLB) and the ductility level blast (DLB). The structural assessment will include the consideration of the capacities of the structure, including barriers, decks, supporting structures and other safety critical elements at the appropriate level of criticality. SCEs of criticality level 1 and 2 will be assessed against the SLB, and SCEs of criticality 1 will also be assessed against the DLB. For low risk installations, the checks need only be made against the DLB.
One method of the demonstration of ALARP using a strength level analysis is to apply a static pressure load to the structure and observe, through code checks, when member failures occur. If the pressure is then ramped up in stages, there will come a point where the incidence of failures rapidly starts to increase and begins to take in the majority of the members. At this point it may be argued that it would be unreasonable to strengthen or change the member properties as it would impact on members designed by the other load cases. Design to this equivalent static pressure could then be said to be ALARP. It is, however, unlikely that the differing levels of response to dynamic loads at the same peak level as determined by the natural periods of the target structural elements will be adequately represented without undue conservatism. The variability of pressure in the explosion load cases is also not represented in this method. The validity of this method will depend on the severity of other load cases which have been used in the original design of the structure.
9.7 Evaluation
For each hazard or scenario which has been identified, an evaluation should be made of the possible consequences and risk to personnel, the environment and the asset. If the installation or any of the SCEs do not meet the performance standards or the level of risk is unacceptable, the ALARP process must be continued. Failure to achieve the performance standards, or to demonstrate ALARP for any identified hazard, will require modification to the installation or its operating procedures and a return to the prevention, control and mitigation activities. The overall individual risk and the TR impairment frequency (41) from all hazards must be less than 10⁻³ per year. If risks are in this intolerable region then risk reduction measures must be implemented, irrespective of cost.
Appendix 1
Glossary Of Abbreviations, Terms And Definitions
Term: Definition
API: American Petroleum Institute.
API RP: American Petroleum Institute, Recommended Practice
Availability: The proportion of the total time that a component, equipment, or system is performing in the desired manner
BCECA: British Chemical Engineering Contractors Association
Blast Wave: A pressure pulse formed by an explosion
BLEVE*: The sudden rupture due to fire impingement of a vessel/system containing liquefied flammable gas under pressure. The pressure burst and the flashing of the liquid to vapour creates a blast wave, potential missile damage, and immediate ignition of the expanding fuel-air mixture leads to intense combustion creating a fireball.
* boiling liquid expanding vapour explosion
BROA: British Rig Owners Association
Confined Explosion: An explosion of a fuel-oxidant mixture inside a closed system (e.g. vessel or module).
Control: Means of intervention permitted by the design (e.g. pressure relief valves, emergency power supplies), safety hardware (e.g. dump tanks, coolant sprays), or the presence of manually or automatically initiated ESD procedures which are intended to contain a developing situation so that escalation and a major accident may be avoided.
Design Accidental Events: The Hazardous Events that define the most severe fire and explosion loadings which the control and mitigation systems are designed to withstand or counteract.
ESD: Emergency Shut Down.
E&P Forum: The Oil Industry International Exploration & Production Forum now renamed the International Association of Oil and Gas Producers (OGP)
ER: Emergency Response
EER: Escape, Evacuation and Rescue.
Explosion: A release of energy which causes a pressure discontinuity or blast wave
Fire: A process of combustion characterised by heat or smoke or flame or any combination of these
Flash Fire: The combustion of a flammable vapour and air mixture in which flame passes through that mixture and negligible damaging overpressure is generated.
Frequency: The number of occurrences per unit time.
Functionality: The ability of a system to perform its specified role. This may be characterised and demonstrated by identifying critical functional parameters.
HSE: Health and Safety Executive.
Hazard: The potential to cause harm, including ill health or injury; damage to property, plant, products or the environment; production losses or increased liabilities (e.g. pressurised hydrocarbons, high voltage equipment).
Hazardous Event: An incident which occurs when a Hazard is realised whether or not it causes harm (e.g. a release of gas, fire, explosion, short circuit of high voltage equipment).
Hazard Analysis: The identification of undesired events that lead to the realisation of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the extent, magnitude and likelihood of any harmful effects (see also Risk Analysis).
HAZOP: Hazard and Operability Study; a systematic method utilising a multidiscipline team to identify deviation from the design intent and assess the consequences of these deviations.
HVAC: Heating, Ventilation and Air Conditioning.
IADC: International Association of Drilling Contractors (North Sea Chapter)
IEC: International Electrotechnical Commission.
IP: Institute of Petroleum
ISO: International Standards Organisation.
Individual Risk: The frequency at which an individual may be expected to sustain a given level of harm from the realisation of specified hazards.
Jet Fire (Flame): The combustion of material emerging with significant momentum from an orifice.
Lifecycle: The systematic portrayal of the sequencing and interaction of the steps in the design and operational life of an installation.
LPG: Liquefied Petroleum Gas
Major Accident: With respect to fires and explosions, this is defined in the UK Safety Case Regulations (SI 1992 No. 2885) to be:
a) A fire, explosion or the release of a dangerous substance involving death or serious personal injury to persons on the installation or engaged in an activity on, or in connection with it.
b) Any event involving major damage to the structure of the installation or plant affixed thereto and any loss in stability of the installation.
c) The collision of a helicopter with the installation.
Mitigation: Means taken to minimise the consequences of a major accident to personnel and the installation after the accident has occurred.
OIM: Offshore Installation Manager.
Overpressure: In a pressure pulse (blast wave), the pressure developed above atmospheric pressure at any stage or location is called the overpressure. Overpressure is also sometimes used to describe exposure of equipment to internal pressure in excess of its design pressure, but the term overpressurisation is preferred.
Performance Standard: A performance standard is a statement, which can be expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment, person or procedure, and which is used as the basis for managing the hazard - e.g. planning, measuring, control or audit - through the lifecycle of the installation
PFD: Process Flow Diagrams
P&ID: Piping and Instrumentation Diagram
POC: Products of Combustion
Pool Fire: The combustion of material evaporating from a layer of liquid at the base of the fire.
Prevention: Means intended to prevent the initiation of a sequence of events which could lead to a hazardous outcome of significance (i.e. major accident). Such means include management systems applied to the design, engineering and construction standards, the operation of the installation, and its inspection and maintenance.
Probability: A number in a scale from 0 to 1 which expresses the likelihood that one event will succeed another.
Redundancy: The performance of the same function by a number of identical but independent means.
Reliability: The probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand.
Risk: The product of the frequency of a specified undesired event and the consequences of that event.
Risk Analysis: The quantified calculation of probabilities and risks without taking any judgements about their relevance.
Risk Assessment: The quantitative evaluation of the likelihood of undesired events and the likelihood of harm or damage being caused together with the value judgements made concerning the significance of the results.
SC: Safety Case.
SCI: Steel Construction Institute.
SI: Statutory Instrument
Spray Fire: The combustion of hydrocarbon liquid emerging with significant momentum from an orifice such that full combustion will occur without liquid dropping out to form a pool.
TR: Temporary Refuge
UKCS: United Kingdom Continental Shelf
UKOOA: U.K. Offshore Operators Association
Appendix 2
A.2 Categorisation Of Hazard Management Systems Using Safety Integrity Level Approach
This section has been included to describe principles and concepts which are worthy of bringing to the wider attention of the industry. However there is little experience in applying these principles/concepts in the offshore industry and care must be taken in their application.
A.2.1 Introduction
Systems provided as part of the hazard management process need to match both the hazard and the resulting risk. This Appendix describes an approach to enable designers and others to provide safety systems which are fit for purpose. It also helps to convey the importance of the system to the platform Operators and those responsible for lockouts, maintenance and inspection of the system. The approach is based on material from:
- Draft IEC 1508 Parts 1 - 6; Functional Safety: Safety Related Systems.
- Ministry of Defence, Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment
A.2.2 Classifying Risks and Applying a Criticality to Associated Safety Systems
To enable the effective management of fire and explosion hazardous events there is a need for means of relating the risk from a fire or explosion to the expected performance of the hazard management systems provided. Categorising the importance of systems in terms of their contribution to risk reduction is one way of trying to achieve this. For example, if on a particular installation the emergency shut down system (ESD) contributed significantly more to risk reduction than say firefighting arrangements, then the rigour of ESD design, construction, commissioning and maintenance should be greater than that of the fire-fighting system. It may also guide the need for duplicate or redundant systems or the provision of additional safeguards or plant shutdowns whenever a system is not available because of breakdown or maintenance.
There is no standard way of categorising the safety criticality of hazard management systems, but relevant guidance is provided in ISO (Draft), Requirements and Guidelines for the Prevention, Control and Mitigation of Fire and Explosion in Offshore Oil and Gas Installations.
Qualitative methods are available to classify or rank the risk of a particular incident or identified major accident. Tables A.2.1 to A.2.4 provide an example of one possible ranking. Such a method can be adapted to categorise the importance of systems. For example, systems provided to protect against a probable-fatal accident (Class A in Table A.2.3 and A.2.4) could have a higher safety criticality rating than systems to protect against an improbable-minor accident (Class D in Table A.2.3 and A.2.4).
Table A.2.1 Likelihood Ranges for Incidents (during the operational life of installation)
Likelihood | Definition
Frequent | Likely to occur repeatedly
Probable | Likely to occur from time to time
Occasional | Likely to occur once
Remote | Unlikely to occur
Improbable | Very unlikely to occur
Implausible | Extremely unlikely to occur
Table A.2.2 Incident Severity Categories
Accident Category | Definition
Catastrophic | Multiple deaths
Fatal | A single death and/or multiple severe injuries
Severe | A single severe injury and/or multiple minor injuries
Minor | At most a single minor injury
Table A.2.3 Incident Risk Classification Matrix
Likelihood | Accident Severity: Catastrophic | Fatal | Severe | Minor
Frequent | A | A | A | B
Probable | A | B | B | C
Occasional | A | B | C | C
Remote | B | C | C | D
Improbable | C | C | D | D
Implausible | D | D | D | D
Table A.2.4 Example of Risk Class Definitions
Risk Class | Interpretation
A | Intolerable Risk
B | Undesirable Risk (and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained)
C | Tolerable Risk (if the cost of reduction would exceed the improvement gained)
D | Negligible Risk
Note that the term ‘Negligible Risk’ must be used with care when addressing Catastrophic or Fatal Accidents. This would normally only be considered negligible if the frequency of these events is of the order of 10⁻⁶/yr or lower.
Once hazards have been ranked as described, an appropriate safety integrity level (criticality rating) can be applied to the systems specifically assigned to manage them. If there is only one system standing between the hazardous event and the consequence, then the criticality should be commensurate with the consequence and frequency. However, if multiple system failures are required before the consequences are realised, the individual system criticality may be lower. This gives greater flexibility in the design and operation of the plant.
A system of criticality with, say, 3, 4 or 5 levels allows a standardised approach to systems of the same rating. This may cover the need for duplication, the need to shut down a plant when the system is not available or otherwise, or the level and quality of inspection and maintenance. Most importantly it gives, to all those responsible for safe operation, a perception of the importance of the system.
This technique is described in IEC 1508, where bands of reliability/availability are used to give safety integrity levels. The levels of availability described may not be appropriate for offshore systems, but the concept could be adapted to suit this industry and the hazardous events and systems in it.
Appendix 3
References
Legislation
The Offshore Installation (Safety Case) Regulations (SCR).
The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (PFEER).
Management of Health and Safety at Work Regulations (MHSWR).
Provision and Use of Work Equipment Regulations (PUWER).
HSE Publications
The Tolerability of Risks from Nuclear Power Stations - ISBN 0 11 886368-9.
HS(G)65, Successful Health and Safety Management - ISBN 0 11-885988-9.
A Guide to the Offshore Installations (Safety Case) Regulations 1992 - ISBN 0 11-882055-9.
Inherently Safer Design – AEA/CS/HSE 1916- ISBN 0-85356415-9.
UKOOA Publications
Management of Emergency Response for Offshore Installations - 1995
Safety Management Systems for the Oil & Gas Production Industry - 1991
Safety Management System Interfacing - 1993
Instrument-Based Safety Systems [Draft] - Expected date for publication late 1995
Halon Firefighting Equipment and Systems - 1992
Halon Utilisation, Removal and Disposal - 1993
Management of Offshore Helideck Operations - 1993
Other Publications
API Recommended Practice 14C
API Recommended Practice 520
CAA Guidelines CAP 437 Offshore Helicopter Landing Areas: A Guide to Criteria, Recommended Minimum Standards and Best Practice.
OGP (formerly E&P Forum) Guidance on Halon Free Fire Protection
OGP (formerly E&P Forum) Guidelines on Health, Safety and Environmental Management Systems, Report No. 6.3 6/210.
International Electrotechnical Commission Guidance on Functional Safety; Safety Related Systems; (IEC 1508 Parts 1-6) IEC 65A (Ref. A1)
I.P. Model Code of Safe Practice Part 15: Area Classification Code for Petroleum Installations ISBN 0471 921603
ISO 9000 Quality Management and Quality Assurance Standards - Guidelines for Selection and Use
ISO (Draft). Requirements and Guidelines for the Prevention, Control and Mitigation of Fire and Explosion in Offshore Oil and Gas Installations; Reference CD 13702
Ministry of Defence, Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment.
SCI Interim Guidance Notes
Appendix 4
Informative Sections
A4.1 Additional Detail on Explosions
The explosion hazard
For an explosion to occur a gas cloud with a concentration between the upper flammability limit (UFL) and lower flammability limit (LFL) must be ignited. The overpressure caused by the explosion will depend, amongst other things, on:
1. The gas or gas mixture present
2. The cloud volume and concentration
3. Ignition source type and location
4. The confinement or venting surrounding the gas cloud
5. The congestion or obstacles within the cloud (size, shape, number, location)
6. Cloud density inhomogeneity
7. Ignition timing
Confinement is defined as a measure of the proportion of the boundary of the explosion region which prevents the fuel/air mixture from venting; venting is the escape of gas through openings (vents) in the confining enclosure. Congestion is a measure of the restriction of flow within the explosion region caused by the obstacles within the region.
Gas explosions in more open environments can also lead to significant overpressures depending on the rate of combustion and the mode of flame propagation in the cloud. All of the above points from 1 to 5 can affect the explosion overpressures in this type of environment.
Two types of explosion can be identified depending on the flame propagation rate:
• A deflagration is propagated by the conduction and diffusion of heat. It develops feedback with the expansion flow. The disturbance is subsonic relative to the unburnt gas immediately ahead of the wave. Typical flame speeds range from 1 to 1000 m/s and overpressures may reach values of several bars. The overpressures are not limited to the 8 bar maximum typical of completely confined explosions.
• A detonation is propagated by a shock that compresses the flammable mixture to a state where it is beyond its auto-ignition temperature. The combustion wave travels at supersonic velocity relative to the unburnt gas immediately ahead of the flame. The shock wave and combustion wave are coupled and in a gas-air cloud the detonation wave will typically propagate at 1500-2000 m/s and result in overpressures of 15-20 bar.
Most vapour cloud explosions offshore would fall into the category of deflagrations.
The duration of the positive phase in an explosion can vary greatly, with shorter durations often associated with higher overpressure explosions. Typical durations range from 50 to 200 milliseconds, with longer durations common in large open areas such as the decks of FPSOs.
For smaller objects, such as piping, the overpressures applied to the front and reverse side of such items will be of approximately the same magnitude at any moment in time and in this case the overpressure difference will not be the only load component on the object. For this type of object the dynamic pressure associated with the gas flow in the explosion will dominate. Small objects may be picked up during the explosion, creating secondary projectiles. The peak energy for typical projectiles may be calculated from the dynamic pressure load time history and their mass. Secondary, external explosions may result as the unburnt fuel/air mixture comes into contact with the external (oxygen rich) atmosphere. These can affect the venting of the compartment and enhance the overpressure within. A blast wave will be generated which will propagate away from the explosion region and may impinge on adjacent structures.
Load cases for explosion response
Two levels of explosion loading are recommended for medium and high risk installations by analogy with earthquake assessment: the ductility level blast (DLB) and the strength level blast (SLB). Low risk installations may be assessed using only the DLB, as the overpressures are likely to be low and the SLB is not likely to be critical in the design. The risk levels and frequencies may not be the same as for earthquake analysis. This reflects the fact that an explosion is perceived as a preventable event.
The ductility level blast is the design level overpressure used to represent the extreme design event. This is a high consequence event important for the establishment of survivability.
The strength level blast represents a more frequent design event where it is required that the structure does not deform plastically and that the SCEs remain operational. This load case is suggested for the following reasons:
• An SLB event may give rise to an unexpected DLB by escalation if it is not considered in the assessment.
• The prediction of equipment and piping response in the elastic regime is much better understood than the conditions which give rise to rupture. The SLB enables these checks to be made at a lower load level, often resulting in good performance at the higher level (strength in depth).
• The SLB offers a degree of asset protection.
• The SLB is a low consequence event important for the establishment of operability.
Determination of explosion design loads
Design explosion loads in the past have been derived from a worst credible event, assuming a gas cloud of maximal extent with stoichiometric composition ignited at the worst time in the worst position.
Frequently the ultimate peak overpressure ‘Pult’ derived in this way is too large to be resisted by the structure. Checks should be made to ascertain whether the cloud of maximal extent is feasible with respect to the shutdown philosophy and the isolatable inventories. ALARP arguments are appropriate and can be used to demonstrate that risk levels have been reduced to satisfactory levels; such a demonstration itself relies on frequency and risk arguments. Pult will often correspond to an event with a return period out of proportion to the design life of the installation.
A single event frequency of exceedance between 10⁻⁴ and 10⁻⁵ per year is considered a reasonable frequency for the ductility level design event or DLB, by analogy with the treatment of environmental and ship impact loads, which are often considered at the 10⁻⁵ level. In order to determine the DLB, an exceedance curve must be constructed which represents the frequency of exceedance of a given space averaged peak overpressure. This curve will enable the DLB overpressure case to be identified. If the event impinges directly on the TR, escape routes or means of escape then the target level should be the 10⁻⁵ level. If the event impinges on one or more barriers before impinging on these SCEs then it may be argued that the 10⁻⁴ level is more appropriate.
The space averaged peak overpressure for the compartment is used for determination of the design explosion load cases as it is more generally representative of the severity of the event. A local overpressure peak may be used to generate exceedance curves for the determination of load cases for local design, of a blast wall for instance. Impulse exceedance curves may also be generated which take into account the duration of the load and its peak value; these give a better measure of the expected response of the target, which will be dynamic in nature.
The SLB may then be identified from a space averaged peak overpressure exceedance curve, as that overpressure corresponding to a frequency one order of magnitude more frequent or with a magnitude of one third of the DLB overpressure whichever is the greater. The reason for the reduction factor of one third is related to the expected reserves of strength in the structure and the observation that the primary structure will often only experience received loads of this reduced magnitude.
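An added worked example, not part of the guidance: reading the DLB and SLB overpressures off a space averaged peak overpressure exceedance curve by the rules described above. The curve values, the function names and the interpolation in log10(frequency) are assumptions of this example.

```python
import math

# Constructed exceedance curve (not from the guidance): space averaged peak
# overpressure in bar against frequency of exceedance per year.
SAMPLE_CURVE = [
    (0.1, 1e-2),
    (0.5, 1e-3),
    (1.0, 1e-4),
    (2.5, 1e-5),
    (4.0, 1e-6),
]


def overpressure_at(curve, frequency):
    """Return the overpressure whose frequency of exceedance is `frequency`.

    Interpolates linearly in overpressure against log10(frequency). The
    interpolation rule is an assumption of this example. No extrapolation
    beyond the ends of the curve is attempted.
    """
    points = sorted(curve)  # ascending overpressure
    freqs = [f for _, f in points]
    if any(f <= 0 for f in freqs):
        raise ValueError("frequencies must be positive")
    if any(later >= earlier for earlier, later in zip(freqs, freqs[1:])):
        raise ValueError("exceedance frequency must fall as overpressure rises")
    if not freqs[-1] <= frequency <= freqs[0]:
        raise ValueError("frequency lies outside the exceedance curve")
    for (p_lo, f_hi), (p_hi, f_lo) in zip(points, points[1:]):
        if f_lo <= frequency <= f_hi:
            span = math.log10(f_hi) - math.log10(f_lo)
            t = (math.log10(f_hi) - math.log10(frequency)) / span
            return p_lo + t * (p_hi - p_lo)


def design_load_cases(curve, direct_impingement):
    """Derive DLB and SLB overpressures from an exceedance curve.

    direct_impingement is True when the event impinges directly on the TR,
    escape routes or means of escape (1e-5 per year target) and False when
    one or more barriers are met first (1e-4 per year target).
    """
    dlb_frequency = 1e-5 if direct_impingement else 1e-4
    dlb = overpressure_at(curve, dlb_frequency)
    # SLB candidates: one order of magnitude more frequent, or DLB / 3.
    slb_by_frequency = overpressure_at(curve, 10 * dlb_frequency)
    slb_by_magnitude = dlb / 3
    if slb_by_frequency >= slb_by_magnitude:
        slb, governed_by = slb_by_frequency, "frequency"
    else:
        slb, governed_by = slb_by_magnitude, "one third of DLB"
    return {
        "dlb_frequency": dlb_frequency,
        "dlb": dlb,
        "slb": slb,
        "slb_governed_by": governed_by,
    }


if __name__ == "__main__":
    for direct in (False, True):
        print(direct, design_load_cases(SAMPLE_CURVE, direct))
```

On a steep curve, where overpressure rises quickly as frequency falls, the one third rule governs the SLB rather than the frequency rule.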
Loads on equipment items
The explosion loads on equipment items and pipework must be determined and are referred to as dynamic pressure loads, which may be directly obtained from CFD simulation results and consist of:
• Drag loads (similar to the Morison drag loads experienced in fluid flow) proportional to the square of the gas velocity, its density and the area presented to the flow by the obstacle.
• Inertia loads proportional to the gas acceleration and the volume of the obstacle.
• Pressure difference loads.
• Loads generated by differential movement of the supports.
Drag loads dominate for obstacles with dimensions less than 0.3m or on cylindrical obstacles less than 0.3m in diameter and, in particular, in regions of high gas velocity near vents. Pressure difference loads become important for obstacles with dimensions greater than 0.3m where they must be added to the drag loads. Care must be taken in interpreting the results of CFD simulations as the cell size/obstacle size ratio may make it difficult to obtain accurate pressure and flow information at points near the obstacle.
Equipment items in the interior of a compartment away from the vents will experience loads composed mostly of inertia loads due to gas accelerations. It is likely that these loads will, however, be lower than the drag and pressure difference loads experienced by items in the vent paths.
Exceedance curves for local dynamic pressures may be developed from simulations and used in the same way as for overpressures in deriving design dynamic overpressures for the DLB and SLB load cases. It is recommended that the DLB dynamic pressures are applied to SCEs of criticality 1 and that both the DLB and SLB overpressures are applied to SCEs of criticality 1 and 2 with the requirement for elastic response of the supports and that the SCEs would remain functional.
Design explosion event peak overpressures and durations (or time histories) with known frequencies of occurrence will be required for the response analyses.
A number of explosion loading experts have suggested that a suitable load level for the representation of dynamic pressure loads is 1/3 of the smoothed peak overpressure local to the equipment item. The duration of the load should be chosen to match the impulse of the overpressure trace. This load must also be applied in the reverse direction. In open areas, such as the decks of FPSOs, these loads should also be applied in the vertical plane.
In general, equipment items should be located to minimise obstruction of vents and be in line with the predominant flow direction. Piping runs should be located behind structural elements if near vent areas. Supports and equipment items should be made as resistant to explosion loads as is reasonably practicable.
The low risk methodology appropriate for some medium and all low risk installations follows that described earlier, except that the simplifications described below may be acceptable.
• The strength level blast (SLB) overpressure is recommended but need not be considered.
• If a valid nominal overpressure is available for this installation type then use it as the DLB.
• If a nominal overpressure can be accommodated then use this overpressure with the corresponding duration and dynamic pressures for design and assessment.
It must be borne in mind that nominal overpressures will only be representative values, which do not represent the variability of the overpressure distribution. This variability may be significant both for the structure and for equipment items; this must be established and considered for both overpressure and dynamic pressure loads.
Dynamic pressure loads for the DLB should be generated for criticality level 1 safety critical elements and vulnerable piping run locations.
A comparative assessment method may be used, drawing on experience from a demonstrably similar structure geometry and scenario. The nomination of a typical installation to represent a fleet of demonstrably similar, low risk platforms is acceptable.
Response to explosions
Over the last ten years, many structures have been designed to resist uncertain explosion loads by the calculation of the capacity of the structure and the SCEs and the demonstration of robustness in the structure as reflected in an insensitivity of response to variations in load. This approach is to an extent scenario independent and may give added protection against unidentified scenarios and in particular combined fire and explosion scenarios. The ‘robustness’ approach is still valuable and may be considered in addition to the more rigorous probabilistic methods now available which enable design explosion loads to be determined which should be accommodated by the structure and SCEs. Assessment based on prior exposure is applicable to explosion events, although it is unlikely that this information will be available unless the platforms are nearly identical and an explosion has been experienced on a similar platform which represents the DLB.
Load cases for explosion response
It is recommended that the structural assessment should be performed against the strength level blast (SLB) and the ductility level blast (DLB). The structural assessment should include the consideration of the capacities of the structure, including barriers, decks, supporting structures and other safety critical elements (SCEs) at the appropriate level of criticality.
For installations and compartments of medium or high risk, equipment items which are SCEs of criticality level 1 and 2 should be assessed against the SLB. SCEs of criticality 1 should also be assessed against the DLB.
If the general level of overpressure for the DLB is below the threshold overpressure Pth then the primary structure may be deemed to be designed by other load cases, with no further analysis of this element being required. The threshold overpressure will be defined and determined in Part 3 of the Guidance.
The structural checks for the SLB consist of strength checks for the primary and secondary structure with the requirement of elastic response.
Simplified structural assessment methods
The structural checks for the DLB will consist of displacement and integrity checks for the primary and secondary structure taking into account the reserves of strength offered by ductile response and allowable local damage. For medium and low risk installations, these checks may be accomplished by the implementation of modified code checks. This should be followed by a non-linear ‘ductility level’ dynamic response analysis if the checks show failure to satisfy the relevant performance standards or ALARP cannot be demonstrated. In all cases, it is imperative that connections and joints are suitably detailed to provide the ductility required to develop their reserves of strength. For barriers such as fire and blast walls, it will be necessary to check the ability of these elements to resist the DLB directly. These elements are often non-load bearing and it is often possible to check them in isolation.
One method of demonstrating ALARP using a strength level analysis is to apply a static pressure load to the structure and observe, through code checks, when member failures occur. If the pressure is ramped up in stages, there will come a point where the incidence of failures rapidly starts to increase and begins to take in the majority of the members. At this point, it may be argued that it would be unreasonable to strengthen or change the member properties, as it would affect members designed by the other load cases. Design to this equivalent static pressure could then be said to be ALARP.
It is, however, unlikely that the differing levels of response to dynamic loads at the same peak level, as determined by the natural periods of the target structural elements, will be represented adequately without undue conservatism. The variability of pressure in the explosion load cases is also not represented in this method. The validity of this method will depend on the severity of other load cases which have been used in the original design of the structure.
The transfer of conclusions and load characteristics from the analysis of a geometrically similar installation with similar structural and process characteristics is acceptable. The nomination of a typical installation to represent a fleet of low explosion risk platforms is acceptable. The use of a typical installation will be limited to the identification of general levels of severity of credible explosion events and is unlikely to be suitable for the local design of blast barriers, for example.
For low risk installations and compartments, the structural assessment may be performed against the ductility level blast (DLB) only. The performance of the structure and SCEs for these scenarios must then be tested against the appropriate high level and equipment specific (or low level) performance standards.
A4.2 Additional Detail on Fires
To be completed during 2004.