Fire and explosion guidance Part 0: Fire and explosion hazard management

ISSUE 2 October 2003

Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither UKOOA, nor any of its members will assume liability for any use made thereof. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Crown copyright material is reproduced with the permission of the Controller of Her Majesty’s Stationery Office. Copyright © 2002 UK Offshore Operators Association Limited

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

1995 Edition - In publishing these Guidelines UKOOA gratefully acknowledges the support and assistance given to their preparation by the Health & Safety Executive (USE), British Chemical Engineering Contractors Association (BCECA) British Rig Owner’s Association BROA), and International Association of Drilling Contractors (North Sea Chapter) (IADC). 2003 Edition – UKOOA gratefully acknowledges the continuing support and assistance provided by the Health & Safety Executive during the production of the Fire and Explosion Guidance Update.

This document is part of a series being produced by UKOOA and HSE on fires and explosions, the full series being: Part 0 Hazard management (formerly FEHM) Part 1 Avoidance and mitigation of explosions Part 2 Avoidance and mitigation of fires Part 3 Detailed design and assessment guidance This Part 1 document is taken from MSL Engineering Reports C26800R006 Rev 2 and C26800R007 Rev 2.
Part 0:- Fire and explosion hazard management
Describes Hazard Management principles and practices with particular emphasis on the management of fire and explosion hazards

Part 0

Part 1:- Avoidance and mitigation of explosions
Describes design considerations for the prevention, control and mitigation of explosions

Part 1

Part 2

Part 2:- Avoidance and mitigation of fires
Describe design considerations for the prevention, control and mitigation of fires

Part 3

Part 3:- Design practices for fire and explosion engineering
Contains advice on the engineering implementation of the measures outlined in principle in Parts 1 & 2

Basis Documents for Parts 1, 2 & 3
Contains base position papers as guidance was developed. Available on for those wishing to understand the logic and data gathered for the positions taken in the guidance


Issue 2, October 2003

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

1 2 Introduction................................................................................................................................. 1 Aims and Principles.................................................................................................................... 4 2.1 2.2 2.3 2.4 2.5 3 Aims of Fire and Explosion Hazard Management (FEHM) ............................................... 4 Principles........................................................................................................................... 4 Overview of the Management Process ............................................................................. 5 Reasonable Practicability .................................................................................................. 7 Performance Standards .................................................................................................. 10

The Lifecycle Approach to Fire and Explosion Hazard Management....................................... 14 3.1 3.2 3.3 Introduction...................................................................................................................... 14 The Use of the Fire and Explosion Assessment during the Installation Lifecycle ........... 14 Stages of the Installation Lifecycle .................................................................................. 17


The Assessment of Fire and Explosion Hazardous Events ..................................................... 26 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 Introduction...................................................................................................................... 26 Timing and Detail of the Assessment.............................................................................. 27 Hazard Identification........................................................................................................ 28 Initiating Frequency Analysis........................................................................................... 31 Characterisation of Fire and Explosion Hazardous Events ............................................. 32 Consequence Analysis.................................................................................................... 34 Escalation Analysis ......................................................................................................... 37 Risk Assessment............................................................................................................. 39


Inherent Safety and Prevention................................................................................................ 41 5.1 5.2 5.3 Inherently Safer Design and Process/Layout Optimisation Options................................ 41 Design, Quality and Maintenance ................................................................................... 42 Prevention Options.......................................................................................................... 42

6 Selection and Specification of Systems for Fire and Explosion Detection, Control and Mitigation......................................................................................................................................... 47 6.1 6.2 6.3 6.4 7 Principles......................................................................................................................... 47 Selection and Specification Overview ............................................................................. 47 Selection of Systems....................................................................................................... 50 Specification of a System ................................................................................................ 53

Guidance on Systems for the Detection, Control and Mitigation of Fires and Explosions........ 61 7.1 7.2 7.3 Detection Options............................................................................................................ 61 Control Options ............................................................................................................... 64 Mitigation Options............................................................................................................ 70


Implementation And Verification............................................................................................... 76 8.1 8.2 Communication ............................................................................................................... 76 Competence .................................................................................................................... 79

Issue 2, October 2003


UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

8.3 8.4 8.5 9

Commissioning and Routine Testing............................................................................... 80 Audit ................................................................................................................................ 80 Modifications ................................................................................................................... 80

Special features for the Assessment of Existing Installations .................................................. 81 9.1 9.2 9.3 9.4 9.5 9.6 9.7 Installation Risk Screening .............................................................................................. 83 Explosion Hazard Review ............................................................................................... 83 Scenario Definition .......................................................................................................... 84 Prevent, Detect, Control, Mitigate ................................................................................... 84 Determination of Explosion Loads................................................................................... 84 Response to Explosions.................................................................................................. 84 Evaluation........................................................................................................................ 85


Issue 2, October 2003

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management


The updated Fire and Explosion Guidance has been prepared to encourage an integrated approach to the management of Fires and Explosions. As such, it complements the Safety Case and should help those persons with responsibilities for the safe design, construction and operation of installations to manage fire and explosion hazards. It should also assist duty holders to comply with the Offshore Installation (Safety Case) Regulations (SCR), the .Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (PFEER), the Management of Health and Safety at Work Regulations (MHSWR) and the Provision and Use of Work Equipment Regulations (PUWER). Part 0 of the Fire and Explosion Guidance Update is complemented by other industry and UKOOA guidance; they constitute a suite of information to support the design, operational and regulatory efforts to manage fire and explosion hazards effectively. The updated Fire and Explosion Guidance applies to new and existing, fixed and mobile installations. It has been written specifically for the United Kingdom Offshore Oil and Gas industry but may be applied elsewhere, both on and offshore. The principles may also be applied to the management of other hazardous events. The updated Fire and Explosion Guidance outlines a particular structured approach to the management of fires and explosions. Operators/Owners of existing installations should examine their management system to see how they comply with the overall aims outlined in Section 2.1. They should then assess the need for change, the benefits, extent and timing. Mobile installations will also have to comply with their flag administration and international maritime requirements. The updated guidance should be used in addition to those requirements, to ensure that their management systems are adequate for all the fire and explosion hazards which may be encountered. The updated Fire and Explosion Guidance aims to promote understanding of hazardous events involving fires and explosions by both designers and Operators/Owners. It is through understanding of the causes, characteristics and likelihood of such events that an effective management system can be put in place for each. The management system would include inherently safer design and operation and a combination of suitable prevention, detection, control and mitigation measures. The updated guidance shows how the Operator/Owner, operators of plant and each engineering discipline play a part in managing hazards and hazardous events. Effective management starts with the initial studies and continues until the installation is decommissioned. The guidance uses the lifecycle safety management concept and outline the role that each person should play in the process.

Issue 2, October 2003


UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

The updated Fire and Explosion Guidance outlines the management process, the analyses and decisions that need to be taken and the factors to be considered when making those decisions. Above all, the aim is to encourage a balanced approach to hazard management by ensuring that the resources provided to manage fires and explosions are commensurate with the risks of these events. The guidance provides a framework whereby everyone, managers, designers, Operators/Owners, contractors and auditors, can work effectively together to understand and manage the hazardous events. The updated Fire and Explosion Guidance sets out what is generally regarded in the industry as good practice. They are not mandatory and Operators/Owners may adopt different standards in a particular situation where to do so would maintain an equivalent level of safety. More specific guidance is available to support this Part 0 (“Fire and Explosion Hazard Management”) of the updated guidance; further information is available in the informative sections at the back of this document and there are three further guidance documents which cover the design considerations for fires and explosions which can be found on the UKOOA or websites; The three further guidance documents for design considerations and implementation cover the following topics: • • • Part 1 Guidance on design and operational considerations for the avoidance and mitigation of explosions Part 2 Guidance on design and operational considerations for the avoidance and mitigation of fires Part 3 Guidance on design practices for fire and explosion engineering

Part 1 is currently available, a completed Part 2 will be available in December 2004 and a completed Part 3 is scheduled to be available the following year. One intent of this Guidance is to move the decision-making processes within the fire and explosion design field as much as possible towards a ‘Type A’ process from ‘Type B or C’ as defined in the UKOOA document the “Risk Based Decision Making Framework”, the main figure of which is illustrated overleaf.


Issue 2, October 2003

The UKOOA Risk Based Decision Making Framework The framework defines the weight given to various factors within the decision making process. October 2003 3 . Issue 2. A glossary of terms used and definitions is given in Appendix 1.1 . ranging from decisions dominated by purely technical matters to those where company and societal values predominate.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Figure 1. A substantial number of installations will lie in Areas A or B of the chart resulting in an approach which involves codes and Guidance based on experience and ‘best practice’ as described in this document and supplemented by risk based arguments where required.

operation.1. detection.2 Principles Effective. economic FEHM depends on the appropriate timing and use of resources This can be achieved by following the principles for identification and assessment of the foreseeable hazardous events. October 2003 . The following summarise the main principles: − fire and explosion assessment should commence very early in the design and should be used as one of the bases of hazard management throughout the installation lifecycle.1: This approach is structured around the life cycle concept described in Section 3. and for selection and specification of safety systems see Section 6. − − − 2. and-be "as low as reasonably practicable" (ALARP). analysed and understood.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 2 2. any changes to the installation which may effect the likelihood or consequences of fires and explosions should be identified. everyone involved in the design.1 Aims and Principles Aims of Fire and Explosion Hazard Management (FEHM) These are that: − − − all fire and explosion hazards should be identified. an appropriate combination of prevention. overall risk from all major accidents including fires and explosion should be assessed. commissioning. see Section 4. assessed and the systems revised to take them into account as necessary. the systems provided to protect personnel from the effects of fires and explosions should be suitable for these hazardous events and have performance standards commensurate with the required risk reduction. the design. operation and maintenance of the systems be undertaken by competent staff who understand their responsibilities in the management of the hazards and possible hazardous events. − − 4 Issue 2. the principles of inherent safety should be applied early in the design so as to eliminate or reduce hazards so far as is reasonably practicable. maintenance and modification of the installation should have sufficient knowledge of the hazards and their contribution to the overall risks. control and mitigation systems should be implemented and maintained throughout the lifecycle of the installation.

resources should be assigned to systems taking account of the risks from the hazardous events and the role of the system in reducing them. identification and specification of the particular prevention.). This overall process is outlined in the OGP (formerly E&P Forum) “Guidelines for the Development and Application of Health Safety and Environment Management Systems”.Guidelines for Selection and Use. detection. verification.3 Overview of the Management Process A thorough understanding of all hazards and hazardous events. ISO 9000 Quality Management and Quality Assurance Standards .1). control and mitigation measures needed for each hazardous event confirmation of the suitability and effectiveness of each of the measures selected. hazardous events and safety systems provided to manage them. including fires and explosions. documentation. analysis and assessment of the hazardous events (type. For these hazardous events the management process is given below: − − − − − − − − − − identification of the hazardous events (coarse assessment). detection. areas affected. control and mitigation.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − safety systems should be selected based on the hierarchy of prevention.g. intensity. the principles of quality management should be followed. − 2. likelihood. scale. duration. October 2003 5 . design to reduce the likelihood. duration and effects of each hazardous event. etc. specification of the measures adopted. the hazard management process should be documented and communicated to operations personnel so that they have adequate information about both the hazards. Issue 2. is at the heart of the Safety Management System (SMS) and it should be proactive to reduce risks. e. communication and implementation. magnitude of the consequences. reduction of the risks from fires and explosions through inherently safer design (see Section 5. Part 0 of this guidance adds more detail to this process and applies it to fires and explosions.

understand the hazards and are involved during the appropriate stages of the lifecycle. for an existing installation the process should be applied to current arrangements and modifications. Section 3 provides details of the lifecycle for an installation. it is used to assess these arrangements to make sure that the high level performance standards have been achieved. − The management of hazards to reduce the risks involves many interests which may often appear to conflict with each other. involving all levels of personnel from senior management to junior staff from a number of different organisations. severity and likelihood of each hazardous event. control and mitigation measures. It is essential that all parties who can contribute to the reduction of hazards. particularly design engineering disciplines and those who will have to operate and maintain the plant. Table 2. These should be assessed to determine if the high level performance standards are achieved and that risks are as low as is reasonably practicable. The process is a multi-disciplinary activity. 6 Issue 2.e. The FEHM process can be applied to new or existing installations: − for new installations it should start during feasibility studies and be fully developed during detail design. followed by prevention of identified fire and explosion hazardous events and then by the selection of detection. from design through commissioning and operations to decommissioning. i. It outlines the timing and interaction of the activities so that the overall safety of the installation can be improved. This is developed firstly by inherently safer design. Thereafter. The lifecycle approach shows how to prepare and implement a strategy for the management of fire and explosion on an offshore installation throughout its life. The fire and explosion assessment process is used in the lifecycle to provide information on which to base decisions and design systems. October 2003 . It is important that the input and activities of these personnel are fully coordinated and managed. can operate them properly and that adequate maintenance schemes are in place. The results should then be communicated to personnel operating the installation to ensure that they know the purpose and capability of all the systems. and describes the hazard management process.1 outlines a typical range of tasks for these personnel.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The hazard management process should be employed in a timely manner and in accordance with the type. The SMS of each organisation should identify the relevant responsibilities.

In weighing the costs of risk reduction measures the principle of reasonable practicability applies so that there should be no gross disproportion between the cost of preventative or protective measures and the reduction of the risk that they would achieve to those already in place. These should be appropriate to the hazards and hazardous events on the particular installation so that they contribute significantly to the reduction of risk. This must be a “top down process” starting with the hazard identification and consideration of areas for improvement and not a “bottom up’ process starting with the safety systems. The ALARP principle can be demonstrated by quantification or qualitatively by using experienced judgement. see the figure below. then implementation of the measure may be inappropriate.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 2. It should be based on the need for improvements or enhancements and not on the ready availability of particular systems. For all hazardous events including fires and explosions a more formal demonstration of quantified risk assessment may be required. The issues of risk levels and ALARP are more fully discussed in HSE publications “A Guide to the Offshore Installations (Safety Case) Regulations 1992” and “The Tolerability of Risks from Nuclear Power Stations ALARP can be described as the process of striving to reduce risks to a negligible level while taking due consideration of the economic and schedule implications of this goal. If the overall costs are ‘grossly disproportionate’ to the benefits. In endeavouring to reduce risks to ALARP. However. October 2003 7 . care should be taken not to miss reasonably practical ways of reducing the risk from apparently less serious events.4 Reasonable Practicability Operators/Owners of offshore installations must demonstrate that the risks to personnel from all major accidents have been reduced to a level which is ‘as low as reasonably practicable” (the ALARP principle). Issue 2. cost and difficulties in implementing it) must be compared with the amount of risk reduction it brings. although concentrating on the primary risk contributors. The cost of a measure (in terms of the time. Appropriate standards and accepted industry practice are tools to achieve and demonstrate reasonably practicable risk reduction. resources should be concentrated on the primary risk contributors and on the areas or systems where the greatest risk reduction can be achieved for the expenditure.

htm HSE Books have published a guide which sets out an overall framework for decision taking by the HSE (R2P2). • 8 Issue October 2003 .hse.1 . which is available in hard copy form (28) and as a free download from http://www.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Unacceptable region 10-3 Per annum Risk cannot be justified except in extraordinary circumstances The ALARP or tolerability region (risk is undertaken only if a benefit is desired) Tolerable only if further risk reduction is impractical. • Policy and Guidance on reducing risks to ALARP in Design http://www.pdf .uk/dst/alarp1.The ALARP Triangle Further guidance on the demonstration of ALARP is available from the following or the cost is not proportionate to the benefit gained Broadly acceptable region Negligible risk Risks closer to the unacceptable region merit a closer examination of potential risk reduction measures Figure Principles and Guidelines to Assist HSE in its Judgement that Duty Holders Have Reduced Risk as Low as Reasonably Practicable http://www.

Table 2.1: Typical Allocation of Tasks in a Management System DESIGNERS SENIOR MANAGEMENT OFFSHORE CONTRACTORS INSPECTORS/AUDIT ORS Issue 2. Wh t ki i dt th f l th h ld kt th t th t it i i d t . October 2003 DESIGN AND PLANT MANAGERS − − − − − − Verify that an adequate SMS is in place for the installation Verify that risk criteria are met Ensure integration of the contractor and Operator/Owner SMS Ensure contractors understand the hazards and hazardous events as well as their own role in managing these events Ensure personnel are competent to carry out their duties Identify. TECHNICIANS AND PLANT OPERATORS − − Understand the hazards which may affect them and their response to the hazardous events Perform their role (if any) in the management of these hazardous events − − − − Verify that there is an adequate understanding of the hazards Verify that adequate systems are in place to manage the hazards Verify that the systems meet their performance standards Feedback the results to the operator OPERATORS − − − − − Set overall performance standards Ensure that effective systems and adequate resources are in place Maintain an overview off all major hazardous events Ensure effective communication within their own and external organisations Initiate and ensure adequate response to audits − − − − − Ensure the hazards and hazardous events are identified . They may work within the same organisation or work separately. effectively managed and that risk criteria are achieved Establish document and communicate the hazard management process Integrate all design disciplines and operator input to achieve an acceptably safe design Set performance standards Provide and deploy adequate resources and competent personnel to develop and carry out hazard management − − − Understand the hazardous events on the installation Select the safety system Set the system design specification − − − Develop and work to procedures needed to manage the hazards − operate the plant to the performance standards − Develop designs to meet the system specification Provide information to allow the Operator to input and maintain the systems to meet the performance standards Communicate the purpose and documentation on the system to the Operator UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 9 The columns with the table are applications for three levels of personnel. manage and bring to attention of the Operator any hazards concerned with their work which may not have been identified INDIVIDUALS: DESIGNERS.

g. which may contribute to the high level performance standards. October 2003 . it is helpful to consider a hierarchy of performance standards. When characterising “performance” in relation to the whole range of operational activities associated with an installation.5 Performance Standards The principle behind the “goal setting” approach is that it should be possible to define overall goals for design and operation. person or procedure. the Temporary Refuge (TR) or the fire and explosion arrangements). Thus caution should be exercised to avoid setting performance standards for systems. which can be expressed in qualitative or quantitative terms. planning. control or audit . measuring. An important principle to be adopted in setting performance standards is that their number and level of detail should be commensurate with the magnitude of the risk being managed. plastic deformation of the structure is acceptable provided collapse does not occur allowing barriers to remain in-place and adequately resist any subsequent fires or other hazards.through the lifecycle of the installation. Further general guidance on performance standards may be found in the HSE publication “Successful Health and Safety Management” (see Appendix 3). system (including computer software) or component part whose failure could cause or contribute substantially to a major accident. Lower level performance standards are used to describe the required performance of lesser systems. For example. The Safety Critical Element (SCE) is defined as any structure. plant. High level performance standards are applied to the installation as a whole or to the major systems that comprise the installation (e. and thus includes any measure which is intended to prevent or limit the effect of a major accident. together with a method for assessing the extent to which these are realised.g.e. item of equipment. equipment. sub-systems or components of systems that contribute little to the management of overall risk reduction associated with the installation. of the performance required of a system.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 2. SCEs should have fulfilled their function or remain operational. and which is used as the basis for managing the hazard . Performance Standards are particularly important (and legally required in the UK) for defining the performance of elements that help to manage or defeat a specific hazard. For any goal it is usually possible to identify one or more measures whose performance will be a reasonable indicator of how successfully the goal is achieved These can be described as performance standards and defined as follows: Performance Standard: A performance standard is a statement. 10 Issue 2.

2. even when not directly measurable they should be auditable in order to fulfil their principal role which is to provide a benchmark so that the adequacy of the arrangements may be assessed. The appropriate application of low level performance standards may significantly reduce the risks from fires and explosions. the parameters chosen should be directly relevant to the achievement of the system goal. and thirdly. three key characteristics should apply. Performance standards at this level may relate to the principal systems. Firstly. control and mitigate fires and explosions. Issue 2.2 Low Level Performance Standards Having completed the development and assessment of the FEHM arrangements and demonstrated that risks to persons using these arrangements are ALARP. It may not be possible to measure these standards directly but they should be capable of verification from the results of assessments of low level performance standards. Nevertheless. October 2003 11 . Secondly. (HSE Publication “A Guide to the Offshore Installations (Safety Case) Regulations 1992 “) These are the goals for safety of the installation and relate to the overall risk to persons on the installation.5. the selected items should make a significant contribution to the overall acceptability of the FEHM arrangements.5. it can be useful to establish detailed “low level” performance standards to ensure that this position is both initially verified and subsequently maintained. Fires and explosions will contribute to some of this risk. The performance of the systems and arrangements provided to manage major accidents involving fires and explosions will contribute to meeting this standard and it may also be appropriate to set standards for these major systems. used to detect. the performance standard should be capable of expression in terms of parameters that are verifiable.1 High Level Performance Standards The Safety Case regime requires that performance standards should be set.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 2. However whatever performance standards are selected.

Criticality 2 Items whose failure could lead to major hydrocarbon release and escalation affecting more than one module or compartment.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The process of setting the detailed low level performance standards therefore involves a review of the required performances under the anticipated emergency conditions of the systems. In the setting of the low level performance standards it may be helpful to consider FEHM arrangements in hierarchical terms. These are described in more detail in Section 6. Performance standard – These items must not fail during the DLB or SLB. It is also important when undertaking this review to determine what effective barriers to the occurrence of a particular hazard are provided. equipment or functions) requiring detailed assessment are classified into three levels of criticality. assessment should indicate the most important factors contributing to the success of that system. It is suggested that the number of SCEs (systems. They should relate to the overall ability of a system to fulfil its role. First. October 2003 . ductile response of the support structure is allowed during the DLB. sub-systems or equipment that make up the fire and explosion prevention. detection. For engineered systems. availability.4. reliability and survivability. Moving down the hierarchy. Performance standard – These items must have no functional significance in an explosion event and these items and their supports must respond elastically under the strength level blast (SLB) 12 Issue 2. control and mitigation arrangements. (Indirect impact on the TR is possible through subsequent fire). those items of systems performance that are primarily important in the achievement of the overall objectives should be identified. using the Ductility Level Blast (DLB) and Strength Level Blast (SLB) defined later in this document. these can be expressed in terms of functionality. these are illustrated with respect to the explosion hazard as below. The purpose of this review is to identify those items that make the most significant contribution to the overall acceptability of the arrangements. Criticality 1 Items whose failure would lead direct impairment of the TR or emergency escape and rescue (EER) systems including the associated supporting structure. It is necessary to identify those items where significant performance deviation would jeopardise the arrangements to the extent that the strategic objectives set for the installation would not be satisfied. It may be is helpful to consider a hierarchical approach to the identification of SCEs. The number and integrity of these should take into account the magnitude of the hazardous event and the likelihood of the initiating event in the absence of these barriers. the probability of the system operating successfully when required and its ability to continue to function during a fire or following an explosion.

with potential for inventories outside the module contributing to a fire due to blowdown and or pipework damage. Issue 2. October 2003 13 . Performance standard – These items have no functional significance in an explosion event and must not become or generate projectiles.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Criticality 3 Items whose failure in an explosion may result in module wide escalation.

the steps of the assessment shown in boxes 5 to 8 and 11 should be carried out as a discrete activity so that a full picture of the fire and explosion hazardous events can be developed. These are described in Section 3. many or all of the systems will already be specified or in place and the relevant lifecycle activities will have been completed. before the need for any changes can be determined. the different design disciplines. Each numbered step of the assessment process for fires and explosions as outlined in Section 4 is linked with the relevant stage of the lifecycle. that the high level performance standards have been achieved and risks are ALARP. FEHM is a continuous process rather than a series of discrete steps.. commissioning and operation phases with earlier decisions reviewed and revised as necessary. This has been broadened in scope in this document so that it both highlights opportunities for enhancing inherent safety and also addresses all safety systems. 7. 6. The lifecycle is made up of the general stages of concept selection. It can also be used to integrate the work of all contributors to the risk management process including. Operators and auditors.3 detailing the approximate timing and sequencing of particular activities. these should be reviewed to ensure that all reasonably practicable risk reduction options have been considered. 8 and 11 with the associated activity alongside. There will be overlaps and iterations between the various stages of the design. In these cases. With an operating field or a partially completed design.1 The Lifecycle Approach to Fire and Explosion Hazard Management Introduction The updated Fire and Explosion Guidance proposes the use of the lifecycle approach to implement hazard management (Fig 3. risk assessors. The need to revise the assessment and repeat elements of the lifecycle is identified in boxes 19 and 20.2 The Use of the Fire and Explosion Assessment during the Installation Lifecycle FEHM is an integral part of the SMS Throughout the installation lifecycle. It summarises those activities which need to be carried out.1 shaded in boxes 1. The concept is outlined in the International Electrotechnical Commission ‘~Guidance on Functional Safety. These steps are shown in Fig. October 2003 . operation. Some main feedback loops are shown but other stages may also require feedback. 3. detail design. the decisions which need to be taken and The optimum timing in the lifecycle. 3. construction and commissioning. The lifecycle approach can be applied at any stage of the installation life.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 3 3. At each step of the lifecycle where critical decisions are taken. particularly box 11. fire and explosion specialists. 5. 14 Issue 2. However the effective use of data from the fire and explosion assessment process at the appropriate stage should reduce the need for continual changes .see Section 4.1). modifications and decommissioning. Safety Related Systems” (Parts 1-6).

Figure 3.1 Issue 2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Fire and Explosion Hazard Management The Life Cycle . October 2003 15 .

avai labi li ty and survi vability param et ers f or engi neered systems 10 Def i ne rol es. October 2003 . 9 rel iabi li ty. st andards and s af et y m anagement systems 5 Conf i rm al l hazards are i dentified Opt i m i se desi gn to improve t he i nherent safety 6 I dent i f y t he causes of t he hazardous events V eri f y t hat t he design codes are sui t abl e f or t he haz ardous events and sel ect speci f i c prevention methods 7 Det erm i ne fire and expl os i on loadings S el ect / opti mi se control systems to l i m i t t he escal at ion of hazardous events Concept ual and detail design 8 I dent i f y vul nerable plant. personnel and rout es t o escalation S el ect mi ti gati on systems Def i ne t he rol es and functionality. m ai nt enence and testing 16 V eri f y t hat sys t em s are effective and rel i abl e duri ng commissioning and t hroughout t he i nstallation life 17 E nsure personnel are trained and com pet ent t o i m pl ement / operate M odif icat ion 18 Operat e and maintain systems t o achi eve cont i nued ef f ectiveness Operation 19 F i re and Explosion A ssessm ent Process 21 I dent i f y and assess any change / m odification / det eri oration 20 Revi se as sessment and syst em provision Updat e assessm ent and safety syst em provi si on to address decom m i ssi oning hazards A bandonment 22 Decom mi ssion pl ant using ef f ec t i ve safety systems 16 Issue 2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management E xi stin g In stal lati ons New I nstall atio ns 1 I dent i f y f i re and explosion hazards on di f f erent concepts A ppl y i nherent safe desi gn principles Concept selection 2 S et t he high level perf orm ance standard 3 S el ect concept t aki ng i nt o account risks from all possi bl e hazards i ncl udi ng fires and explosions 4 Def i ne t he desi gn and operat ional regime . syst em s are equi pm ent . manning and c om pet ence requi rements for procedural systems Devel op escalation 11 anal y si s and risk ass essment V eri f y t hat al l haz ardous events are addressed. and t he overal l perf orm ance is achieved Const ruct i on and Com mi ssining 13 P l an f ut ure verification 12 Desi gn hardware to meet param eters 14 Devel op procedural saf et y systems 15 P rovi de / i dent i f y procedures and schedules for operat i on.

Each of the steps shown in The process is explained as follows: 3.1. Whenever an installation is modified or changes take place.1 APPLY INHERENT SAFE DESIGN PRINCIPLES 1 Hazard Identification Inherently Safer Design During the review of the alternative development concepts. The hazards associated with decommissioning should. IDENTIFY FIRE AND EXPLOSION HAZARDS DIFFERENT CONCEPTS Reference Section 4. operation. decommissioning.3 5.3. October 2003 17 .1 Individual Steps See figure 3. an identification and coarse quantification of the risks from the hazardous events should be carried out. This information should be used as part of the overall consideration for concept selection and also to optimise the layout and guide the selection of hydrocarbon processing methods for each concept. detail design. Issue 2. modification and change. commissioning.3 Stages of the Installation Lifecycle The lifecycle includes a number of stages: − − − − − − concept design. so far as reasonably practicable. be taken into account during detail design. the hazard management process should be repeated to a level of detail commensurate with the change.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 3.

At this stage.2 5. October 2003 .3 System Selection Prevention Options 4 This is the definition of which codes and standards will be used to design the structure. Performance Standards may also be defined for major systems such as Temporary Refuge (TR) impairment frequencies. STANDARDS AND SAFETY MANAGEMENT SYSTEMS Reference Section 6. 18 Issue 2. DEFINE THE DESIGN AND OPERATIONAL REGIME CODES. These would be relevant if the reduction of fire and explosion risks contributes to meeting these targets. plant and equipment These include the primary prevention measures which ensure the technical integrity of the plant The appointment of the designer and Operator/Owner management systems including structure and responsibilities should also be defined. 7 Escalation Analysis 3 The selection process should include consideration of the risks of major accidents of the different concepts and the particular contribution from fires and explosions. environmental standards and targets for reducing damage to the platform. Attention should be paid to the primary risk contributors and the practicality and cost of preventing.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 2 SET HIGH LEVEL PERFORMANCE STANDARD Reference Section 2. controlling or mitigating tern. SELECT THE CONCEPT TAKING INTO ACCOUNT RISKS FROM ALL POSSIBLE HAZARDS INCLUDING FIRES AND EXPLOSIONS Reference Section 4.5 Performance Standards This is the statement of the standards of the installation as a whole for the safety of personnel.

1. On an existing installation.1 6.follow feedback loop to Step 4 as shown in Fig 3. Procedural systems or operating parameters may be changed and.2 VERIFY THAT THE DESIGN CODES ARE SUITABLE FOR THE HAZARDOUS EVENTS AND SELECT SPECIFIC PREVENTION METHODS Hazard identification Initiating Frequency Analysis Prevention Options System Selection 6 The assessment requires that initiating events are identified.4 5. concentrating particularly on those hazards which make the predominant contribution to the overall risks.8 5. if necessary.2 OPTIMISE THE DESIGN TO IMPROVE THE INHERENT SAFETY Hazard Identification Risk Assessment Inherently Safe Design System Selection This is the start of the formal assessment of the fire and explosion hazardous events. Where they are found to have shortfalls.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 5 CONFIRM ALL FIRE AND EXPLOSION HAZARDS ARE IDENTIFIED Reference Section 4. it may be possible to identity ways of reducing the risks through changes in operational practices.3 6. This allows the causes to be identified and a check of the design codes and standards and SMS and operating parameters to ensure that they are suitable to address the causes and adequate to deal with their severity.3 4. For a new design. the codes and standards may be changed or enhanced.3 4. Issue 2. IDENTIFY THE CAUSES OF HAZARDOUS EVENTS Reference Section 4. October 2003 19 . the identification of possible hazardous events should be used to review the layout and process design so as to eliminate or reduce all hazards to meet the high level performance standards. new specific prevention measures may be added. It may use the output from the conceptual selection studies as a start point. This may lead to a further review of previous lifecycle steps .

20 Issue 2. The reliability and availability may need some iteration with the escalation and risk assessment in Step 11.2 7.2 7. intensity and duration of representative hazardous events and the contribution of control measures. An assessment of the likelihood and consequence of these failures determines the need for protection and. PERSONNEL AND ROUTES TO ESCALATION Reference Section 4.1 7.5.2 7. October 2003 .3 8 SELECT MITIGATION SYSTEMS Consequence Analysis Escalation Analysis System Selection Control Options Mitigation Options The plant and equipment which could fail when exposed to fire and explosion in the characterised events should be identified. AVAILABILITY AND SURVIVABILITY PARAMETERS FOR ENGINEERED SYSTEMS Reference Section 6.1. This enables the most severe events to be identified and their control measures to be enhanced or augmented to reduce their severity. EQUIPMENT. For existing installations this may be a formalisation of the original design standards and objectives. At this point those events to be used as the basis of design for mitigation systems are chosen.6 4. DEFINE THE ROLE AND FUNCTIONALITY.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7 DETERMINE FIRE AND EXPLOSION LOADINGS SELECT / OPTIMISE CONTROL SYSTEMS TO LIMIT THE ESCALATION OF HAZARDOUS EVENTS Hazard Characterisation System Selection DetectIon Options Control Options Reference Section 4. its provision and adequacy.5 6. Particular attention should be paid to the guidance in Section 4.4 Specification of a System 9 This applies to hardware (engineered) systems and is the definition of the overall purpose of the systems and the essential parameters to be met by the system so that it fulfils its role. IDENTIFY VULNERABLE PLANT. RELIABILITY.2 The characterisation of the hazardous events identifies the size. 7 6. in the case of existing installations.

On new designs it is carried out prior to proceeding to detail design to ensure that the proposed systems are suitable for the hazardous event and will be sufficient to reduce.6 6. These results may lead to a review of other lifecycle steps follow feedback look to Steps 4. VERIFY THAT ALL HAZARDOUS EVENTS ARE ADDRESSED. the risks from each hazardous event. October 2003 21 .3 6. On existing installations it is the determination of the adequacy and contribution of the safety systems provided. This information is essential to determining if remedial measures or improvements are needed to the existing or proposed system provision.3. 7 4.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 10 DEFINE THE ROLE.4 8.1-7.4 7. 12 DESIGN HARDWARE TO MEET THE REQUIREMENTS Reference Section 6.8 Escalation Analysis Risk Assessment This is the overall review of the fire and explosion risks and their acceptability.3 Types of systems Interactions and limitations Specifications System Options The design contractor and suppliers should co-operate in designing the systems and components to meet the functional parameters and the availability and reliability requirements and ensure that any interactions and also limitations are addressed. The cumulative risks from all major accident hazardous events should be within the high level performance standard and ALARP. It requires confirmation that the manning and competence levels are or will be available to the extent necessary. as shown in Fig. MANNING AND COMPETENCE REQUIREMENTS FOR PROCEDURAL SYSTEMS Reference Section 6. as far as is reasonably practicable. SYSTEMS ARE SUITABLE AND THE HIGH LEVEL PERFORMANCE IS ACHIEVED 11 DEVELOP FIRE AND EXPLOSION ESCALLATION ANALYSIS AND RISK ASSESSMENT Reference Section 4.3. It formalises the escalation analysis which will have been developing as part of the assessment process. Specification of a System Implementation This defines the role and the essential parameters required to be met by procedural systems. 7 or 9 as applicable. Issue 2. 3.1.

preparation of effective operation. 14 DEVELOP PROCEDURAL SAFETY SYSTEMS Reference Section 6. provision of specialist test and maintenance equipment. The tasks may include: − − − − − provision of access. inspection 8. the existence and quality of these procedures should be assessed. MAINTENANCE AND TESTING Reference Section 64. On an existing installation.2 8 Functional specification Availability and reliability Implementation 15 This is to ensure that the systems can be properly operated and maintained and that they achieve the functional parameters. There is no point in specifying a performance standard which cannot be verified.4.1 6. Functional specifications Implementation This includes the provision of specific procedures to complement the generic procedures and practices associated with the SMS.2. 22 Issue 2. PROVIDE / IDENTIFY PROCEDURES AND SCHEDULES FOR OPERATION. it is necessary to ensure that these facilities are in place.4. October 2003 .2 Maintenance. setting of maintenance and test frequencies.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 13 PLAN FUTURE VERIFICATION Reference Section 6. maintenance and test procedures. On an existing installation. Implementation The requirements for verifying tat the design has been properly executed and that systems can be fully inspected and tested at appropriate intervals during their life should be determined.1 8.4. identification of training and competence requirements.

OPERATE AND MAINTAIN SYSTEMS TO ACHIEVE CONTINUED EFFECTIVENESS Reference Section 8. so as to act as a base line for trouble shooting throughout the remainder of the lifecycle. maintain or test the plant. On an existing installation it may be appropriate to review the training and competence of existing personnel. ENSURE PERSONNEL ARE TRAINED AND COMPETENT TO IMPLEMENT. Implementation 17 18 This requires the continued maintenance and operation of the plant so that the engineered and procedural systems continue to meet their original intent as developed during the design and initial assessment process. October 2003 23 .2. MAINTAIN AND TEST SYSTEMS Reference OGP (formerly E&P Forum) “Guidelines for the Development and Application of Health. Safety and Environmental Management Systems” Section 3. during commissioning.2 Maintenance. prior to-start-up. inspection 8. implementation This is function testing which should be carried out prior to installation. It may be necessary to prepare training courses and schedules and to have sufficient personnel trained prior to start-up. OPERATE.4 This applies both to personnel training and competence for procedural systems and for the operation.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 16 VERIFY THAT SYSTEMS ARE EFFECTIVE AND RELIABLE DURING COMMISSIONING AND THROUGHOUT THE INSTALLATION LIFE Reference Section 6. The function testing during commissioning will normally cover the full range of operational performance. maintenance and testing of engineered systems. Issue 2. and at predetermined intervals during the system life. This applies not only to regular installation personnel but also to individuals who may visit the installation to operate.4.

3. UPDATE ASSESSMENT AND SAFETY SYSTEM PROVISION TO ADDRESS DECOMMISSIONING HAZARDS Reference Section 4. for example changes in the produced fluids from the reservoir. 24 Issue 2. All changes should be assessed to determine the effects on the high level performance standards and. Alternatively a safety system may deteriorate so that it is unlikely to continue to achieve its intended functional performance. as shown in Fig. It may also lead to a review of the other lifecycle steps affected by the change including the hardware. these should be addressed by following the relevant steps in the lifecycle. Where the existing systems or procedures are deficient. 20 REVISE THE ASSESSMENT AND SYSTEM PROVISION Reference Section 4. procedures and documentation and to a revision of the Safety Case.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 19 IDENTIFY AND ASSESS ANY CHANGE. October 2003 . where necessary.2 8. reliability and availability. These should be formally reviewed prior to decommissioning of either part or all the plant to ensure that all hazards are identified and adequately addressed. 6. Follow feedback loop to Steps 4. Assessment of Fire and Explosion Hazardous Events System selection and specification 21 The design process should have considered likely decommissioning hazards and identified the relevant procedures or systems. improvements should be considered to the systems provision. Assessment of Fire and Explosion Hazardous Events Systems selection Implementation During the life of the installation. Assessment of Fire and Explosion Hazardous Events This is the update of the assessment required by a relevant significant change identified in Step 19. 6. changes may be considered or arise naturally through.1. MODIFICATION OR DETERIORATION Reference Section 4. 7 or 9 as applicable.

These should be in place and sufficient competent persons be available to operate and implement them.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 22 DECOMMISSION THE PLANT USING EFFECTIVE SAFETY SYSTEMS Reference Section 6. October 2003 25 .2 System selection and specification The safe decommissioning of the plant and eventual abandonment of the installation may be dependent on special hardware or particular procedures. Issue 2.

control and mitigation measures. it should be documented to give a clear overall picture of the possible hazardous events and of the role of the safety systems in their control and mitigation. control and mitigation measures can be applied to reduce the risks. characteristics. This information is fundamental to managing the hazards and reducing risks to people from fires and explosions. it relies on a thorough hazard identification. it should be continuous and recognise the need for revision of the assessment as more information becomes available and the design evolves. if the arrangements to manage the hazardous events are judged to be inadequate. it should identify all foreseeable events with the potential to cause a major accident. 26 Issue 2. The assessment process should be used as a design and operational tool to understand the hazards and hazardous events and to identify when prevention. 3.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 4 4.1 shows where and when the assessment should provide information into the lifecycle and management process. The flowchart Fig.1 The Assessment of Fire and Explosion Hazardous Events Introduction The assessment of fire and explosion hazardous events is the process whereby these events are identified. probabilities and consequences are determined and a judgement is made on the adequacy of the risk reduction measures. It provides critical information which should be the basis for effective FEHM. involves modifying them and revising the assessment. The output of the Fire and Explosion Assessment process also provides information on the hazards and hazardous events for those responsible for safety. This information includes the causes. a representative selection of events should be analysed to encompass the range of foreseeable hazardous events. October 2003 . it should be used to assist in identification of prevention. to ALARP. It is an iterative process which. The following principles should be applied to the assessment process: − − − − − − − it should start early in the conceptual design. managers. designers and Operators. likelihood and the means to prevent and limit the events and to protect personnel.

4. The assessment progressively builds a picture of the fire and explosion hazardous events as the design develops from the feasibility studies.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 4. particularly in terms of analysing initiating frequency and consequence. the analysis and assumptions of the critical’ events identified should be reviewed.1 Timing The lifecycle approach in Section 3 and Fig 3. On an existing installation. or if more detailed analysis is required to resolve a particular concern. the level of information available at that time.2 Timing and Detail of the Assessment The timing and detail of the assessment will depend on the stage in the lifecycle. that large numbers of events of low frequency are not discarded without due consideration being given to the cumulative risk which they may pose. as appropriate and/or sensitivity analysis. As a result. Those events which result in the major risks to life will deserve the greatest attention. These should be clearly stated. Modification should follow the lifecycle approach. In performing scoping calculations. At an early stage of the conceptual design of an installation the details required for an in-depth consequence analysis may not be available. this will depend upon the extent of information available. only broad scoping predictions would be undertaken with the aim of identifying those scenarios which have the potential to cause a major accident. As the design of the installation progresses and further information becomes available.2. selection and detail design. through concept development. Also. including particular assumptions about the provision and effectiveness of prevention and control systems. It is important that apparently low consequence events are not discarded at this stage if their consequences may be underestimated as a result of limited information. and the frequency and severity of the hazardous events. the assessment should already have been carried out as part of the Safety Case. October 2003 27 . Issue 2. and performance.1 shows where information is needed from particular steps in the assessment in order to make decisions on the need for. Parts of the analysis may have to be repeated as the design evolves and more information becomes available. of risk reduction measures. Up-to-date results should be available and communicated to designers and Operators/Owners for consideration. This may include more sophisticated validated modelling techniques. In practice it may be necessary to revisit a stage a number of times as a design progresses and new information becomes available. The major accident scenarios should then be examined in sufficient detail to verify that it would be reasonably practicable to provide systems to control and mitigate them and that the risks would be tolerable. However. It may also enable the effective screening out of many events which are of low consequence or very low frequency and therefore unlikely to contribute significantly to overall risk levels. it will be necessary to make a range of assumptions.

including any relevant experimental data and the competence of those undertaking the assessment. systematic and auditable approach which addresses both process and non-process fires and explosions and covers all parts of the installation including pipelines. design engineers and safety specialists. the validity and accuracy of the analysis tools used to characterise the hazardous events and the response of the plant. 28 Issue 2. particularly where their risks may be significant. The quality of the analysis is dependent on the following: − − − − the quality of the available information.2 Detail and Accuracy The level of detail and accuracy of an assessment is determined by the need for precise information on which to base decisions and designs.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 4. In some cases. The method employed should be a structured process.1 Means of Identification The identification of fire and explosion hazardous events is the start point for the rest of the assessment and of the whole hazard management process. the stage in the lifecycle.2. events will be subjected to specific assessment.3 Hazard Identification Hazard identification should commence at the early stages of a design while there is still sufficient flexibility to change the design and layout to reduce hazards by inherently safer design or to reduce their scale and impact. risers and wells. it may be acceptable to group smaller events together and subject them to generic assessment 4. which involves a suitable combination of operations personnel. October 2003 . A simple assessment with appropriate pessimistic assumptions resulting in a conservative level of provisions may be equally appropriate in place of a refined assessment resulting in greater accuracy. to justify more targeted risk reduction measures. The decision as to which type of assessment should be undertaken is likely to be determined by the capabilities and technical resources of the organisation undertaking the assessment as well as purely technical factors. the sensitivity and accuracy of the figures for initiating event frequency and safety system performance. 4. It should use a structured. In others. availability of data. The quality of the assessment is dependent upon the identification and quality of assumptions. Such simple assessments may also be appropriate for some of the smaller relatively simple installations.3. validation of models.

plastics). Industrial explosives and detonators.) and lubricants. combustible inventory. The materials considered during the fire and explosion hazardous event identification phase are likely to include: − − − − − − − Process oil/gas/condensate. etc. Equipment lists. Process additives (e. propane. Process Flow Diagrams (PFDs). Fuels (diesel. Laboratory and process chemicals. Combustible material (e. Plot plans and plant layouts. These may include: − − System pressure. This process should be fully documented including all of the foreseeable causes of initial release as these should be addressed when identifying the need for specific prevention measures. Bottled gas (e.g. The information required to carry out the initial hazard identification may include the following (as available): − − − − − − Operating and maintenance philosophy. October 2003 29 .UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The hazard identification process should address all foreseeable fires and explosions and. Piping and Instrumentation Diagrams (P&IDs). Other information such as incident statistics or records may also be useful. methanol and tri-ethylene glycol). the installation may be divided into discrete areas in which hazards are identified by considering the process or utilities systems. fixtures. in particular. In identifying hazards the parameters which define the type of hazardous event should be identified and documented. those involving releases of hydrocarbons. aviation fuel.g. Issue 2.g. acetylene). Process data sheets. wood. etc. Isolated and non-isolated inventory. Potential external initiators of fires and explosions such as a helicopter crash are also important and should be considered. To structure the process. furnishings. within each. paper. plant.

Electrical equipment fire. missile fragments and fireball) see Appendix 1. Typical events are: − − − − − Pool fire Jet fire Spray fire Blowout Flash fire (combustion of a flammable liquid pool). Density. − Explosion − BLEVE − − Cellulosic fire (fire involving material. such as wood. (combustion of flammable gas/vapour in which confinement and/or flame velocities are sufficient to result in damaging overpressure). The fire or explosion events identified will vary depending on the hazardous material involved and the conditions relevant to the particular system or inventory being considered. (rapid ignited release of flammable pressurised contents of a heated vessel resulting in blast overpressure. Likely release points and their size. Combustible load. etc. Flash point. 30 Issue 2. Users of this guidance should decide what information is relevant to their particular needs. (combustion of a pressurised liquid release).). (combustion of high pressure gas or liquid). (combustion of a flammable gas where the flame propagates at a speed insufficient to result in damaging overpressures). October 2003 . paper. (wellhead spray or jet fire). Ignition sources.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − − − − − Temperature. Composition of material. Oxidising agents.

For example. arrangement and location of the failures.5. In the case of fires. and multiplying by failure rate data appropriate to the type. Each identified hazardous event will have a range of possible scenarios. use and operating conditions. standard or design. the provision of prevention measures.e.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 4. This may initially be obtained from historical UKCS data (or more specific data if available). the Operator/Owner safety culture and SMS should endeavour to reduce these initial estimates.4 Initiating Frequency Analysis The initiating frequency estimate is derived from the causes of incidents and should be used to identify both generic and specific prevention measures. there needs to be sufficient inventory to burn for long enough to cause failure of equipment or structure. In the case of flammable release events. shape. Issue 2.3. it is not reasonable to examine every one. October 2003 31 . representative cases should be chosen to cover the range of foreseeable events. In selecting the events. but protected or equipment exposed only to thermal radiation may survive for considerable periods.1and to support the Safety Case and PFEER. Therefore. pipework leak source might range from that of a poorly fitted flange gasket through to a full bore rupture. The probability of ignition and detection of a hazardous event should also be taken into account. i. The most important are those foreseeable events where the initial release and ignition characteristics are likely to cause the most extensive damage and the greatest risks to personnel. the release frequency may be estimated by counting all relevant system components which could give rise to a flammable release within a specified area. The type of events chosen for each purpose will depend on the information required. It may be appropriate under some particular circumstances to examine the sequence of events which may lead to a failure. The range of events considered should cover the larger ones which may cause extensive damage to the installation and those smaller events which could cause local damage leading to escalation. As the design develops. Personnel and delicate equipment may be injured or damaged after a short fire exposure. modified where necessary to take account of any particular considerations for the installation which may affect the likelihood or frequency. Techniques such as Fault Tree Analysis may be used to estimate the frequency of these events.2 Choice of Events for Analysis A range of hazardous events should be analysed both to provide information on which to base the design of control and mitigation systems . 4. Steelwork should survive for several minutes under the worst case conditions.see Section 4. The relative importance of initiating events should be evaluated from their severity and expected frequency of occurrence. the design features of the plant and the resultant size. the engineering specifications used. due regard should also be taken of the likely causes of initial failure. risk.

The estimate of the initial size. flame length. both within and outside gas cloud) (location of flammable gas cloud and the pattern severity and extent of the overpressure and impulses both within the module and beyond). Both initiating event and those stages of an escalating event when further hydrocarbons are likely to be released should be characterised. smoke concentration/toxicity) (the location and direction of the release. A range of representative scenarios should be considered in detail with justification given for the choice. shape and size of flame extension into other areas and the outside of the platform). for example due to reduction in release pressure). it is necessary to clearly define the parameters listed below such that the resultant event can be analysed with the appropriate accuracy and realism. It is also required as an input to the preparation of the emergency response plan. high flame speed explosions. jet. spray.5 Characterisation of Fire and Explosion Hazardous Events This is the quantification of the characteristics of the particular fire and explosion events which are chosen for analysis. − Duration − Variation with time (the change in the above characteristics with time. severity and duration of fire and explosion events requires different levels of analysis depending of their perceived importance. remote heat flux levels. October 2003 . and cellulosic) (diameter. shape and volume) (emissive power. The information available from this part of the analysis may include: For Fires: − − Type Size − Severity − Location (hydrocarbon. engulfment heat flux. For Explosions: − Type − Size − Severity − Location (confined explosions.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 4. For initiating events. chemical explosions) (extent of flammable gas cloud) (maximum overpressure. direction of flame spread. 32 Issue 2. It provides information to identify which plant and personnel are exposed and to judge the effects of exposure. pool. spread. location and spread of pool fires. impulse pressure pulse rise time.

type and rate of release. inventory. ventilation. Control and detection measures and their response time where appropriate: − − − − − Emergency Shut Down (ESD). wind direction and strength. October 2003 33 . Therefore their use as a tool to develop and refine the early stages of design is limited. This may range from simple empirical correlations and engineering judgement to sophisticated modelling. such as emergency isolation. The stage in the lifecycle will dictate the level of analysis required. The characterisation analysis will identify the most severe events and the analysis process can be used to enhance the effectiveness of the control measures listed above in limiting the size. where that failure could lead to significant increase in the consequences. drainage and bunding. depressurisation. In carrying out the analysis. scale and intensity of the fires and explosions. fire and gas detection. for example. obstacles and boundaries. The more complex and detailed methods of analysis will take time and require a very high level of design definition. further multiple releases and safety system failures may occur following an explosion or structural weakening. ignition sources. electrical isolation. Issue 2. more general assumptions may need to be made where. type and composition of the fuel. the following parameters should be taken into account: Installation and process parameters: − − − − − − − − location. It may also be necessary to characterise the initiating events taking account of the failure of a safety system.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management For escalating events.

From this overview. As the analysis proceeds. 4. the escalation analysis is also important in the selection of the design accident events. One of the most important decisions taken in the hazard management process is the selection of hazardous events from which the concept of an upper bound. In particular. the options for reducing the frequency of an incident so that the resulting risk is ALARP.5.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The results should be presented so tat they clearly convey a realistic picture of the anticipated hazardous events. of conditions on which the design of control and mitigating systems are based. These effects may include an inability to escape to the TR. 4. October 2003 .1 Design Fire and Explosion Loadings Selection of the representative design accident events. structure.6. These results would be collated to determine the risk to personnel from fires and explosions as input to the overall risk assessment for the installation. and their potential for escalation. serious injury and death. This is particularly important for the preparation of an appropriate emergency response plan and the development of an awareness of the possible h5~ardous events on the installation.6 Consequence Analysis The purpose of the consequence analysis is to identify which plant. it should be possible to select the design events based on the practicality of preventing larger initial events and stopping the escalation of smaller events to those of an extreme magnitude.5. the practicality of controlling and mitigating the event. safety systems and personnel are exposed to the initial and escalating events described in Section 4. 4. With a new design.5 and to assess the likely effects and failures. together with the perception of the extent and severity of the escalation. 34 Issue 2. The analysis of these events will give the loading parameters for fires and for explosions as listed in Section 4. a designer would need to consider the following when identifying a design event: − − − the scale of the incident relative to the installation size.1 Personnel Exposure Personnel may be directly exposed to an initiating event or to subsequent escalation. Alternatively the design could be based on standard criteria with the loads from the actual design events being checked at a later stage and compared to the design load. a reduced ability to respond to the emergency. The characteristics of these loadings need to be defined in sufficient detail so that protection systems can be designed to match them. a picture of the range of initiating scenarios and escalating events throughout the platform will emerge. The assessment should attempt to quantify the numbers of people involved at each stage and the effects of exposure. or envelope.

the following should be considered. those within the TR. storage tanks or pipework. or impairment of evacuation and escape systems. penetration of fire or blast walls allowing the passage of overpressure or flame. October 2003 35 . The need for mitigating measures can also be reviewed. spread of fire (e. Structure and Safety System Exposure An assessment of plant exposed to fire and explosion hazardous events should be carried out to determine if it would fail and lead to: − − − − − − − − loss of further inventory from vessels. including the effects of smoke and heat. the following groups of personnel should be considered: − − − − − those working in the area of the initiating event. emergency teams. Issue 2. those working in adjacent areas which may be affected by the initiating event. This information can be used to assess and where necessary modify escape routes and operating philosophies so that the exposure of personnel is reduced.g. those who may be exposed as they attempt to reach the TR.2 Plant.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management In addressing the exposure. e. extent and intensity of that exposure. 4.6. at muster areas or while evacuating who may be exposed to the effects of the escalating incident those who may be exposed while carrying out their emergency response duties. catastrophic rupture or failure.g. loss of or damage to safety systems required to control the incident: loss or damage to mitigation systems. loss of structural support leading to any of the above or progressive collapse. the: − − likely exposure of the equipment. control room personnel. within the accommodation). impairment of the TR. In assessing the likelihood and manner in which these failures could occur.

Particular attention should be paid to complex systems which are spread and interconnected throughout the platform. protection systems. firewater ringmain. The effects of the failure of localised components on the overall performance should be considered. exposure of any critical elements which could cause an overall failure. logic. engines. The time of escalation is also important in predicting the development of the incident. control panels. electric cabling. 4. vent headers/flare lines field devices.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − − − duration of the exposure. Heating Ventilation and Air Conditioning (HVAC).1.3. the following should be examined: − − − − − − − hydraulic systems.9. piping. October 2003 .6.4.g. 36 Issue 2. Such a review may start either with the hazardous events as described above or with the systems.see Sections 7. fuel systems. relays and electronic systems. It may be appropriate to review the safety systems as part of a vulnerability study which examines their exposure to all hazardous events. for example. time to failure. defined failure criteria of the plant or structure . The later requires a full examination of all the hazardous events to which they may be exposed.see Section 6.2. cooling and combustion air supplies.3 Safety System Vulnerability The purpose of this study is to identify and assess the vulnerability of those hazard management systems which may be needed during or after a particular hazardous event where that event might impair them. the importance of that system to control these hazardous events and the likelihood and consequence of its failure. This may be used to define any protection to meet their survivability criteria . inherent resistance of the equipment. The time to failure should be assessed as it may significantly affect the consequences. In particular.7 and 6. e.4. gas plant may have already depressurised or a safety system may have fulfilled its role.

moved to a safer location or protected so that it can survive until it has completed its function.2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − power supplies. The primary objectives of the escalation analysis are to: − − − identify mechanisms whereby an initial event may escalate to impinge on key systems or facilities. The performance of the remainder of the system should then be assessed.see Sections 6. Alternatively. It also allows the vulnerable component to be eliminated (if offering no real contribution to the system performance). It is probable that in some cases only part of a system may be exposed and incapacitated. care should be taken to ensure that the overall vulnerability of the system is not increased by exposing a greater number of components to a wider range of hazardous events. identify the combination of measures needed to deal with each major hazardous event and to provide an input to the development of associated performance standards. e. This allows measures and procedures to be prepared to address this situation. Further guidance on the types of emergency systems which may be required during or following an incident is included in the UKOOA Guidelines on the Management of Emergency Response for Offshore Installations.4. In such cases. the need to take action to reinstate the remainder of the system (such as closing of firewater ringmain isolation valves) and the practicality and likelihood of doing so in an emergency should be identified and assessed. duplicated components or systems located in different areas may be considered such tat the simultaneous loss of both would be unlikely. The output of the analysis is primarily an awareness of any vulnerability by both Operators/Owners and designers. identify where control or mitigating measures could be used to prevent.g.7 Escalation Analysis In addition to the effects of an initial fire or explosion it is important that a structured approach is taken to determine whether and how an event can escalate to endanger personnel. delay or reduce escalation or protect life.4. It is also the means to identify all the subsequent failures which would have to occur before personnel are put at risk. 4. evaluate the effects on the installation safety systems at each stage of escalation and how this may affect subsequent escalation.3.5 and 6. − Issue 2. the TR and/or evacuation and escape facilities. However. Duplication should be considered only if it adds significantly to the overall availability or realistic survivability of the system such that it is able to deliver its required functional performance . October 2003 37 .

October 2003 . This can show the sequence of failures which need to occur to result in a particular level of consequence and give designers and Operator/Owner the opportunity to add. This involves identifying those critical components or systems which. It is important that the location. the effects of the events on the installation including the safety systems at each stage of escalation and how this affects subsequent event progression. timing and duration of different scenarios previously established are fully considered so that mechanisms and routes by which a fire or explosion could escalate to cause ‘critical failure’ can be identified. Therefore the escalation analysis is an important aspect of hazard assessment and risk management.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − evaluate the probability and hence the frequency of each escalation path which affects the key facilities or systems such as the TR and Escape. the contribution of safety systems to reducing the consequences and the probability of their successful operation. Such systems may include: − − emergency shutdown. have significant consequences regarding: − − − threat to life. if they fail. the means by which the initial event may escalate and. This may be carried out as an event tree analysis. 38 Issue 2. blowdown. Evacuation and Rescue (EER) facilities and the time duration from the initial event. the corresponding probability and time to escalation. loss of assets (plant/production). the effects on the key facilities or systems such as the TR and EER facilities in terms of impairment. duration and frequency. the characteristics of each stage of the event should be considered if it is possible that systems may fail to operate successfully or could be damaged. environmental damage. In assessing the contribution of safety systems. the fatality levels associated with each scenario. Input data from the previous steps of the assessment include: − − − − − − the location and description of the initial event especially its size. Experience has shown that often only a relatively small number of escalating scenarios contribute significantly to the major accident risk on an installation. frequency. severity. to or enhance the safety systems to break the sequence of events. at each escalation stage. time to impairment and impairment frequency.

4. active/passive explosion protection. This will assist the judgement of the adequacy of the high level performance standards and their achievement. October 2003 39 . and the time at which these decisions are made can have major implications. in particular the OIM. Hence the risk from other hazards may indirectly affect the acceptability of risk from explosions and these may need to be considered in setting the target risk levels for the explosion hazard. In addition. The need to take particular decisions should be reflected in the preparation of the Emergency Response Plan and in the provision of communication and evacuation systems. The ability to take decisions may be affected by smoke. It is also a useful exercise at the early stages of a project in order to focus attention on the safety issues at a time when the most benefit may be gained at the least cost. to fight the fire. detection systems. overpressure protection. to abandon the installation.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − − − − − active/passive fire protection. heat and the scale of the incident. An accepted level above which the overall risk is considered intolerable is an individual risk of greater than 10-3 per year or a TR impairment frequency of greater than 10-3 per year. Issue 2. The decision to move personnel to different parts of the installation. essential power supplies. drainage. essential control and instrumentation. irrespective of cost. This should be taken into account. installation screening is recommended to enable resources and time to be focussed where it is most appropriate when little detailed information is available for the specific hazards on the installation. etc. particularly if the TR and control centre are affected. communications (internal and external). It may also be necessary to consider the actions and decisions of key personnel. in responding to an escalating situation.8 Risk Assessment The collation of the risks from each of the possible major accidents from fires and explosions should be integrated into the installation Safety Case risk assessment. If risks are in the intolerable region then risk reduction measures must be implemented. The overall individual risk from all hazards must be less than this value.

successful installation screening is achieved by early consideration of the vulnerability of the installation and the likelihood of an explosion event. October 2003 . risk is defined as a measure of the product of the consequence and probability of an incident. Medium or High risk categories to determine the level of explosion assessment required. Therefore. 40 Issue 2. (estimated from the previous sections).UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The task consists of classifying the installation and its compartments into Low. In this context. the terms probability and frequency imply that numerical values are available. an example might be of an ignited release giving rise to a significant overpressure greater than 50 millibar. Risk equals the product of Probability (or Likelihood) and Consequence (or Severity) Likelihood is a more appropriate term in this context where a qualitative assessment is being performed. The complexity of the process in the compartment is taken as an important measure in the screening exercise.

1 Inherently Options Safer Design and Process/Layout Optimisation The greatest opportunities to reduce risks are during the initial hazard identification stage during the conceptual design phase. etc. Adoption of the following principles where possible will reduce hazards: use less hazardous materials (substitution). single or multiple jacket. use of non flammable or low flammability materials. reduction of process pressures and temperatures. reduce the inventory of hazardous materials on the installations (intensification). Consideration of inherently safer design and process/layout optimisation may include the following but it must be recognised that the design will also depend very largely on economic criteria: choice of the concept. minimisation of the number of processing operations carried out on the installation.. Issue 2. 5. use simpler process systems (simplification). manning. construction and operation. Once into detail design there may be limited scope to apply hazard avoidance (as opposed to prevention) methods. to an approach to design in which hazards are ‘designed out at source. floating production etc. The extraction and processing of hydrocarbons inevitably involves some hazards. minimisation of High Pressure/Low Pressure (HP/LP) interfaces. October 2003 41 . Facilities designed on this basis can be described as intrinsically or inherently safer. choice of the operating philosophy. selection of simpler processes. reduction of hazardous inventories.. The primary means of prevention are the use of appropriate standards for design and operation.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 5 Inherent Safety and Prevention The concept of inherently safer design refers. use hazardous materials at lower temperature and/or pressure. pre-drilling wells. or use inert materials to dilute hazardous ones (attenuation). the optimisation of the layout for safety and the quality standards applied to design.

electrical fires and fires in the accommodation.4.2 also apply to process and other plant and should be used to eliminate or minimise the possibility of hydrocarbon release.2. 5. i.e. reduction of external confinement and congestion of gas process areas. location of the TR remote from major hydrocarbon inventories.g. risers. siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in well ventilated areas and away from large inventories.2.2. 5.g. The principles for the reduction of complexity and improving operability in Section 6. location of risers to avoid supply boat impacts. on the quality of the design. amongst other factors.g. the construction of the plant and its maintenance/operation. and the implementation of good operating practice. reduction of congestion in process areas. wells. separators).3 Prevention Options Prevention in the context of an installation means avoiding uncontrolled releases of hydrocarbons and/or the accumulation of explosive atmospheres and avoiding fires and explosions from other sources. October 2003 .: the use of appropriate design codes and standards. As the risk from fires and explosions offshore is often dominated by releases of hydrocarbons. the components. 42 Issue 2. Quality and Maintenance The likelihood of hydrocarbon release which could lead to a fire or explosion will depend. The principles outlined for safety systems in Sections 6. risers.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management - reduction of particular causes of failure (e. control or avoidance of simultaneous hazardous operations.4. dropped loads onto equipment).4.1 and 6. e.2 Design. then the prevention of such releases represents the starting point followed by the consideration of preventing (or controlling) ignition. Effective prevention of hazardous events is dependent on aspects of the SMS. in particular wellheads.7 should also be used/applied to reduce the number of possible leak points and the likelihood of operator error. physical separation of major components containing hydrocarbons (e. Further guidance on inherently safer design is given in HSE Report “Inherently Safer Design".

construction defect. Issue 2.1.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Prevention measures may be either engineered or procedural and may be specifically applied to a particular hazard or item of plant or generically applied throughout the installation. This verification may be achieved by the use of a formal Hazard and Operability Study (HAZOP) during design with an update on completion. breaches of containment due to human error. The likely causes of failure can be identified by a formal hazard identification process such as HAZID .2.3. October 2003 43 . (external loadings including Most causes of failure will be addressed by the use of established codes and standards for the design and protection of process plant. shutdown. impact (including dropped objects). breaches of containment or permanent isolation systems. explosion. external corrosion/erosion. maintenance and decommissioning.3. it may be necessary to verify that these are appropriate for all the identified likely causes of failure. However.which could consider aspects such as: − − − − − − − − − − − mechanical overload/overstressing environmental).1 Prevent Release (Maintain Equipment Integrity) The primary prevention measure on plant containing hydrocarbon is the prevention of the unplanned release of inflamable liquids and gases under all circumstances including commissioning. decommissioning. All foreseeable causes of failure should be identified and a combination of engineered and operational systems put in place to seek to avoid each cause. in particular hazards associated with purging. fire. measures to prevent ignition are considered as preventive measures although it is possible to regard them as control measures . Compliance with the chosen standards should be verified during construction and planned inspection throughout the life of the installation.see Section 4.see Section 7. overpressure (internal overloading). Note: In this guidance. 5. isolation failure. operation. internal corrosion/erosion.

overpressurisation protection systems. interlocks. The need to provide measures to maintain integrity during maintenance and decommissioning of the installation should be considered at the design stage. These prevention measures can impinge on all engineering and operation disciplines and this highlights the need for a fully integrated approach to hazard management. corrosion allowances. breach of containment controls. decontamination and removal of oil storage tanks. October 2003 . isolation valves. pumps. inspection and protection. 44 Issue 2. compressors. including piping. vessels. isolation. draining. systems and procedures and associated competence of personnel. impact decks and control of heavy lifts. material selection. These may include provision for: − − − − − draining down of vessels and the entire hydrocarbon containing system. decontamination. inert gas or flushing systems. controls on shipping. operational procedures. purging and removal of pipeline risers and piping.g.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Typical prevention measures include: − − − − − − − − − − − the integrity of hydrocarbon plant. e. suspension or abandonment of wells. reduction of possible release points. etc. process control and shutdown systems. and supporting structures. use of welded joints and non invasive instruments.

the provision of suitable equipment in these areas. Issue 2. The following should be considered: − locate hazardous plant in the open air.3 Reduction of a Flammable Atmosphere The reduction of the likelihood of the formation and the size of a flammable gas cloud will both reduce the possibility of ignition and any consequent explosion overpressure or fireball. The selection of materials and specification of appropriately classed equipment falls within the design remit but operational controls are needed to ensure that the selected approach is implemented throughout the operational life of the installation. This includes reduction of ignition sources and the selection of materials that are less likely to be ignited or sustain combustion. maximise the distance of any source of ignition from possible sources of release. Model Code of Safe Practice Part 15 Area Classification Code for Petroleum Installations) the control of other sources of ignition and the specification of materials which are difficult to ignite or do not sustain combustion.3. control hot work and spark potential activities.P.6. use suitably designed and approved electrical equipment for the classification of the area. type and potential size of a release. Further reduction of ignition probabilities may be achieved as follows: − − − − − − − − − − − avoid any unnecessary electrical equipment in the area. avoid fired heaters in proximity to hazardous areas.3. October 2003 45 .see Section 5. prevent gas ingress into internal combustion engines and non hazardous areas.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 5. 5. shutdown selected equipment on detection of gas. control of hot surfaces. The generic means of preventing ignition of minor releases of hydrocarbons is the classification of areas according to the probability. (Reference I. liquid and gaseous fuels.2 Ignition Prevention The aim is to prevent the ignition and sustained combustion of solid. ensure adequate ventilation in the areas . avoid processing hydrocarbons near their auto ignition temperature.3. use non flammable or low flammability material.

October 2003 . optimise natural or mechanical ventilation. control of the size of process areas. 46 Issue 2. reduce the distance from potential leak sources to the open air.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − minimise congestion and ‘dead areas’ around likely leak sources.

inspected and verified on the installation. The design should therefore take these needs into consideration. and standard of others. Systems should preferably be specified in terms of functional parameters. Systems should be resourced with regard to the risks from the particular hazardous event being addressed and their role and importance in reducing that risk. Control and Mitigation Principles Detection. viii) Systems should be selected and specified after appropriate consultation with those responsible for their use and operation. The quality of some systems will affect the need for. Issue 2.2 Selection and Specification Overview The purpose of this section is to assist those responsible for the selection and specification of detection. Systems should be selected and specified to provide an appropriate balance between prevention. control and mitigation systems should be selected and specified according to the following principles: i) ii) iii) iv) v) vi) The assessment of fires and explosions should be used to determine the need for a system. October 2003 47 . reliability. These drawbacks must not offset the risk reduction provided by the system.1 Selection and Specification of Systems for Fire and Explosion Detection.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 6 6. Mitigation systems should be specified after taking into account the contribution from the detection and control measures in reducing the extent and duration of the hazardous event. Each system should have a clearly defined role. detection. 6. There are a number of options in the categories listed below. there should be a significant overall benefit. control and mitigation. ix) Systems which may introduce a new hazard. availability and survivability. control and mitigation systems to select an appropriate combination of measures. exacerbate an existing one or impair the performance of another system should be avoided or the interaction should be addressed. vii) Systems should be capable of being operated. i.e. The provision of some systems may eliminate the need for others in the same or different categories. The arrangements selected to manage each identified hazardous event should be such tat the risks to persons are reduced to a tolerable level and to ALARP. maintained.

escape and rescue (EER) are dealt with in UKOOA Guidelines on the Management of Emergency Response for Offshore Installations. their means of escalation and the realistic expectation of the capability of the systems. In the case of existing installations. and performance standards of the system. emergency response and manual intervention. 48 Issue 2. Each category may have both engineered and operational systems and may be either specifically designed for a particular hazardous event or a generically applied measure such as a code or procedure. The selection of an appropriate combination of measures in a new design will require the interaction of both designers and the Operator/Owner so that the relative contribution from. October 2003 . The consequences of this event will be determined by the provision and effectiveness of the control systems. The system options are discussed in detail in Section 7. all the measures should already be in place but the relative dependence on engineered systems and operational measures should be understood by those responsible for the systems and for the overall safe operation. The fire and explosion assessment process described in Section 4 can be used to identify where different systems may make a contribution and. the functional role of the system and the suitability of that system for the fulfilment of that role. The provision and quality of the prevention and avoidance measures may influence the frequency of occurrence of an initial event. by examining the frequency and eventual consequences. the need for. Evacuation. control and mitigation systems. 3. and dependence on.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management In addition to the prevention measures discussed in Section 5. frequency and severity of the initiating events. to actuate systems control measures to limit the scale of an event and avoid escalation to a major accident. Detection systems may be used to initiate prevention. Systems should be chosen with a full understanding of the likely hazardous events. where appropriate.1. The selection process should follow Fig. the categories are: detection and alarm measures to alert personnel and. The provision and performance of systems should be such that these risks are tolerable and reduced to ALARP. procedural measures and engineered systems is fully assessed and understood by all involved. The combined performance of each of these systems will determine the overall risks to life. Factors to be taken into account in the selection and specification of systems include: severity of the eventual consequences. mitigation measures to minimise undesirable consequences of a major accident. The provision of mitigation systems will limit the consequences of escalation.

Each of the topics in the table is discussed in the remainder of this chapter. suitability and applicability of alternative systems.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management - applicability to the circumstances in which they will be used. Operators/Owners. capital and maintenance costs. requirements for. and practicality of maintenance. inspection and testing. limitations that the systems may place on operations and vice versa. Issue 2.1 can be used as a suitable consistent method for describing systems to aid their appropriate selection and specification. auditors. vendors. availability. hazards which may be introduced by the systems themselves. performance of the combination of systems in meeting the risk criteria. operators. The Table can be developed for individual systems so that there is a common "language" between designers. any adverse effect that the system may have on hazards or other safety systems. October 2003 49 . etc. timescale and potential for escalation of an initial event to a major accident. Table 6.

2) The overall reliability/ availability requirement.4. It is advisable.3.3) A statement of the hazardous events for which the system may be suitable. initially.5) The different types or variations available of the particular system. 50 Issue 2.4.1 : System Selection and Specification SYSTEM: Title of Hazard Management System Suitability:(6. location and types of equipment for which using the system. to consider if further engineered systems are still required following the hierarchy listed in Section 2.1) A listing of essential parameters relevant to functional capability which should be considered when specifying the system to fulfil its identified role.3. Interactions/Limitations:(6. SPECIFICATION PARAMETERS Functionality:( and Section 6. the safety systems will a]ready be in place.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Table 6. to concentrate any improvements on procedural measures to prevent the occurrence or reduce the frequency and. Refer to Section 3 for guidance on the timing and sequencing of the selection.6) Details of possible interactions resulting from the use of the system. Reliability/Availability: (6. Survivability: (6.2) Applicability:(6. may be appropriate.3 Selection of Systems The selection of safety systems from the range available will depend on the stage in the installation life cycle. The assessment carried out under the Safety Case will have identified those particular systems which are important with regard to reduction of the risk from identified hazardous events and judged their adequacy. A listing of any limitations of the system. thereafter.3. Types/Variations:(6.3. For an existing installation. The interactions could be with plant. October 2003 .4) A statement of the application. 6. personnel or other safety systems. ROLE: Statement of purpose (6.3) The parameters relating to hazardous events which the system may have to withstand or be considered when designing or specifying the system.

If a system is required to detect. mitigate or survive a fire or explosion. These are identified in the assessment of fires and explosions and it is important that they should be considered. the principles of inherent safety should be applied. design codes and procedures would normally be the same as those already in place unless they are no longer recognised as good industry practice. in specifying a system. heat flux.3 and 6. Any new systems should be chosen in line with the hierarchy in Sections 2. as appropriate. For Explosions: Issue 2.g. 6. These may either have a direct role in counteracting a particular hazardous event such as preventing rupture of a vessel or a support role for these systems such as firewater supply or fire and gas detection. A system may be required for more than one hazardous event and may also have more than one role.2 The Role of a System The role of a system should be clearly defined by providing a statement of what the system is intended to achieve.2. 6. (e. Thereafter the provision of systems should be examined to determine if they are adequate to address any new or changed hazardous events. control. flame velocity. type and concentration of products of combustion.3. a deluge system can reduce oil burn rate.3.1 The Definition of a System The extent of a system should be described so that its role and performance can be defined.3 The Suitability of a System The systems chosen should be suitable for the role which they have to perform. The generic systems. it should be specified so that it is suitable for the range of hazardous events for which it is to be used. This may range from an overall system such as an active fire protection system to a discrete part such as a deluge system. or prevent catastrophic rupture of a pressure vessel under certain fire conditions). the release and combustion conditions or particular characteristics such as: For Fires: − − − − flame temperature.3. for the system. It should be clear how the system relates to its role in managing each particular event.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management When an installation is modified. it may be appropriate to specify either the type of fire or explosion. 6. October 2003 51 .

missile velocity or energy. For example. These parameters should be assessed for the full lifecycle of the system taking into account the effects of the environment and site conditions. It should not seriously inhibit the day to day activities on the installation. 6. access and site conditions. It should not introduce undue maintenance and repair requirements such that either the system will have limited availability or require disproportionate resources on the installation to maintain it.5 Types and Variations There is a large variety of systems ranging from those operating on fundamentally different principles to subtle variations between different manufacturers. be simple and robust to enhance their long term effectiveness. where possible. maintain and repair it should be given equal consideration to the initial cost and ease of installation. A system should normally be capable of fulfilling the role for the anticipated life of the installation providing that the designated inspection. 52 Issue 2. reduce the effectiveness or reliability of another safety system. drag force. Where practical.2 for selecting the system. 6. Systems should. there are a number of types of passive fire protection systems including demountable panels and spray applied systems and there are variations within these different options. the system suitability should be verified by representative testing. If this is not practical. it should have a predetermined lifespan at the end of which it should either be replaced or fully assessed to determine the extension of that lifespan. The choice of a particular type of system should primarily be based on the list of parameters in Section 6.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − overpressure. or cannot be guaranteed. Care should be taken when extrapolating results or basing a design on a purely theoretical analysis. In considering the applicability. the ability to operate. October 2003 . maintenance and repair requirements are carried out. maintained and tested effectively taking into account the working environment.3. pressure profile.6 Interaction and Limitations System interactions are those characteristics of a system which may: − − − introduce a new hazard. 6.4 The Applicability of a System Each system should be designed to ensure it can be installed.3. increase the frequency or consequence of an existing hazardous event.3.

where necessary. either an alternative safety system selected or measures put in place to address the interactions. limitations on inspection. corrosion due to increased saline exposure resulting from free ventilation and open venting to reduce explosions. reduced ventilation caused by ftrewalls. In some cases numerical values may be appropriate and in others they may be described qualitatively. increased probability of ignition for example due to deluge water ingress to electrical systems. increased explosion overpressure caused by firewalls. projectiles created by safety systems such as vent panels. for example due to deluge system testing or increased by passive fire protection.4 Specification of a System Systems should be specified by identifying the critical parameters which define their ability to fulfil the role and the likelihood of success. maintaining or testing the system. These parameters have been divided into three groups: functionality. October 2003 53 . corrosion caused by the system. Different parameters will be required for different systems. maintenance or operation. availability/reliability and survivability. deterioration of passive fire protection systems caused by repeated removal for inspection of the protected plant. maintenance and non-destructive testing of plant. equipment or structure as a result of passive fire protection materials or enclosures.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management These should be identified and. Issue 2. Interactions include: − − − increased direct risk to personnel operating. − − − − − − − − 6. increased numbers of leak points and breaches of containment due to the addition and testing of process safety systems. increased explosion overpressures due to the obstruction caused by it or ladders / walkways / scaffolding needed for its inspection.

3. extinguish. They represent the minimum acceptable performance standard to be achieved during routine testing. it should be specified so that it is effective for all these events. 6. whichever is more suitable for system specification or verification. It may also introduce overcomplexity and detract from the system’s reliability.1. for initial verification that the identified role is fulfilled and for continued verification during the life of the installation. a discrete part of the installation or a part of a module.4. 6. These may then be used as the basis of design.1. However. Failure to achieve this performance would require remedial action or justification.4. The time should be taken from the start of the event until full functional performance is achieved. It may also be necessary to define a maximum fire size or explosion overpressure (for protection) or a minimum fire/gas cloud size (for detection) in accordance with the design accident loadings or boundary.4.1 to 6.4.2 Coverage This is a definition of the equipment or areas to which the system is applied. 6.3.3 Response Time The response time should be considered for all active systems which are required to respond to emergency or hazardous events. individual component responses may be useful as an aid to system confirmation through component test.1 Fire or Explosion Type and Characteristics It may be appropriate to define either a particular hazard condition or a characteristic as described in Section 6. A list of parameters is given in Sections 6.4.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The designer and Operator/Owner must determine the performance standards for the system. Each system should be examined to identify which of these parameters are needed to define functional specification. suppress or protect against one or more particular hazardous event.1 Functional Parameters These are the parameters which define whether or not a system will fulfil its role and its effectiveness. There is a balance between the extent of risk reduction and what is reasonably practical in terms of cost and manning. 54 Issue 2.4. Over specification of systems should normally be avoided as this may misdirect expenditure and apply disproportionate resources to particular hazardous events or particular safety systems.1. It may be a list of equipment. The time taken to detect an event should also be taken into account in determining the systems overall response time.1.9.1. October 2003 . 6. It is not necessary to set response times for the individual components as it is the system response which is important. Where a system has to detect.

Issue 2.2 Availability and Reliability It may be necessary to define the likelihood that a system will operate and fulfil its role whenever required to do so.4.6 Sensitivity/Preset Values Systems which are required to operate at a particular level should have this value defined. application rate or concentration is required to fulfil the defined role. 6. this may have to be defined by a particular characteristic. visibility or contaminants in which a system is required to operate. This may also be associated with duration. humidity.1.1. As well as ensuring actions it can also prevent actions until certain others have taken place. temperature. Examples include a limiting structural steel temperature in a fire. This can apply to preventive measures which alarm or operate when equipment or process characteristics deviate from their design or operating specification and to detection systems which alarm and possibly actuate control and mitigation systems.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 6. 6.1. together with the acceptable limit of tolerance.4. or losses after application such as gaseous extinguishing agent leakage from an enclosure. loss of deluge water due to thermal effects. It should be clear whether or not it includes an allowance for losses during the application of the fluid. for example.5 Logic Logic is the sequential activation of parts of a system to cause it to operate in accordance with its role.9 Failure Criteria Where a system is provided to prevent a failure.1. asphyxiant and toxic gases.8 Environmental Conditions It may be necessary to specify the range of environmental conditions such as air velocity.4 Duration Duration is the length of time during which a system is required to operate to fulfil its role until the hazardous event is adequately reduced or persons moved to a place of safety. October 2003 55 .7 Flow/Application Rates/Concentration This applies to active systems where a minimum or maximum flow.4. 6. as the role may be achieved so long as failure does not occur within a specified time. 6. 6. or impairment criteria within a TR which may be defined as a limiting combination of heat.4.4.4.

sub systems and in the design. control and mitigation systems. Systems provided to protect against those hazardous events which make the greatest contribution to the total risk level will generally need a high reliability or availability to ensure that they perform the necessary functions when required to do so.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The need to specify this criteria for a particular system should be determined during the assessment of the fires and explosions and by the required risk reduction from the system. standards. Criticality Ratings or Safety System Categorisation. These ranking systems should ensure an expected probability of success by predefining the parameters given below. This approach is most relevant to existing installations. Based on this. 56 Issue 2. construction and operation to systems in the same category avoiding the need for individual assessment of each system. Applying a ranking system to one group of systems in isolation should be treated with care to avoid over specification or over concentration on these systems.2. Where there is a heavy dependence on a single safety system to reduce the risks from a particular major accident.4. Instrumented Protection Systems but not for all the prevention.g. it may be appropriate to consider duplication of the system to reduce the likelihood of failure on demand. It is used to apply a standardised approach for design. It has the disadvantage that it is well developed for some types of system . By reviewing the design of an existing system and assessing the probability of successful operation.e. ii) iii) The ranking of systems may be variously described as System Integrity Levels. This approach is generally only relevant when new systems are to be provided. It has the advantage that it can clearly identify the most critical safety systems on the installation so that due attention can be paid to them. codes or by internal company standards. This criterion can be developed in three ways: i) By identifying the required probability of success of a system in order to achieve a given level of risk reduction. the system can be specified and designed to achieve the required probability of success. It can also demonstrate the relative importance of different types of safety systems. One approach is given in Appendix 2. October 2003 . By applying a generic classification such that the systems are ranked in accordance with industry practice. Whichever approach is chosen the following parameters should be defined or assessed: 6.1 Design and Build Quality The long term reliability of the system will be reflected in the quality of the components.

Systems should not be over complex or enhanced with features which are not essential to the fulfilment of the role. The design should integrate the components into an effective system which achieves its functional performance standard throughout its life. for example a system may be switched to manual from automatic thereby extending its response time or scaffolding may limit the coverage of deluge and optical fire detection systems. Inspection and Testing All safety systems should be inspected. The whole system should be commissioned and subject to full representative testing of the functional parameters to verify that it fulfils its role and will continue to do so throughout its life providing it is maintained and tested to a given schedule.2. These intervals and standards should be determined after taking into account the required reliability or the criticality of the system.3 Non-Availability (Downtime) Systems may not be available because of maintenance. There should be clear design responsibility for the whole system where components and sub systems are sourced from different suppliers and different parties carry out parts of the design All parties involved in the design should be competent and have a clear understanding of the purpose and functional requirement of the whole system. October 2003 57 .4. testing. repair. 6. They may also be partially impaired during some activities such that the functional parameters may not be fully achieved.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The components should be suitable for long term exposure to the environmental and operating conditions either through their design. They should have a proven reliability which may be demonstrated by appropriate representative inspection and testing during design and manufacture.g. known causes of failure and the environmental conditions. historical information on the likelihood of failure. Adequate integrated operating and maintenance information about the whole systems should be provided for the operator in order to overcome failures due to lack of understanding. 6. material qualities or their protective coatings or enclosures.2 Maintenance. tested and maintained to a particular standard at predetermined intervals by competent personnel.4. breakdown or impairment while other unrelated activities are being carried out. Issue 2. would not start or continue to operate when required).2. These intervals will be determined by the required probability that the equipment will not have an unrevealed fault (e.

2. Where practical.see Section 4. Duplication is likely to add significantly to the system cost and it may also add to the vulnerability and complexity of the system.5 Duplication Duplication will normally only need to be considered for those systems where it may not be acceptable to continue operations when a system or part of it is disabled.g.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management There should be clearly defined limits for the periods when a system may be out of commission. Where necessary. It may also be considered where part of the system is damaged in a fire or explosion .6. from a fire and gas detection or process instrumentation signal) or manual (e.4. full functional actuation tests should be can-led out between detectors and the system. or to have contingency measures to provide alternative cover. competent personnel specifically assigned to the task and the actions simulated in exercises. With automatic systems. October 2003 .2. it may be appropriate to have duplicate systems or to shutdown or curtail hazardous operations whenever a system is not available. Where this is not practical. It may be automatic (e. It may be appropriate to set controls on hazardous activities in areas covered by the safety systems which are not available. such limitations should be identified and assessed. controls on hazardous activities or contingency measures should be considered. the reasonable expectation of their performance in an emergency. other duties which they may have to perform and accessibility to the actuation point in the emergency.4. Where such actions are critical. it may be appropriate to set a maximum continuous period when a system may be disabled or a maximum cumulative downtime over a given period such as a year. In the circumstances where the functional performance of the system may be impaired by activities in the area.g. 6. 58 Issue 2. In some cases. 6. the availability and capability of personnel at the time of the initial event. For manual action the probability will depend on.4 Actuation The method of actuation of a system may influence the probability that it will operate. they should be documented in emergency procedures. a remote operation from a control room or an external walkway or local to the equipment such as a valve handle). the probability will depend on the reliability of the detection and of the interface logic and systems between it and the system. representative tests of all the links and the logic of the system should be undertaken. It should only be used where the reliability and availability of a single simple system is not sufficient to achieve the required risk reduction. In others.

Issue 2.8 False Alarms/Spurious Systems which are subject to false alarms or spurious operations due to their oversensitivity. As a result they are more likely to be locked out and have reduced availability. there may be effective duplication for smaller incidents but the total capacity may be needed for larger events. It may be necessary for designers to consult with the Operators/Owners to determine an appropriate balance between dependence on complex engineered systems and on installation personnel. a system may have a variable demand. this should be fully documented and. design or maintenance activities.2.2. In these cases.6 Diversity Diversity is the provision of different type components such that they are not vulnerable to similar failure mechanisms. where necessary. Systems should be operable under these conditions where practicable. where necessary. documentation should be sufficient to enable them to be operated. and maintained effectively. justified. This would overcome any common mode failure associated with one manufacturer.4. Where such problems become apparent during operations. Where complex systems are provided. With multiple pumps. Designers should seek to overcome this by talcing account of all foreseeable operation and maintenance activities.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management In some cases. analysed. October 2003 59 .4. poor design or response to normal installation activities are likely to lose the mast of the Operators. firewater supply. 6. Any reduction in reliability through the addition of system features or enhancements should be identified and. for example. to ensure that the systems can deliver the required functional performance for the different events and provide adequate availability and reliability for the frequency of the particular events. 6. Diversity would normally only be considered if there was a total dependence on one system to prevent a major accident and a very high reliability was required from that system.4. alternative arrangements should be considered to reduce risks.7 Over Complexity/Operability The overall reliability of a system may be impaired if the level of complexity raises the numbers of components that can fail or makes it difficult to operate and maintain. 6.2.

by constructing the system so that it has sufficient inherent resistance to withstand the event. see Sections 4. systems should be positioned following an assessment of the hazardous events so that exposure can be reduced. October 2003 .4. Where a system is duplicated.3 Survivability The exposure of parts of control or mitigation systems to a hazardous event is identified by the assessment process. The need for that system to survive the event should be determined by examining the likelihood of the system failing and the frequency and consequence of the escalation without its contribution. by providing redundant components which are widely separated so that sufficient parts of the system remain operable. In a new design. by shielding the system with fire or explosion protection. the characteristics and severity of the event should be defined and the system or enclosure designed to withstand it.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 6. 7. Duplication will only increase survivability if failure 5T the duplicated component does not cause total system failure or the damage can be effectively isolated and the system reinstated during the emergency.see Section 4. Protection may be achieved in four ways: i) ii) iii) iv) by re-locating the system so that it is not exposed to the hazardous event. 60 Issue 2. Survival is important only where that system is specifically needed to counteract the hazardous event which causes its failure or to preserve life during and after the event. The latter requires a method of determining the location and extent of the damage. it may be necessary to locate duplicated components or sub systems m different areas with alternative routings for distribution systems such as cabling and firewater systems. Those persons responsible for emergency response should confirm that it would be practicable to reinstate the system during an emergency .6. Where protection is provided. Safety systems such as ballast control systems on a floating installation should also be considered. access and availability of competent personnel. S to 4.

1.1 Process Monitoring This will identify deviations outside the normal operating envelope which. The following parameters should be determined when specifying the system. This section does not address the detection of incipient hazardous conditions.1.2).3) and sensitivity (Section 6. response time (Section 6.6).1. locating and maintaining the system.1. 7. In selecting.4. an unignited release of flammable gas or a fire. This enables control or mitigation measures and emergency response to be initiated. temperature.4.3. to a filly automatic system which integrates into the installation emergency shutdown system. Control and Mitigation of Fires and Explosions Detection Options Detection measures can be used to identify hazardous conditions on the plant such as excess process pressure. This is addressed in Section 5.2.1. to a limited extent assess the nature and magnitude of the hazardous event.3) and the environmental and operating conditions in the area. 7. The following detection options may be considered for the particular roles. The degree of sophistication and sensitivity will depend on the likelihood of the occurrence and the consequences of it either remaining undetected or there being a delay in detection.1. the logic should also be specified. coverage (Section 6. level or composition.1 Optical Flame Detectors These may be of either the ultraviolet or infra-red type or a combination. October 2003 61 . could cause failure of the hydrocarbon containment system. In using this updated Fire and Explosion Guidance. attention should be paid to the following: − nature of the fire type and combustion characteristics. 7. Detection should provide information to personnel to enable them to identify and. Particular attention should be paid to the selection of a system with respect to the conditions and characteristics of the hazardous event (Section 6. the results of the fire and explosion assessment process should be used to determine the demand rate of the system. specifying. It may include detection of pressure. such as corrosion. Detection systems may range from visual inspection only.4. if allowed to continue or deteriorate. The need for detection systems is identified in the assessment process and also by the need for particular systems to be actuated.1 Guidance on Systems for the Detection.2 Fire Detection The fire detection systems should be suitable for the identified fire types and their combustion characteristics.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7 7. Issue 2. Further guidance will be given in UKOOA Guidance for Instrument Based Safety Systems (to be published in 1995). Where control action may be initiated. The following types of detection may be considered.

2 Heat Detection These may be either point or linear detectors and operate on electrical. pneumatic or hydraulic systems.g. or by electrical contacts.3 Smoke detection Smoke detection may use point optical or ionisation sensors or it may assess the obscuration of a beam. October 2003 . and control over. It can give early warning of the incipient stages of a fire. false alarms e. the required actuation temperature. obscuration by equipment and temporary obstruction. e. the need for.2. 62 Issue 2. 7.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − − − − − location and size of fires which require detection. with dirty lenses. the detection of fires outside the area resulting in other control actions. 7. In selecting. the suitability and sensitivity of the detector to that type of smoke or POC. sun or flaring (both direct and reflected). They can be used to actuate control systems directly through loss of pneumatic or hydraulic pressure. those due to welding. obstructions and ventilation.2. attention should be paid to the following points: − − − − the location of the primary fire sources. the movement of the flames and hot combustion products taking account of ceilings. specifying and locating the system. lockouts. the location of the detectors with respect to the size of fire which requires detection.g. obscuration/effectiveness in smoke. reduction of performance e. the ability to perform representative function testing on site. The following points should be considered in selecting a system: − − the type and quantity of the products of combustion (POC) emission from the identified fires. hot surfaces.1. deluge actuation due to flame extension from adjacent modules.g.1.

where the main air flows will carry a plume of released gas. e. the consequences of ignition of the foreseeable range of gas clouds. obscuration of the detectors (beam type).UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − the alarm level.1. concentration (if appropriate) and location of the gas clouds. electro chemical. effects of contaminants on lenses and reflectors (beam type). movement and extent of the resultant gas cloud taking into account ventilation systems and obstructions. October 2003 63 . taking into account the time to impair personnel or the TR. over-sensitivity (beam type). limitation of the local air flow. the shape. taking into account the associated levels of other potentially more dangerous products of combustion such as carbon monoxide. operating and maintaining these systems: − − − − − − the location of possible releases. specifying.g. by temporary enclosures (point types). Beam detectors are most usefully employed to monitor the open spaces around congested plant.3 Gas Detection Gas detection systems commonly employ point and beam type detectors which use the infra-red absorption or catalytic sensor principle. the size. chemicals and the environmental conditions on the effective life of the sensor (this is particularly important for catalytic gas and H2S detectors). The following points should be considered when selecting. e. the effects of dust. Other technologies are required for certain hazards. They may also be used in large ducts.g. the ventilation regime and the associated movement of smoke or POC. the type of gas. semiconductor sensors for hydrogen sulphide.) − − 7. − − − − Issue 2. the likely time to detection and the response time. (Note: the design codes used should be appropriate and take into account any forced ventilation. the sensitivity of the system. Point detectors are normally deployed in congested areas of plant or in air intake ducts.

causing further significant release of hydrocarbons or increasing the fire load. seal leakage alarms in double seal pumps. During quantification of the characteristics of the fires and explosions. For active control measures. spread and burn rate of a fire. The specification of such active and passive fire protection measures is covered under mitigation systems. oil mist detection. process and/or fire and gas detection systems are also required to activate these systems either manually or automatically. Specific control options are listed in Sections 7. visual inspection. These systems offer greatest scope for limiting the size and scale of an incident.2 Control Options Control measures are the means of planned intervention to contain a developing situation and hence limit escalation. This includes systems which prevent fires or explosions from spreading to other areas. The control systems can limit the following: quantity of inventory released. the effects or contribution of each of these systems would normally be taken into account. high level alarms in the open drain systems. rate of release and size of the fire. The difference is the contribution of the particular system. However. The escalation analysis should indicate the scale and consequence of the events if these systems do not work. October 2003 . these codes only take into account a nominal consideration of the hazardous events before defining the system requirements and this provision may be optimised to further reduce risks.1.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7. These systems are normally included in the design and specified according to standard codes such as API RP 14C or API RP 520.2. However.7. intensity of the fire or explosion. This is preferable to accepting the size of an event and providing an excess amount of protection to mitigate its effects.1 to 7. 7.2. 64 Issue 2. there may be a number of measures which may indicate that an unintended release of hydrocarbons has occurred.4 Flammable Liquid Release There are few systems which have been specifically designed for this purpose. These include: − − − − − low level alarm in process vessels and storage tanks.

October 2003 65 . disposal and recovery system. blowout preventers. Inventory disposal should not normally be considered unless the benefits significantly outweigh the inherent hazards and vulnerability of the collection. Any such system should taken into account any dissolved gases in the liquid to be dumped. rate and location of release of fluids from a well. The location of the ESD valves will determine the areas where each particular inventory could be released. Disposal to a safe reservoir may be considered. mud systems and diverters. Issue 2.2 Depressurisation Systems These systems reduce the pressure within a system and in doing so dispose of a portion of the inventory and. Bunding drains should be capable of collecting and disposing of all or most of the hydrocarbon release and the applied firewater. 7.1 Emergency Shut Down (ESD) Systems An effective ESD system will limit the inventory released in an incident and therefore the size and duration any resulting fire. 7. In the case of pressurised liquid releases this reduces the fire intensity by causing spray fires to change into running or pool fires. The extent of bunding should take account of any liquid trajectory from the points of release. 7.2. It is important that the flare system design should take into account emergency depressurisation events and recognise that its failure could lead to a release of all the gaseous inventories from a failed section. Gas and fire detection systems covering areas containing primarily flare system components such as liquid knockout vessels should not cause automatic depressurisation on detection.2.2.4 Bunding and Drainage Systems Bunding and drainage limits the size of a liquid release and location and size of a pool fire.5 Well Control Systems These can reduce and control the likelihood.3 Liquid Inventory Disposal These systems are not in common use offshore but they are a means to be considered in seeking to limit the available inventory. 7. They include Christmas trees. if the integrity of the system has failed. downhole safety valves. Disposal to the sea has significant environmental implications which need to be carefully considered and taken into account. These may be controlled by bunding and drainage systems and possibly even be extinguished.2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The particular contribution of each system is as follows: 7.2. reduces the release rate of the remainder.

reduce congestion. blast relief vent panels.see Section 5.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7.2. for example. In addition the need to control escalation should be considered. The considerations for these systems include: 7. suppression systems.1 Layout and Obstruction The layout of a module should be designed to reduce the maximum over-pressure which could be achieved. 66 Issue 2.2. design of layout and obstructions. where possible. blast resistant walls.3). reduction of potential flame propagation distances through congested volumes. using grating (See Section 7.6. maximise venting capability. reduce number of ignition sources. restrict module aspect ratios. align equipment and vessels parallel to the direction of venting. where possible. particularly in floors and ceilings by.6. minimise obstructions across openings in the module boundaries both during design and operation. Detailed guidance is given in the SCI Interim Guidance Notes but the following points should be considered: − − − − − − − − arrange ventilation to reduce the likely build-up of the most probable releases.2.6 Explosion Control Explosion control may include the following: − − − − − − limitation of the size of the flammable gas cloud . keep ignition sources near to the ventilation openings.3. October 2003 .

particularly items supported on the wall. These can limit the maximum overpressure and ensure preferential venting in a particular direction.2. etc. − − − − − − Issue 2. verification of the breakout load throughout the life of the panel.). method and extent of failure (missiles. effects on and of equipment on the other side. the maintenance of a clear vent path on the outside.6. the initial breakout load of any panel or cladding. In specifying such a system. They may be open or covered by specially designed vent panels or normal cladding. integrity of penetrations such as doors. The following should be considered when specifying blast walls or assessing the adequacy of existing walls: − − − − − − deflection of the wall. transfer of load to the primary structure 7. continued effectiveness of any passive fire protection. the effects of venting through openings or panels on other areas such as escape routes. the effect of the vent on the gas flow and flame propagation direction.2 Blast Resistant Walls These should be designed to withstand a specified explosion overpressure and blast pulse. retained and free types. the external effects of the flame front progressing through any unburnt gas which is ejected through the vent. October 2003 67 .UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7.6. A range of panel types are available including those with fire ratings from both sides.3 Vent Areas These are designated openings through which the explosion can vent. the following points should be considered: − the relationship between the mass of the panel and its ability to efficiently vent an overpressure within the timescale of the pressure pulse. pipes and cables. and reclosable.2.

− − 7. The detectors of these systems are often highly sensitive and may be susceptible to accidental activation. the explosion characteristics and flame propagation velocity. October 2003 . the speed of response to achieve effective coverage.5 Reactive Suppression System These are suppression systems which are released following sensing of an explosion characteristic such as flash or pressure pulse. continued protection following suppression and continuing gas release. This could be overcome by pre-arming them with a signal from the gas detection system.6.4 Preactivated Suppression Systems These are suppression systems which are activated on detection of gas and maintained while the gas is present. The following should be considered in specifying such systems: − − − − the concentration required and distribution of the agent. for example by static discharge or a water system causing an electrical short circuit. the sensitivity of detectors taking into account the unpredictability of the point of ignition and its obstruction by plant or temporary equipment. chemicals which interfere with the combustion process and water spray systems.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7.2. possible increased risk of ignition caused by the system. They can include inerting gas systems.6. the likely explosion characteristics (low/high velocity) and the suitability of the system for those characteristics. the rate of flammable gas build-up and the speed of response of the gas detection and suppression system. − − − 68 Issue 2. the speed of response from detection to effective agent distribution (this must be greater than the flame/pressure front). The following should be considered when designing or assessing a system: − − the speed of detection of a gas release.2. the maintenance of an effective concentration during the period of gas release and dispersion.

October 2003 69 .6. provision of sufficient overall reserve strength so that even though an identified structure fails it should not result in escalation. loss of support of safety system components. such as that providing stability or for plant which may collapse on to or against equipment. derrick and flare. well. by suitable location).g. Where explosions could cause failure of vessels. Strategies to maintain structural integrity in the event of fire and explosion include: − − − limiting the exposure of critical structural components to fire and explosion conditions (e. valves. fuel storage.7. piping and ESD valve actuators away from explosion vent paths. − Issue 2. alternatively where reasonably practicable. the adequacy of pipe and vessel supports. the securing of pressure vessels so that the fixed end support points towards the explosion source thereby seeking to avoid the rotation of the vessel around the fixed end support. Particular failures which should be addressed include: − − − − loss of integrity leading to a major or continuous hydrocarbon release.2 and 4.7.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7. structures and plant reinforced or protected to withstand the loadings. The following points may be considered in addition to those suggested in Section 5: − − − the location of instruments. e.2.g. e.2. their effects should be reduced or. loss of support of the TR.2.7 Structural Integrity The maintenance of the integrity of the structure can reduce the escalation described in Sections 4. This may be for either direct support.6 Design to Prevent Escalation This covers both structural integrity as described in Section 7. loss of support of large structures. 7. and the integrity of the hydrocarbon containing plant. separator and flare system. piping or instruments which may lead to a further major hydrocarbon release. provision of inherent strength such that the resultant deformation when exposed to the design fire and explosion loadings is unlikely to lead to escalation. physical protection (e.6.g.g. riser. by active means such as water deluge or passive means such as insulation).

3. having regard to the likelihood of concurrence. 70 Issue 2.3. the actual exposure to fires and explosions taking into account obstruction and realistic combustion conditions. This is most likely to result from explosions. it includes all fire protection systems including those to control escalation by protecting plant. inspection to determine any deviation from the original strength. October 2003 .3 Mitigation Options This Section discusses the choice and specification of systems to protect personnel and equipment from a range of fires and explosions.Section 4. − − 7.6. dynamic response. the combined effects of other loads. direct loads on blast walls and blast reaction forces on modules and topsides. It may be necessary to evaluate the response of the structure to fire and explosion events to determine where failures may occur and which strategy(s) to adopt. The equipment and structure which could be exposed for long enough to cause impairment or failure is identified in the consequence analysis . verification of the initial build strength.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The following should be considered when determining or assessing the level of structural integrity: − − − failure criteria such as steel temperature.6.3. Systems should be selected on the basis of suitability for each hazardous event and applicability to tie operational conditions taking due account of interactions with other plant and systems. e.2.3. the overall structural response to larger hazardous events. the effect of protection systems. see particularly Sections 6. Explosion protection is covered under Section 7. For the purposes of this document.4 and 6. including loads arising from thermal expansion.6. The following points should be considered: − − − − − the potential for failures to lead to escalation. overall and local loads. This analysis also identifies the type of fire or explosion and the loadings. deflection (both elastic and plastic) and the remaining strength at the anticipated temperatures. both local and global. but could also result from localised structural failure and rapid load re-distributions. changes of stiffness and any redistribution of externally applied or internally transmitted loads. 6.g.

October 2003 71 . the prevention of catastrophic rupture including BLEVE. The functional parameters will be flow. the protection of hydrocarbon plant to prevent further release of hydrocarbons.1. . The roles of commonly used systems are listed below together with specific points which should be considered during their specification. the extinguishment of heavy oil pool fires by emulsification. In some cases. In the case of existing systems. the effectiveness of the system in achieving the identified roles should be reviewed.3.1 Active Fire Protection These are systems which require to be activated in order to perform their roles to extinguish or limit the effects of fires and explosions.see Section 7. These demands will determine the flow and pressure envelope for the pumps and ringmain. 7.1. the control of the movement of smoke and flame (water curtains) the reduction of radiation.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7. design.3. These will be derived from the range of hazardous events and different demands for each one.3. and the response time and duration parameters. The following factors should be considered: Issue 2.1 Fire Pumps and Distribution of Fire The role of the fire pumps and distribution system is to supply sufficient water to the various systems and outlets to allow them to perform their role. For example a small flow with a rapid response but limited duration may be required for a helideck foam system whereas a large flow with slower response and prolonged delivery may be needed for a major process fire.2 Water Deluge Systems Water deluge systems may have a range of roles in fires. response time and duration.2. The system should be suitable for its intended role. pressure. operation and maintenance. the reduction of the burn rate of hydrocarbon pool fires. the reduction of flame and module temperatures. it may be necessary to carry out a “scenario analysis” for a selection of the larger hazardous events where a combination of demands may be required. 7.6 regarding explosions including: − − − − − − − − the protection of structural integrity.

4. If a system is specified.4.3.1. suppress vapours and secure a flammable liquid following extinguishment. the droplet size.1. Standard design codes. the duration of application. In doing so. application rate.4. the likelihood of a crash and the practicality of providing an effective system given an installation infrastructure (water supplies) and anticipated manning. the safe drainage of the water and any associated hydrocarbon liquid.g.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − − − − the suitability for the fire type and its characteristics. spread and application rate with respect to the anticipated location of the liquid hydrocarbons. A deluge system may be enhanced by adding foam concentrate to improve the probability of extinguishment or to further reduce the burn rate in pool fires.3 and 73.2. Aspirated foam can also prevent ignition of an oil spill. the helideck crew should not be unnecessarily exposed to aircraft activity and crash debris. The primary role of the helideck system is to save the lives of the passengers in a crashed aircraft. The design of the system should reflect the chosen roles and address the following: − − − − the effective coverage. wind. October 2003 . velocity and effective application rate . the effectiveness in the anticipated conditions. e. 7.4. the life of the foam (water retention and drainage).3 Foam Systems Foam may be used either as an extinguishing or vapour suppression system.see Section 6. The method of actuation should be appropriate for the likelihood and severity of the hazardous event . the type of foam.1.see Section 6.1. the most common is the use of foam monitors.see Section Helideck Systems The need for a fixed extinguishing system will be determined by the number of flights. the coverage of the plant and the location of the nozzles with respect to it .7. aspiration and concentration with respect to the fuel type. The particular points in Sections 7.1.7 should be considered in addition to the following: 72 Issue 2.3. application rates and parameters should be checked to ensure their suitability for the hazardous events and chosen role. 7.1.

Systems should be selected according to the following: − − − − the suitability for the types of fire. the safety of personnel. etc. and UKOOA Guidelines on Halon Utilisation. 7.Offshore Helicopters Landing Areas: A Guide to Criteria. Halons should not be specified on new installations see OGP (formerly E&P Forum) Guidance on Halon Free Fire Protection. security following extinguishment (the maintenance of an effective foam blanket) and during rescue of trapped personnel. Removal and Disposal.3. particularly if a gaseous explosion may occur. their ability to maintain post extinguishing security. Issue 2. office/utility or storage areas. More detailed guidance can be found in the UKOOA Guidelines on the Management of Helideck Operations and the Civil Aviation Authority Guidelines CAP 437 . Where such a system already exists. They are unlikely to have adequate response to protect personnel from the immediate effects of an initial incident but can be used to prevent escalation and to limit damage.6 Fixed Extinguishing Fixed extinguishing systems (in addition to sprinklers. the location of the sprinkler heads/detectors to ensue actuation by the heat plume from the anticipated fires.3. the effective coverage of the hazardous events.). their effectiveness in the particular environment and ventilation conditions. dry powder and water mist systems. see UKOOA Guidelines on Halon Firefighting Equipment and Systems.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management − − the speed of control and extinguishment compared with the survival time of the occupants of the aircraft. October 2003 73 .1. Recommended Minimum Standards and Best Practice.1. 7. the restriction of coverage onto particular unsuitable types of fires (deep fat flyers. foam and deluge) include gaseous agents.5 Sprinklers Sprinklers can be used for accommodation. In selecting a system the following should be considered − − − − the suitability for the types of fire which may occur and the choice of the appropriate design code.

This may include the provision of trained personnel with breathing equipment for search and rescue and the assistance with evacuation in fire conditions. hydrants.1.3. taking into account the effects of smoke and radiant heat. 7. the following should be considered: − − − its location in a safe position with respect to the hazardous event so as to organize an effective response. hose reels. They can also be effective in open areas such as the top deck and used to perform or support some of the roles of deluge systems. Where there are no recognised approval or design standards. hoses. Aspects of manual response should also be addressed in the preparation of the emergency response plan. water and foam branch-pipes. They should be carefully located. See UKOOA Guidelines on the Management of Emergency Response for Offshore Installations. fixed monitors may have a role in larger incidents such as the control of smoke movement or blowouts. when considering Operator access. fixed and portable monitors. In specifying and arranging the equipment. leadership of specialist emergency response the safety of emergency response personnel including the provision of sufficient appropriate clothing and breathing apparatus. The following equipment may be considered: − − − − extinguishers. While most of these arrangements have limited capacity with respect to the size of fires.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Recent developments in extinguishing systems should be carefully scrutinised to ensure their suitability and applicability. 74 Issue 2.7 Manual Response This may be appropriate for the majority of smaller fires. It requires a combination of sufficient suitable equipment and competent personnel. the effectiveness should be demonstrated by representative testing. October 2003 . training and personnel.

duration of the protection in the specified fire. Issue 2. They should be selected and specified by considering: − − − − − − − − − their suitability for the fire type. risers. resistance to wear and tear. October 2003 75 .3. tiles and enclosures.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 7. The following may be protected: − − − − − − − the TR.6 or to mitigate the effects on personnel. Careful consideration must be given to any potential reduction in safety due to increased bidden corrosion as a result of coatings or lagging. process vessels and their supports. operability and inspection of the protected item. valves and actuators. practicality of their application and repair. corrosion of the protected item. the ability to remain effective following explosions. There are a range of available systems including spray or trowel applied coatings. safety systems and plant. to prevent escalation through critical failures as identified in Section 4. their anticipated life.2 Passive Fire Protection Passive fire protection can be used to limit the effects of a fire. failure criteria of the protected item. walls. structural steelwork. panels.

g. the information may include: − − − a description of the hazardous events.1. availability. This enables responsibilities to be identified. recorded and auditable. e. needed to manage the hazardous event. The summary should be a living document which in its simplest form may be a compilation of tables similar to Table & I within this section. Such a summary may be incorporated into the documentation for the management of hazardous events on the installation. competency assessed and the safety systems maintained and tested to verify tat they meet their functional. It should include a listing of the primary fire and explosion hazardous events (e. One way of achieving this is by summarising the key information about the management of the fire and explosion hazardous events on the installation. a list of the prevention. separator fire). the format and layout should be developed to suit individual company needs.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 8 Implementation And Verification The essential information from the FEHM process must be communicated to operations personnel.1 Preparation of a Summary of the FEHM Process Any summary should contain. in a form which is concise and easily read. reliability and survivability performance standards. It should convey information to all those who are responsible for operations. An example is given in Table 8. control and mitigation measures for the particular hazardous events. For each of these major hazardous events. The use of the word verification in this guidance does not imply the application of the scheme of verification developed for the Design and Construction Regulations / Safety Case Regulations.1 Communication There must be adequate communication and documentation from each stage of a project to the next so that the hazard management decisions are understood. an indication of their likelihood and their consequences.1. permit to work. 8. October 2003 . in a brief and concise manner. 8. 76 Issue 2. reference to operational management (personnel) systems.g. sufficient information to demonstrate that all major hazardous events relating to the installation have been identified and considered and appropriate measures put in place to prevent. control and mitigate potential consequences.

The summary information may need to be amended as new information becomes available. The summary should also be included in the Safety Case. Any summary information document should be periodically reviewed and updated whenever there is a significant change. other hazardous events may be identified.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management The preparation of summary information should commence at the design stage when the major hazardous events are identified. Issue 2. October 2003 77 . strategies selected and protective measures specified. As the project progresses.

scaffolding Blast resistance of structure. October 2003 iv) The format and layout of Table 8. These may be variable depending on the size of the incident. The table could be expanded to include the role. etc. limit congestion Minimise/assess effects of any permanent modification Standard hydrocarbon plant procedures Limit the use of temporary obstruction e. an indication of the importance (criticality) of each system.78 ESCALATION DAMAGE PREVENTION Remote Optimise natural ventilation High vent area. Each organisation should develop a specific format and content suitable for their own needs The company SMS would identify and define responsibilities for specific hazard management activities.g.1 in Appendix II for indications of frequency. walls and separator supports CONTROL MITIGATION FREQUENCY HAZARD MANAGEMENT SYSTEM Improbable Not appropriate TR inlet gas detection to initiate Control of modifications ventilation S/D bringing gas release points closer to TR/utilities Electrical isolation within Hydrocarbon plant TR/utilities procedures and controls applied to gas/live oil plant within 30m of TR/utilities Occasional Standard hydrocarbon plant procedures Control of heavy lifts ESD system Depressurisation system F&G Detection ESD/depressurisation/F&G lockouts Emergency response procedures Passive protection to flare structure Table 8. escalation potential. Process Area Vapour cloud explosion Possible missiles Further release from HP & LP Separator Gas ingress to TR/utilities Prevent ingress Loss or damage to and ignition TR or utilities Death or injury of occupants Isolate. Low possibility of Top Deck. However the document should not contain so much information that it is unmanageable Refer to Table A. emergency response actions. compressor gas jet depressurise structural weakening and allow to fire burn out.1 is an example similar to one already in use. Personnel to shelter in TR i) ii) iii) UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Issue 2.1:Example from Hazard Management Summary HAZARDOUS EVENT STRATEGY Minimise Structural damage to overpressure utilities firewall Main Deck. .2. contribution to risk.

knowledge.1. designers. maintenance and test of engineered systems. those responsible for operation. those who control and implementation of procedural systems. documentation of software/procedural measures. inspection and test procedures/intervals. Safety and Environmental Management Systems”.2 Competence Personnel should have adequate qualifications. The requirements for competence are outlined in the OGP (formerly E&P Forum) Guidelines on “Health.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 8. experience and training to undertake their responsibilities. Issue 2. mitigation measures. These include: − − − − managers. both hardware and software (as appropriate).2 Operational Documentation The following should be documented for the prevention. October 2003 79 . control. − specification criteria: − − − − − − − − − − functionality availability reliability interactions with other equipment survivability criticality.4. Changes in the personnel or procedures should be reviewed to ensure that there are sufficient competent personnel to continue to meet the responsibilities. maintenance procedures and frequencies. controls and limitations on operations during maintenance or non availability of the hazard management systems. 8. Section 3.

1) should be followed. and the use of systems in an emergency. control and mitigate them.2.4 Audit Audit of the systems provided is advisable. 3. particularly on critical systems. 8. an enhanced inspection/test programme may be needed during its early life to identify unexpected loss of performance or failure. in others such as a process modification. This should be developed by the designers in conjunction with the Operator/Owner (or by Operator/Owner alone in the case of existing installation) in the light of the required role and specification parameters of the system. not only to verify that individual system components meet the specification. See “A Guide to the Offshore Installations (Safety Case) Regulations 1992" 8. 80 Issue 2. October 2003 . an individual examination of selected elements. The minimum functional criteria should be the level at which repair or change-out is required. The Operator/Owner should review these proposed modifications to determine whether or not the systems provision should be revised.3 Commissioning and Routine Testing All systems should have a commissioning and operational plan encompassing the inspection and test programme. This includes the training of personnel in the inspection and maintenance. it may be necessary to start at the beginning and review several design concepts.4. maintenance/training/test records etc. This may be achieved either through a specific audit of the management system.2. or by the use of independent/competent personnel to routinely verify all of the systems. With new or novel technologies. but also that the performance of the system is achieved. Commissioning testing should be carried out. The degree of modification and change will determine the re-entry point in the hazard management process. If they are employed by the Operator/Owner they should be independent of the line management for the installation being audited. The maintenance and testing requirements and frequencies should be determined from Section 6.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 8.. Independent audit personnel may be provided by the Operator/Owner or from an external organisation. In some cases only a minor alteration to the performance of a mitigation system may be needed. Where revision is necessary the hazard management process as described (Fig.5 Modifications Any modifications to the installation either through an engineering change or a change in the management system may affect the fire/explosion hazardous events on the installation or the ability to prevent.

The computer data files and design reports should be checked to confirm that they are a faithful representation of the present state of the facility and that the methods used for explosion loading and response are currently acceptable. 3. There is less scope for the reduction of the frequency of a release and scope for mitigation of the severity of an explosion may be limited. Information may be available relating to expected explosion loads.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 9 Special features Installations for the Assessment of Existing In the UK sector of the North Sea. The assessment of existing structures differs from the assessment of a structure during design in three important respects. Even if an installation has not been modified or its use has not been changed. new plant. piping and layout drawings. Issue 2. Information should be available from the previously submitted Safety Cases. Factors which could lead to this difference include the practicality of retrofitting a measure on an existing plant. structural and equipment response from the detailed design or construction stage for the installation. Intervention may give rise to an additional hazard which must be assessed. Approved For Construction (AFC) or as-built structural. assessment and other controls as determined by the Safety Management System as well as method statements for their implementation. Use may be made of experience gained from the operation of an un-modified installation and from similar installations. Existing mobile installations entering UK waters also require assessment. All modification work should be accompanied by hazard identification. 2. The HSE have indicated that it should be borne in mind that reducing the risks from an existing plant to ALARP may still result in a level of residual risk which is higher than that which would be achieved by reducing risks to ALARP in a similar. the extra cost of retrofitting measures compared to designing them on the new plant. 1. October 2003 81 . it is a requirement (SCR) that significant changes to an installation or its operation will necessitate the Safety Case being updated and in turn requiring a re-assessment including the consideration of explosion hazards. a reassessment is required every three years when the Safety Case is updated (triennial submission). Should modifications be necessary to improve the safety performance of the facility. All temporary structures and equipment utilised during the modification work should be removed as soon as practicable after completion of the work. ie. the risks involved in installation of the retrofitted measure (which must be weighed against the benefits it provides after installation) and the projected lifetime of the existing plant. then the work to be undertaken should not in itself pose such hazards and risk to personnel that this compromises the gains to be achieved by such modifications. operational structural integrity support computer models and design or post-design analysis reports of the facility.

October 2003 . irrespective of cost. it may not be reasonably practicable to apply measures retrospectively to existing plant. that may represent good practice for new plant. The following sub-sections focus on the specific aspects relevant to the assessment of existing installations. If risks are in this intolerable region then risk reduction measures must be implemented.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Therefore. 82 Issue 2. The overall individual risk and the TR Impairment Frequency (TRIF) from all hazards must still be less than 10-3 per year.

Details of the existing Safety Critical Elements should be available enabling their classification into categories 1. This will enable the efficient targeting of resources according to the risk level of the installation and identify the important safety issues at an early stage of the assessment.2 Explosion Hazard Review For an explosion hazard. rank different options. medium or high risk category. For existing installations.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management 9. This may involve design basis checks and may also involve a survey of the installation. The ALARP framework requires dutyholders to always seek to reduce risks. A low potential of loss of life (PLL) for the installation may not be a good indicator for normally unmanned installations and ageing platforms with extended life. It should be borne in mind that the methods considered adequate for hazard mitigation during preparation of a previous Safety Case may no longer be adequate or correct. This may be achieved by using information gained from previous explosion assessments or by following a prescribed methodology. The general approach should be to bring the SCEs up to the same level of integrity taking into account the criticality or consequences of failure and the difficulty in achieving the level of performance desired.1 Installation Risk Screening It is recommended that a screening of an installation or compartment is performed giving a low. 9. and review the reasonable practicability of implementation of any proposed changes. October 2003 83 . because of low occupancy. The risk associated with TR impairment under direct and indirect explosion loads combined with impairment of means of escape is Key. The high level performance standards for the facility should be defined or confirmed at this stage. medium or high risk classification for the facility. The total IR will be a good indicator of the appropriate level of sophistication of analysis and whether the installation is in the low. as a consequence of improved understanding of technical integrity behaviour and loading. The number or proportion of existing SCEs vulnerable to explosion loads is also an indicator of the risk category for the installation. and only to argue against implementation of a measure if it is not reasonably practicable. 2 or 3. Here the number of options available are likely to be limited. The assessment tools described in this Guidance should be used to assess existing risk. assuming the risks to any group of individuals is acceptable. Proposed modifications to the facility may result in changes to these IR values. However. or new research. the individual risk (IR) per annum from fire and explosion events will have been used in the demonstration of ALARP in the existing Safety Case for the installation. Issue 2. the effort and cost involved in assessing risks and incorporating risk reduction measures should largely be justified on the basis of the potential for reducing the overall PLL. the first task to be performed is to review any previous hazard reviews and the impact of any changes or new knowledge.

the checks need only be made against the DLB. then a further ALARP iteration may then have to be made.3).4 and Chapter 5 of the Commentary should be used to develop appropriate design loads and a reliability or risk arguments be used to justify design load levels. and SCEs of criticality 1 will also be assessed against the DLB. October 2003 . Control.4 Prevent.4 and Chapter 5 of the Commentary. 9.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management A review should also consider which elements of the facility may be improved with respect to inherently safer design principles and what additional measures may be taken to improve the detection. 9. performance of the modifications these should be identified before design approval is granted. 9. 84 Issue 2. Mitigate The most effective way of dealing with a hazard is to eliminate it.3 Scenario Definition New scenarios relating to intervention/process change/changes in process operating parameters will need to be identified and considered. re-calculation of the DLB and SLB overpressures and dynamic pressures will be necessary using best practice as described in Section 3. SCEs of criticality level 1 and 2 will be assessed against the SLB. If this is not possible. Fire hazard events will usually be considered in parallel as some scenarios will fall into either class depending on the ignition time relative to the release. If these levels are still not able to be accommodated by the structure and other SCEs. Where the design basis for overpressure determination does not take into account recent developments (post 1997). control and mitigation of the explosion hazard. The scenarios considered during design may be materially changed due to consequent changes in layout. decks. For low risk installations.5 Determination of Explosion Loads The explosion scenario used in the design of the facility may have been derived as a worst credible event assuming a gas cloud of maximal extent with stoichiometric composition ignited at the worst time in the worst position. Mitigation of the consequences should then be investigated. investigations into the means of reduction of the frequency of the initiating events should be considered. supporting structures and other safety critical elements at the appropriate level of criticality. New scenarios could arise during preparation. (see Section 3. Detect. It is recommended that a probabilistic arguments as described in Section 3. confinement and congestion.6 Response to Explosions For high and some medium risk installations. 9. including barriers. ALARP arguments will need to be been used to justify new explosion loads and any additionally required mitigation. the structural assessment will be performed against the strength level blast (SLB) and the ductility level blast (DLB). The structural assessment will include the consideration of the capacities of the structure.

the environment and the asset. October 2003 85 .7 Evaluation For each hazard or scenario which has been identified. there will come a point where the incidence of failures rapidly starts to increase and begins to take in the majority of the members. or to demonstrate ALARP for any identified hazard. however. control and mitigation activities. Design to this equivalent static pressure could then be said to be ALARP. The variability of pressure in the explosion load cases is also not represented in this method. If the pressure is then ramped up in stages. will require modification to the installation or its operating procedures and a return to the prevention. If the installation or any of the SCEs do not meet the performance standards or the level of risk is unacceptable. The validity of this method will depend on the severity of other load cases which have been used in the original design of the structure. an evaluation should be made of the possible consequences and risk to personnel.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management One method of the demonstration of ALARP using a strength level analysis is to apply a static pressure load to the structure and observe. At this point it may be argued that it would be unreasonable to strengthen or change the member properties as it would impact on members designed by the other load cases. Issue 2. It is. Failure to achieve the performance standards. the ALARP process must be continued. through code checks. 9. irrespective of cost. when member failures occur. If risks are in this intolerable region then risk reduction measures must be implemented. unlikely that the differing levels of response to dynamic loads at the same peak level as determined by the natural periods of the target structural elements will be adequately represented without undue conservatism. The overall individual risk and the TR impairment frequency (41) from all hazards must be less than 10-3 per year.


The Hazardous Events that define the most severe fire and explosion loadings whiich the control and mitigation systems are designed to withstand or counteract. coolant sprays). and immediate ignition of the expanding fuel-air mixture leads to intense combustion creating a fireball. pressure relief valves. Evacuation and Rescue. or system is performing in the desired manner British Chemical Engineering Contractors Association A pressure pulse formed by an explosion The sudden rupture due to lire impingement of a vessel/system containing liquefied flammable gas under pressure. or the presence of manually or automatically initiated ESD procedures which are intended to contain a developing situation so that escalation and a major accident may be avoided. Means of intervention permitted by the design (e.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Appendix 1 Term API API RP Availability BCECA Blast Wave BLEVE* Glossary Of Abbreviations.g. equipment. American Petroleum Institute.g. dump tanks. The Oil Industry International Exploration & Production Forum now renamed the International Association of Oil and Gas Producers (OGP) Design Accidental Events ESD E&P Forum ER EER Explosion Emergency Response Escape.g. vessel or module). Emergency Shut Down. Terms And Definitions Definition American Petroleum Institute. emergency power supplies) safety hardware (e. October 2003 i . The pressure burst and the flashing of the liquid to vapour creates a blast wave. potential missile damage. A release of energy which causes a pressure discontinuity or blast wave Issue 2. Recommended Practice The proportion of the total time that a component. * boiling liquid expanding vapour explosion BROA Confined Explosion Control British Rig Owners Association An explosion of a fuel-oxidant mixture inside a closed system (e.

An incident which occurs when a Hazard is realised whether or not it causes harm (e. The number of occurrences per unit time. The potential to cause harm. a release of gas. Health and Safety Executive.g.g. The systematic portrayal of the sequencing and interaction of the steps in the design and operational life of an installation. Frequency Functionality HSE Hazard Hazardous Event Hazard Analysis HAZOP HVAC IADC IEC IP ISO Individual Risk Jet Fire (Flame) Lifecycle ii Issue 2. October 2003 . damage to property. Association of Drilling Contractors (North Sea Chapter) International Electrotechnical Commission. This may be characterised and demonstrated by identifying critical functional parameters. Ventilation and Air Conditioning. The ability of a system to perform its specified role. The combustion of material emerging with significant momentum from an orifice. fire explosion. a systematic method utilising a multidiscipline team to identify deviation from the design intent and assess the consequences of these deviations. short circuit of high voltage equipment). plant. high voltage equipment). magnitude and likelihood of any harmful effects (see also Risk Analysis). The frequency at which an individual may be expected to sustain a given level of harm from the realisation of specified hazards. The identification of undesired events that lead to the realisation of a hazard. Institute of Petroleum International Standards Organisation. including ill health or injury. Hazard and Operability Study. International. products or the environment.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Fire Flash Fire A process of combustion characterised by heat or smoke or flame or any combination of these The combustion of a flammable vapour and air mixture in which flame passes through that mixture and negligible damaging overpressure is generated. Heating. production losses or increased liabilities (e. pressurised hydrocarbons. the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the extent.

measuring. but the term overpressurisation is preferred. control or audit . or in connection with it. The performance of the same function by a number of identical but independent means.e.g. In a pressure pulse (blast wave). person or procedure. Overpressure is also sometimes used to describe exposure of equipment to internal pressure in excess of its design pressure. b) Any event involving major damage to the structure of the installation or plant affixed thereto and any loss in stability of the installation. Performance Standard PFD P&ID POC Pool Fire Prevention Probability Redundancy Issue 2. engineering and construction standards. c) The collision of a helicopter with the installation. and its inspection and maintenance. A number in a scale from 0 to 1 which expresses the likelihood that one event will succeed another.through the lifecycle of the installation Process Flow Diagrams Piping and Instrumentation Diagram Products of Combustion The combustion of material evaporating from a layer of liquid at the base of the fire. 2885) to be: a) A fire. this is defined in the UK Safety Case Regulations (SI 1992 No. of the performance required of a system. Mitigation OIM Overpressure Means taken to minimise the consequences of a major accident to personnel and the installation after the accident has occurred. the pressure developed above atmospheric pressure at any stage or location is called the overpressure. Offshore Installation Manager. October 2003 iii . item of equipment. Such means include management systems applied to the design. the operation of the installation. major accident).UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management LPG Major Accident Liquefied Petroleum Gas With respect to fires and explosions. planning. which can be expressed in qualitative or quantitative terms. A performance standard is a statement.e. and which is used as the basis for managing the hazard . explosion or the release of a dangerous substance involving death or serious personal injury to persons on the installation or engaged in an activity on. Means intended to prevent the initiation of a sequence of events which could lead to a hazardous outcome of significance (i.

K. The quantified calculation of probabilities and risks without taking any judgements about their relevance. Safety Case. Statutory Instrument The combustion of hydrocarbon liquid emerging with significant momentum from an orifice such that full combustion will occur without liquid dropping out to form a pool. Steel Construction Institute. Offshore Operators Association Risk Risk Analysis Risk Assessment SC SCI SI Spray Fire TR UKCS UKOOA iv Issue 2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Reliability The probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand. The product of the frequency of a specified undesired event and the consequences of that event. Temporary Refuge United Kingdom Continental Shelf U. October 2003 . The quantitative evaluation of the likelihood of undesired events and the likelihood of harm or damage being caused together with the value judgements made concerning the significance of the results.

2. It may also guide the need for duplicate or redundant systems or the provision of additional safeguards or plant shutdowns whenever a system is not available because of breakdown or maintenance. This Appendix describes an approach to enable designers and others to provide safety systems which are fit for purpose.2.4 provide an example of one possible ranking. commissioning and maintenance should be greater than tat of the fire-fighting system.2.4) could have a higher safety criticality rating than systems to protect against an improbable-minor accident (Class D in Table A. Such a method can be adapted to categorise the importance of systems. then the rigour of ESD design. Functional Safety: Safety Related Systems.2.2. Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment A.3 and A.2.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Appendix 2 A.2 Classifying Risks and Applying a Criticality to Associated Safety Systems To enable the effective management of fire and explosion hazardous events there is a need for means of relating the risk from a fire or explosion to the expected performance of the hazard management systems provided. Control and Mitigation of Fire and Explosion in Offshore Oil and Gas Installations. However there is little experience in applying these principles/concepts in the offshore industry and care must be taken in their application. There is no standard way of categorising the safety criticality of hazard management systems.2 Categorisation Of Hazard Management Systems Using Safety Integrity Level Approach Categorisation Of Hazard Management Systems Using Safety Integrity Level This section has been included to describe principles and concepts which are worthy of bringing to the wider attention of the industry.4).2. The approach is based on material from: Draft IEC 1508 Parts I .3 and A. It also helps to convey the importance of the system to the platform Operators and those responsible for lockouts. Qualitative methods are available to classify or rank the risk of a particular incident or identified major accident.1 Introduction Systems provided as part of the hazard management process need to match both the hazard and the resulting risk. Categorising the importance of systems in terms of their contribution to risk reduction is one way of trying to achieve this.6. if on a particular installation the emergency shut down system (ESD) contributed significantly more to risk reduction than say firefighting arrangements. For example. Ministry of Defence. October 2003 v . Requirements and Guidelines for the Prevention.1 to A. maintenance and inspection of the system. Issue 2. For example. construction. systems provided to protect against a probable-fatal accident (Class A in table A.2. A. but relevant guidance is provided in ISO (Draft). Tables A.

2.1 Likelihood Ranges for Incidents (during the operational life of installation) Likelihood Frequent Probable Occasional Remote Improbable Implausible Definition Likely to occur repeatedly Likely to occur from time to time Likely to occur once Unlikely to occur Very unlikely to occur Extremely unlikely to occur Table A.2 Incident Severity Categories Accident Category Catastrophic Fatal Severe Minor Definition Multiple deaths A single death and/or multiple severe injuries A single severe injury and/or multiple minor injuries At most a single minor injury vi Issue 2.2. October 2003 .UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Table A.

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Table A. October 2003 vii .4 Example of Risk Class Definitions Risk Class A Interpretation Intolerable Risk Undesirable Risk (and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained) Tolerable Risk (if the cost of reduction would exceed the improvement gained) Negligible Risk B C D Issue 2.2.3 Incident Risk Classification Matrix Accident Severity Likelihood Catastrophic Frequent Probable Occasional Remote Improbable Implausible A A A B C D Fatal A B B C C D Severe A B C C D D Minor B C C D D D Table A.2.

to all those responsible for safe operation. Once hazards have been ranked as described. then an appropriate safety integrity level (criticality rating) can be applied to the systems specifically assigned to manage it. This gives greater flexibility in the design and operation of the plant. This may cover the need for duplication. However. A system of criticality with.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Note that the use of the term ‘Negligible Risk” must be used with care when addressing Catastrophic or Fatal Accidents. Most importantly it gives. if multiple system failures are required before the consequences are realised. or the level and quality of inspection and maintenance. a perception of the importance of the system. The levels of availability described may not be appropriate for offshore systems. say 3. October 2003 . or lower. 4 or 5 levels allows a standardised approach to systems of the same rating. If there is only one system standing between the hazardous event and the consequence. then the criticality should be commensurate with the consequence and frequency. the need to shutdown a plant when the system is not available or otherwise. This would normally only be considered negligible if the frequency of these events is of the order of 10-6/yr. This technique is described in IEC 1508 where bands of reliability/availability are used to give safety integrity levels. but the concept could be adapted to suit this industry and the hazardous events and systems in it. viii Issue 2. the individual system criticality may be lower.

The Offshore Installations (Prevention of Fire and Explosion. HS(G)65.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Appendix 3 Legislation References The Offshore Installation (Safety Case) Regulations (SCR).1995 Safety Management Systems for the Oil & Gas Production Industry . A Guide to the Offshore Installations (Safety Case) Regulations 1992 . UKOOA Publications Management of Emergency Response for Offshore Installations .1993 Issue 2. and Emergency Response) Regulations (PFEER). Removal and Disposal . Successful Health and Safety Management .ISBN 0 11-882055-9.1991 Safety Management System Interfacing .Expected date for publication late 1995 Halon Firefighting Equipment and Systems .1993 Management of Offshore Helideck Operations . Management of Health and Safety at Work Regulations (MHSWR).1992 Halon Utilisation. HSE Publications The Tolerability of Risks from Nuclear Power Stations .ISBN 0 11-885988-9.ISBN 0 11 886368-9.ISBN 0-85356415-9.1993 Instrument-Based Safety Systems [Draft] . Inherently Safer Design – AEA/CS/HSE 1916. Provision and Use of Work Equipment Regulations (PUWER). October 2003 ix .

3 6/210. Requirements and Guidelines for the Prevention. 6.P.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Other Publications API Recommended Practice 14C API Recommended Practice 520 CAA Guidelines CAP 437 Offshore Helicopter Landing Areas: A Guide to Criteria. A1) I. Model Code of Safe Practice Part 15 : Area Classification Code for Petroleum Installations ISBN 0471 921603 ISO 9000 Quality Management and Quality Assurance Standards . Safety and Environmental Management Systems. Report No. SCI Interim Guidance Notes x Issue 2. Reference CD 13702 Ministry of Defence. Safety Related Systems. (IEC 1508 Parts 1-6) IEC 65A (Ref.Guidelines for Selection and Use ISO (Draft). OGP (formerly E&P Forum) Guidance on I-Ialon Free Fire Protection OGP (formerly E&P Forum) Guidelines on Hea]th. Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment. Control and Mitigation of Fire and Explosion in Offshore Oil and Gas Installations. International Electrotechnical Commission Guidance on Functional Safety. October 2003 . Recommended Minimum Standards and Best Practice.

The disturbance is subsonic relative to the unburnt gas immediately ahead of the wave. Issue 2. Typical durations range from 50 to 200milliseconds with longer durations common in large open areas such as the decks of FPSOs. 7. 3. on: 1. 6. location) Cloud density inhomogeneity Ignition timing Confinement is defined as a measure the proportion of the boundary of the explosion region which prevents the fuel/air mixture from venting which is the escape of gas through openings (vents) in the confining enclosure. The overpressures are not limited to the 8 bar maximum typical of completely confined explosions. 2. Congestion is a measure of the restriction of flow within the explosion region caused by the obstacles within the region. amongst other things.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Appendix 4 Informative Sections A4. shape. The shock wave and combustion wave are coupled and in a gas-air cloud the detonation wave will typically propagate at 1500-2000m/s and result in overpressures of 15-20bar. October 2003 xi . The overpressure caused by the explosion will depend.1 Additional Detail on Explosions The explosion hazard For an explosion to occur a gas cloud with a concentration between the upper flammability limit (UFL) and lower flammability limit (LFL) must be ignited. • A detonation is propagated by a shock that compresses the flammable mixture to a state where it is beyond its auto-ignition temperature. 5. number. It develops by feedback with the expansion flow. Typical flame speeds range from 11000m/s and overpressures may reach values of several bars. Gas explosions in more open environments can also lead to significant overpressures depending on the rate of combustion and the mode of flame propagation in the cloud. 4. Two types of explosion can be identified depending on the flame propagation rate: • A deflagration is propagated by the conduction and diffusion of heat. The gas or gas mixture present The cloud volume and concentration Ignition source type and location The confinement or venting surrounding the gas cloud The congestion or obstacles within the cloud (size. The combustion wave travels at supersonic velocity relative to the un-burnt gas immediately ahead of the flame. The duration of the positive phase in an explosion can vary greatly with shorter durations often associated with higher overpressure explosions. Most vapour cloud explosions offshore would fall into the category of deflagrations. All of the above points from 1 to 5 can affect the explosion overpressures in this type of environment.

This is a high consequence event important for the establishment of survivability. the overpressures applied to the front and reverse side of such items will be of approximately the same magnitude at any moment in time and in this case the overpressure difference will not be the only load component on the object. creating secondary projectiles. external explosions may result as the unburnt fuel/air mixture comes into contact with the external (oxygen rich) atmosphere. Low risk installations may be assessed using only the DLB. For this type of object the dynamic pressure associated with the gas flow in the explosion will dominate. A blast wave will be generated which will propagate away from the explosion region and may impinge on adjacent structures. The risk levels and frequencies may not be the same as for earthquake analysis. such as piping. The SLB is a low consequence event important for the establishment of operability. The prediction of equipment and piping response in the elastic regime is much better understood than the conditions which give rise to rupture. Small objects may be picked up during the explosion.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management For smaller objects. The strength level blast represents a more frequent design event where it is required that the structure does not deform plastically and that the SCEs remain operational. Secondary. The ductility level blast is the design level overpressure used to represent the extreme design event. Load cases for explosion response Two levels of explosion loading are recommended for medium and high risk installations by analogy with earthquake assessment: The ductility level blast (DLB) and the strength level blast (SLB). The SLB enables these checks to be made at a lower load level often resulting in good performance at the higher level (strength in depth). The SLB offers a degree of asset protection. The peak energy for typical projectiles may be calculated from the dynamic pressure load time history and their mass. as the overpressures are likely to be low and the SLB is not likely to be critical in the design. • • Determination of explosion design loads Design explosion loads in the past have been derived from the a worst credible event assuming a gas cloud of maximal extent with stoichiometric composition ignited at the worst time in the worst position. xii Issue 2. October 2003 . This reflects the fact that an explosion is perceived as a preventable event. This load case is suggested for the following reasons:• • An SLB event may give rise to an unexpected DLB by escalation if it is not considered in the assessment. These can affect the venting of the compartment and enhance the overpressure within.

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

Frequently the ultimate peak overpressure ‘Pult’ derived in this way is too large to be resisted by the structure. Checks should be made to ascertain whether the cloud of maximal extent is feasible with respect to the shutdown philosophy and the isolatable inventories. ALARP arguments are appropriate and can be used to demonstrate that risk levels have been reduced to satisfactory levels which itself relies on frequency and risk arguments. Pult will often correspond to an event with a return period out of proportion to the design life of the installation. A single event frequency of exceedance between 10-4 and 10-5 per year is considered a reasonable frequency for the ductility level design event or DLB, by analogy with the treatment of environmental and ship impact loads which are often considered at the 10-5 level. In order to determine the DLB, an exceedance curve must be constructed which represents the frequency of exceedance of a given space averaged peak overpressure. This curve will enable the DLB overpressure case to be identified. If the event impinges directly on the TR, escape routes or means of escape then the target level should be the 10-5 level. If the event impinges on one or more barriers before impinging on these SCEs then it may be argued that the 10-4 level is more appropriate. The space averaged peak overpressure for the compartment is used for determination of the design explosion load cases as it is more generally representative of the severity of the event. A local overpressure peak may be used to generate exceedance curves for the determination of load cases for local design of a blast wall for instance. Impulse exceedance curves may also be generated which take into account the duration of the load and its peak value; these give a better measure of the expected response of the target which will be dynamic in nature. The SLB may then be identified from a space averaged peak overpressure exceedance curve, as that overpressure corresponding to a frequency one order of magnitude more frequent or with a magnitude of one third of the DLB overpressure whichever is the greater. The reason for the reduction factor of one third is related to the expected reserves of strength in the structure and the observation that the primary structure will often only experience received loads of this reduced magnitude.

Loads on equipment items
The explosion loads on equipment items and pipework must be determined and are referred to as dynamic pressure loads, which may be directly obtained from CFD simulation results and consist of: • • • • Drag loads (similar to the Morison drag loads experienced in fluid flow) proportional to the square of the gas velocity, its density and the area presented to the flow by the obstacle. Inertia loads proportional to the gas acceleration and the volume of the obstacle. Pressure difference loads. Loads generated by differential movement of the supports.

Drag loads dominate for obstacles with dimensions less than 0.3m or on cylindrical obstacles less than 0.3m in diameter and, in particular, in regions of high gas velocity near vents. Pressure difference loads become important for obstacles with dimensions greater than 0.3m where they must be added to the drag loads. Care must be taken in interpreting the results of CFD simulations as the cell size/obstacle size ratio may make it difficult to obtain accurate pressure and flow information at points near the obstacle.

Issue 2, October 2003


UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

Equipment items in the interior of a compartment away from the vents will experience loads composed mostly of inertia loads due to gas accelerations. It is likely that these loads will, however, be lower than the drag and pressure difference loads experienced by items in the vent paths.


Issue 2, October 2003

UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management

Exceedance curves for local dynamic pressures may be developed from simulations and used in the same way as for overpressures in deriving design dynamic overpressures for the DLB and SLB load cases. It is recommended that the DLB dynamic pressures are applied to SCEs of criticality 1 and that both the DLB and SLB overpressures are applied to SCEs of criticality 1 and 2 with the requirement for elastic response of the supports and that the SCEs would remain functional. Design explosion event peak overpressures and durations (or time histories) with known frequencies of occurrence will be required for the response analyses. A number of explosion loading experts have suggested that a suitable load level for the representation of dynamic pressure loads is 1/3 of the smoothed peak overpressure local to the equipment item. The duration of the load should be chosen to match the impulse of the overpressure trace. This load must also be applied in the reverse direction. In open areas, such as the decks of FPSOs, these loads should also be applied in the vertical plane. In general equipment items should be located to minimise obstruction of vents and be inline with the predominant flow direction. Piping runs should be located behind structural elements if near vent areas. Supports and equipment items should be made as resistant to explosion loads as is reasonably practicable. The low risk methodology appropriate for some medium and all low risk installations, follows that described earlier except that the simplifications described below may be acceptable. • • • The strength level blast (SLB) overpressure is recommended but need not be considered. If a valid nominal overpressure is available for this installation type then use this as the DLB. If a nominal overpressure can be accommodated then use this overpressure with the corresponding duration and dynamic pressures for design and assessment.

It must be borne in mind that nominal overpressures will only be representative values; which do not represent the variability of the overpressure distribution. This variability may be significant both for the structure and for equipment items, this must be established and considered for both overpressure and dynamic pressure loads. Dynamic pressure loads for the DLB should be generated for criticality level 1 safety critical elements and vulnerable piping run locations. A comparative assessment method may be used drawing on experience from a demonstrably similar structure geometry and scenario. The nomination of a typical installation to represent a fleet of demonstrably similar, low risk platforms is acceptable.

Issue 2, October 2003


For barriers such as fire and blast walls. xvi Issue 2. it will be necessary to check the ability of these elements to resist the DLB directly. supporting structures and other safety critical elements (SCEs) at the appropriate level of criticality. decks. The structural checks for the SLB consist of strength checks for the primary and secondary structure with the requirement of elastic response. including barriers. Assessment based on prior exposure is applicable to explosion events. The ‘robustness’ approach is still valuable and may be considered in addition to the more rigorous probabilistic methods now available which enable design explosion loads to be determined which should be accommodated by the structure and SCEs. these checks may be accomplished by the implementation of modified code checks. equipment items which are SCEs of criticality level 1 and 2 should be assessed against the SLB. If the general level of overpressure for the DLB is below the threshold overpressure Pth then the primary structure may be deemed to be designed by other load cases with no further analysis of this element being required. it is imperative that connections and joints are suitably detailed to provide the ductility required to develop their reserves of strength. many structures have been designed to resist uncertain explosion loads by the calculation of the capacity of the structure and the SCEs and the demonstration of robustness in the structure as reflected in an insensitivity of response to variations in load. October 2003 .UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management Response to explosions Over the last ten years. The threshold overpressure will be defined and determined in Part 3 of the Guidance. For installations and compartments of medium or high risk. These elements are often non-load bearing and it is often possible to check them in isolation. SCEs of criticality 1 should also be assessed against the DLB. Simplified structural assessment methods The structural checks for the DLB will consist of displacement and integrity checks for the primary and secondary structure taking into account the reserves of strength offered by ductile response and allowable local damage. although it is unlikely that this information will be available unless the platforms are nearly identical and an explosion has been experienced on a similar platform which represents the DLB. Load cases for explosion response It is recommended that the structural assessment should performed against the strength level blast (SLB) and the ductility level blast (DLB). In all cases. This should be followed by a non-linear ‘ductility level’ dynamic response analysis if the checks show failure to satisfy the relevant performance standards or ALARP cannot be demonstrated. This approach is to an extent scenario independent and may give added protection against unidentified scenarios and in particular combined fire and explosion scenarios. The structural assessment should include the consideration of the capacities of the structure. For medium and low risk installations.

For low risk installations and compartments. unlikely that the differing levels of response to dynamic loads at the same peak level as determined by the natural periods of the target structural elements will be represented adequately without undue conservatism. The validity of this method will depend on the severity of other load cases. there will come a point where the incidence of failures rapidly starts to increase and begins to take in the majority of the members. It is. as it would affect members designed by the other load cases. At this point. which have been used in the original design of the structure. The variability of pressure in the explosion load cases is also not represented in this method. If the pressure is ramped up in stages. however. the structural assessment may be performed against the ductility level blast (DLB) only. The transfer of conclusions and load characteristics from the analysis of a geometrically similar installation with similar structural and process characteristics is acceptable. through code checks.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management One method of the demonstration of ALARP using a strength level analysis is to apply a static pressure load to the structure and observe. Issue 2.The performance of the structure and SCEs for these scenarios must then be tested against the appropriate high level and equipment specific (or low level) performance standards. it may be argued that it would be unreasonable to strengthen or change the member properties. Design to this equivalent static pressure could then be said to be ALARP. when member failures occur. The use of a typical installation will be limited to the identification of general levels of severity of credible explosion events and is unlikely to be suitable for the local design of blast barriers for example. October 2003 xvii . The nomination of a typical installation to represent a fleet of low explosion risk platforms is acceptable.

2 Additional Detail on Fires To be completed during 2004.UKOOA FIRE AND EXPLOSION GUIDANCE Part 0: Fire and Explosion Hazard Management A4. October 2003 . xviii Issue 2.


org. Albyn Terrace. Tel: 020 7802 2400 Fax: 020 7802 2401 Aberdeen Office: 9. 232-242 Vauxhall Bridge Road.PUBLISHED BY UK OFFSHORE OPERATORS ASSOCIATION London Office: 2nd Floor. Website: www. London. AB10 1YP Tel: 01224 626652 Fax: 01224 626503 Email: info@ukooa.oilandgas. SW1V .co.