6 Analysis Techniques
Chapter 5 has presented an overview of all the steps involved in performing a
QRA. This chapter is devoted to the main analysis techniques that may be used.
6.1 Hazard Identification
Identification of hazards was shown in Chapter 5 to be the first step in a QRA. This
is often called Hazard Identification or HAZID. The purpose of hazard
identification is to:
- Identify all the hazards associated with the planned operations or activities
- Create an overview of the risk picture, for planning the further analysis
work
- Provide an overview of the different types of accidents that may occur, in
order to document the range of events, which give rise to risk
- Provide assurance, as far as possible, that no significant hazard is
overlooked.
It is therefore important that hazard identification provides a good overview, which
can be reviewed by a number of people with different experience. The following
methods may be used to identify hazards:
- Check lists: Lists developed by specialists to assist in the review of the
planned operations.
- Previous studies: Lists of hazards from similar studies are often used as a
starting point for a new study.
- Accident and failure statistics: Lists and case stories which resemble check
lists, but which are based on actual failures and/or accidents. An example is
shown overleaf.
- Hazard and Operability Study: A technique to identify in detail sequences of
failures and conditions that may cause accidents.
162 Offshore Risk Assessment
- SAFOP: A technique to review procedures in order to identify sequences of
failures and conditions that may cause accidents.
- Preliminary Hazard Analysis: A technique often used as an initial screening
study, but may also be used alone. PHA is described in the subsequent subsection.
- Comparison with detailed studies: Detailed studies used in similar situations
may be used to identify which sequences may give rise to hazardous situations.
Section 3.1 has presented an overview of accidents on the Norwegian Continental
Shelf, which may also be used as input to hazard identification.
The level of detail to be considered in hazard identification is sometimes
uncertain and the approach to be adopted has to be determined prior to commencing
the work.
Hazards should be identified for equipment as well as operations. For the
hazards associated with equipment, there are three levels of detail:
- Equipment level: All individual equipment items, valves, instruments,
vessels, etc. are identified separately as possible hazards.
- Subsystem level: All subsystems, such as separation stages, compression
stages, etc. are identified separately as possible hazards.
- System level: All systems, such as separation, compression, metering, etc.
are identified separately as possible hazards.
It is obvious that the number of hazards identified on each level will decrease at
lower levels of detail. At equipment level in the order of 500–1000 hazards may be
identified for a large installation. At system level perhaps only 20 hazards would
be identified while 50–100 hazards may be identified at subsystem level.
The main problem working at equipment level is the high number of hazards
created, most of which will be similar apart from the equipment identified. Thus
the overview is very easily lost. System level on the other hand may be too coarse,
and distinctions and important differences may easily be lost. The subsystem level
is therefore normally the most suitable.
For hazards associated with operations, there is only one level, as each
operation has to be considered in detail.
The most difficult aspect of the hazard identification is to ensure that
significant hazards are not overlooked. This is a challenge to achieve. Structured
analytical techniques that could assist in achieving this objective have been
searched for, but so far without success. It may be argued that performing very
detailed HAZOPs may be able to achieve the objective. However, the resources
required to complete such a programme would be prohibitive.
Consider the following example. More than 15 years ago, a semi-submersible
platform experienced uncontrolled ballasting operations, to the extent that severe
listing developed and the crew were considering whether to evacuate or not. It was
later found that the root cause of the problem was a minor fire in one leg of the
platform, which had resulted in heating up of the hydraulic fluid used in the control
system for the ballast valves. The return lines were too narrow to relieve the
additional pressure generated by the heat sufficiently rapidly, thus causing
uncontrolled valve operation. When the fire was extinguished, the problem disappeared.
The critical question to consider is whether hazard identification could have
identified such a hazard.
6.1.1 HAZOP
HAZOP is an analytical technique used to identify hazards and operability
problems. The technique is being applied generally to any situation involving the
interface between hardware, software and operators, although initially developed
for evaluation of process plants. The approach may also be used in order to identify
hazards.
In HAZOP analysis, an interdisciplinary team uses a systematic approach to
identify hazards and operability problems occurring as a result of deviations from
the intended range of process conditions. An experienced team leader
systematically guides the team through the plant design using a fixed set of ‘guide words’
which are applied to specific ‘process parameters’ at discrete locations or ‘study
nodes’ in the process system. For example the guide word ‘High’ combined with
the process parameter ‘level’ results in questions concerning possible ‘high-level’
deviations from the design intent. Sometimes, a leader will use check lists or
process experience to help the team develop the necessary list of deviations that the
team will consider in the HAZOP meetings. The team analyses the effects of any
deviations at the point in question and determines possible causes for the deviation
(e.g. operator error, blockage in outflow etc.), the consequences of the deviations
(e.g. spillage of liquid, pollution etc.), and the safeguards in place to prevent the
deviation (e.g. level control, piped overflow, etc.). If the causes and consequences
are significant and the safeguards are inadequate, the details are recorded so that
follow-up action can be taken.
Access to detailed information concerning the design and operation of a process
is necessary before a detailed HAZOP analysis can be carried out and thus it is
most often used at the detailed design stage after preparation of the P&IDs or
during modification and operation of existing facilities. A HAZOP analysis also
requires considerable knowledge of the process, instrumentation, and operation,
either planned or actual; this information is usually provided by team members
who are experts in these areas. A HAZOP team typically consists of five to seven
people with different background and experience in such aspects as engineering,
operations, maintenance, health, safety and environment and so forth. It is normal
for the team member who leads the analysis to be assisted by another, often
referred to as the secretary, who records the results of the team's deliberations as
the work proceeds.
The HAZOP relates to the following process parameters: Flow, temperature,
pressure, level, react, mix, isolate, drain, inspect, maintain, start-up, shutdown. The
HAZOP guide words focus the attention upon a particular aspect of the design
intent or a process parameter or condition:
- No (no flow)
- Less (less pressure, flow, etc.)
- More (more temperature, flow, etc.)
- Reverse (reverse flow)
- Also (additional flow)
- Other (flow)
- Fluctuation (flow)
- Early (commencement).
Reporting is particularly important from a HAZOP, in particular with respect to
documentation of actions that have been agreed. An efficient secretary is therefore
essential. There are also several software packages available in order to assist in
the administration of the HAZOP. More extensive documentation of the HAZOP
may be found in Crawley et al. (2000) and Lees (2004).
6.1.2 PHA
Preliminary Hazard Analysis is an analytical technique used to identify hazards
which, if not sufficiently prevented from occurring, will give rise to a hazardous
event. Typical hazardous energy sources considered include high-pressure oil and
gas, other high-temperature fluids, objects at height (lifted items), objects at
velocity (helicopters, ships), explosives, radioactive materials, noise, flammable
materials, toxic materials, etc.
Preliminary Hazard Analysis is often used to evaluate hazards early in a project
being undertaken at the conceptual and front end engineering stage. It does not
require detailed design to be complete but allows the identification of possible
hazards at an early stage and thus assists in selection of the most advantageous
arrangement of facilities and equipment. The general process adopted involves the
following steps:
- definition of the subsystems and operational modes
- identification of the hazards associated with the particular subsystem or
operation
- definition of the particular hazardous event resulting from realisation of the
hazard
- estimation of the probability of the event occurring and the possible
consequence of each of the hazardous situations, and then using a particular rule
set to categorise the probabilities and consequences
- identify and evaluate actions to be taken to reduce the probability of the
hazardous event occurring or to limit the consequence
- evaluate the interaction effect of different hazardous events and also
consider the effects of common mode and common cause failures.
Preliminary Hazard Analysis is undertaken in a structured manner usually using
some form of table. Each hazardous event that has been identified for the particular
subsystem or operation is studied in turn and recorded in one line of the table
arriving at a ‘risk rating’ either for that particular hazardous event or the subsystem
or operation.
6.1.3 SAFOP
Safe Operations (SAFOP) study is an adaptation of the HAZOP technique for
analysing work processes and procedures in order to identify and evaluate risk factors.
SAFOP is a powerful tool for risk assessment of new (planned) or changed
operations and is applicable for all activities where a procedure will be used, such as
process interventions, material handling, crane operations, maintenance, marine
activities. The SAFOP checklist as described by Scandpower Risk Management
(2004) has the following guidewords (for marine operations):
Preop. checks: Necessary equipment, tugs not available on schedule. Necessary equipment checking/testing not performed
Weather: Unclear weather restrictions or unexpected deterioration of weather (abortion of operation). Weather forecasting, low temperatures
Current: Problems related to strong, unexpected currents
Position: Object, grillage, tugs or vessel not in correct position
Power: No power or insufficient power (tugs, electrical, hydraulic, air)
Equipment: Malfunction or lack of equipment
Instruments: Malfunction or lack of instruments
Responsibility: Undefined/unclear responsibilities (tugs, vessel, port)
Communication: Malfunction or lack of communication equipment. Communication lines, noise, shift changes
Execution: A work task is executed in a wrong way, timing, speed
Procedures: Missing or unclear procedures
Visibility: Can the operator(s) see sufficiently?
Movement: Objects, tugs or vessels move in an uncontrolled way
Stability: Unstable conditions
Tolerances: Tolerances for positioning, etc.
Interfaces: Wrong, contamination, corrosion, marine growth, etc.
Stuck: Movement cannot be performed
Rupture: Rupture of critical equipment, overloading
Access: Insufficient access/space on tugs, vessel, port
Escape routes: Sufficient, checked against requirements, protected
Contingency: Back-up procedures/equipment not available
Other: Other items not covered by the above guidewords
Impact: Impact between objects, squeezing (personnel)
Drop: Drop of objects from a higher level
Fall: Fall of personnel to lower level
Energy release: Electric, pressure, heat, cold, radioactive
Toxic release: Release of hazardous substances
6.1.4 Bow-tie
The Bow-tie methodology is a process which can be used to effectively
demonstrate how a facility’s Safety Management System can be implemented. It assists
companies/operators in the analysis and management of the hazards and risks to
which their business is exposed, and through the use of graphics, display and
illustrates the relationship between hazards, controls, risk reduction measures and a
business’s HSE activities.
Bow-ties, Figure 6.1, depict the relationship between hazards, threats, barriers,
escalation factors, controls, consequences, recovery preparedness measures and
critical tasks. Bow-ties have become a preferred tool in many circumstances, in
order to illustrate the relationship between various factors. The most well-known
tool for this purpose is THESIS, originally conceived by Shell International and
now jointly owned and developed by ABS Consulting Ltd and Shell International
(see also Appendix A).
The relationship between all the involved aspects as mentioned above has been
an area of fault or weakness in many organisations – using the bow-tie method can
help to display all the interactions and links that are often found to be loosely
related over a number of various documents.
[Diagram elements: hazard; threat that could release hazard; barriers to prevent
threat; escalation factors; control of escalation factor; top event; recovery
preparedness measures; consequences; activities & tasks (HSE-critical tasks).]
Figure 6.1. A typical bow-tie display
Essentially a bow-tie is a combination of the traditionally used fault and event
trees, whereby the fault tree constitutes the left-hand side of a bow-tie and the
event tree the right-hand side.
What a bow-tie presents in addition however, are the ‘barriers’ in place that
prevent ‘threats’ from releasing a hazard and ‘recovery preparedness measures’
that reduce the severity of the hazard consequences.
6.2 Cause, Probability and Frequency Analysis
Cause, probability, and frequency analysis techniques are used in QRA in order to
determine many different parameters, such as:
- Potential causes that may lead to accidents.
- Frequency of initiating events.
- Conditional probability of failure of safety systems, in the case of an
accident.
- Probability that operating and/or environmental conditions are specially
adverse.
- Probability that a particular severe accidental consequence occurs.
- Probability that personnel are present in an area when the accident occurs.
For quantitative purposes there are many tools that may be used in order to
calculate probability or frequency, including simulation methods, theoretical modelling,
and formal methods such as Fault Tree Analysis and Event Tree Analysis.
Frequencies are often based on statistical analysis of failure and accident data.
Failure Mode and Effect Analysis may also be employed for qualitative analysis. A
brief overview of the most important methods is given below.
6.2.1 Fault Tree Analysis
There are several good textbooks available which provide instruction on Fault Tree
Analysis (FTA). A brief introduction is provided below; an in-depth introduction
may be found in these sources:
- Høyland and Rausand (1994)
- Henley and Kumamoto (1981)
- Vesely et al. (1981)
- Aven (1992)
Fault tree analysis is a logical, structured process that can help identify potential
causes of system failure, such as causes of initiating events or failure of barrier
systems.
The technique was developed to identify causes of equipment failure and was
used primarily as a tool in reliability and availability assessment. The fault tree is a
graphical model displaying the various combinations of equipment failures and
human errors that can result in the occurrence of the hazardous event, usually
referred to as the top event. The strength of the fault tree technique is its ability to
include both hardware failures and human errors, and thereby allow a realistic
representation of the steps leading to a hazardous event. This allows a holistic
approach to the identification of preventive and mitigative measures, and will
result in attention being focused on the basic causes of the hazardous event,
whether due to hardware or software.
FTA is particularly well suited to the analysis of complex and highly redundant
systems. For systems where single failures can result in hazardous events,
single-failure-oriented techniques such as FMEA and HAZOP analysis are more
appropriate. For this reason fault tree analysis is often used in situations where another
hazard evaluation technique, such as HAZOP analysis, has pin-pointed the possible
occurrence of a hazardous event which requires further investigation.
The output of a fault tree analysis is a failure-logic diagram based upon
Boolean logic gates (i.e. AND, OR) that describes how different combinations of
events lead to the hazardous situation. A large number of fault trees may be
necessary to adequately consider all the identified top events for a large process plant,
and the analyst needs to exercise judgement when selecting the top events to be
considered.
The fault tree illustrated in Figure 6.2 shows some indicative causes of why a
LAN server in an office may be stolen. This simple example covers either
random theft or planned theft; in the latter case both the order and the knowledge
have to be available.
[Diagram: top event D0 ‘LAN server theft’ below gate G1, with inputs D1 ‘Random
theft by criminal’ and D2 ‘Planned theft by criminal’; D2 sits below gate G2, with
inputs D3 ‘Criminal receives order for LAN server’ and D4 ‘Criminal has knowledge
of actual LAN server’.]
Figure 6.2. Fault tree illustration
The following are characteristics of a fault tree:
- Top event: Event D0
- Gates: G1; G2
- Undeveloped event: D1
- Basic events: D3; D4
The two gates are different, as shown by the graphics in the diagram, and may be
characterised as follows:
- Gate G1: OR gate, Boolean OR, output occurs if any of the input events
occur.
- Gate G2: AND gate, Boolean AND, output occurs if all the input
events occur.
The events are also different, as shown by the graphics in the diagram. All events
are shown as rectangles, with different coding below. The differences may be
characterised as follows:
- Undeveloped event D1: diamond, causes not developed further.
- Basic events D3; D4: circle, lowest level of fault tree, where
reliability data is applied.
The top event D0 occurs if any of D1 or D2 (or both) occurs. Event D2 occurs if
both of D3 and D4 occur.
By reviewing the fault trees, it is possible to identify the different combinations
of failures or errors which give rise to the hazardous event. The different failure
combinations may be qualitatively ranked depending upon the type and number of
failures necessary to cause the top event. Inspection of these lists of failure
combinations can reveal system design or operational weaknesses for which possible
safety improvements can be considered by the introduction of additional barriers.
It is easy to observe from Figure 6.2 that the top event will occur in case of the
following event combinations:
- D1
- D3 and D4.
This implies that there are two minimal cut sets in Figure 6.2: D1 is a cut set of
order one, and D3 and D4 together constitute a minimal cut set of order two. A cut
set is a set of fault tree events which will cause the top event to occur if all
events in the set occur. A minimal cut set is a cut set that cannot be reduced
further and still maintain its capability as a cut set. For illustration, the set
{D1; D3, D4} is a cut set, but not a minimal cut set, because it may be reduced
further. {D1; D3} is also a cut set, but not a minimal cut set.
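The cut set reasoning above can be carried out mechanically. The following is an added example, not taken from the book: it encodes the fault tree of Figure 6.2, derives the minimal cut sets by top-down gate expansion, and checks the two non-minimal sets named in the text. The function names and the leaf probabilities are constructed for illustration, and the leaves are assumed to be independent.

```python
from itertools import product

# Fault tree of Figure 6.2. Each intermediate event maps to (gate type, inputs);
# events that do not appear as keys are leaves (basic or undeveloped events).
TREE = {
    "D0": ("OR", ["D1", "D2"]),    # gate G1: LAN server theft
    "D2": ("AND", ["D3", "D4"]),   # gate G2: planned theft by criminal
}

# Constructed leaf probabilities, for illustration only (not from the book).
P_LEAF = {"D1": 0.01, "D3": 0.05, "D4": 0.20}


def cut_sets(event, tree):
    """Expand gates top-down and return every cut set of `event`."""
    if event not in tree:
        return {frozenset([event])}
    gate, inputs = tree[event]
    per_input = [cut_sets(name, tree) for name in inputs]
    if gate == "OR":       # any one input suffices: pool the inputs' cut sets
        return set().union(*per_input)
    if gate == "AND":      # all inputs needed: merge one cut set from each input
        return {frozenset().union(*combo) for combo in product(*per_input)}
    raise ValueError(f"unknown gate type {gate!r} at {event}")


def minimal_cut_sets(event, tree):
    """Drop every cut set that strictly contains another cut set."""
    found = cut_sets(event, tree)
    return {s for s in found if not any(other < s for other in found)}


def is_cut_set(candidate, event, tree):
    """A set of leaves is a cut set if it contains at least one minimal cut set."""
    candidate = frozenset(candidate)
    return any(m <= candidate for m in minimal_cut_sets(event, tree))


def is_minimal_cut_set(candidate, event, tree):
    return frozenset(candidate) in minimal_cut_sets(event, tree)


def top_event_probability(event, tree, p_leaf):
    """Exact top-event probability for independent leaves, by state enumeration."""
    mcs = minimal_cut_sets(event, tree)
    leaves = sorted(set().union(*mcs))
    total = 0.0
    for states in product([False, True], repeat=len(leaves)):
        occurred = {leaf for leaf, on in zip(leaves, states) if on}
        if any(m <= occurred for m in mcs):
            weight = 1.0
            for leaf, on in zip(leaves, states):
                weight *= p_leaf[leaf] if on else 1.0 - p_leaf[leaf]
            total += weight
    return total


def rare_event_bound(event, tree, p_leaf):
    """Upper bound: sum over minimal cut sets of the product of leaf probabilities."""
    bound = 0.0
    for m in minimal_cut_sets(event, tree):
        term = 1.0
        for leaf in m:
            term *= p_leaf[leaf]
        bound += term
    return bound


if __name__ == "__main__":
    for m in sorted(minimal_cut_sets("D0", TREE), key=lambda s: (len(s), sorted(s))):
        print("minimal cut set of order", len(m), sorted(m))
    print("{D1; D3, D4} is a cut set:", is_cut_set({"D1", "D3", "D4"}, "D0", TREE),
          "| minimal:", is_minimal_cut_set({"D1", "D3", "D4"}, "D0", TREE))
    print("P(top event):", top_event_probability("D0", TREE, P_LEAF))
    print("rare-event bound:", rare_event_bound("D0", TREE, P_LEAF))
```

The enumeration in `top_event_probability` grows as 2^n in the number of leaves, so it is only suitable for small trees such as this one.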
In order to undertake fault tree analysis, it is necessary to have a detailed
understanding of how the plant or system functions, detailed process drawings,
procedures, and knowledge of component failure modes and their effects.
Experienced and well-qualified staff should always be used to ensure an efficient and
high-quality evaluation.
6.2.2 Event Tree Analysis
There is no extensive text material available for instruction in the construction,
analysis and use of event trees. This topic is therefore discussed at some length in
Section 6.3 below.
6.2.3 Failure Mode and Effect Analysis
Failure Mode and Effect Analysis is a simple technique that does not require
extensive theoretical description, but should rather be based on practice in
conducting such studies. Useful descriptions and overview may be found in the following:
- Høyland and Rausand (1994)
- Stamatis (1995).
6.2.4 Statistical Simulation Analysis
The best known simulation technique is the so-called Monte Carlo method, which
is described in several textbooks. This topic is therefore not repeated here;
interested readers are referred to:
- Høyland and Rausand (1994)
- Ripley (1987).
6.2.5 Analytical Methods
A typical example of an analytical approach is the modelling of collision
frequency, which is discussed in Chapter 10.
6.2.6 Operational Risk Analysis
The offshore petroleum industry has for a long time invested considerable
resources in engineering defences, or barriers, against fire and explosion hazards on the
installations. The performance of barriers is to some extent followed up through
performance standards and Key Performance Indicators, though often not
extensively. Safety systems are usually addressed on a one-by-one basis, not allowing
dependencies and common mode/cause failures to be identified.
Half of the leaks from hydrocarbon containing equipment occur in connection
with manual activities in hazardous areas, during which engineered defences often
are partially inhibited or passivated, in order not to cause disruption of stable
production. The occurrence of these leaks is a clear indication that system and human
defences relating to containment of leaks are not functioning sufficiently well
during these operations. There is an obvious need to understand better the
performance of barriers, particularly non-technical, during execution of manual activities.
In a paper presented at ESREL 2003 (Vinnem et al., 2003a), operational risk
assessments were discussed. It was concluded that there is a clear need for
improvement of the analysis of barriers. These aspects form the outset for an
extensive research activity called the BORA (Barrier and Operational Risk
Analysis) project (Vinnem et al., 2003b). A PSAM7 paper (Vinnem et al., 2004)
gave some preliminary observations and introduced a proposed approach.
Two case studies with modelling and analysis of physical and non-physical
barriers on offshore production installations have been carried out. Barriers
intended to prevent the incident occurring along with those intended to eliminate/reduce
consequences are included, and particular emphasis is placed on barriers during
execution of operational activities. The results from the studies should enable both
industry and authorities to improve safety through:
- Knowledge about performance of barriers and improvement potentials
- Identification of the need to reinforce the total set of barriers, especially
during operational activities
- Identification of efficient risk reduction measures for barriers, together
with effective modifications and configuration changes.
The analysis has been quantitative as far as possible. Barriers are in general
characterised by reliability/availability, functionality and robustness. All of these
performance measures are addressed. The Norwegian regulations require that
dependencies between barriers shall be known. The analysis is therefore performed such
that, where relevant, common cause or mode failures and dependencies between
barrier elements are accounted for.
6.2.6.1 BORA Methodology
The BORA project has proposed a methodology for analysing failure of
operational barriers, as outlined in Vinnem (2004) and presented in detail in Aven,
Sklet and Vinnem (2006), which presents the BORA methodology as well as the
sources for scoring of risk influencing factors (RIFs). The methodology has three
main processes:
- Qualitative analysis of scenarios, basic causes and RIFs
- Quantification of average frequencies/probabilities
- Quantification of installation specific frequencies/probabilities.
This is shown in Figure 6.3. Also the sources for the installation specific
quantification of frequencies and probabilities are presented in Figure 6.3. The following
sources are available:
- TTS/TST verifications
- MTO (Man, Technology and Organisation) investigations
- RNNS (Risk Level Project) questionnaire surveys
- RNNS barrier performance data
- Detailed assessments (Expert input)
- General background studies.
The TTS/TST verifications (Thomassen and Sørum, 2002) are focused on technical
and documentation aspects of barriers. These verifications were developed by
Statoil, and the approach has been adopted by several Norwegian offshore
operating companies. MTO investigations (Tinmannsvik et al., 2005) are
investigations with special emphasis on human and organizational aspects that
have been conducted for many accidents and incidents in the past few years,
mainly by or on behalf of the Petroleum Safety Authority (PSA) in Norway. RNNS
is a project conducted annually by PSA for the entire Norwegian Continental Shelf
(PSA, 2006a and b), which for the purpose of the BORA methodology has two
applicable activities:
- Biannual questionnaire survey
- Annual collection of barrier performance data.
The questionnaire survey has extensive questions relating to working environment
factors as well as a number of aspects relating to perceived risk and safety culture.
The barrier performance data, see PSA (2006a), is concerned with a selection of
barrier elements, most of which are technical barriers.
[Diagram. Process steps: basic barrier modelling; quantification of average
frequencies/probabilities; identification and classification of RIFs; scoring of
RIFs; adjustment due to dependencies between RIFs; quantification of importance
(weights) of RIFs; quantification of specific frequencies/probabilities; complete
barrier model. Sources for assessments: general background studies; TTS/TST
verification; MTO investigations; RNNS questionnaire survey results; RNNS barrier
performance data; detailed assessments.]
Figure 6.3. Summary of main aspects of the BORA methodology
Traditionally, the event modelling in QRA starts with loss of containment as the
initiating event, and the barriers to limit the potential consequences of the leak are
modelled. In the BORA project we want to visualise the barrier elements in place
to prevent the leak itself. For this purpose ‘barrier block diagrams’ have been
developed for different conditions which may cause loss of containment. For the case
‘loss of containment due to incorrectly fitted equipment’, see Figure 6.4.
The basic risk model in the BORA project may be seen as an extended QRA model;
however, there are several extensions compared to typical offshore QRA
studies:
- Event trees and fault trees are linked in one common risk model.
- Detailed modelling of the loss of containment barrier, including initiating
events reflecting different causes of HC release and safety barriers aimed
to prevent release of HC.
- Incorporation of operational activities functioning as operational barriers
such as use of checklists, third party control of work, and manual
inspection in order to detect corrosion in the risk model.
[Diagram. Initiating event: ‘Valve incorrectly fitted during maintenance’. Barrier
elements: ‘Control / inspection of work reveals the error’ and ‘Pressure testing
before start up reveals the error’, each with a YES branch (OK) and a NO branch.
Consequence: ‘Potential loss of containment’.]
Figure 6.4. Barrier block diagram, ‘incorrectly fitted equipment’
The calculated release frequencies from the different release scenarios constitute
the input to the analyses of the consequences. The BORA methodology may use
release statistics in order to calibrate the quantitative numbers obtained by analysis
of the release scenarios. Also other ways to calibrate the numbers are considered.
However, it is the possibility to evaluate the relative importance of the different
release preventive barriers and the effect of changes that is important regarding
control of risk and prioritization of risk reducing measures.
It should be noted that at the time of preparing the manuscript, there is no
commercially available software which may be used for the BORA analysis.
6.2.6.2 Bayesian Belief Network
The use of Bayesian belief networks (BBN) is gaining popularity among risk
analysts as they are flexible and well suited to taking the performance of human and
organisational factors into consideration, and they provide a more precise
quantitative link between the performance of risk influencing factors. Jensen (2001) and
Pearl (2001) present this approach.
Recently a methodology called Hybrid Causal Logic (HCL) has been
developed, allowing Bayesian belief networks to provide input information to fault trees
and event trees. The basic approach is presented by Mosleh et al. (2004), and some
suggestions for application to the offshore industry are presented by Røed et al.
(2007). Figure 6.5 shows a simple illustration of the Bayesian belief network.
The example case is the following accidental event: ‘release due to incorrect
fitting of flanges or bolts during flowline inspection’. The assembling of the
flowlines occurs after inspection, but prior to start-up. The event sequences caused by
the initiating event are presented as a barrier block diagram in Figure 6.4. There are
three barrier functions to prevent the initiating event from occurring. The technician
carries out self control after assembling the flowlines, followed by independent (third
party) control. Finally a leak test is carried out prior to start-up.
[Diagram. Initiating event: ‘Incorrect fitting of flanges or bolts’, followed by
the barriers self control, 3rd party control and leak test. Nodes for self control:
use of self control/check list not specified in program; use of self control/check
list specified, but not performed; technician fails to detect incorrect fitted
flange by self control/use of check lists. Nodes for 3rd party control: use of third
party control of work not specified in program; third party control of work
specified, but not performed; third party checker fails to detect incorrect fitting
of flanges. Nodes for leak test: leak test not specified in program; leak test
specified, but not performed; failure to detect leak in leak test. Influencing
nodes: program and procedures for self control, for third party control and for
leak test; training/experience of technician; training/experience for third party
checker; time pressure; work permit; flange layout; process
complexity/accessibility; mechanical tension, tension calculations/tables;
execution of leak test; test medium; leak test result interpretation;
communication between technician and control room.]
Figure 6.5. Bayesian belief network for example (Røed et al., 2007)
6.3 Event Tree Analysis
6.3.1 Basics of Event Tree
An event tree is a visual model describing possible event chains which may
develop from a hazardous situation. Initiating events (sometimes called top events) are
defined and their frequency or probability of occurrence calculated. Possible
outcomes from the initiating event are determined by using a list of questions
where each question is answered ‘yes’ or ‘no’. The questions will often correspond
to safety barriers in a system such as ‘isolation failed?’ The method therefore
reflects the designer's way of thinking.
The probability of alternative outcomes is calculated for each question which
forms a branching point in a logic diagram. These branching points are often called
the ‘nodes’ of the event tree. The probability or frequency of alternative end events
(also often called terminal events) is calculated based on the probability or frequ-
ency of the initiating event and the conditional probability associated with each
branch. End events may be gathered in groups having similar consequences to give
on overall risk picture.
The event tree is quite similar to a cause consequence diagram although the
latter uses more text and a few more graphical symbols. The cause consequence
diagram is somewhat easier to read, but significantly less information can be compressed
into one sheet. This may be part of the reason why event trees appear to be
preferred. From event trees the following are often performed:
- Frequency calculation for consequence classes
- Sensitivity analyses (effect of variations of some parameters)
- Identification of major contributions to each consequence class.
In addition to frequency/probability prediction, an event tree may also be used for
direct calculations of consequences. A simple way to carry out a fatality risk
assessment, is to assign a number of fatalities to the branching points (in case of
branching one way), and these are summed to find the number of fatalities for the
end events. The most typical way to calculate consequences is to carry out separate
calculations associated with the different branches and/or terminal events.
The theory on which the event tree methodology is based is very simple and
requires only limited explanation. The following sections outline both the theory
and the practical application of event tree analysis.
6.3.1.1 Accident Sequence Modelling
One of the most crucial tasks of QRA (and also probably the most difficult) is the
modelling of the potential accident sequences. This is demonstrated by the incident
involving the maloperation of ballast valves due to build-up of pressure in hydraulic
system return lines, as a result of a fire (see page 162). In most situations it is a
challenge to identify the possible hazard, and to accurately represent the possible
accident sequences. The following are the main difficulties in such modelling:
- The process is normally highly time dependent.
- Escalation involves complex interactions between different processes and
different equipment.
- Human intervention may sometimes have extensive effects on the
development.
- Small differences in circumstances may often lead to vastly different final
scenarios.
Dynamic situations are probably the main challenge. Tools and approaches need to
be able to reflect dynamics in the most accurate way, in order to achieve realistic
modelling. It is recognised that an event tree model is usually too static a tool to be
really suitable for detailed analysis of accident sequences and the dynamics of such
a process. Very little effort however has so far been devoted to the development of
alternative tools and approaches. One such alternative, PLATO®, is briefly described
in Section 6.5.1.
6.3.1.2 Event Tree Illustration
The event tree used for initial illustration (Figure 6.6) is an event tree for evaluation
of evacuation from a platform. The initiating event in the event tree is assumed
to be an event which requires evacuation from the platform, e.g. a blowout, a large
fire etc. From this initiating event, different scenarios may develop, depending
upon the circumstances. The different circumstances are described to the right of
the event tree, in the form of a number of questions relating to the nodes.
Figure 6.6. Event tree for escape and evacuation
Initiating event: Evacuation scenario. Node questions (branch shown for ‘Yes’):
1. Precautionary evacuation performed
2. Escape prior to ignition
3. Escape to TR complete
4. Main LB launch successful
5. Escape to secondary LB possible
6. Secondary LB launch successful
7. Successfully seaborne
End events are numbered 1–30.
The first question considered is whether precautionary evacuation from the
platform has been performed. If this is the case, then we move to the left along the
first branch of the event tree, otherwise we move to the right.
The second question is whether escape has been performed prior to ignition.
Obviously, if precautionary escape has been performed, this question is superfluous.
For the left branch from the first question, this second question is therefore
not considered. However, for the right branch it is relevant.
In this way, we can continue through the event tree, splitting the scenarios into
more and more detailed scenarios, depending on alternative outcomes to intermediate
situations.
6.3.1.3 Sequence of Events
The analysis of accidental scenarios includes the following elements in relation to
hydrocarbon leaks:
- Modelling of leaking media
- Event sequence analysis, including ignition and barrier modelling
- Escalation modelling
- Impairment modelling
- Consequence modelling.
The analysis of these processes is extremely complex on offshore platforms. In fact
offshore platforms are the most difficult objects to analyse for accidental event
development. Onshore petrochemical and chemical plants are more complex in
relation to the process design, but could be considered simpler, due to spacing
between units, and the way plants are laid on the ground level. Large offshore
platforms often have 3–4 levels of equipment with different kinds of interaction.
Also nuclear plants (and even space vehicles) are simpler than the largest offshore
installations with respect to escalation of accident consequences, although they are
more complicated with respect to the work processes.
Due to this, modelling of event sequences is the aspect of offshore QRA that
causes most of the uncertainty. Some R&D work has been going on in this regard,
and there are one or two alternative options available to replace the traditional
approach to event sequence modelling. So far however there is no single technique
which has really been able to replace the use of event trees.
There are several aspects that need to be considered carefully, in constructing
an event tree, the most important of which is the sequence in which the escalation
factors are considered. The importance of sequence is closely coupled with the fact
that conditional probabilities are used in the event trees. This is discussed in more
detail in Section 6.5.2.
The sequence issue is especially important in respect of leaks from process
equipment because there are a number of safety systems and functions installed, all
of which are intended to reduce the risk associated with leaks.
6.3.1.4 Node Branching Rule
Another aspect which may be mentioned is that the rule of branching in two
mutually exclusive sequences from each node (binary output from nodes) is
sometimes broken, in order to save space. Consider the following alternatives with
respect to ignition of small gas leak:
- Immediate ignition (fire is implicit)
- Delayed ignition causing explosion
- Delayed ignition causing fire
- No ignition.
If the standard rule of dual branches from each node is followed, this leads to three
nodes being required:
- No ignition, vs.
- Ignition, which splits into
  - Immediate ignition, vs.
  - Delayed ignition, which splits into
    - Explosion
    - Fire.
These three nodes will occupy a lot of space in a graphical representation of the
event tree and a more condensed presentation is possible if one node is ‘allowed’ to
have all four sequences as outputs.
Figure 6.7 shows a simple example with binary division in each node, whereas
Figure 6.8 shows the same example redrawn such that one node has three outputs.
These two diagrams further show that event trees may be drawn horizontally as
well as vertically.
The requirement that all outputs are mutually exclusive is valid in all cases. For
instance, when considering failure or success of evacuation, the outcomes are
classified in binary states as either ‘failed’ or ‘success’, as shown in the event tree,
Figure 6.6.
When the standard rule of only two output branches from each node is applied
strictly, then there will always be one more end event than there are nodes in the
tree. When more branches are allowed from each node, then the number of end
events may be smaller than the number of nodes.
Figure 6.7. Event tree example with binary division
Initiating event: Gas leak. Nodes (branch shown for ‘Yes’): 1. Ignition; 2. Immediate
ignition; 3. Explosion. End events: No ign, Fire, Expl, Fire.

Figure 6.8. Event tree example with one combined node
Initiating event: Gas leak. Nodes: Ignition (outputs: No ignition, Delayed, Immediate);
Fire. End events: No ign, Fire, Expl, Fire.
6.3.1.5 Loops in the Tree
Since sequence is an important aspect, one might assume that loops in the event
tree could be quite useful. In the case of fire for instance, a typical node question is
whether automatic systems are capable of controlling the fire. If the automatic control
is unsuccessful, it will often lead to further escalation. But in a looped fashion,
we could take extra fire fighting measures (activation of manual control) into consideration,
and loop back in order to improve on the chance that further escalation
is prevented. Looping could increase the realism in the modelled sequences. The
use of loops, however, complicates the calculation of frequencies quite substantially,
but there is theory available also to cover this aspect (Nielsen, 1976).
Despite this fact this alternative is virtually never used, although the theory has
been available for 30 years.
Although it is recognised that the event tree is far from ideal for modelling of
accident sequences, it has three very significant advantages, which compensate for
its shortcomings:
- It is graphically easy to understand,
- it is easy to use, and
- it provides a good opportunity for integration of reliability analysis into the
accident sequence modelling.
Finally, it may be noted that event trees are commonly drawn either top-to-bottom
or left-to-right, as illustrated in Figure 6.8. The top-to-bottom convention is used
throughout this book, Figure 6.8 and Figure 6.9 being the exceptions to this rule.
Figure 6.9. Illustration of integration between event tree and fault trees
6.3.1.6 Probability and Frequency Calculation
The event tree can also be used for quantification of the likelihood of different
scenarios. Probability values can be assigned to each branch and in this way we
build up a tree of conditional probabilities. If we return to the evacuation example
again (Figure 6.6), we may assume that the probability of precautionary evacuation
being performed is 0.6. This means that the probability that precautionary evacuation
is not performed will be 0.4. Secondly, given that precautionary evacuation
has not been performed, we may assume that the probability of escape before ignition
is 0.8, as the conditional probability. The total probability of the sequence with no
precautionary evacuation followed by escape before ignition then becomes
0.4 x 0.8 = 0.32.
By continuing this logic through the tree, we can arrive at probabilities for the
terminal events in the event tree. If in addition we multiply with the frequency of
the initiating event, we arrive at the frequency for each terminal event.
6.3.1.7 Combination of Event Trees and Fault Trees
The RiskSpectrum® software is outlined in Section 6.4, noting that it allows an
integrated analysis of event trees and fault trees. A sketch showing the principles of
such integration is outlined in Figure 6.9.
6.3.2 Major Hazard Scenarios
The main use of event trees in offshore QRA is for modelling accident sequences
from hydrocarbon leaks and other major hazards. The following are the main types
of hazards for which event trees are used:
- Blowouts
- Hydrocarbon leak events from process equipment
- Hydrocarbon leak events from riser
- Fires in utility systems, mud process and quarters
- Structural and marine accidents
Separate event trees could be developed for each relevant leak category and for
each piece of equipment. The number of event trees would therefore be very
substantial for a large platform and it is therefore necessary to eliminate trees and
parts thereof that are not really required, in order to avoid losing the overview.
The discussion in this section is focused on hydrocarbon leaks, including
blowouts.
6.3.3 Initiating Event Frequency
The frequency of initiating events is shown in the event tree. Event trees are often
presented for the following categories of leaks:
Process Leaks:
- Small leak
- Medium leak
- Large leak
Riser and Pipeline Leaks:
- Small leak
- Medium leak
- Large leak
- Full Bore
Blowouts:
- Full flow
- Reduced flow
- Different flow paths/location of release
The number of categories may obviously change, depending on the circumstances
of the analysis. The leak categories may be based on:
- Mass flow, often in kg/s.
- Dimensions of the leak area, (often using an equivalent diameter circular
hole).
There is a unique relationship between the gas composition, the pressure, the mass
flow and the area of opening. A leak classification frequently used is:
- Small leaks, 0.1–1 kg/s (sometimes from 0.05 kg/s)
- Medium leaks, 1–10 kg/s
- Large leaks, >10 kg/s.
In order to illustrate typical occurrence frequencies, the following values could be
observed for gas leaks from one installation during 10 years of operation:
- Large leaks; none
- Medium leaks; 1
- Small leaks; 19
- Over 250 registered seepages and other leaks below 0.1 kg/s.
Another way to illustrate frequencies is from the Risk Level project, which reports
the following average frequencies during the 10 year period 1996–2005:
- Large leaks (>10 kg/s): 0.0069 leaks per installation year
- Medium leaks (1–10 kg/s): 0.151 leaks per installation year
- Small leaks (0.1–1 kg/s): 0.45 leaks per installation year
6.3.3.1 How to Divide into Categories?
One potential problem associated with use of either of the two systems of categorising
leaks is that it may not truly reflect actual situations. This may be highlighted
by considering how escalation may be modelled (this phenomenon is sometimes
called ‘artefact’).
When leaks are grouped in categories, common characteristics are calculated
for each of the categories. Thus for small leaks, the flame length of jet fire may be
3 metres, and for a medium leak, 17 metres. If the distance to the next section of
process equipment is 7 metres, then the flame from small category leaks will not
impinge on the next section of equipment, whereas flames from medium sized
leaks will always impinge.
This, however, is an artificial situation brought about by grouping leaks and giving
them a single representative size. In actuality the larger leaks in the small leak
category may have a jet flame length of over 7 metres and thus would give rise to
escalation. A logical system for categorising leaks would define the smallest leaks
as those below a size which causes jet fire impingement and subsequent escalation.
The next category of leak would be those that cause escalation to the next section
due to jet fire impingement. The principles are illustrated in Figure 6.10.
It is assumed that all these five vessels are installed in the same area. This illustration
is simplified in order to demonstrate the principles, in the sense that only
the distances between vessels are illustrated. Instruments and piping may result in
the real separation distances between vessels being shorter. With respect to process
segments, the following is assumed:
- Vessels A and B belong to the same ESD segment.
- Vessels C and D belong to the same ESD segment, which is different from
the segment which Vessels A and B belong to.
- Vessel E is a separate ESD segment from all the other vessels.
Figure 6.10. Simplified sketch of five process vessels and distances (in horizontal plane)
The leak categories should now be determined on the basis of jet fire flame lengths
in relation to the distances between the vessels. The leak categories may be defined
as follows:
- Since Vessels A and B belong to the same segment, the distance L1 is not
applicable as basis for these definitions.
- The distance L2 is used as the lower limit for significant leaks, smallest
category.
- The second category is based on the distance L3, which gives the lower
limit for the category.
- The third category should be based on the distance to a fire wall (not
shown).
6.3.3.2 Leak Frequencies for Selected Categories
Frequencies for initiating events are calculated separately for each piece of
equipment or system, and each leak category, based either on system or equipment
values. For detailed studies it is common to base the calculation of leak frequency
in an area on leaks from the following equipment, from which the total system leak
frequency is generated:
- valves
- flanges
- bends
- instrument connections
- welds
- piping
- pressure vessels
- coolers and heaters
- risers
- pipelines.
Gas and oil leaks are considered separately for all systems and operations. Generic
data (typical average for industry standard equipment) are most commonly used.
Installation specific data should be used, whenever available, as discussed in
Section 5.10.
The approach indicated here is the traditional approach where leak frequencies
are calculated based on an equipment count i.e., without taking operations into
consideration. The BORA project has developed a general approach in order to
take activities and operations into account. This was outlined in Section 6.2.6.1.
For blowouts, the following operations are considered separately:
- shallow gas zone drilling
- exploration drilling
- well testing
- development drilling
- completion of production wells
- completion of injection wells
- regular production
- wireline operations
- coiled tubing operations
- snubbing operations
- workover operations.
The distinction is also often made between wells with regular deviation and so-called
horizontal wells (with sometimes very long horizontal sections), High Pressure/High
Temperature wells and wells with completion in multiple reservoir zones
(‘multibore’ wells).
6.3.4 Nodes in Event Trees
Event tree probabilities are provided at each branching point (node) in the event
trees. Typically the following aspects are considered:
- Detection of leaks
- Ignition
- Emergency shut down, blowdown, flaring
- Fire fighting system
- Explosion and fire
- Extent of escalation of accidental effects.
This list only shows the main categories that are considered and further categorisation
may be required, in a detailed event tree. In a detailed event tree the following
active and passive safety systems and functions would be covered by the logic
nodes:
Safety Systems Reliability:
- ESD system, including valves
- Blowdown valves
- Gas detection
- High Integrity Pressure Protective System
- Fire detection
- Smoke detection
- Fire fighting, automatic and manual.
Passive Fire Protection:
- Escalation (mainly depending on passive fire protection)
- Ignition time and location.
There is some discussion as to whether all safety systems should be reflected in the
event trees as separate nodes or not. Some analysts would claim that not all safety
systems need to be reflected separately in the event trees. They will claim that it is
most efficient in many circumstances, to combine several systems into one node, to
avoid the event tree being too unmanageable.
The opposite view is that more focus is put on those safety systems that are
reflected explicitly as nodes in the event tree, and that this will help in meeting the
regulatory requirement to document the effect of barrier system failures. It will
often be most efficient to find a compromise between these two extreme positions.
Let us illustrate a case where there is a node stated as ‘Closure of ESD valves’,
which then would include implicitly the following barrier elements: ESD valves,
ESD logic as well as auto gas detection and manual gas detection sub-functions.
The probability of failure to shut the ESD valves can be calculated for this node in
the following manner (if the elements and sub-functions are independent):
$$P^{f}_{TOT} = P^{f}_{ESDV} + P^{f}_{ESDL} + P^{f}_{GASDET} \cdot P^{f}_{MANDET} \qquad (6.1)$$
where
$P^{f}_{TOT}$ = probability of failure to shut the ESD valves
$P^{f}_{ESDV}$ = probability of failure of the actual ESD valve itself
$P^{f}_{ESDL}$ = probability of failure of the ESD logic
$P^{f}_{GASDET}$ = probability of failure of gas detection
$P^{f}_{MANDET}$ = probability of failure of manual gas detection.
Equation 6.1 may be valid for many similar cases. It should be noted that this
equation assumes independence between [automatic] gas detection and manual detection.
The individual elements of Equation 6.1 may be calculated by Fault Tree
Analysis or based on operational experience (or a combination).
The importance of the correct sequence by which the nodes are considered has
already been pointed out. It could be mentioned that one typical error in this
context is that ignition of a gas leak is considered as the first node in the tree, prior
to consideration of leak detection. But the probability of ignition is highly dependent
on whether the leak has been detected or not. The first node should therefore
in most cases be concerned with the detection.
6.3.5 End Event Frequency
The calculation of end event frequencies is mathematically straightforward, just
involving multiplication of the initiating event frequency by the appropriate conditional
probabilities. The amount of calculations may, however, make the use of
computerisation necessary. The following relationship between frequencies and
probabilities may be observed:
- Initiating event: Usually given by its frequency.
- Nodes: Probabilities are always used, principally these are conditional probabilities.
- End events: Have the same dimension as the initiating event, therefore usually frequency.
The end event frequency may be expressed as:
$$\lambda_j = \lambda_i \cdot \prod_{k \in K} p_k \qquad (6.2)$$
where
$\lambda_j$ = frequency of end event j
$\lambda_i$ = frequency of initiating event in the tree
$p_k$ = conditional probability of branch k
K = set of branches that defines the path from initiating event to end event j.
The initiating event frequency is usually considered to be constant, assuming for
instance a Poisson distribution of the occurrence of events. With this assumption, a
simple relationship between probability and frequency exists, as shown below.
If the annual frequency of small gas leaks is $\lambda_i$, then the probability of at least 1
gas leak in a one year period, may be expressed as:
$$P(\text{at least 1 leak}) = 1 - e^{-\lambda_i t} \approx \lambda_i t \qquad (6.3)$$
The approximation is valid only if the probability is lower than 1% (the error at
10% is 0.05); the first expression is always valid. The probability of no gas leaks in
a year, is (with the same condition for the approximation):
$$P(0\ \text{leaks}) \approx 1 - \lambda_i t \qquad (6.4)$$
Equations 6.3 and 6.4 may be used for the end events as well as for the initiating
event.
The end, or terminal events in the tree, are sometimes called the ‘accidental
events’. The frequency of the end events is often multiplied by the impairment
[conditional] probability (in range 0.0–1.0) in order to determine the impairment
frequency i.e., the frequency of events which the safety functions are not designed
to sustain.
$$\lambda_{imp,j,l} = \lambda_j \cdot p_{imp,j,l} \qquad (6.5)$$
where
$\lambda_{imp,j,l}$ = impairment frequency for end event j
$p_{imp,j,l}$ = conditional probability of impairment for safety function l for end event j.
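The calculations described in Sections 6.3.1.4, 6.3.1.6, 6.3.4 and 6.3.5 can be carried through for a medium gas leak as follows. This is an added example, not taken from the book: the initiating frequency is the medium-leak figure quoted in Section 6.3.3, while all component, branch and impairment probabilities and all function names are constructed for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Node:
    question: str
    branches: list  # [(outcome, conditional probability, Node or consequence class)]


def esd_node_failure(p_esdv, p_esdl, p_gasdet, p_mandet):
    """Equation 6.1: valve fails, or logic fails, or both detection paths fail."""
    return p_esdv + p_esdl + p_gasdet * p_mandet


def end_events(node, freq, path=()):
    """Equation 6.2: multiply the entering frequency down every path.

    Returns [(path, consequence class, frequency)]. Outputs of a node must be
    mutually exclusive and exhaustive, so their probabilities must sum to 1.
    """
    total = sum(p for _, p, _ in node.branches)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"branches of '{node.question}' sum to {total}, not 1")
    out = []
    for outcome, p, child in node.branches:
        step = path + (f"{node.question}={outcome}",)
        if isinstance(child, Node):
            out.extend(end_events(child, freq * p, step))
        else:
            out.append((step, child, freq * p))
    return out


def ignition_binary(p_ign, p_imm, p_expl):
    """Three strictly binary nodes, as in Figure 6.7."""
    delayed = Node("explosion", [("yes", p_expl, "explosion"),
                                 ("no", 1 - p_expl, "fire")])
    ignited = Node("immediate ignition", [("yes", p_imm, "fire"),
                                          ("no", 1 - p_imm, delayed)])
    return Node("ignition", [("yes", p_ign, ignited),
                             ("no", 1 - p_ign, "no ignition")])


def collapse(subtree, question):
    """Condense a binary subtree into one multi-output node (Section 6.3.1.4).

    Each output probability is the product of the binary conditional
    probabilities along the path it replaces.
    """
    return Node(question, [(" / ".join(path), p, cls)
                           for path, cls, p in end_events(subtree, 1.0)])


def build_tree(p_esd_fail):
    # Ignition probabilities are conditional on the ESD outcome (constructed values).
    ign_closed = collapse(ignition_binary(0.03, 1 / 3, 0.25), "ignition | ESD closed")
    ign_failed = collapse(ignition_binary(0.10, 0.20, 0.375), "ignition | ESD failed")
    return Node("ESD closure failed", [("no", 1 - p_esd_fail, ign_closed),
                                       ("yes", p_esd_fail, ign_failed)])


def class_frequencies(events):
    """Group end events with similar consequences and sum their frequencies."""
    totals = defaultdict(float)
    for _, cls, freq in events:
        totals[cls] += freq
    return dict(totals)


def prob_at_least_one(freq, t=1.0):
    """Equation 6.3, exact form; freq * t is the approximation for small values."""
    return 1.0 - math.exp(-freq * t)


def impairment_frequency(freq_j, p_imp):
    """Equation 6.5: end event frequency times conditional impairment probability."""
    return freq_j * p_imp


LEAK_FREQ = 0.151  # medium leaks per installation year (value quoted in Section 6.3.3)
P_ESD_FAIL = esd_node_failure(p_esdv=0.01, p_esdl=0.001,
                              p_gasdet=0.05, p_mandet=0.2)  # constructed values
EVENTS = end_events(build_tree(P_ESD_FAIL), LEAK_FREQ)

if __name__ == "__main__":
    for path, cls, freq in EVENTS:
        print(f"{freq:.3e} per year  {cls:12s} {' -> '.join(path)}")
    for cls, freq in class_frequencies(EVENTS).items():
        print(f"{cls:12s} {freq:.3e} per year, "
              f"P(at least 1 in a year) = {prob_at_least_one(freq):.3e}")
    print("sum of end events:", sum(f for _, _, f in EVENTS))
```

The end event frequencies sum back to the initiating frequency, which is a useful check that every node's outputs are mutually exclusive and exhaustive.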
6.3.6 Gas Leak in Process Area
Hydrocarbon leaks are analysed to consider different fire and explosion scenarios.
Event trees are often constructed quite simplistically, but may also be more
sophisticated.
Figure 6.11 presents a simple event tree for process system medium sized leaks
in the range 1–10 kg/s. The sequence of events in the Piper Alpha accident (see
Section 4.7) has been marked with a thicker line in the event tree. This event tree
considers only one safety system, the ESD system. The nodes following the safety
system node involve the consideration of ignition inside the module as well as
different mechanisms of escalation including strong explosion.
The nodes (branching points) in the diagram are focused on the following
safety systems and important safety aspects:
- ESD system availability
- Ignition
- Explosion
- Escalation to nearby equipment
- Escalation to other areas.
The conditional probabilities of the terminal events are also shown. These reflect
typical conditions on a relatively modern production platform on the Norwegian
Continental Shelf.
It could be observed that the sequence of events in the Piper Alpha accident is
not particularly probable on a modern platform in the North Sea, due to the
probability distribution used. It would be expected that the probability of this
particular sequence would be higher on an old installation like Piper Alpha.
Figure 6.11. Event tree for medium gas leak, with Piper Alpha sequence highlighted
Initiating event: Medium gas leak. Node questions (branch shown for ‘Yes’):
1. ESD unsuccessful
2. Ignition inside module
3. Strong explosion
4. Escalation to other equipment
5. Escalation to other areas
End events are numbered 1–12, each with a conditional probability (%).

It may be observed that the Piper Alpha sequence is quite well reflected in the
simple event tree shown above. In event tree terms, Piper Alpha may be characterised
as follows:
- Medium gas leak.
- Operator in the area initiated ESD.
- Ignition occurred in spite of this (ESD probably not initiated until after the
explosion).
- The resulting explosion was not strong (it has been back calculated to 0.2–
0.4 bar).
- Escalation (probably due to fragments) was first to other equipment, setting
off an oil fire.
- Escalation then subsequently resulted in riser rupture.
Although the Piper Alpha events can be quite simply modelled it will often be
important to expand the hydrocarbon leak event tree into more details because only
in this way is it possible to model explicitly the influence of different protective
and/or detailed systems and functions. The following example shows a detailed
event tree for a medium gas leak, see Figure 6.12 and Figure 6.13.
This event tree has a considerably higher number of nodes than the simple
event tree in Figure 6.11, also including operator intervention. In fact it is shown
that this event tree involves a small extent of ‘looping’ in the event tree, in the
sense that ‘operator intervention’ is shown on a high level in Figure 6.12 and also
on a lower level, in Figure 6.13.
There are two subtrees shown in Figure 6.12, A and B. Figure 6.13 is principally
devoted to Subtree B, but contains in fact also Subtree A, as a subset of
Subtree B.
There are two additional subtrees inside Subtree B, which are used to simplify
the drawing of the subtrees. Transfer logic normally used in fault trees is used for
the subtree transfers. This implies for instance that the Subtree A to be inserted into
Figure 6.12 is the part of Subtree B in Figure 6.13, which could be denoted ‘Fire
detection successful’ (actually the ‘No’ outcome of ‘Fire detection failure’).
Figure 6.12. Detailed event tree for small and medium gas leaks
Initiating event: Medium gas leak. Node questions (branch shown for ‘Yes’):
1. Detection failure
2. Operator intervention not successful
3. Ignition
4. Strong explosion causing escalation to other equipment
5. Strong explosion causing escalation to other areas
The tree contains transfers to Subtrees A and B; end events are numbered 1–7.
The use of transfer symbols is not common in Event Tree Analysis. If the trees in
Figure 6.12 and Figure 6.13 were used for calculations, then the transfers cannot be
allowed, because the nodes may have different probabilities, according to where
they are in the event tree.
Figure 6.13. Subtrees for detailed event tree for small and medium gas leaks
Subtree B. Node questions (branch shown for ‘Yes’):
6. Fire detection failure
7. Operator intervention not successful
8. ESD failure
9. Blowdown failure
10. Fire water not effective
11. Spreading to equipment
12. Spreading to other area
The subtree contains transfers A, C and D; end events are numbered 8–20.
The effectiveness of fire water activation (Level 10) is strongly dependent on the
circumstances that prevail in the scenario, reflecting what has been mentioned
earlier, that all probabilities in the event tree are conditional probabilities.
This detailed event tree is a real case, in the sense that it has been used in an
actual detailed QRA, and a point has been made to present it in the way it was
used. There is one aspect of this tree which is somewhat unfortunate, in the sense
that so-called ‘double negation’ is used. This implies that when the question ‘Fire
detection failure’ is posed, the ‘No’ branch actually implies a positive outcome,
‘Fire detection successful’. There is also a similar double negation for ‘detection
failure’. It is recommended to structure event trees such that ‘double negation’ is
avoided, and the wording of the event trees in Figure 6.12 and Figure 6.13 is therefore
not a recommended solution.
The total number of nodes in the expanded (actually full) version of this event
tree is 48, implying that there is a total of 49 terminal events in this event tree.
6.3.7 Blowout Event Tree
The discussion of blowouts in this section deals only with the effect on personnel
and facilities. The modelling of aspects that determine the environmental
consequences falls outside the scope of this book, and is not discussed in detail.
A standard event tree is often used for the description of the relevant accident
scenarios. The same tree is often used for all blowout scenarios, irrespective of the
cause. The event tree is shown in Figure 6.14, and the nodes discussed in the text
below.
Figure 6.14. Blowout event tree
Initiating event: Blowout. Node questions (branch shown for ‘Yes’):
1. Immediate ignition
2. Delayed ignition
3. Greatly delayed ignition
4. Fire (=no explosion)
5. Fire on sea
End events are numbered 1–13.
6.3.7.1 Node: Immediate Ignition
Ignition is regarded as ‘immediate’ if the leak is ignited within the first seconds
(may be up to just a few minutes) after the leak occurs. In these cases ESD
isolation will often have limited effect, due to the rapid development. An explosion
may be less likely in these circumstances, as an explosive gas cloud may not have
had the time to form. This is not always the case; an explosive cloud may be
rapidly forming in some cases. The Piper Alpha accident may illustrate this aspect,
as it is likely that the explosion in this accident occurred only some 20 seconds
after the leak started.
6.3.7.2 Node: Delayed Ignition
Ignition is regarded as delayed if it normally takes some few minutes (perhaps up
to 30 minutes) for a leak to ignite. The possibility of strong explosion is much
higher in this case, as a cloud of considerable size may have been formed before
being ignited.
6.3.7.3 Node: Greatly Delayed Ignition
Greatly delayed ignition is of interest in the case of blowouts and riser/pipeline
leaks, where huge clouds may be generated, and travel some distance before finding
an ignition source. (Consider for example one actual case when a blowout was
ignited 2–3 days after it started, by a work vessel which came in to tow the
wrecked platform away.)
If none of the ignition cases occur, then it is implied that the blowout is unignited.
This implies that the consequences mainly are spilled oil and/or gas releases
to the atmosphere. The size of the spill or dispersed cloud is completely dependent
on the duration of the blowout, and may range from a few tons up to tens of
thousands of tons of oil, or up to billions of m³ for gas.
6.3.7.4 Node: Fire
On offshore platforms gas fires are often more significant than oil pool fires; the
latter are dealt with in Section 6.3.7.6 below. Authority requirements and offshore
design practices have often concentrated attention on protection against pool fires,
presumably under the assumption that protection against gas fires is impossible or
unrealistic.
Gas leaks may lead to jet fires, if rapidly ignited. Such fires are very heat intensive,
and have a significant effect on objects in the flame. This calls for a dedicated
assessment. There are no official definitions or standards regarding jet fires that are
appropriate, and thus realistic fire scenarios have to be judged. The measures
necessary to give adequate protection from jet fires also need to be determined.
6.3.7.5 Explosion
Explosions (‘No’ branch for the ‘Fire’ node) following a massive gas leak from a
blowout may involve a substantial amount of gas. Recent R&D programmes (SCI,
1998) have demonstrated that under the worst case conditions very strong
explosions may theoretically occur in such circumstances. The important aspect
related to occurrence of explosion is whether escalation occurs or not, and whether it is
escalation to another segment, or to another area or deck. Usually this is not
directly expressed in the blowout event trees, probably because, due to the long
duration of the fire, escalation is virtually certain once a blowout is ignited. If
escalation occurs instantly because of the explosion, such early escalation may be
more critical, especially if it occurs prior to evacuation having been completed.
The scenario could in such cases be similar to the Piper Alpha accident. Only one
such scenario with corresponding severity (37 fatalities) is known from the
accident records, namely an explosion and fire caused by a blowout in the US Gulf
of Mexico area in 1970.
6.3.7.6 Node: Fire on Sea
In the case of an offshore platform blowout, there is always a chance that some
amounts of oil may be spilled onto the sea surface without being completely
burned in the air. This oil may then burn on the sea surface. If the volume of oil
burning on the sea surface reaches a significant amount, then the radiation loads on
the underside of the deck may be quite high. The smoke production may also
prevent escape and evacuation from being completed.
Pool fires in the open are controlled by the evaporation rate from the fuel surface.
The liquid absorbs energy from the flame and evaporates. The vapour will
mix with the entrained air as it rises due to buoyancy effects. It is further heated to
ignition and reacts generating heat. Burned gases then radiate energy until they
reach some low temperature at which point they merely exchange heat with the
surroundings. The main characteristics of a pool fire which are important with
respect to safety, are:
- duration of the pool fire
- extent of the pool fire i.e., height and diameter of the flame
- radiation heat load on objects located outside the flame
- heat load on objects enveloped by the flame.
These characteristics are strongly dependent on the geometrical conditions at the
location where the oil spill occurs.
When a pool fire occurs inside an enclosure where the air supply is limited, the
actual extent of air supply will determine the intensity of the pool fire.
Fire on sea may in theory also be caused by a subsea blowout from a wellhead
on the seabed. A burning subsea blowout will only occur if the flow is ignited,
usually by equipment on the installation. Only gas has the possibility to be ignited
inside the installation, and the gas fraction will therefore influence the probability
of ignition.
6.3.8 Gas Leak from Riser/Pipeline
6.3.8.1 Leak and Outflow Conditions
A sudden rupture of a high-capacity gas/oil pipeline in air (i.e. above sea level) will
result in a massive release of highly combustible material. The amount of energy
stored in such a line may be enormous, and an accidental release of hydrocarbons
may give rise to substantial mechanical damage and/or fire. To assess the hazard it
is necessary to know the time-dependent rate of outflow and the characteristics of
the outflow when ignited. An example is illustrated in Figure 6.15.
The event tree for riser leaks is usually quite simple, because there are limited
possibilities for risk reduction. The best approach for the control of risk in this
context is to prevent the actual occurrence of the rupture itself.
[Figure 6.15: event tree with initiating event ‘Riser leak’ and nodes 1. Ignition, 2. Strong explosion, 3. Isolation available, 4. Spreading to other risers, 5. Fire on sea; terminal events numbered 1–14]
Figure 6.15. Riser leak event tree
6.3.8.2 Ignition
The flow rate in case of a gas leak will be very high if a riser rupture occurs above
the sea level; this was already indicated in Subsection 5.3.3. The size of the gas
cloud will therefore be quite extensive in a very short time; in fact it could be so
extensive that large parts of the cloud are above the upper explosive limit (UEL),
such that ignition is unlikely.
Ignition of a leak from an oil riser is quite different from a gas leak. The crude
oil is relatively incompressible and the outflow conditions will be much more
affected by friction, implying that expansion will be limited to an initial ‘gushing’.
The possibilities for ignition are therefore much more limited.
6.3.8.3 Isolation of Flow
Subsea isolation valves were installed quite extensively on gas pipelines in the first
few years after the Piper Alpha accident in 1988, and some 50 valves were
installed on existing pipelines. A subsea valve will act as a barrier stopping the outflow
of gas from the pipeline, even if a leak develops in the riser. A possible fire
will therefore have short duration, if such a barrier is installed. After the Piper
Alpha accident much attention was given to the ESD-valves located on the
platform, in particular with regard to their survivability in various accidental
conditions. The most extensive protection is however provided by a subsea valve
location.
A subsea isolation valve is typically located 200–500 m away from the platform.
The reasons for this are that:
- It reduces the likelihood that the valve will be damaged by dropped objects
from the platform.
- The valve will be capable of blocking not only riser leaks but also leaks in
the section of the pipeline closest to the platform. This is also the part of
the pipeline which is clearly most likely to develop leaks.
The disadvantage of this location is that the inventory in the pipeline/riser section
between the valve and the platform will be greater and thus represents a greater
risk. Figure 6.16 indicates a location of a subsea isolation valve on a gas export
pipeline from an FPSO installation. With such vessels, the connection between the
pipeline and the vessel is usually through flexible flowlines, which are considered
to have a higher probability of leakage, compared to a steel riser. Installation of
subsea isolation valves is therefore more common in these circumstances.
Possible leaks from the valve itself also have to be considered. A subsea valve
implies that several potential leak points are introduced in the pipeline. This means
that a gas leak may develop through the valve itself, and this leak can obviously
not be stopped by the valve. In practice, it can be expected that the leak
frequency is higher after the valve has been installed, and it is therefore important
that the valve is located sufficiently far away from the platform to avoid the
possibility of the development of a gas cloud around the platform in the event of a
leak from the valve.
[Figure 6.16: sketch with labels SSIV, Riser, flowline connection]
Figure 6.16. Location of subsea isolation valves on gas pipelines
If a subsea valve is installed, then the focus in the operations phase must be on
maintaining high availability of the valve, such that the probability of failure to
close in an accident is minimised.
6.3.8.4 Spread to Other Risers
The consequences may be even more severe, if the accident escalates into
additional risers. The fire loads may be very extensive, and if the duration of the
fire is long, then the likelihood of rupture of a second riser is quite high. This was
also demonstrated in the Piper Alpha accident, see Section 4.7.
6.3.8.5 Fire on Sea
Fire on the sea surface is important, because the support structure may be damaged
in addition to the topside, as demonstrated by Piper Alpha, see Section 4.7.
6.4 Analysis of Dependencies Between Barriers
The way quantitative risk analysis in the petroleum industry has been conducted
for many years makes the comprehensive analysis of dependencies between barriers
impossible. Reliability analysis of barrier systems and elements is conducted
to a limited extent as input to the node probabilities in event trees. These reliability
studies are usually conducted separately for each node, often in a superficial manner,
and without consideration of the influence from utility systems.
An exception, where comprehensive analysis of barriers is usually conducted,
is when a HIPPS (High Integrity Pressure Protection System) is used, and reliability
is extremely crucial. The analysis is however often limited to the pressure
protection function.
In the QRA studies for nuclear power plants, it is common to perform extensive
event tree and fault tree analysis, to an extent where dependencies may be analysed
in detail. The most commonly used tool is RiskSpectrum® (Relcon, 2006). This
analysis tool has event trees and fault trees in a common manner, but has the ability
to transform event trees to fault trees, such that all fault trees for barriers then may
be integrated into a huge common fault tree. From this overall fault tree, dependencies
may be analysed in detail, using common techniques for analysis of cut
sets, common mode failures and importance calculations. The RiskSpectrum® analysis
tool gives the following advantages:
- Dependencies may be identified, together with common mode failures.
- Importance measures may be calculated for components, systems and
failures.
- The analysis may be used to identify the requirements for barriers to be
effective.
- The analysis may be used in order to identify what compensating measures
are required if barrier systems are unavailable.
A pilot study was completed in order to demonstrate the advantages of application
of the RiskSpectrum® tool (Bäckström, 2003). For the installation in question, the
following were found to be the systems with highest importance with respect to
prevention of uncontrolled escalation of fire:
- Pneumatic power supply
- Two named electric power supply circuits.
Such results would usually never be found using traditional quantitative risk
analysis.
It was further found from the pilot study that the contribution from common
mode failures was lower than expected. As it was a quite limited pilot study, it is
uncertain whether this is an observation which has wide ranging applicability.
It is usually physical barrier elements that are analysed with the use of RiskSpectrum®.
This was also the limitation used in the pilot study. The regulations, on
the other hand, require that physical as well as non-physical barrier systems and
elements are considered in parallel. It would be possible to extend a RiskSpectrum®
analysis also to include human and organisational barrier systems and elements.
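The effect of a shared utility system on two barriers, as an added example that is not taken from the book or from RiskSpectrum®: a small fault tree in Python that derives the minimal cut sets, compares the exact top event probability with the product of separately assessed node probabilities, and computes Birnbaum importance. The barrier names, basic event names and all probabilities are constructed assumptions.

```python
"""Two barriers sharing one utility system (constructed illustration)."""
from itertools import product

# Constructed basic-event failure probabilities (assumptions, not book data).
P = {
    "esd_valve_fails": 0.02,
    "deluge_valve_fails": 0.02,
    "pneumatic_supply_fails": 0.01,   # shared utility for both barriers
}

# A gate is ("AND" | "OR", [children]); a basic event is a string.
ISOLATION_FAILS = ("OR", ["esd_valve_fails", "pneumatic_supply_fails"])
DELUGE_FAILS = ("OR", ["deluge_valve_fails", "pneumatic_supply_fails"])
TOP = ("AND", [ISOLATION_FAILS, DELUGE_FAILS])   # both barriers fail


def minimal_cut_sets(gate):
    """Return the minimal cut sets of a fault tree as a set of frozensets."""
    if isinstance(gate, str):
        return {frozenset([gate])}
    op, children = gate
    child_sets = [minimal_cut_sets(c) for c in children]
    if op == "OR":
        sets = {s for cs in child_sets for s in cs}
    else:  # AND: combine one cut set from every child
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop any set that strictly contains another cut set.
    return {s for s in sets if not any(other < s for other in sets)}


def occurs(gate, state):
    """Evaluate a gate for one assignment of basic events (True = failed)."""
    if isinstance(gate, str):
        return state[gate]
    op, children = gate
    results = [occurs(c, state) for c in children]
    return all(results) if op == "AND" else any(results)


def probability(gate, p, fixed=None):
    """Exact gate probability by enumerating independent basic events."""
    fixed = fixed or {}
    free = [e for e in p if e not in fixed]
    total = 0.0
    for values in product((True, False), repeat=len(free)):
        state = dict(fixed)
        state.update(zip(free, values))
        weight = 1.0
        for event, failed in zip(free, values):
            weight *= p[event] if failed else 1.0 - p[event]
        if occurs(gate, state):
            total += weight
    return total


def naive_product(p):
    """Node-by-node estimate that treats the two barriers as independent."""
    return probability(ISOLATION_FAILS, p) * probability(DELUGE_FAILS, p)


def birnbaum(gate, p, event):
    """P(top | event failed) - P(top | event working)."""
    return (probability(gate, p, {event: True})
            - probability(gate, p, {event: False}))


if __name__ == "__main__":
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(TOP)])
    print("exact P(both barriers fail):", probability(TOP, P))
    print("product of node probabilities:", naive_product(P))
    for name in P:
        print("Birnbaum importance", name, birnbaum(TOP, P, name))
```

With these constructed numbers the single-event cut set formed by the shared supply dominates, so the node-by-node product understates the probability that both barriers fail by more than a factor of ten.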
6.5 Event Sequence Analysis
6.5.1 Time Dependency
A ‘one-directional’ time development is often assumed when constructing an event
tree. For a gas leak this typically follows the sequence:
- Leak
- Gas detection
- Isolation
- Ignition (potential)
- Fire detection
- Fire fighting
- Secondary loss of containment.
In actuality the scenario development is seldom so simple if the scenario is
completely without control. Very often there will be loops, where secondary leaks,
explosions and escalation of the fire occur. In practice this cannot be integrated
into the event tree.
Cause–consequence analysis is another form of event tree which has the ability
to show time delays between steps, and to some extent couplings or combinations.
The time sequence is still assumed to be ‘one-directional’, however. The big
advantage of the event tree method, on the other hand, is the ease in communicating
the assumed accident sequence to non-analysts.
The event trees usually used in QRA are considered as ‘static’, in the sense that
the logic of the tree, its couplings etc. are fixed by the analyst prior to conducting
the actual analysis. The alternative to the static event tree is the dynamic event
tree, which can be programmed to alter its logic and construction to reflect the
modelled development of an accident. Commercially, there is only one package
available for modelling of such dynamic trees, namely PLATO®, developed by
Environmental Resources Management (formerly Four Elements Ltd.), London
(Morris, Miles and Cooper, 1994). PLATO® is said to be a simulator for accident
development, but may perhaps better be explained as a dynamic event tree generator.
But the dynamics has its price. What would typically be an event tree with 50
terminal events, may in the dynamic analysis have 5,000 terminals.
The dynamic event tree generator in PLATO® will develop the branches in the
tree according to the results of the consequence calculations that are automatically
carried out as the process is developing. In the past the high number of outcomes
has apparently limited quite considerably what can be done in terms of consequence
calculation for each terminal event, in order for the computing time to be
realistic. It is a difficult choice to make, between representation of the dynamic tree
with simplified consequence calculations, or more static (and simpler) event trees
with more advanced consequence calculations. The benefits of the dynamic event
trees may be lost entirely, if oversimplified consequence calculations are used. An
independent review (Jones and Irvine, 1997) found that the models that are used
for combustion are suitable and sufficiently detailed for application to an offshore
installation. It may on the other hand be argued that since 1997, there has been an
increasing use of CFD calculations within QRA studies.
In spite of the severe restrictions on how the event tree may model the dynamics
in the accident sequence, the program is still being used extensively. But it
should be noted that further research and development work would be advantageous
in order to improve the accident sequence modelling.
6.5.2 Node Sequence in Event Tree Modelling
The sequence of nodes in an event tree is one of the most difficult aspects, where it
may be claimed that there is in fact no universal truth. It may appear that this is
unimportant as node probabilities are to be multiplied anyway, according to
Equation 6.2. But this is far from the case. The node probabilities are conditional
probabilities, and the sequence will therefore be of considerable importance.
In this field no absolute rules may be stated, because it will depend on the
structure of the tree, the safety systems and the functions that are involved. A
suggested rule to use is the following:
- If systems and actions have a time sequence in the development, they
should then be represented in the same sequence in the event tree.
- If activation of one system or function has an effect on the success of other
systems, then that one system should be considered first in the event tree.
Consider the following example: Detection of a gas leak will usually result in
emergency shutdown, which will isolate sections of the process plant, but also cut
power to all electrical equipment which could be an ignition source. The ignition
node therefore needs to follow the detection node, as the opposite would result in a
gross over-prediction of the risk associated with ignited leaks.
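The detection and ignition example above, worked through as an added Python illustration that is not from the book: a small event tree evaluator in which each node probability is conditional on the branches already taken, applied to both node orderings. The leak frequency and all node probabilities are constructed assumptions.

```python
"""Node ordering in an event tree (constructed illustration)."""
from itertools import product

# Constructed values (assumptions, not data from the book).
LEAK_FREQ = 0.1            # gas leaks per installation year
P_DETECTION = 0.90         # gas detection succeeds and triggers shutdown
P_IGN_AFTER_ESD = 0.01     # ignition probability with power already cut
P_IGN_WITHOUT_ESD = 0.10   # ignition probability with live ignition sources


def evaluate(initiating_freq, nodes):
    """Return {path: frequency} for every terminal event of the tree.

    nodes is an ordered list of (name, p_yes), where p_yes(history) gives
    the probability of the 'yes' branch conditional on the outcomes of the
    nodes already passed (history maps node name -> True/False).
    """
    terminals = {}
    for outcomes in product((True, False), repeat=len(nodes)):
        freq, history = initiating_freq, {}
        for (name, p_yes), outcome in zip(nodes, outcomes):
            p = p_yes(history)
            freq *= p if outcome else 1.0 - p
            history[name] = outcome
        terminals[tuple(history.items())] = freq
    return terminals


def frequency_of(terminals, node, outcome=True):
    """Sum the frequency of all terminal events where node == outcome."""
    return sum(f for path, f in terminals.items()
               if dict(path)[node] == outcome)


# Detection first: the ignition node can be conditioned on whether the
# shutdown has removed the ignition sources.
DETECTION_FIRST = [
    ("detection", lambda h: P_DETECTION),
    ("ignition", lambda h: P_IGN_AFTER_ESD if h["detection"]
                 else P_IGN_WITHOUT_ESD),
]

# Ignition first: the detection outcome is not yet known at the ignition
# node, so the probability for live ignition sources is applied to every leak.
IGNITION_FIRST = [
    ("ignition", lambda h: P_IGN_WITHOUT_ESD),
    ("detection", lambda h: P_DETECTION),
]


def ignited_frequency(nodes):
    """Frequency of ignited leaks per installation year for a given tree."""
    return frequency_of(evaluate(LEAK_FREQ, nodes), "ignition")


if __name__ == "__main__":
    good = ignited_frequency(DETECTION_FIRST)
    bad = ignited_frequency(IGNITION_FIRST)
    print("ignited leaks/yr, detection node first:", good)
    print("ignited leaks/yr, ignition node first: ", bad)
    print("over-prediction factor:", bad / good)
```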
6.5.3 Directional Modelling
Another limitation of the normal event tree is that it becomes too complicated if
different flame directions are considered (applies mainly to jet fires). The event
tree is often modelled using a ‘typical’ direction, or the most probable direction or
the worst case direction. But how shall this be determined? In the case of a gas leak
from a flange on a piping system, all directions along the circumference of the
flange are equally likely.
PLATO®, the dynamic event tree generator mentioned above, is however also
able to handle escalation due to flames in different directions.
An alternative to this approach has been chosen by some analysts who use
event trees modelled in six different (Cartesian) directions, in order to provide an
approximate model of reality. The advantage of this approach is that directional
modelling may be accomplished with ‘normal’ trees using a PC, although the
resulting number of event trees becomes very high. The software ASAP® performs
such modelling, see Appendix A.
6.5.4 MTO
MTO (Man, Technology and Organisation) analysis is primarily developed as a
technique for the investigation of accidents and incidents. It may, on the other
hand, also be used for analytical purposes, and a brief summary is therefore included.
It may be noted that MTO investigation is the main investigation technique
used by Petroleum Safety Authority Norway for investigation of accidents on the
Norwegian Continental Shelf.
There are few sources available for a general description of the MTO-analysis,
one of which is by Tinmannsvik et al. (2005), on which the following summary is
based. The method is based on HPES (Human Performance Enhancement System)
from the nuclear industry, and has been developed by Jean-Pierre Bento. The
MTO-analysis is based on three methods:
1. Structured analysis by use of an event- and cause-diagram.
2. Change analysis by describing how events have deviated from earlier
events or common practice.
3. Barrier analysis by identifying technological and administrative barriers
which have failed or are missing.
Figure 6.17 illustrates the MTO-analysis worksheet, when used in an accident
investigation. The first step in an MTO-analysis is to develop the event sequence
horizontally and illustrate the event sequence in a block diagram. Then, the analyst
should identify possible technical and human causes of each event and insert these
vertically to the events in the diagram.
[Figure 6.17: worksheet with row labels Change analysis (Normal, Deviation), Events and causes chart (Causes, Chain of events) and Barrier analysis]
Figure 6.17. Illustrative MTO-diagram
The development of the event sequence is often referred to as a ‘timeline analysis’
i.e., an analysis of the sequence of events and their timing. This is a step in the
accident investigation which is common for many of the investigation techniques.
The next step is to make a change analysis, i.e. to assess how events in the
accident progress have deviated from the normal situation, or common practice.
Normal situations and deviations are also illustrated in Figure 6.17. Further,
the analyst should determine which technical, human or organisational barriers have
failed or were missing during the accident progress. All missing or failed barriers are shown
below the events in the diagram. The basic questions in the analysis are:
- What may have prevented the continuation of the accident sequence?
- What may the organisation have done in the past in order to prevent the
accident?
The last but important step in the MTO-analysis is to identify and present recommendations.
The recommendations should be as realistic and specific as possible,
and might be technical, human or organisational.
A classification system for basic causes has also been developed, in order to
enable trend analysis of accident causes. The causes are classified into the
following categories:
- Working environment
- Operational organisation
- Routines for change management
- Installation management
- MMI – Man Machine Interface
- Working schedules
- Communication
- Procedures, instructions
- Supervision
- Working practices
- Competence, training.
It should be noted that the MTO-analysis is not suitable for quantitative analysis.
Figure 6.18 and Figure 6.19 show a complete MTO diagram from an actual case.
6.6 HC Leak Modelling
The modelling of an accidental scenario associated with gas and oil starts with the
leaking medium. This may be from many sources, such as:
- pipes and associated fittings
- vessels
- pipelines/risers.
[Figure 6.18: MTO worksheet with Normal and Deviation rows above the chain of events and the failed or missing barriers below it]
Figure 6.18. MTO diagram for ‘Hot bolting’ incident, Part 1
The phase of the leaking medium is the next important aspect:
- 1 phase flow i.e., gas or oil (liquid) phase
- 2 phase flow i.e., usually gas and oil (liquid) mixed
- 3 phase flow i.e., gas, oil, water.
[Figure 6.19: MTO worksheet, continuation of Figure 6.18, with Normal and Deviation rows above the chain of events]
Figure 6.19. MTO diagram for ‘Hot bolting’ incident, Part 2
Different models suitable for the different phase compositions and different sources
(mainly reflecting the difference between outflow from a vessel or from a
pipeline or pipe section) have to be used. The models are primarily aimed at determining
the flow rate as a function of time.
6.6.1 Leak Statistics
The Petroleum Safety Authority [Norway] has over the last six years collected considerable
amounts of experience data for the Norwegian Continental Shelf, in particular
for hydrocarbon leaks from process equipment and operations. The last annual
update is presented in PSA (2006a and b). Details are only available in Norwegian;
the summary report is also published in English. The scientific approach has been
discussed in Vinnem et al. (2006b).
There is actually data available for a ten year period, 1996–2005, for all installations
on the Norwegian Continental Shelf. The quality of the data is good for the
period 2001–2005, and this should be the main data basis. The overview of all
leaks exceeding 0.1 kg/s leak rate from all installations in the Norwegian sector is
shown in Figure 6.20.
[Figure 6.20: bar chart, number of leaks (0–50) per year 1996–2005, split by leak rate category 0.1–1 kg/s, 1–10 kg/s and >10 kg/s]
Figure 6.20. Overview of HC leaks > 0.1 kg/s, Norwegian sector, 1996–2005
The data in the project has been normalised in relation to several parameters; for
hydrocarbon leaks it is the number of installations and number of manhours
worked on the installations. The installations have been divided into categories:
- Fixed production installations
- Floating production installations
- Complexes, bridge linked production installations
- Normally unattended installations (production installations)
- Mobile units.
It should be noted that complexes are somewhat special. There may be from two to
more than ten bridge linked installations, of which several may in theory handle
hydrocarbons. But with respect to normalisation, complexes are counted as one
installation, irrespective of how many bridge linked installations there are, and how
many of them handle hydrocarbons.
Figure 6.21 presents a cumulative leak rate distribution as average for all installation
types in the entire Norwegian sector, expressed per installation years.
[Figure 6.21: cumulative frequency per installation year (logarithmic axis, 0.001–1) against leak rate (kg/s, 0–20)]
Figure 6.21. Leak rate distribution for Norwegian leaks, 2001–2005
The leak frequencies per installation year for the categories of production installations
are shown in Table 6.1. It may be observed that the total frequency of leaks
above 0.1 kg/s is 0.31 per installation year for fixed production installations,
whereas the corresponding value for floating production installations is 0.57; for
complexes the value is the highest, 0.74 per installation year. The value for normally
unattended installations is very low, 0.03.
Table 6.1. Overview of leak frequencies per installation year
Production installation    0.1–1 kg/s    1–10 kg/s    >10 kg/s
Fixed production           0.25          0.047        0.0079
Floating production        0.44          0.12         0.012
Complex                    0.46          0.26         0.020
Normally unattended        0.029         0            0
The Risk Level project (PSA, 2006a) also includes a comparison with UK operations.
Figure 6.22 presents a comparison of the number of leaks > 1 kg/s for the
entire UK and Norwegian sectors.
The reason why 1 kg/s leak rate is used as cut-off limit is in order to eliminate
possible underreporting. One other source of uncertainty cannot be eliminated
though. The UK data collection performed by HSE has some additional classification
criteria which are not used in the Norwegian data collection; these are additional
cut-off limits due to either very short duration of leak and/or very small total
amount. This implies that some of the leaks that exceed 1 kg/s are not included in
the statistics, and thus makes the comparison in Figure 6.22 somewhat imprecise.
[Figure 6.22: number of leaks per year (0–16) for 1992–2005, with separate series for the Norwegian shelf and the UK shelf]
Figure 6.22. Comparison of number of leaks > 1 kg/s for UK and Norwegian sectors
The Risk Level project performed an exercise in 2005, in order to compensate for
this. This exercise was focused on installations north of 59°N, because the size and
complexity of the installations are similar in UK and Norwegian sectors. The
project has presented a comparison of leak frequencies per installation years, as
shown in Table 6.2.
Table 6.2. Comparison of leak frequencies for UK and Norwegian sectors, 2000–04
Shelf                        Number of leaks    Number of installation    Number of leaks per
                             2000–04            years 2000–04             100 installation years
Norwegian, north of 59°N     24                 172                       14.0
UK, north of 59°N            7                  185                       3.8
The Risk Level project has also analysed the leaks with respect to operational
condition on the installation when the leak occurred, as well as the type of failure
that caused the leak. Figure 6.23 shows the operational phase for the system
involved when the leak occurred based on leaks in the period 2001–05. It is shown
that leaks during normal operations account for less than 30% of the leaks. The
leaks are strongly dominated by loss of containment barriers during manual operations
and start-ups, shut-downs and trips (which also are strongly influenced by
manual intervention).
[Figure 6.23: bar chart, number of leaks (0–60) by operational phase: Normal ops, Startup/shutdown/trip, Manual ops, Not in operation]
Figure 6.23. Operational phase recorded when leak occurred
It is demonstrated that under comparable conditions, the frequency per installation
years is almost four times higher in the Norwegian sector, compared to the UK
sector.
The next two diagrams focus on the causes of hydrocarbon leaks. Figure 6.24
shows the causes of leaks in the Norwegian sector, as an average percentage
distribution for the period 2001–05.
It is clearly demonstrated that leaks where only equipment is involved, i.e. no operations
and manual interventions, make up a fraction of 29%, which is virtually the same as
the ‘normal operation’ in Figure 6.23. Combinations where operational faults are
involved account for as much as 70% of the leaks. Correspondingly, 32% of the
leaks involve some kind of procedural fault or weakness.
The final presentation in Figure 6.25 considers leaks caused by operational
faults in more detail. The two dominating contributions are ‘operational faults’ and
‘left open’. ‘Operational fault’ may in this connection be for instance, opening valves
in a wrong sequence, or not performing manual tasks according to procedures
or good practice. ‘Left open’ could typically imply that it was forgotten to close an
open valve, before starting opening other valves or starting pumping, etc.
[Figure 6.24: pie chart. Operational cause 26%; Procedure related cause 1%; Equipment cause 29%; Equipment & operational cause 13%; Operational & procedure cause 26%; Equipment & operational & procedure cause 5%]
Figure 6.24. Causes of hydrocarbon leaks, 2001–2005
[Figure 6.25: bar chart, number of leaks (0–25) by operational cause: Inspect fault, Ops fault, Testing fault, Maint fault, Install fault, Left open, Opened with HC, Opened w latent fault, Other ops fault, Unknown]
Figure 6.25. Causes of leaks with operational faults
6.6.2 Calculation of Leak Rates from Experience Data
One of the main parameters used in order to characterise a hydrocarbon leak, in
particular gas leaks, is the mass flow rate (often called the ‘leak rate’), usually
expressed in kg/s. It is therefore important to be able to calculate the leak rate for
hydrocarbon leaks that are observed on the installations.
A release in the liquid phase from a pressurised system will normally give a
small gas cloud compared to gas release with the same mass flow rate. This implies
that the probability of ignition will be lower, as will the probability of gas
explosion. But there are some aspects that may imply that the liquid release may be
just as dangerous as the gas leak, in some cases even worse:
- Some of the liquid will evaporate and result in a gas leak, often dominated
by heavy gas fractions, with a lower flammability limit and lower ignition
temperature or energy.
- The release may constitute a spray of small droplets, which may behave
more or less as a gas cloud.
The mass flow rate will vary considerably as a function of time; what is reported as
the characteristic leak rate is usually the maximum leak rate. This is due to the fact
that the size of the gas cloud is usually the most important parameter for the hazard
characterisation of the gas leak, and the largest cloud usually occurs with the
highest leak rate.
One exception where this may not be the case is a leak with very short duration,
instantaneous leaks. The maximum gas cloud may then occur with some time delay
in relation to the release. In these cases, an ‘equivalent’ continuous gas leak is
considered, which would give a gas cloud with the same size. The flow rate given
as the characteristic leak rate is that of the equivalent continuous leak, implying
that the hazard potentials should be the same.
Measurements which may be used in order to calculate the mass flow rate are
typically related to the dimensions of the gas cloud; usually only the fraction above
the lower flammability limit is considered. Gas detector recordings may be used to
calculate the dimensions of the gas cloud, as a function of time if the detector
readings allow that.
Below follow some simple illustrations of how different leak sizes will result in
gas clouds of different sizes. The illustrations use simple modelling with CFD tools
and are based on PSA (2005b). More detailed cases may be calculated by means of
studies using CFD tools.
A leak rate of 0.1 kg/s gives a gas cloud above the lower flammability limit
with a typical volume of 0.5 m³, in the case of a free, unobstructed jet. If the jet is
without impulse (diffuse leak), the volume increases to 10 m³. The times to stable
conditions are 2 s in the case of a jet, and 20 s in the case of diffuse leak. Due to
the low leak rate, there is little or no difference between a leak in the open or inside
a process module with limited natural ventilation. For larger leak rates, however,
this distinction becomes an important parameter.
A large leak (around 10 kg/s) in open air will cause a gas cloud which is stable
after less than 5 seconds, whereas the time would be in the order of 60 seconds
inside a process module. The volume of the gas cloud (within flammable limits) is
also much larger in the latter case, as much as 20 times larger.
As an example, the following could be considered: a large leak in a process
module, starting at 10 kg/s, having decreased to 1 kg/s after 60 seconds. The
maximum gas cloud occurs after 30 seconds, with a volume of 700 m³, within
flammable limits. This corresponds to a stationary leak of 4 kg/s, which would give a
stable gas cloud of the same size as the equivalent stable leak scenario.
6.6.3 Modelling of Leaks
There are several factors which influence the flow modelling and influence the
duration of the leak:
- Isolation of sections of the process systems into limited volumes.
- Depressurisation of one or more sections of the process system to limit the
volume of gas or oil escaping from the leak.
The depressurisation model is the most difficult aspect. There are simple as well as
complex models available for use in modelling this aspect. Multi-phase releases
from pipelines and risers really require complex computational tools such as
OLGA (see Appendix A).
Realistic modelling of the leak and its duration is obviously very important to
determine the size and duration of any fire that may occur, and the response of the
platform. Simpler models may be used for coarse evaluations.
6.7 Ignition Probability Modelling
Ignition probabilities are one of the most critical elements of risk quantification in
that the risk results are normally directly dependent on the probability of ignition.
There are limited accident statistics available on the subject of ignition probability,
most likely because such statistics are difficult to establish following an accident
involving an ignited release. It may be noted that the extent of available data for
the other critical element of the risk quantification, that is leak frequency, is quite a
bit better although not perfect.
Further, there is very little experimental data available, due to the difficulty or
impossibility of establishing realistic values through laboratory experiments. The
type of data that are available is limited to flash points, auto ignition temperatures,
etc.
Ignition probability models have been published in several textbooks and
papers. These models reflect leak rates and module volumes, but seldom include
anything approaching design and operation details. The collection of leak and
ignition data by UK HSE is the most extensive online data collection scheme in
existence.
6.7.1 Experience Data
There has been no ignited hydrocarbon leak with leak rate above 0.1 kg/s since 19
November 1992. In this incident a small gas leak, probably in the order of just
above 0.1 kg/s, was ignited most likely by grinding sparks during modification
work. Prior to that there was an oil leak from an export pump, where the leak
source was also the ignition source, a failed seal on the export pump during normal
operation. About 0.5 m³ of crude oil leaked during a period of less than 2 minutes,
implying that the leak rate was considerable, around 5 kg/s.
HSE publishes data on leaks and ignitions (HSE, 2002), and has an extensive
overview of ignited leaks. It should be noted, however, that the vast majority of
leaks have been non-process leaks from utility systems of various types.
The summary below was based on a review of HSE statistics on ignited HC
leaks in the period 1992–2003, as summarised in Table 6.3. As seen from the
summary, out of a total of eight ignited leaks, four were caused by welding, one by
faulty trace heating tape, one due to explosion in the pump exhaust, one by
lightning and one was not a real ignition.
Comparison of UK and Norwegian leak rates was presented in Section 6.6.1
above, where it was shown that leak frequencies per installation year are
substantially lower in the UK sector, when compared to the Norwegian sector. When the
comparison was repeated for ignited leaks, the situation was opposite. For the
period 1 October 1992 until 31 March 2005 the following gas and two-phase leaks
in the UK sector compare with no ignited leaks in the Norwegian sector:
- 480 gas/two-phase leaks > 0.1 kg/s
  - Of which 187 leaks > 1 kg/s
- 6 gas/two-phase leaks > 0.1 kg/s have been ignited
  - Of which 1 ignited leak > 1 kg/s
Table 6.3. Summary of ignited leaks (HSE statistics in the period from 1992 to 2003)

| # | Description of event | Cause of ignition |
|---|---|---|
| 1 | Gas leak during construction activity, using cutting torch to remove valve. Gas pocket remained even after nitrogen purging. | Welding ignited a pocket of gas that had not been inerted by nitrogen. |
| 2 | Internals of spool piece not checked for hydrocarbons prior to work. Presence of hydrocarbons caused flash fire when welding attempted. Flash fire disappeared up pipe and extinguished itself. | Welding ignited the gas. The equipment was not checked for hydrocarbons prior to work. |
| 3 | Minor fire from instrument impulse line, gas leak ignited by faulty trace heating tape, platform fire and gas system detected, plant shutdown and depressurised, deluge auto activated and fire extinguished. | The gas leak ignited by faulty trace heating tape. |
| 4 | Annual shutdown. The equipment was depressurised but not entirely degassed. Gas release through a valve that was marked closed but was open. | Welding ignited the gas. |
| 5 | During normal ops a fuel changeover was being made on mol pump turbine. The turbine tripped and some moments later an explosion was heard. The source of the explosion was not immediately clear. No fuel - gas control action took place and eventually the source of the explosion was traced to the pump exhaust. Two items of debris have been found on the platform top deck. No muster was called as the engine was isolated and the incident contained. | Explosion in the pump exhaust. |
| 6 | While undertaking welding activities on the new tie-in pipe work a spark ignited a small gas release from a flange on valve XCV-46007, resulting in a torch fire approx. 3 to 4" long. The flame was quickly put out by the fire watch and no damage or injury occurred. The platform has been shutdown, leak testing done to identify the source of the leak and subsequently de-pressurised in order to change out the gasket. | Welding |
| 7 | The gas vented through, LT-Vent was ignited by lightning. The fire was extinguished with fixed CO₂ system. | Lightning |
| 8 | During the start up sequence of G4500 (GT4) Avon Gas Turbine driven generator incident is believed to be due to excessive build up of fuel gas within the turbine unit during the start up sequence. | Exhaust gas activated smoke detection |
6.7.2 Cox Model
Cox et al. (1991) have presented a simplified model, and a framework for a more
sophisticated model to be used in determining the probability of ignition. The
model is based on relatively simple assumptions regarding the ignition probability
for the smallest leaks, and the observed ignition probability for blowouts as the
extreme.
6.7.3 Platform Specific Modelling
Use of the Cox model results in relatively high ignition probabilities. A more
fundamental problem is that no actions taken to prevent ignition are reflected in the
model. It is therefore important that platform specific modelling is used, and
preferably also operation specific modelling. The Cox model was, however, for a long
time the only publicly available model and has therefore gained significant usage.
[Figure 6.26: plot on logarithmic axes of probability (0.001 to 1) against flow rate
(0.1 to 100 kg/s), with curves for ignition probability and probability of explosion.]
Figure 6.26. Simplified ignition model according to Cox et al.
The objectives of platform specific modelling are to reflect the following aspects:
- The probability of ignition of a HC leak, which is dependent upon the
likelihood and susceptibility of the leaking medium to ignite.
- The size and concentrations of the flammable cloud i.e., the leak rate in
relation to the module volume and the ventilation rate.
- Different types of equipment have different failure modes and frequencies
which may be susceptible to failure that leads to ignition. The likelihood of
ignition from different equipment units should therefore distinguish
between equipment types, and the location of the equipment in relation to
the leak.
- Ignition by manual operations (such as welding) should be considered
explicitly. The same also applies to permanent ignition sources, such as the
flare, burners, etc.
- The ignition probability should be expressed as a time dependent function.
A 'baseline' (or 'background') probability of ignition is considered to exist in all
areas, irrespective of equipment and operations, due to miscellaneous activities and
equipment that is not possible to consider explicitly.
In addition to these main technical requirements for an ignition there is also a
need for a model which is not too complicated to use. Actual modelling will
therefore always be a compromise.
6.7.4 Industry State-of-the-art Time Dependent Modelling
A joint industry project (JIP, DNV, 1998b) has been conducted to develop a
methodology for the prediction of ignition probabilities in offshore QRAs. The
main focus has been on the ignition of high pressure gas releases inside modules
and to external gas dispersion and ignition.
Both internal and external ignition models have been developed. Only a general
description of the models is, however, in the public domain and thus only brief
details can be presented here.
6.7.4.1 Internal Ignition Model
An approach has been selected which is capable of reflecting both the geometrical
conditions in an offshore module as well as the dynamic development of a
hazardous situation after a release occurs. It is therefore possible to incorporate the
effects of the location of release sources in relation to potential ignition sources as
well as safety measures which may be activated to control the release (detection,
ESD, BD) and prevent ignition. Three main modules have been established:
1. Prediction of gas dispersion and the likelihood of exposure of potential
ignition sources to flammable concentrations.
2. Representation of the different ignition sources reflecting experience data
and operational mode.
3. Integration into a time dependent ignition probability function.
The model originally involved simplified dispersion modelling, in which average
concentrations in four quadrants at two heights were calculated. This approach was
soon replaced by a more detailed approach, because it was considered to be too
coarse. In recent years, all studies have been based on dispersion calculations using
a CFD computer code.
The model is based upon release of a light hydrocarbon gas, but even so the use
of just two blocks in the vertical direction may give conservative results. An
example of how the results are presented is shown in Figure 6.27, presenting
continuous as well as discontinuous sources, and the total probability.
Figure 6.27 implies that the total ignition probability has two components, from
‘continuous’ and ‘discontinuous’ sources. The ignition probability due to
continuous sources has reached a stable level after typically some 90 seconds, after
which this mechanism does not contribute any further. The discontinuous sources
contribute to the ignition probability for typically some 6–8 minutes (400 seconds in
the diagram), after which no further ignition is likely.
For condensate leaks, the modelling is not representative, and may produce
non-conservative results.
6.7.4.2 External Ignition Model
A mathematical model has been developed in order to predict the complex
phenomenon of flow of gas around an offshore platform. Within the limits of the
program, the dispersion of gas and the resulting ignition probability can be
calculated using generic models in a consistent manner. The mathematical model
has been developed based on correlations against a limited number of
Computational Fluid Dynamics (CFD) cases and physical effects deduced from these
cases. The model therefore has quite severe limitations.
[Figure 6.27: plot of ignition probability (y-axis, 0 to 0.16) against time since
leak (x-axis, 0 to 700 s), with curves for probability from discontinuous sources,
probability from continuous sources, and total probability.]
Figure 6.27. Illustration of time dependent ignition probabilities, including continuous and
discontinuous sources
6.7.4.3 Critical Aspects
It has been found that the model produces relatively high ignition probabilities. It
should be noted though, that the ignition probabilities are not high in relation to the
data from UK HSE’s leak and ignition database, nor high in relation to the Cox
model described above. Compared, however, to the ignition probabilities that some
consultants working in this field have been using, the ignition probabilities are
somewhat on the high side.
A revision of the model was therefore started in 2004. The intention with this
work has been to calibrate the model against the newest data available, and to
allow influence on the probabilities from design or operational aspects. The new
model is briefly introduced in Section 6.7.5.
Another critical aspect is the model for external ignition, which is a rather
coarse representation of flow outside the platform. The external ignition sources
can sometimes be continuous and not possible to isolate quickly (such as the flare).
It is therefore important that the modelling of this aspect is as realistic as possible.
6.7.4.4 Calibration of Ignition Model
A benchmark exercise (DNV, 1998c) was conducted in 1998, in order to calibrate
the ignition model by comparing the predicted number of fires as calculated from
the model with the actual number of fires in the North Sea in recent years.
Regrettably it was found that insufficient data prevented any firm conclusion being
drawn from the exercise.
The following is, however, a simple illustration of the implications of the
ignition modelling, limited to the probability of explosion.
Since 1992 HSE have implemented a rigid system for reporting hydrocarbon
leaks, and have published annual statistics. The number of leaks may be
established quite precisely from this overview, limited to the installations on the UK
Continental Shelf.
The smallest leaks are excluded from the study, as these are not considered
capable of giving a gas cloud which is sufficiently large to produce a gas cloud
explosion. Thus the number of leaks in the period is 735 [non-minor] leaks.
Corresponding information is not available for the Norwegian sector, and thus
normalisation against the leak frequency can only be done for the UK sector.
The number of explosions is established through the explosion study which is
further described in Section 7.3.4.1 (Vinnem, 1998). For the UK sector, four
explosion incidents have occurred in the period, all being relatively trivial with limited
blast loads. Only two of these are relevant to process systems that are included in
the QRA studies. Similar values for the Norwegian sector are five and two, of
which one caused a blast load somewhat above 0.2 barg.
The most difficult aspect is to establish a prediction of the probability of
explosion on any Norwegian or UK installation, based upon the use of the ignition
model. Ideally, the model should be applied to all UK (and Norwegian)
installations. This is an extremely time consuming activity, which is virtually impossible
to carry out. What has been done, however, is the following:
- The average explosion probabilities given process leaks using the time
dependent ignition model as well as the gas leak frequencies have been
calculated in detail for one installation.
- The explosion study referred to above (Vinnem, 1998), has calculated the
number of explosion areas (either a small platform with all equipment
installed in one area, or where an area is segregated from other process
areas by a fire/blast wall) for each installation in the North Sea. This
information is used to generate frequency predictions for the entire UK
North Sea sector, for process leaks and explosion probabilities.
- The average explosion probabilities are assumed to apply to all explosion
areas, irrespective of the platform type, as long as the number of explosion
areas exceeds one area per platform.
- For platforms with just one explosion area, some are very simple. This is
taken care of by applying an adjustment factor of 0.5 for UK platforms,
and 0.8 for Norwegian platforms, the difference due to fewer simple
platforms in the Norwegian sector than in the UK sector. These are relatively
coarse assumptions, and some sensitivity analyses are carried out in order
to compensate for this.
The results of two approaches are presented in the following.
6.7.4.5 Calibration of Actual Number of Explosions
First the actual number of explosions is predicted by the ignition model and
generic leak frequencies, and compared with the actual number of explosions, for
UK and Norway. The number of explosions is important. Some of the explosions,
as noted above, have been concerned with systems and mechanisms that are not
addressed in a QRA, and therefore have to be eliminated in the calibration. This
concerns the following:
- Two of the four cases in the UK were due to internal explosions inside the
flare system.
- Three of the five cases in the Norwegian sector were due to aspects that
fall outside the QRA studies, one due to construction work in a fire pump
room, one due to manual work in the wellhead area and one due to an
internal turbine explosion.
The comparison of the results is presented in Table 6.4.
Table 6.4. Comparison of predicted number of explosions in the North Sea with real explosions

| Country | Predicted number of explosions | Relevant explosions that have occurred | All explosions |
|---|---|---|---|
| UK | 8.2 | 2 | 4 |
| Norway | 3.6 | 2 | 5 |
| Total | 11.7 | 4 | 9 |

The ratio between predicted number of explosions and the number of relevant
explosions is 11.7:4 ≈ 2.9.
The weak aspect of this approach is that the calibration actually includes both
the number of leaks and the probability of ignition leading to explosion given a gas
[or condensate] leak. The following comparison attempts to eliminate the gas leak
frequency.
6.7.4.6 Calibration of the Conditional Explosion Ignition Probability
The second calibration is done for the conditional probability of ignition of
explosion, given the occurrence of a gas leak.
The predicted value is taken from the QRA study referred to above, where the
ignition probability was calculated from the time dependent JIP model, and the
leak frequency calculated from the HSE database. The actual number of explosions
was related to the number of leaks for the UK sector, as mentioned above. The
elimination of non-relevant explosion cases was done as outlined above. The
results are presented in Table 6.5.
The ratio between conditional ignition probabilities based on the predicted
number of explosions and the number of relevant explosions is 1.52:0.272 ≈ 5.6.
This approach is judged to be better with respect to actual calibration of the
ignition model, because the number of leaks is eliminated from the calibration. The
most relevant comparison implies that the JIP model overpredicts the ignition
probability by a factor of 5.6.
Table 6.5. Comparison of predicted probability with actual ratios. UK sector

Probability of ignition causing explosion:

| | Predicted, JIP model | Relevant explosions | All explosions |
|---|---|---|---|
| Mean value | 1.52 × 10⁻² | 2.72 × 10⁻³ | 5.44 × 10⁻³ |

Prediction limits: upper (90%) 1.45 × 10⁻²; lower (10%) 3.00 × 10⁻³
It should nevertheless be pointed out that the number of cases included is low, only
two relevant explosions. It may nevertheless be seen that an 80% confidence
interval is entirely below the predicted value. In fact, the probability that the
frequency exceeds the value predicted by the JIP model is about 8.5%. It appears,
however, that the time dependent JIP ignition model overpredicts the probability of
explosion ignition by a factor typically in the range 2–3 or even more.
6.7.5 Revised JIP Model
The revised model is described in Scandpower Risk Management (2006). The
model has the following characteristics:
- The model parameters reflect 10 years (1992–2002) experience related to
gas leaks and ignitions on offshore installations on the Norwegian and UK
continental shelves.
- The model gives a contribution to immediate ignition (leak rate dependent).
- The model includes ignition as a function of gas cloud growth (for
continuous ignition sources).
- The model considers ignition as a function of the size of the ignitable gas
cloud (discrete ignition sources).
- The model reflects isolation of ignition sources due to gas detection.
Input to the model is a description of the gas cloud, i.e. the size/volume of flammable
mixture at a given time step and the increase in the gas cloud during that time step.
Also the time for gas detection and subsequent ignition source isolation has to be
entered into the model. The model has the following parameters:
- Event ignition, $P_{event}$
- Ignition sources in the area, $P_{if}$
- Continuous vs. discrete ignition sources, $i_a$; $i_b$
- Effect of ignition source isolation, $P_{iso}$
- Time delay, ignition by hot surfaces and isolation, $P_{hot}$.
The term ‘event ignition’ is used for ignitions that occur immediately and are
typically related to the cause of the leak in some way. This may be equipment
breakdown, impacts or operator intervention, e.g. hot work.
The potential ignition sources that are distributed in the actual area are
described by the parameter $P_{if}$. The $P_{if}$ parameter is defined such that it is
comprised of both continuous and discrete ignition sources.
The relative contributions to ignition probability for discrete ignition sources
are described by $i_a$ and $i_b$. The parameter $i_b$ is applied before isolation, and
$i_a$ after isolation. With higher contribution from discrete sources, the explosion
risk will increase, as delayed ignition probability increases. The effect of ignition
source isolation will increase as well. Finally, the ignition probability for small leaks
that are hard to detect automatically due to their small gas cloud sizes will be higher.
The effect of ignition source isolation on ignition probability is quantified using
the parameter $P_{iso}$. $P_{iso} = 0$ means that ignition source isolation has no effect
with respect to ignition probability. $P_{iso} = 1$ means that ignition source isolation
effectively stops all ignition sources in the area. With effective ignition source
isolation, the probability for delayed ignition is reduced, but only for the scenarios
that are effectively detected. The explosion risk will also be reduced, because ignition
of a large gas cloud is less likely.
There is an additional delay related to the cooling time of hot surfaces, for
continuous sources. The probability that the continuous source is still a potential
ignition source has been modelled as exponentially decreasing. The fraction, $P_{hot}$,
is the fraction of the isolated ignition sources that can still ignite a flammable gas
cloud.
6.8 Escalation Modelling
Barriers are those systems and actions that prevent escalation from occurring. The
importance of barriers is well illustrated by comparison of the outcome from two
actual events each involving a medium sized gas leak in the compression area of a
platform. The worst case, the Piper Alpha disaster on 6.7.1988, is well known; the
explosion on the Brent Alpha platform on 5.7.1988 is less well known. This
accident started in exactly the same way as the Piper Alpha accident. The result was a
gas fire following the explosion, brought under control in some 45 minutes due to
automatic systems, with only superficial damage to the compression module. The
dramatic difference between the two events arose because on the Brent Alpha
platform, the barriers functioned as intended, while on Piper Alpha they did not.
Some more details about these two accidents are presented in Subsection 8.1.1.
This section discusses the modelling of barriers in the event tree, with respect
to their functionality, reliability and availability as well as the survivability of the
systems, sometimes called vulnerability to accidental loads.
6.8.1 Functionality
Analysis of the functionality of the barriers involves determining whether they are
capable of performing their intended function. As an example, gas detectors of the
catalyst type have often been ‘poisoned’ by salt and other contaminations. Fire
water systems may be clogged with dirt, rust and other particles, to an extent that
the required fire water capacity can no longer be provided.
The analysis of functionality is a deterministic analysis of the capacity and/or
capability of the system in normal operating condition, including consideration of
operational premises and constraints. The results of the functionality analysis may
determine the probabilistic modelling of the barrier’s function.
Many aspects of functionality may be verified by testing, for instance by
performing a flow test of the fire water system, involving measuring the flow rates.
But it is at the same time important to distinguish between functionality under ideal
test conditions and under real-life accidental conditions, where the functionality
may be jeopardised by maloperation.
6.8.2 Availability and Reliability
Many of the nodes in an event tree are related to the performance of safety systems
which are normally passive, or ‘dormant’ systems, only intended to be activated
upon detection of a hazardous event or accident. Thus even though these systems
are repairable, and are being maintained, they function in an accident sequence as
unrepaired systems, in the sense that in a demand condition, there is usually no
time for repair.
This implies that both availability and reliability are crucial aspects. Let us
consider first the availability of a system required to operate upon detection of
particular conditions. This is often called the ‘on demand availability’. The state of
maintenance, inspection, and/or testing will determine its availability to function as
intended. Next, the reliability of the system i.e., the time to first failure, after the
system has been activated, is also of crucial importance for some systems.
There is considerable variation between systems, as to which of these two
aspects is most important or whether they have equal significance, as may be
illustrated by consideration of the gas detection system. It is very crucial that the
detection of a possible leak is as early as possible. The system’s availability is
therefore the crucial aspect when the leak starts. When detection has occurred,
there is really no further use of the detection system. Its reliability is unimportant.
The fire water system however, is a different matter. An immediate start is crucial
when the system is activated, but it is equally important that it continues to operate
as long as the fire lasts. Consequently, both the availability and the reliability are
important aspects.
When both the availability and the reliability are computed, all aspects of
preventive and curative maintenance, including inspection and testing, will have to
be considered. Fault tree analysis is a commonly used analysis technique.
Many of the barriers (safety systems) which relate to the control of
hydrocarbon systems are automatic and cannot be negatively affected by personnel in the
local control room. On the other hand some systems will require initiation by
control room personnel, most typically the blowdown system, which upon
actuation will depressurise the process equipment either sequentially or simultaneously.
The participation of operators in the actuation process means that human and
organisational factors need to be explicitly addressed in the availability and
reliability studies.
In fact the importance of HOF is sometimes even more vital for barriers related
to non-hydrocarbon systems. For instance, it has been shown that human errors are
the main cause of failure of barriers against marine hazards to FPSO vessels
(Vinnem and Hauge, 1999). It is therefore important that analysis of barrier
availability and reliability is performed with due attention to the importance of HOF.
Most safety systems are periodically tested, which implies considerable
experience data, if it is systematically collected and analysed. This may be used to
produce installation specific availability data. Reliability data for the continued
operation of the system during the course of the accident can usually not be extracted
from test data.
6.8.3 Survivability
Survivability analysis may be considered to be a form of reliability analysis, except
that the operating conditions are the conditions of the accident. A severe explosion
will most probably damage the fire water distribution system, to such an extent that
fire water cannot be supplied to an area, even though its original functional
condition and state of maintenance is perfect and error free. It is, however, worth
considering the experience from the so-called ‘large scale’ explosion tests in
1996/97 (SCI, 1998), from which it was observed that fire water piping survived
considerably higher overpressure loads than previously thought. This is briefly
discussed in Section 9.3. Survivability is also important in relation to the integrity of
process piping and equipment, as well as blowdown and flare system piping.
If a fault tree analysis is carried out, survivability considerations may be
integrated into the reliability analysis. Due to the nature of the phenomena involved,
testing of survivability in realistic accidental conditions is virtually impossible.
6.8.4 Node Probability
The final value of a node conditional probability is a function of all the elements
mentioned above, and may as an example, be expressed as follows for gas
detection:
$$P^{f}_{GASDET} = P^{f}_{FUNCT} + P^{f}_{UNAVAIL} + P^{f}_{SURV} \qquad (6.6)$$
where
$P^{f}_{GASDET}$ = probability of failure of gas detection
$P^{f}_{FUNCT}$ = probability of gas detection not capable of functioning as
intended in the specific accident circumstances
$P^{f}_{UNAVAIL}$ = probability of gas detection unavailable due to maintenance
problems
$P^{f}_{SURV}$ = probability of gas detection not surviving the accident
conditions for the required period.
6.9 Escalation Analysis
The entire process from an initial accidental event to the final end events,
determined by consideration of the performance of protective systems and the responses
of equipment and structures, is sometimes called the ‘escalation process’. This is
the widest interpretation of ‘escalation’. Under this interpretation, escalation thus
involves determination of different accident sequences and the related loads and
responses applicable to each sequence.
A narrower interpretation of ‘escalation’ is to describe it as the secondary
failure of containment, due to accidental effects. This is the interpretation of
‘escalation’ used in this book, and the wide interpretation is replaced by the term
‘accident sequence’ modelling or analysis.
It may be important to carry out escalation analysis if the risk to assets is being
considered. An alternative, which may be carried out independently of the
escalation analysis, is the so-called impairment analysis, which involves an assessment
of the frequencies of impairment of the main safety functions. Both escalation
analysis and impairment analysis are focused on response to accidental loading,
mainly to fire and explosion loads.
6.9.1 Modelling of Fire Escalation
Escalation of fire from one area to another is required to predict whether a fire
spreads out of the original area. Secondary fire effects such as smoke or radiation
stemming from the original fire are not considered as escalation. It is assumed that
fires may escalate due to damage to the fire walls, by direct flow of fuel to the
adjacent area or by external flames. Escalation to other areas may be due to three
different escalation mechanisms:
- Heat impact from external flames
- Flames passing through penetrations and openings in the floor, walls or roof
- Failure of the segregating walls.
The ‘critical duration’ for external flames is the transition point between a short
duration flash fire and a stable fire. If the fire duration exceeds this critical
duration, the escalation probability increases from near zero to a value dependent upon
specific local conditions.
In such cases the effect of protective systems (which are focused on preventing
escalation to other equipment) is limited. The failure of segregating walls, ceilings,
and floors in the process areas will be strongly dependent on the loading and
passive fire protection. The likelihood of structural failure due to fires may be
considered in two ways:
- Coarse modelling based on simple heat transfer values
- Detailed modelling based on a comprehensive nonlinear structural analysis.
The modelling of fire escalation in a process area is a complex task, which could
be a ‘never ending story’, unless limited in some way. Some extent of simplification
has to be used. The following example, taken from a detailed QRA (Vinnem
et al., 1996a), illustrates a fairly detailed fire escalation model. In the study
referenced, the fire escalation has been carried out in the following steps:
1. A non-linear structural analysis of the failure times for piping was carried
out, using a range of parameters for wall thickness, piping diameter,
internal pressure, system medium and blowdown time.
2. A survey was carried out in the process areas to judge the conditional
probability that fire from a certain process segment would impinge on piping
from other segments. This assessment included a consideration of the size
of the flame and the size of the adjacent piping.
3. An escalation probability was then calculated by considering the particular
circumstances of each scenario, according to Steps 1 and 2 above. Figure
6.28 (Vinnem et al., 1996a) presents an example of the results from the
non-linear stress analysis of the piping systems under fire loads.
[Figure: time to failure (min) plotted against heat load (kW/m²), with curves for BD=7.5, BD=15, BD=30 and BD=60]
Figure 6.28. Results from pipe failure study, times according to heat load and blowdown
(BD) time
The actual probability of escalation in a specific scenario will depend upon:
- Fire dimensions in relation to the location of other equipment
- Type of fire
- Duration of fire
- Effect of active and/or passive fire protection.
6.9.2 Modelling of Explosion Escalation
Explosions, as a possible source of escalation, have come very much into focus
in recent years, mainly as a result of the so-called ‘large scale’ tests conducted
during 1996/7 (SCI, 1998). These tests found considerably higher blast loads than
those that had been found in smaller scale tests, and thus brought the existing
design methods into question. Explosions may lead to escalation in several
different ways:
- Global structural collapse
- Rupture of explosion barriers (separating areas or modules)
- Excessive deformation of explosion barriers to the extent that they no
longer form functional barriers
- Excessive deformation of decks or walls causing loss of containment in
equipment units in other areas
- Excessive deformation of process equipment causing loss of containment
in equipment units in other areas
- Damage to safety systems which renders them non-functional, following
the explosion.
Escalation modelling has in the past been done extremely simplistically, in the
sense that it has been assumed that process equipment and fire water piping would
rupture at 0.3 bar overpressure, and that structures would collapse at an
overpressure of 0.5 bar. This approach, however, has now been clearly shown to be
inadequate, in the sense that it is overly conservative. With the higher probability
of extensive blast loads, it will be extremely conservative (and costly), if such a
conservative approach is used for escalation modelling. A further drawback of this
approach is that such modelling is the opposite of platform specific modelling.
Escalation modelling therefore has to be done more specifically, and this results
in the need for a dedicated analysis to determine realistic explosion loads. How this
can be done is discussed further in Section 9.4, but it should be noted that current
experience indicates that analysis based on CFD has to be employed.
Modelling of escalation should therefore reflect the actual loads and the
capacities of the platform’s structure and equipment. This may be done in either of the
following ways:
- Convert the output from the explosion analysis to idealised dynamic loads
which may be then used as input to response calculations. (Often a
triangular pressure pulse is used.)
- Discretise the output (pressure–time curves) from the explosion
calculations into linear sections which may be used as input to structural analysis
software.
It is essential that the response calculations are carried out with due attention to the
dynamics of the system taking account of both elastic and plastic responses and the
effect of large deflections.
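The two idealisations listed above can be sketched in a few lines; this is an added example, not code from the book or from any study it references. The sample curve, the function names, the 0.15 bar tolerance and the choice to preserve peak overpressure and impulse in the triangular pulse are assumptions made for illustration.

```python
"""Idealise an explosion pressure-time curve for structural response input.

Added illustration: the curve below is constructed sample data, not output
from any CFD code or from the study discussed in the text.
"""
from typing import List, Tuple

Curve = List[Tuple[float, float]]  # (time [s], overpressure [bar])

# Constructed sample: positive phase of one overpressure pulse, 10 ms sampling.
SAMPLE_CURVE: Curve = [
    (0.00, 0.00), (0.01, 0.10), (0.02, 0.40), (0.03, 1.00), (0.04, 1.60),
    (0.05, 1.30), (0.06, 0.90), (0.07, 0.55), (0.08, 0.30), (0.09, 0.12),
    (0.10, 0.00),
]


def check_curve(curve: Curve) -> None:
    """Reject input the idealisations below are not defined for."""
    if len(curve) < 2:
        raise ValueError("need at least two samples")
    if any(t1 <= t0 for (t0, _), (t1, _) in zip(curve, curve[1:])):
        raise ValueError("times must be strictly increasing")
    if any(p < 0.0 for _, p in curve):
        raise ValueError("only the positive phase is handled here")


def impulse(curve: Curve) -> float:
    """Area under the curve by the trapezoidal rule, in bar*s."""
    check_curve(curve)
    return sum(0.5 * (p0 + p1) * (t1 - t0)
               for (t0, p0), (t1, p1) in zip(curve, curve[1:]))


def triangular_pulse(curve: Curve) -> Curve:
    """Triangle with the same peak overpressure and the same impulse.

    Assumption of this example: peak and impulse are the two quantities to
    preserve, so the duration follows from I = 0.5 * P_peak * t_d.
    """
    total = impulse(curve)
    t_start = curve[0][0]
    t_peak, p_peak = max(curve, key=lambda sample: sample[1])
    if p_peak <= 0.0:
        raise ValueError("curve contains no overpressure")
    duration = 2.0 * total / p_peak
    # Keep the simulated rise time unless it exceeds the triangle's duration.
    rise = min(t_peak - t_start, duration)
    return [(t_start, 0.0), (t_start + rise, p_peak), (t_start + duration, 0.0)]


def linearise(curve: Curve, tol: float) -> Curve:
    """Reduce the curve to a few linear sections.

    Recursive split at the worst-fitting sample: every original sample ends
    up within `tol` bar (measured vertically) of the returned polyline.
    """
    check_curve(curve)
    (t0, p0), (t1, p1) = curve[0], curve[-1]
    worst_i, worst_dev = 0, 0.0
    for i in range(1, len(curve) - 1):
        t, p = curve[i]
        chord = p0 + (p1 - p0) * (t - t0) / (t1 - t0)
        if abs(p - chord) > worst_dev:
            worst_i, worst_dev = i, abs(p - chord)
    if worst_dev <= tol:
        return [curve[0], curve[-1]]
    left = linearise(curve[:worst_i + 1], tol)
    right = linearise(curve[worst_i:], tol)
    return left[:-1] + right  # the split sample is shared, keep it once


if __name__ == "__main__":
    tri = triangular_pulse(SAMPLE_CURVE)
    lin = linearise(SAMPLE_CURVE, tol=0.15)
    ref = impulse(SAMPLE_CURVE)
    print("impulse of simulated curve [bar*s]:", round(ref, 4))
    print("triangular pulse:", [(round(t, 6), p) for t, p in tri])
    print("linear sections :", lin)
    print("impulse error of linear sections [%]:",
          round(100.0 * (impulse(lin) - ref) / ref, 2))
```

Tightening the tolerance adds sections and reduces the impulse error of the linearised curve; the triangular pulse matches the impulse exactly but discards the shape of the decay.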
6.9.3 Damage Limitation
There are extensive possibilities to limit possible damage and thus limit escalation
potential. It will be important that these are reflected as far as possible in the
analysis, not the least because then the analysis will be capable of determining the
effects of any risk reducing measures that may be considered. Limitation of
damage is based upon the use of active and passive systems such as:
- Passive fire protection on structures, walls, decks, piping, and equipment
- Explosion relief systems for reducing explosion overpressure
- Active fire protection systems for cooling and/or fire suppression
- Active explosion protection systems for reduction of overpressure.
Traditionally, passive systems have been considered preferable because they are
independent of activation. The main problem for active systems has been the
failure to activate them in the case of an accident. There is also a trend that
probability reducing measures are to be preferred over consequence reducing measures.
There may sometimes be a conflict between these two principles. The focus in the
following text is on how to model these systems. More thorough discussion of the
possibilities for risk reduction is provided in Section 9.5.
6.9.3.1 Passive Fire Protection
There are several software packages to analyse the protective function of passive
fire protection. These may be applied to structures as well as equipment. Given an
accidental fire load and a protective shielding, the resulting temperature loading on
the actual structure or equipment can be calculated with a reasonable degree of
precision and assurance.
These calculations will have to be based upon somewhat idealistic conditions
and often do not reflect possible mechanical failure of the fire protection material,
or ageing of the material. It is considered in spite of these limitations that the
accuracy of the predicted results is reasonably good.
6.9.3.2 Active Fire and Explosion Protection
The influence of active fire protection is difficult to model explicitly. It appears
that rather limited research has addressed this subject, and the application of active
fire protection has mainly been based on standards, regulations and industry accepted
guidelines. It is possible to calculate the cooling effect of active fire protection
under idealised conditions, but this is rarely done and moreover the effect of using
idealised conditions has probably a large effect on the applicability of the results.
The effect of active fire protection in damage limitation is often considered
rather simplistically without detailed calculations. The probable effect of this is the
introduction of further conservatism in the analysis.
The same considerations also apply to the use of active explosion protection, or
suppression, mainly by use of fire water deluge systems. This has recently changed
as a result of the large scale test programme, and the explosion simulation CFD
codes are now able to simulate the effect of water deluge systems on explosion
overpressure.
6.9.3.3 Explosion Relief
Explosion relief by panels and openings in module walls, roof and floor is
considered together with the actual load calculations as these two aspects are very
strongly interlinked. Modern CFD codes are able to take account of explosion
relief measures.
6.9.3.4 Analytical Consideration
The sections above have demonstrated that the methods to analyse accidental loads
in a detailed and quantitative fashion are somewhat limited. This is further
complicated by the fact that practical circumstances would play an important role in order
to differentiate between what can actually happen following an accident and the
extent to which damage may be caused. When an analytical capability exists, it is
very often coupled with relatively idealistic considerations.
Damage due to projectiles is another aspect where detailed modelling is virtually
impossible. Some coarse modelling based on empirical data has been attempted,
but not detailed modelling on a case-by-case basis.
These are the main reasons why sophisticated analysis of accidental damage is
seldom attempted. Actually the situation is to some extent changing, in that the
damage following an explosion is now becoming possible to calculate with advanced
analytical tools. So far, however, these tools are not as effective as those used
for fire loads. Considerable resources, however, need to be devoted to such studies,
if they are to be effective.
6.9.4 Response of Equipment to Fire and Explosion
6.9.4.1 Fire Response
The critical part of pipe flanges is the bolts. The critical steel temperature for
flanges with ordinary bolts is approximately 450°C, while the critical temperature
for flanges with special bolts is 650°C (Gowan, 1978).
Vessels filled with flammable liquids will absorb heat during a fire. On the
‘wet’ part of the vessels the absorbed heat heats up and evaporates the liquid.
When the fire risk is considered, it is normal to consider the effect of a hydro-
carbon pool fire beneath the vessel. The pressure inside the vessel will increase as
a result of evaporation of the liquid phase. If the pressure relief system for the
vessel has insufficient capacity (the evaporation rate is higher than the relief rate),
a BLEVE (‘Boiling Liquid Expanding Vapour Explosion’) may occur.
There is quite a considerable difference between an empty vessel, a vessel filled
with gas, and a vessel filled with liquid. In Gowan (1978) this is demonstrated by
reference to one specific case with 122 kW/m² heat load on a pipe, where the
following response times (time until the temperature of the steel wall reached 600°C)
resulted:
- Pipe ( =14', thickness 20 mm) filled with gas: 4 minutes
- Pipe ( =32', thickness 43 mm) filled with gas: 7 minutes
- Pipe ( =32', thickness 43 mm) filled with liquid: 13 minutes
A calculation method for the absorbed heat has been developed by API (API, 1976),
based upon several series of tests with pool fires. This is expressed in the formulas:
$$q = 2.6\,F\,A^{-0.18} \qquad (6.7)$$
$$Q = 27.9\,F\,A^{0.82} \qquad (6.8)$$
where
q = average heat absorbed per m² surface of the wet part of vessel, kW/m²
F = dimensionless factor
F = 1.0 for uninsulated tanks or vessels.
F < 1.0 for insulated tanks and vessels.
A = area of the wet part of the vessel, m², and
Q = total absorbed heat by the wet part of the vessel, kW.
This formulation is based on the assumption that the flame from a pool fire will
impinge on 55% of the total surface of a spherical tank, 75% of a horizontal
cylindrical vessel, and up to 9 metres on the sides of a vertical cylindrical tank.
The part of the vessel that is not filled with liquid (‘dry’) will have a
temperature rise in the steel and at high temperatures steel plates may rupture.
Table 6.6 shows the time to rupture of uninsulated steel plates as a function of
the tension in the steel plates and the thickness of the plates. The values in the table
are calculated based upon an absorbed heat flux of 44 kW/m². The steel plates are
exposed on one side.
Table 6.6. Time in minutes to rupture of uninsulated steel plates exposed to a pool fire (API,
1979)
| Tension in the steel plates | Thickness of the steel plates | Time to rupture in minutes from start of fire |
|---|---|---|
| 70 MPa (N/mm²) | 3 mm | 5 min. |
| 70 MPa (N/mm²) | 13 mm | 13 min. |
| 70 MPa (N/mm²) | 25 mm | 23 min. |
| 140 MPa (N/mm²) | 3 mm | 2 min. |
| 140 MPa (N/mm²) | 13 mm | 8 min. |
| 140 MPa (N/mm²) | 25 mm | 17 min. |
Literature often quotes 540°C as the critical steel temperature for load-bearing
elements based upon the fact that at this temperature the yield stress of steel is
approximately half that at ambient temperature (American Iron and Steel Institute,
1979). As a guideline 540°C can be used as the critical steel temperature for
process equipment in general. With an absorbed radiation flux of 30 kW/m², the
equilibrium temperature in the steel will after some time (depending on thickness)
be 535°C. The time to reach this equilibrium temperature varies with the thickness
of the steel.
Another illustration of the behaviour of steel under fire loading can be found in
Figure 6.29. The diagram shows that reduction of yield strength is quite gradual. It
also shows that the ultimate strength (governed by the stress–strain relationship)
actually increases up to 250°C.
Structural response of an entire system may be calculated, using non-linear
finite element calculations.
[Figure: relative strength (%) plotted against steel temperature (degC), with curves for yield strength and ultimate strength]
Figure 6.29. Properties of structural steel at elevated temperatures
6.9.4.2 Explosion Response
There is actually a considerable amount of data available regarding the response of
structures, equipment and humans to explosion overpressure loads. Much of the
data regarding the effect of explosions on people comes from work and experience
in the military. Structural response may be calculated, using non-linear finite
element calculations.
6.9.5 Tolerability Criteria for Personnel
6.9.5.1 Heat Radiation
API RP 521 (API, 1997) states a level of 6.3 kW/m² as permissible for exposure up
to 1 minute for personnel with ‘appropriate clothing’ (API, 1997). For ‘emergency
actions lasting several minutes’ 4.7 kW/m² is quoted as the exposure limit and
1.6 kW/m² for continuous exposure.
Some tests with voluntary participation of test personnel were conducted in
May 2003, in order to determine if the limits based on API were too conservative
or not. In general, there was insufficient data in order to conclude that the levels
were too conservative; the records indicated though that somewhat longer exposure
times could be accepted, without severe burns.
6.9.5.2 Oxygen Content in Air
When the oxygen concentration falls from 21% to 14% by volume, respiration and
pulse increase. The ability to maintain attention and think clearly is diminished and
muscular coordination is somewhat disturbed (Henderson and Haggard, 1943).
6.9.5.3 Carbon Monoxide (CO)
Sax (1984) quotes a lowest published ‘toxic’ limit of 650 ppm for 45 min exposure.
Lethal concentrations are generally quoted to be higher.
6.9.5.4 Air Temperature
High air temperatures can be sustained, providing that the humidity is low. In
saunas for example, temperatures in the order of 100°C are commonly used. In
desert climates temperatures can reach 50°C or more in the summer but usually
then with low humidity.
The criterion for impairment may be taken as an air temperature exceeding 50°C.
The criterion applies mainly to TR as short term exposure to higher temperatures
may be allowed during escape and evacuation.
6.9.5.5 Smoke
Smoke may hinder escape and evacuation if the visibility is reduced to such an
extent that personnel are not able to orientate themselves or see whether the escape
way leads to safety or not. Sometimes an ‘obscuration’ factor is used in order to
express the limitation of the visibility. The damage criterion could therefore be
phrased as follows:
- The safety function is considered to be impaired when the smoke concentration
is so high that the end of escape ways and corridors cannot be seen.
This is sometimes translated into a minimum distance of sight, say in the order
of 10 metres.
6.9.6 Impairment Criteria for Safety Functions
Impairment criteria are necessary in order to judge when the safety functions are
unable to function adequately. The following text discusses the considerations of
impairment and the main aspects to be taken into account.
It is worth noting that most of these criteria are ‘soft’ i.e., they are not coupled
with hardware damage nor structural failure, but depend upon the effect of the
incident on personnel.
6.9.6.1 Impairment of Escape Ways
The probability of the escape ways being blocked is related to the time it takes for
the personnel to evacuate to the TR. It may also be useful to define what
constitutes ‘blocking’ of the escape ways. Normally, there will be three factors
which require consideration:
- Structural damage/debris
- High heat loads
- Combustion products.
The first factor is mainly associated with severe structural impacts (collisions) or
the effects of explosions.
In many scenarios the heat load will be the most important factor when
evaluating the functioning of escape ways. A limiting value of 20–25 kW/m² is
normally accepted as the greatest heat load that humans can tolerate for more than
a few seconds. Lower values should be used, if exposure for longer periods is
considered (see Section 6.9.4.2 above).
Impairment due to combustion products may cause impairment of larger areas.
The combustion products from a fire primarily have two effects:
- Reduced visibility due to soot production
- Toxicity, primarily associated with CO and CO₂.
6.9.6.2 Impairment of Temporary Refuge (TR)
The following are the conditions constituting loss of integrity of the TR, as
specified by the Health and Safety Executive (HSE, 1992):
- Loss of structural support.
- Deterioration of life support conditions.
- Loss of communication and command support.
- Unusable evacuation means for those taking shelter in TR.
Impairment of the Shelter Area under Norwegian legislation (corresponds to
Temporary Refuge in UK) is usually considered in the same way, except that
evacuation is considered separately, not as part of the TR.
All accidental events affecting the TR are evaluated and the probability of
‘impairment’ of the TR for each event is calculated in the same way as for escape
ways. The evaluation should include a study of possible smoke and gas ingress into
the living quarters and TR.
The TR must remain habitable until the personnel inside have been safely
evacuated. This means that the time the TR must remain intact is longer than the
corresponding time for the escape ways leading to the TR.
6.9.6.3 Impairment of Evacuation Systems
The vulnerability of the primary evacuation system is assessed for each accidental
event. There is sometimes some confusion about what constitutes the ‘primary
evacuation means’, because companies tend to state that the helicopter is the
‘primary means of evacuation’. This may often be true for precautionary evacuation,
but is seldom so for emergency evacuation, especially in the event of a gas leak or
fire. In these circumstances, the lifeboats must be considered the primary means of
evacuation. It is vitally important that there is no confusion about what the main
mode of evacuation shall be. Confusion about how to evacuate apparently
contributed to the high death tolls in the Piper Alpha disaster in 1988.
The impairment assessment of the primary evacuation system is similar to that
for escape ways. The assessment of impairment probabilities for the lifeboats takes
into account factors like possible explosion damage, extensive heat load, fire on
sea etc.
When assessing impairment of lifeboats, there are a number of factors to consider.
In some scenarios, the evacuation systems themselves may tolerate the accidental
loads they are exposed to while the personnel who are going to use the boats
are more vulnerable. Impairment of lifeboats is therefore not necessarily limited by
the ability of the lifeboat to survive the accidental effects. Effects which must be
considered include the following:
- Smoke effects: Toxic effects as well as reduced visibility. Smoke will
obviously not affect the lifeboat itself, but personnel may be unable to use
it because it is engulfed in heavy smoke, or possibly filled with smoke.
- Thermal effects: GRP lifeboats can tolerate 10–25 kW/m² without being
seriously affected or losing integrity. However, if a lifeboat is exposed to
high radiation levels in the range 10–25 kW/m², the temperature is likely to
rise relatively rapidly. This means that personnel inside the lifeboat may be
exposed to unacceptably high air temperatures within a relatively short
time.
The discussion above is primarily related to the situation where the lifeboat is still
hanging in the davits on the side of the installation. After it is lowered to the sea,
the inbuilt sprinkler system on the boat itself will effectively cool the lifeboat.
Higher radiation levels are therefore likely to be sustainable without impairment,
unless the heat loads are very high, or the exposure time is very long.
Due to the normally short time it takes to lower the lifeboats, it is considered
that high heat loads, probably in excess of 50 kW/m², may be tolerable for this
period of time. The limiting factor determining whether or not the lifeboats may be
used will therefore frequently be the ability of people to enter the lifeboats. In
some cases, access to the lifeboats is completely sheltered.
6.9.6.4 Impairment of Main Structure
The effects of high heat loads, explosion overpressure loads and impact loads on
the main support structure (or hull structure in the case of a floating installation)
have to be considered in relation to the capability of the structure to resist these
loads. This topic is discussed in more detail in Chapter 8.
6.9.7 Required Intactness Times for Safety Functions
The last aspect to consider in relation to impairment is the time the safety functions
need to remain usable. The following aspects are part of a consideration of the
required intactness times for the safety functions.
- The mustering time for the installation must be based on the number of
personnel present, dimensions, etc., and be compared with the results of
drills (if available). 20 minutes is often used as a typical mustering time
(including confirmation of those missing) for emergency situations on
large platforms, 10 minutes is sometimes used for smaller installations.
- The time necessary for search and rescue of missing/wounded persons has
to be included in the required intactness times. For large platforms this
time is normally in the order of 15 to 20 minutes, less for smaller
platforms.
- The time required to enter and launch a conventional lifeboat is assessed to
be typically around 10 minutes. In predicting the required intactness time,
allowance is normally made for the time necessary to move to another
lifeboat and to launch that, in addition to the normal 10 minutes launching
time. Evacuation by several boats may have to be considered for larger
platforms. The entire duration is usually considered to take somewhere in
the range 10 to 30 minutes, depending on the circumstances.
- The time required to carry out a helicopter evacuation is usually not included
as an alternative to lifeboat evacuation. Helicopters are often used for
precautionary evacuation, when there is ample time available, but not for
time critical emergency evacuation. The helicopter evacuation time is
dependent on the mobilisation time for helicopter, their seat capacity, the
time for a round trip to a suitable offloading location (often another
installation), and the number of personnel to be evacuated. Several hours
may be needed, if one helicopter is to take care of more than 100 persons.
It may be noted that some of the times are relatively straightforward to calculate,
while others (especially the time to search for survivors) may only be subjectively
predicted.
Figure 6.30 shows the recorded muster times in exercises (PSA, 2006a) on
Norwegian installations, as a function of time. Observations for each installation
are shown, as well as a trend line. There is a clear relationship between the average
POB and the average time needed to complete mustering, including establishing
the status of personnel. When a similar correlation exercise was performed in
relation to required muster time, there was no visible correlation at all. ‘Required
muster time’ is in this context the muster time requirement that the operator has
defined in the emergency management system.
[Figure: recorded muster time (mins) plotted against average POB]
Figure 6.30. Recorded muster times in exercises on Norwegian installations, as function of
average POB
In determining the time requirement for intactness of escape ways the following
need to be considered. If the escape ways need to be usable for the time it takes to
reach the SA (or TR), and to seek and rescue injured personnel, then the necessary
time will be in the range 10–30 minutes, but up to 60 minutes for large
installations.
The permissible heat loads for the escape ways may, however, be based on short
exposure periods, from seconds up to 1–2 minutes. The arguments here are that
personnel will try to reach TR as rapidly as possible and thus will only be
subjected to high heat loads for short durations. Such an approach, however, will
not allow time for attending to injured personnel, and survivors who may have to
await assistance to reach TR (or SA).
If maximum heat loads are to be based on the presence of an escape way up to
30 minutes, then only very low heat loads would be permitted. This would lead to
extensive protection requirements, which would be impracticable to implement.
The following required intactness times are presented as typical values for the
safety functions of a small platform, based on assumptions as presented above (all
including time for mustering, search and rescue as well as lifeboat evacuation):
Temporary Refuge: 40 minutes
Escape Ways: 20 minutes
Evacuation Means: 40 minutes
Control Room: 40 minutes.
6.10 Analysis of Environmental Impact Risk
6.10.1 Overview
One approach to environmental risk analysis is the methodology developed by
DNV and Norsk Hydro, called ‘MIRA’, described by Sørgård et al. (1997) and OLF
(2001). The approach may be carried out with a variable extent of
detail, according to the available resources and the extent of detailed input data.
This approach is also able to reflect the level of prior knowledge from comparable
conditions and/or similar studies. The three levels of detail are called:
- Source based analysis: The simplest approach, based on duration and rate of
release, as well as distance to shore.
- Exposure based analysis: More extensive approach, based on duration, rate and
amount of release, as well as oil drift simulation. Resources and effect of
releases are considered in separate grid quadrants, typically 15 by 15 km.
- Damage based analysis: Most extensive approach, based on duration, rate, and
effect potential of release, as well as oil drift simulation. Consequences are
related to the most vulnerable populations, including beach habitats.
The source based analysis is the most conservative; it has been indicated that
overprediction of frequencies by almost one order of magnitude is possible with this
approach. The damage based analysis is the least conservative, but there is still
distinct conservatism in the approach. The source based calculation should be used
as a quick first round to determine whether a closer examination is warranted or
not. Otherwise this approach may be used to find a traceable way of applying
results from previous projects to a new related project.
6.10.2 Measurement of Environmental Damage
The team involved in the MIRA development focused, after careful consideration,
on recovery time as the single parameter for quantification of consequences. This
parameter may in principle be used irrespective of which analysis level is chosen.
But only in the damage based analysis is the recovery time calculated
quantitatively. More qualitative and indirect assessment is used in source based and
exposure based analysis.
The recovery time as a measure of environmental damage may be illustrated by
considering actual data from some large spills (from Vinnem and Vinnem, 1998);
this is shown in Table 6.7. It may be observed that more than half of the accidents
shown were caused by tankers or other types of vessels. Further, all the impacts
with the longest durations have been caused by vessels.
Table 6.7. Overview of recovery times of some large oil spills
| Source of spill | Year of spill | Calculated total spill (bbls) | Observed recovery time (years) |
|---|---|---|---|
| Exxon Valdez | 1989 | 375–500,000 | Around 10 |
| Mercantile Marcia | 1989 | ? | 4 |
| Oil pipeline, Louisiana | 1985 | ? | 1 |
| Oil pipeline, Texas | 1984 | ? | 2 |
| Amoco Cadiz | 1978 | 20,000 | 5–10 |
| Esso Bernica | 1978 | – | 9 |
| Ekofisk B platform | 1977 | 22,000 | 1 |
| Tsesis | 1977 | – | 5–10 |
| Arrow | 1970 | 7,000 | 5–10 |
| Santa Barbara | 1967 | > 8,500 | 1 |
| Torrey Canyon | 1967 | 30,000 | 5–10 |
It may be observed that there is no direct relationship between the amount of oil
spilled and the resulting recovery time. The longest recovery times that have been
recorded are in the order of 10 years. No spill with recovery time shorter than 1
year is shown in the table, but this is due to selecting only some of the largest spills
as the basis for the presentation.
The prediction of recovery times is still relatively uncertain, and it is therefore
prudent to express these times in categories, rather than exact values. The
following categories are recommended:
- Less than 1 month
- 1 month – 1 year
- 1 – 10 years
- >10 years
Sørgård et al. (1997) have used a slightly more refined division into categories, in
that the lower categories are split into three instead of two categories: <2, 2–5 and
5–10 years. Risk levels are often considered as ‘order-of-magnitude’ expressions,
and it is therefore considered most prudent to use the ‘order-of-magnitude’
categories indicated above.
Sometimes only qualitative statements are used for the different categories.
Such qualitative descriptions may be associated with the intervals in the following
manner:
- Insignificant recovery time: Less than 1 month
- Short recovery time: 1 month–1 year
- Moderate recovery time: 1–10 years
- Long recovery time: Above 10 years
6.10.3 Event Trees
The event trees that are usually used in the analysis of environmental risk are often
relatively simple, mainly focused on aspects which may determine the duration of
the uncontrolled flow. The factors that will determine the duration of a blowout are
usually the following:
- Immediate well ‘killing’ before developing into full blowout
- Mechanical isolation of the flow (‘capping’)
- Self stopping of flow in the reservoir (‘bridging’)
- Drilling of relief well(s).
Ignition of the blowout is also an important indirect factor, because an ignited
blowout will put quite severe restrictions on movement of personnel on the
installation. In this event mechanical isolation activities may be prevented or take
a longer time. The spill will also be less extensive, due to the amount of oil which
burns off.
Another factor which will have importance for the likely success of isolation
activities is whether the well is a so-called ‘dry completion’ or a ‘wet completion’,
i.e., whether the wellhead and Xmas tree are on a platform deck (‘dry’) or on the
seabed (‘wet’). Installation of mechanical devices in the well will be more
complicated for a subsea completed well, which will imply that a higher fraction of
the blowouts may require drilling a relief well. A typical event tree for
environmental consequence analysis of oil spills is shown in Figure 6.31.
6.10.4 Environmental Damage Distribution
The environmental risk will be expressed as frequencies of environmental damage
in the categories as outlined above. The following would be the complete
calculation of frequencies:

$$\lambda_{\text{damage},i} = \sum_{j}^{J} \sum_{t}^{T} \lambda_{\text{end},j} \, P_{A,j}(t) \, P_{B,j}(t) \, P_{\text{damage},i,j}(t) \qquad (6.9)$$
where
- $\lambda_{\text{damage},i}$ = frequency of damage for damage category i
- $\lambda_{\text{end},j}$ = frequency of end event in Figure 6.31 i.e., a release with
  specified duration according to the categories stated above and valued component j
- $P_{A,j}(t)$ = probability of exposure of an area with component j present at time t
- $P_{B,j}(t)$ = probability of presence of the valued component j at time t
- $P_{\text{damage},i,j}(t)$ = probability of damage in category i and valued component j
  at time t
- T = total time over which the damage frequencies are considered
- J = total number of valued components.
[Figure 6.31. Event tree often used in oil spill analysis. Initiating event: Blowout.
Branch questions: 1. Killed immediately; 2. Ignited; 3. Stopped within 1 day;
4. Stopped within 1-7 days; 5. Stopped within 7-30 days; 6. Stopped within 30-90
days. End events are numbered 1 to 11.]
The common approach to implementation of MIRA (Sørgård et al., 1997) is that a
few of the most vulnerable VECs are selected for analysis. These VECs are then
considered individually, such that the Equation 6.9 is implemented as follows:
$$\lambda_{\text{damage},i,j} = \lambda_{\text{end},j} \, P_{A,j}(t) \, P_{B,j}(t) \, P_{\text{damage},i,j}(t) \qquad (6.10)$$

where
- $\lambda_{\text{damage},i,j}$ = frequency of damage for damage category i and valued
  component j.
Some of the weaknesses of this approach were discussed in Section 3.4. An example
of how such results may be presented is shown in Figure 6.32 for six different
VECs that are presented separately.
The highest damage frequency is 6 x 10^-4 per year, when the VECs are considered
separately, whereas the sum is 2.3 x 10^-3 per year, if the damage frequencies
for each VEC are summed together. This summation would be according to
Equation 6.9.
[Figure 6.32. MIRA results for six ecological components. Vertical axis: annual
damage frequency (0.0E+00 to 7.0E-04). Horizontal axis: ecological component
(Beach 1, Beach 2, Beach 3, Beach 4, Bird stock 1, Bird stock 2). Series: Autumn,
Summer, Spring, Winter.]
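The calculation in Equations 6.9 and 6.10 can be carried through numerically as follows. This Python is an added example, not taken from the book or from MIRA; all input values are constructed, and it assumes that time t runs over four seasons and that P_A already includes the chance that the release falls in that season.

```python
"""Worked example of Equations 6.9 and 6.10 (damage frequency per category)."""

SEASONS = ("Winter", "Spring", "Summer", "Autumn")
CATEGORIES = ("<1 month", "1 month-1 year", "1-10 years", ">10 years")

# Constructed input per valued component (VEC) j:
#   lam_end  frequency of the release end event (per year)
#   p_a[t]   probability that the area holding the VEC is exposed at time t
#   p_b[t]   probability that the VEC is present at time t
#   p_dam[t] probability of damage in each category i at time t
VECS = {
    "Beach 1": {
        "lam_end": 2.0e-3,
        "p_a": {"Winter": 0.05, "Spring": 0.04, "Summer": 0.03, "Autumn": 0.05},
        "p_b": {s: 1.0 for s in SEASONS},  # a beach is always present
        "p_dam": {s: (0.2, 0.5, 0.3, 0.0) for s in SEASONS},
    },
    "Bird stock 1": {
        "lam_end": 2.0e-3,
        "p_a": {"Winter": 0.02, "Spring": 0.06, "Summer": 0.08, "Autumn": 0.03},
        "p_b": {"Winter": 0.1, "Spring": 0.9, "Summer": 1.0, "Autumn": 0.4},
        "p_dam": {
            "Winter": (0.6, 0.3, 0.1, 0.0),
            "Spring": (0.1, 0.4, 0.4, 0.1),
            "Summer": (0.1, 0.3, 0.5, 0.1),
            "Autumn": (0.4, 0.4, 0.2, 0.0),
        },
    },
}


def check_inputs(vecs):
    """Reject probabilities outside [0, 1] and damage splits that exceed 1."""
    for name, vec in vecs.items():
        if vec["lam_end"] < 0:
            raise ValueError(f"{name}: negative end-event frequency")
        for s in SEASONS:
            probs = (vec["p_a"][s], vec["p_b"][s], *vec["p_dam"][s])
            if any(not 0.0 <= p <= 1.0 for p in probs):
                raise ValueError(f"{name}/{s}: probability outside [0, 1]")
            if sum(vec["p_dam"][s]) > 1.0 + 1e-9:
                raise ValueError(f"{name}/{s}: damage probabilities exceed 1")


def seasonal_term(vec, i, season):
    """Right-hand side of Equation 6.10 for one VEC j, category i, time t."""
    return (vec["lam_end"] * vec["p_a"][season] * vec["p_b"][season]
            * vec["p_dam"][season][i])


def per_vec_frequencies(vecs):
    """Equation 6.10 summed over the seasons: {VEC: [frequency per category]}."""
    check_inputs(vecs)
    return {name: [sum(seasonal_term(vec, i, s) for s in SEASONS)
                   for i in range(len(CATEGORIES))]
            for name, vec in vecs.items()}


def total_frequencies(vecs):
    """Equation 6.9: sum over all VECs j and times t, per damage category i."""
    by_vec = per_vec_frequencies(vecs)
    return [sum(freqs[i] for freqs in by_vec.values())
            for i in range(len(CATEGORIES))]


if __name__ == "__main__":
    by_vec = per_vec_frequencies(VECS)
    totals = total_frequencies(VECS)
    for i, cat in enumerate(CATEGORIES):
        parts = ", ".join(f"{n}: {f[i]:.2e}" for n, f in by_vec.items())
        print(f"{cat:>15}  {parts}  sum (Eq. 6.9): {totals[i]:.2e}")
```

The per-VEC values correspond to presenting each VEC separately as in Figure 6.32; the summed values correspond to Equation 6.9.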


Section 3.1 has presented an overview of accidents on the Norwegian Continental Shelf, which may also be used as input to hazard identification. The level of detail to be considered in hazard identification is sometimes uncertain and the approach to be adopted has to be determined prior to commencing the work. Hazards should be identified for equipment as well as operations. For the hazards associated with equipment, there are three levels of detail:
- Equipment level: All individual equipment items, valves, instruments, vessels, etc. are identified separately as possible hazards.
- Subsystem level: All subsystems, such as separation stages, compression stages, etc. are identified separately as possible hazards.
- System level: All systems, such as separation, compression, metering, etc. are identified separately as possible hazards.

It is obvious that the number of hazards identified on each level will decrease at lower levels of detail. At equipment level in the order of 500–1000 hazards may be identified for a large installation. At system level perhaps only 20 hazards would be identified while 50–100 hazards may be identified at subsystem level. The main problem working at equipment level is the high number of hazards created, most of which will be similar apart from the equipment identified. Thus the overview is very easily lost. System level on the other hand may be too coarse, and distinctions and important differences may easily be lost. The subsystem level is therefore normally the most suitable. For hazards associated with operations, there is only one level, as each operation has to be considered in detail.

The most difficult aspect of the hazard identification is to ensure that significant hazards are not overlooked. This is a challenge to achieve. Structured analytical techniques that could assist in achieving this objective have been searched for, but so far without success. It may be argued that performing very detailed HAZOPs may be able to achieve the objective. However, the resources required to complete such a programme would be prohibitive.

Consider the following example. More than 15 years ago, a semi-submersible platform experienced uncontrolled ballasting operations, to the extent that severe listing developed and the crew were considering whether to evacuate or not. It was later found that the root cause of the problem was a minor fire in one leg of the platform, which had resulted in heating up of the hydraulic fluid used in the control system for the ballast valves. The return lines were too narrow to relieve the additional pressure generated by the heat sufficiently rapidly, thus causing uncontrolled valve operation. When the fire was extinguished, the problem disappeared. The critical question to consider is whether hazard identification could have identified such a hazard.
6.1.1 HAZOP

HAZOP is an analytical technique used to identify hazards and operability problems. The technique is being applied generally to any situation involving the interface between hardware, software and operators, although initially developed for evaluation of process plants. The approach may also be used in order to identify hazards. In HAZOP analysis, an interdisciplinary team uses a systematic approach to identify hazards and operability problems occurring as a result of deviations from the intended range of process conditions. An experienced team leader systematically guides the team through the plant design using a fixed set of ‘guide words’ which are applied to specific ‘process parameters’ at discrete locations or ‘study nodes’ in the process system. For example the guide word ‘High’ combined with the process parameter ‘level’ results in questions concerning possible ‘high-level’ deviations from the design intent. Sometimes, a leader will use check lists or process experience to help the team develop the necessary list of deviations that the team will consider in the HAZOP meetings. The team analyses the effects of any deviations at the point in question and determines possible causes for the deviation (e.g. operator error, blockage in outflow etc.), the consequences of the deviations (e.g. spillage of liquid, pollution etc.), and the safeguards in place to prevent the deviation (e.g. level control, piped overflow, etc.). If the causes and consequences are significant and the safeguards are inadequate, the details are recorded so that follow-up action can be taken. Access to detailed information concerning the design and operation of a process is necessary before a detailed HAZOP analysis can be carried out and thus it is most often used at the detailed design stage after preparation of the P&IDs or during modification and operation of existing facilities. 
A HAZOP analysis also requires considerable knowledge of the process, instrumentation, and operation, either planned or actual; this information is usually provided by team members who are experts in these areas. A HAZOP team typically consists of five to seven people with different background and experience in such aspects as engineering, operations, maintenance, health, safety and environment and so forth. It is normal for the team member who leads the analysis to be assisted by another, often referred to as the secretary, who records the results of the team's deliberations as the work proceeds.

The HAZOP relates to the following process parameters: flow, temperature, pressure, level, react, mix, isolate, drain, inspect, maintain, start-up, shutdown. The HAZOP guide words focus the attention upon a particular aspect of the design intent or a process parameter or condition:

- No (no flow)
- Less (less pressure, flow, etc.)
- More (more temperature, flow, etc.)
- Reverse (reverse flow)
- Also (additional flow)
- Other (flow)
- Fluctuation (flow)
- Early (commencement).

Reporting is particularly important from a HAZOP, in particular with respect to documentation of actions that have been agreed. An efficient secretary is therefore essential. There are also several software packages available in order to assist in the administration of the HAZOP. More extensive documentation of the HAZOP may be found in Crawley et al. (2000) and Lees (2004).

6.1.2 PHA

Preliminary Hazard Analysis is an analytical technique used to identify hazards which, if not sufficiently prevented from occurring, will give rise to a hazardous event. Typical hazardous energy sources considered include high-pressure oil and gas, other high-temperature fluids, objects at height (lifted items), objects at velocity (helicopters, ships), explosives, radioactive materials, noise, flammable materials, toxic materials etc.

Preliminary Hazard Analysis is often used to evaluate hazards early in a project being undertaken at the conceptual and front end engineering stage. It does not require detailed design to be complete but allows the identification of possible hazards at an early stage and thus assists in selection of the most advantageous arrangement of facilities and equipment. The general process adopted involves the following steps:
- definition of the subsystems and operational modes
- identification of the hazards associated with the particular subsystem or operation
- definition of the particular hazardous event resulting from realisation of the hazard
- estimation of the probability of the event occurring and the possible consequence of each of the hazardous situations, and then using a particular rule set to categorise the probabilities and consequences
- identify and evaluate actions to be taken to reduce the probability of the hazardous event occurring or to limit the consequence
- evaluate the interaction effect of different hazardous events and also consider the effects of common mode and common cause failures.

Preliminary Hazard Analysis is undertaken in a structured manner usually using some form of table. Each hazardous event that has been identified for the particular subsystem or operation is studied in turn and recorded in one line of the table arriving at a ‘risk rating’ either for that particular hazardous event or the subsystem or operation.

6.1.3 SAFOP

Safe Operations (SAFOP) study is an adaptation of the HAZOP technique for analysing work processes and procedures in order to identify and evaluate risk factors. SAFOP is a powerful tool for risk assessment of new (planned) or changed operations and is applicable for all activities where a procedure will be used, such as process interventions, material handling, crane operations, maintenance, electrical, marine activities, etc. The SAFOP checklist as described by Scandpower Risk Management (2004) has the following guidewords (for marine operations):
- Preop. checks: Necessary equipment, tugs not available on schedule. Necessary equipment checking/testing not performed
- Weather: Unclear weather restrictions or unexpected deterioration of weather (abortion of operation). Weather forecasting, low temperatures
- Current: Problems related to strong, unexpected currents
- Position: Object, grillage, tugs or vessel not in correct position
- Power: No power or insufficient power (tugs, vessel, air)
- Equipment: Malfunction or lack of equipment
- Instruments: Malfunction or lack of instruments
- Responsibility: Undefined/unclear responsibilities (tugs, vessel, port)
- Communication: Malfunction or lack of communication equipment. Communication lines, noise, shift changes
- Execution: A work task is executed in a wrong way, timing, speed
- Procedures: Missing or unclear procedures
- Visibility: Can the operator(s) see sufficiently?
- Movement: Objects, tugs or vessels move in an uncontrolled way
- Stability: Unstable conditions
- Tolerances: Tolerances for positioning, checked against requirements
- Interfaces: Wrong, marine growth, contamination, corrosion
- Stuck: Movement cannot be performed
- Rupture: Rupture of critical equipment, overloading
- Access: Insufficient access/space on tugs, vessel, port
- Escape routes: Sufficient, protected
- Contingency: Back-up procedures/equipment not available
- Other: Other items not covered by the above guidewords
- Impact: Impact between objects, squeezing (personnel)
- Drop: Drop of objects from a higher level
- Fall: Fall of personnel to lower level
- Energy release: Electric, hydraulic, pressure, heat, cold, noise, radioactive
- Toxic release: Release of hazardous substances

6.1.4 Bow-tie

The Bow-tie methodology is a process which can be used to effectively demonstrate how a facility’s Safety Management System can be implemented. It assists

companies/operators in the analysis and management of the hazards and risks to which their business is exposed, and through the use of graphics, display and illustrates the relationship between hazards, controls, risk reduction measures and a business’s HSE activities. The relationship between all the involved aspects as mentioned above has been an area of fault or weakness in many organisations – using the bow-tie method can help to display all the interactions and links that are often found to be loosely related over a number of various documents.

Bow-ties have become a preferred tool in many circumstances, in order to illustrate the relationship between various factors. Bow-ties depict the relationship between hazards, threats, barriers, escalation factors, controls, consequences, recovery preparedness measures and critical tasks. The most well-known tool for this purpose is THESIS, originally conceived by Shell International and now jointly owned and developed by ABS Consulting Ltd and Shell International (see also Appendix A).

[Figure 6.1. A typical bow-tie display. Elements shown: Hazard; Threat that could release hazard; Barriers to prevent threat; Top event; Recovery preparedness measures; Consequences; Escalation factors; Control of escalation factor; Activities & tasks = HSE-critical task.]

Essentially a bow-tie is a combination of the traditionally used fault and event trees, whereby the fault tree constitutes the left-hand side of a bow-tie and the event tree the right-hand side. What a bow-tie presents in addition however, are the ‘barriers’ in place that prevent ‘threats’ from releasing a hazard and ‘recovery preparedness measures’ that reduce the severity of the hazard consequences.

6.2 Cause, Probability and Frequency Analysis

Cause, probability, and frequency analysis techniques are used in QRA in order to determine many different parameters, such as:

- Potential causes that may lead to accidents, such as causes of initiating events or failure of barrier systems.
- Frequency of initiating events.
- Conditional probability of failure of safety systems, in the case of an accident.
- Probability that operating and/or environmental conditions are specially adverse.
- Probability that personnel are present in an area when the accident occurs.
- Probability that a particular severe accidental consequence occurs.

A brief overview of the most important methods is given below. Failure Mode and Effect Analysis may also be employed for qualitative analysis. For quantitative purposes there are many tools that may be used in order to calculate probability or frequency, including simulation methods, theoretical modelling, and formal methods such as Fault Tree Analysis and Event Tree Analysis. Frequencies are often based on statistical analysis of failure and accident data.

6.2.1 Fault Tree Analysis

There are several good textbooks available which provide instruction on Fault Tree Analysis (FTA). In-depth introduction may be found in these sources, a brief introduction is provided below:
- Høyland and Rausand (1994)
- Henley and Kumamoto (1981)
- Vesely et al (1981)
- Aven (1992)

Fault tree analysis is a logical, structured process that can help identify potential causes of system failure. The technique was developed to identify causes of equipment failure and was used primarily as a tool in reliability and availability assessment. The fault tree is a graphical model displaying the various combinations of equipment failures and human errors that can result in the occurrence of the hazardous event, usually referred to as the top event.

The strength of the fault tree technique is its ability to include both hardware failures and human errors, and thereby allow a realistic representation of the steps leading to a hazardous event. This allows an holistic approach to the identification of preventive and mitigative measures, and will result in attention being focused on the basic causes of the hazardous event, whether due to hardware or software.

FTA is particularly well suited to the analysis of complex and highly redundant systems. For systems where single failures can result in hazardous events, single-failure-oriented techniques such as FMEA and HAZOP analysis are more appropriate. For this reason fault tree analysis is often used in situations where another hazard evaluation technique, such as HAZOP analysis, has pin-pointed the possible occurrence of a hazardous event which requires further investigation.

The output of a fault tree analysis is a failure-logic diagram based upon Boolean logic gates (i.e. AND, OR) that describes how different combinations of events lead to the hazardous situation. A large number of fault trees may be necessary to adequately consider all the identified top events for a large process plant, and the analyst needs to exercise judgement when selecting the top events to be considered.

The fault tree illustrated in Figure 6.2 shows some indicative causes of why a LAN server in an office may be stolen. This simple example focuses on either random theft or planned theft; in the latter case both the order and knowledge have to be available.

[Figure 6.2. Fault tree illustration. Top event D0: LAN server theft. Gate G1 with inputs D1 (Random theft by criminal) and D2 (Planned theft by criminal). Gate G2 below D2 with inputs D3 (Criminal receives order for LAN server) and D4 (Criminal has knowledge of actual LAN server).]

The following are characteristics of a fault tree:
- Top event: Event D0
- Gates: G1, G2
- Undeveloped event: D1
- Basic events: D3, D4

The two gates are different, as shown by the graphics in the diagram, and may be characterised as follows:
- Gate G1: OR gate, Boolean OR, output occurs if any of the input events occur.
- Gate G2: AND gate, Boolean AND, output occurs if all the input events occur.

The events are also different, as shown by the graphics in the diagram. All events are shown as rectangles, with different coding below. The differences may be characterised as follows:

- Undeveloped event D1: diamond, causes not developed further.
- Basic events D3, D4: circle, lowest level of fault tree, where reliability data is applied.

The top event D0 occurs if any of D1 or D2 (or both) occurs. Event D2 occurs if both of D3 and D4 occur. It is easy to observe from Figure 6.2 that the top event will occur in case of the following event combinations:
- D1
- D3 and D4.

This implies that there are two minimal cut sets in Figure 6.2. A cut set is a fault tree set of events which will cause the top event to occur if all events in the set occur. A minimal cut set is a cut set that cannot be reduced further and still maintain its capability as a cut set. D1 is a cut set of order one. D3 and D4 together constitute a minimal cut set of order two. For illustration, the set {D1, D3, D4} is a cut set, but not a minimal cut set, because it may be reduced further. {D1, D3} is also a cut set, but not a minimal cut set.

In order to undertake fault tree analysis, it is necessary to have a detailed understanding of how the plant or system functions, detailed process drawings, procedures, and knowledge of component failure modes and their effects. Experienced and well-qualified staff should always be used to ensure an efficient and high-quality evaluation.

By reviewing the fault trees, it is possible to identify the different combination of failures or errors which give rise to the hazardous event. The different failure combinations may be qualitatively ranked depending upon the type and number of failures necessary to cause the top event. Inspection of these lists of failure combinations can reveal system design or operational weaknesses for which possible safety improvements can be considered by the introduction of additional barriers.

6.2.2 Event Tree Analysis

There is no extensive text material available for instruction in the construction, analysis and use of event trees. This topic is therefore discussed at some length in Section 6.3 below.

6.2.3 Failure Mode and Effect Analysis

Failure Mode and Effect Analysis is a simple technique that does not require extensive theoretical description, but should rather be based on practice in conducting such studies. Useful descriptions and overview may be found in the following:
- Høyland and Rausand (1994)
- Stamatis (1995).
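The cut-set statements made above for the LAN server theft tree of Figure 6.2 can be checked mechanically. The following Python is an added example, not code from the book: it expands the gates top-down into cut sets, reduces them to minimal cut sets, and computes the top-event probability; the basic-event probabilities and the assumption that the events are independent are constructed for illustration.

```python
"""Minimal cut sets and top-event probability for the Figure 6.2 fault tree."""
from itertools import product

# Intermediate events and their gates, as described in the text.
TREE = {
    "D0": ("OR", ("D1", "D2")),   # gate G1: random theft OR planned theft
    "D2": ("AND", ("D3", "D4")),  # gate G2: order received AND knowledge
}
TOP = "D0"

# Constructed probabilities of the undeveloped/basic events (assumption).
CONSTRUCTED_P = {"D1": 0.01, "D3": 0.10, "D4": 0.50}


def occurs(event, true_leaves):
    """Evaluate whether `event` occurs given the leaf events that occur."""
    if event not in TREE:
        return event in true_leaves
    kind, inputs = TREE[event]
    results = [occurs(e, true_leaves) for e in inputs]
    return any(results) if kind == "OR" else all(results)


def is_cut_set(events):
    """A cut set causes the top event if all events in the set occur."""
    return occurs(TOP, set(events))


def is_minimal_cut_set(events):
    """Minimal: a cut set that stops being one if any event is removed."""
    events = frozenset(events)
    return is_cut_set(events) and not any(
        is_cut_set(events - {e}) for e in events)


def cut_sets(event=TOP):
    """Top-down expansion: OR gates add alternatives, AND gates combine."""
    if event not in TREE:
        return [frozenset([event])]
    kind, inputs = TREE[event]
    child_sets = [cut_sets(e) for e in inputs]
    if kind == "OR":
        return [cs for sets in child_sets for cs in sets]
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def minimal_cut_sets(event=TOP):
    """Drop every cut set that strictly contains another cut set."""
    sets = set(cut_sets(event))
    return {cs for cs in sets if not any(other < cs for other in sets)}


def leaves(event=TOP):
    """All undeveloped and basic events below `event`."""
    if event not in TREE:
        return {event}
    return set().union(*(leaves(e) for e in TREE[event][1]))


def top_event_probability(p):
    """Exact probability by enumerating all states of independent leaves."""
    names = sorted(leaves())
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        if occurs(TOP, {n for n, s in zip(names, state) if s}):
            weight = 1.0
            for n, s in zip(names, state):
                weight *= p[n] if s else 1.0 - p[n]
            total += weight
    return total


if __name__ == "__main__":
    print("minimal cut sets:", sorted(sorted(cs) for cs in minimal_cut_sets()))
    print("{D1, D3} cut set:", is_cut_set({"D1", "D3"}),
          "minimal:", is_minimal_cut_set({"D1", "D3"}))
    print("P(top event):", round(top_event_probability(CONSTRUCTED_P), 4))
```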

6.2.4 Statistical Simulation Analysis

The best known simulation technique is the so-called Monte Carlo method, which is described in several textbooks. This topic is therefore not repeated here; interested readers may be pointed to:
- Høyland and Rausand (1994)
- Ripley (1987).

6.2.5 Analytical Methods

A typical example of an analytical approach is the modelling of collision frequency, which is discussed in Chapter 10.

6.2.6 Operational Risk Analysis

The offshore petroleum industry has for a long time invested considerable resources in engineering defences, or barriers, against fire and explosion hazards on the installations. The performance of barriers is to some extent followed up through performance standards and Key Performance Indicators, though often not extensively. Safety systems are usually addressed on a one-by-one basis, not allowing dependencies and common mode/cause failures to be identified.

Half of the leaks from hydrocarbon containing equipment occur in connection with manual activities in hazardous areas, during which engineered defences often are partially inhibited or passivated, in order not to cause disruption of stable production. The occurrence of these leaks is a clear indication that system and human defences relating to containment of leaks are not functioning sufficiently well during these operations. There is an obvious need to understand better the performance of barriers, particularly non-technical, during execution of manual activities.

In a paper presented at ESREL 2003 (Vinnem et al., 2003a), operational risk assessments were discussed. It was concluded that there is a clear need for improvement of the analysis of barriers. These aspects form the outset for an extensive research activity called the BORA (Barrier and Operational Risk Analysis) project (Vinnem et al., 2003b). A PSAM7 paper (Vinnem et al., 2004) gave some preliminary observations and introduced a proposed approach.

Two case studies with modelling and analysis of physical and non-physical barriers on offshore production installations have been carried out. Barriers intended to prevent the incident occurring along with those intended to eliminate/reduce consequences are included, and particular emphasis is placed on barriers during execution of operational activities. The results from the studies should enable both industry and authorities to improve safety through:
- Knowledge about performance of barriers and improvement potentials
- Identification of the need to reinforce the total set of barriers, especially during operational activities
- Identification of efficient risk reduction measures for barriers, together with effective modifications and configuration changes.

The analysis has been quantitative as far as possible. Barriers are in general characterised by reliability/availability, functionality and robustness. All of these performance measures are addressed. The Norwegian regulations require that dependencies between barriers shall be known. The analysis is therefore performed such that, where relevant, common cause or mode failures and dependencies between barrier elements are accounted for.

6.2.6.1 BORA Methodology

The BORA project has proposed a methodology in order to analyse failure of operational barriers, as outlined in Vinnem (2004), and presented in detail in Aven, Sklet and Vinnem (2006). The methodology has three main processes:
- Qualitative analysis of scenarios, basic causes and RIFs
- Quantification of average frequencies/probabilities
- Quantification of installation specific frequencies/probabilities.

This is shown in Figure 6.3, which presents the BORA methodology as well as the sources for scoring of RIFs. Also the sources for the installation specific quantification of frequencies and probabilities are presented in Figure 6.3. The following sources are available:
- TTS/TST verifications
- MTO (Man, Technology and Organisation) investigations
- RNNS (Risk Level Project) questionnaire surveys
- RNNS barrier performance data
- Detailed assessments (Expert input)
- General background studies.

The TTS/TST verifications (Thomassen and Sørum, 2002) are focused on technical and documentation aspects of barriers. These verifications were developed by Statoil, and the approach has been adopted by several Norwegian offshore operating companies in Norway. MTO investigations (Tinmannsvik et al., 2005) are investigations with special emphasis on human and organizational aspects that have been conducted for many accidents and incidents in the past few years, mainly by or on behalf of the Petroleum Safety Authority (PSA) in Norway.

RNNS is a project conducted annually by PSA for the entire Norwegian Continental Shelf (PSA, 2006a and b), which for the purpose of the BORA methodology has two applicable activities:
- Biannual questionnaire survey
- Annual collection of barrier performance data.

The questionnaire survey has extensive questions relating to working environment factors as well as a number of aspects relating to perceived risk and safety culture. The barrier performance data, see PSA (2006a), is concerned with a selection of barrier elements, most of which are technical barriers.

[Figure 6.3. Summary of main aspects of the BORA methodology. Elements shown: Basic barrier modelling; Sources for assessments (TTS/TST verification, MTO investigations, General background studies, RNNS questionnaire survey results, RNNS barrier performance data, Detailed assessments); Quantification of average frequencies/probabilities; Identification and classification of RIFs; Scoring of RIFs; Quantification of importance (weights) of RIFs; Adjustment due to dependencies between RIFs; Quantification of specific frequencies/probabilities; Complete barrier model.]

The basic risk model in the BORA project may be seen as an extended QRA-model; however, there are several extensions compared to typical offshore QRA studies:
- Event trees and fault trees are linked in one common risk model.
- Detailed modelling of the loss of containment barrier, including initiating events reflecting different causes of HC release and safety barriers aimed to prevent release of HC.
- Incorporation of operational activities functioning as operational barriers such as use of checklists, third party control of work, and manual inspection in order to detect corrosion in the risk model.

Traditionally, the event modelling in QRA starts with loss of containment as the initiating event, and the barriers to limit the potential consequences of the leak are modelled. In the BORA project we want to visualise the barrier elements in place to prevent the leak itself. For this purpose ‘barrier block diagrams’ have been developed for different conditions which may cause loss of containment. For the case ‘loss of containment due to incorrectly fitted equipment’, see Figure 6.4.

[Figure 6.4. Barrier block diagram, ‘incorrectly fitted equipment’. Initiating event: Valve incorrectly fitted during maintenance. Barrier elements: Control/inspection of work reveals the error; Pressure testing before start up reveals the error. Branch labels: YES, NO. Consequences: OK; OK; Potential loss of containment.]

The calculated release frequencies from the different release scenarios constitute the input to the analyses of the consequences. However, it is the possibility to evaluate the relative importance of the different release preventive barriers and the effect of changes that is important regarding control of risk and prioritization of risk reducing measures. The BORA methodology may use release statistics in order to calibrate the quantitative numbers obtained by analysis of the release scenarios. Also other ways to calibrate the numbers are considered. It should be noted that at the time of preparing the manuscript, there is no commercially available software which may be used for the BORA analysis.

6.2.6.2 Bayesian Belief Network

The use of Bayesian belief networks (BBN) is gaining popularity among risk analysts as they are flexible and well suited to taking the performance of human and organisational factors into consideration, and they provide a more precise quantitative link between the performance of risk influencing factors. Jensen (2001) and Pearl (2001) present this approach. Recently a methodology called Hybrid Causal Logic (HCL) has been developed, allowing Bayesian belief networks to provide input information to fault trees and event trees. The basic approach is presented by Mosleh et al. (2004), and some suggestions for application to the offshore industry are presented by Røed et al. (2007).

The example case is the following accidental event, ‘release due to incorrect fitting of flanges or bolts during flowline inspection’. The assembling of the flowlines occurs after inspection, but prior to start-up. There are three barrier functions to prevent the initiating event to occur. The technician carries out self control after assembling the flowlines, followed by independent (third party) control. Finally a leak test is carried out prior to start-up. The event sequences caused by the initiating event are presented as a barrier block diagram in Figure 6.4. Figure 6.5 shows a simple illustration of the Bayesian belief network.

Figure 6.5. Bayesian belief network for example (Røed et al., 2007)

6.3 Event Tree Analysis
6.3.1 Basics of Event Tree
An event tree is a visual model describing possible event chains which may develop from a hazardous situation. Initiating events (sometimes called top events) are defined and their frequency or probability of occurrence calculated. Possible outcomes from the initiating event are determined by using a list of questions where each question is answered ‘yes’ or ‘no’. The questions will often correspond to safety barriers in a system such as ‘isolation failed?’ The method therefore reflects the designer's way of thinking. The probability of alternative outcomes is calculated for each question which forms a branching point in a logic diagram. These branching points are often called the ‘nodes’ of the event tree. The probability or frequency of alternative end events (also often called terminal events) is calculated based on the probability or frequency of the initiating event and the conditional probability associated with each branch. End events may be gathered in groups having similar consequences to give an overall risk picture.
The event tree is quite similar to a cause consequence diagram although the latter uses more text and a few more graphical symbols. The cause consequence diagram is somewhat easier to read, but significantly less information can be compressed into one sheet. This may be part of the reason why event trees appear to be preferred. From event trees the following are often performed:
- Frequency calculation for consequence classes
- Sensitivity analyses (effect of variations of some parameters)
- Identification of major contributions to each consequence class.
In addition to frequency/probability prediction, an event tree may also be used for direct calculations of consequences. The most typical way to calculate consequences is to carry out separate calculations associated with the different branches and/or terminal events. A simple way to carry out a fatality risk assessment is to assign a number of fatalities to the branching points (in case of branching one way), and these are summed to find the number of fatalities for the end events.
The theory on which the event tree methodology is based is very simple and requires only limited explanation. The following sections outline both the theory and the practical application of event tree analysis.
6.3.1.1 Accident Sequence Modelling
One of the most crucial tasks of QRA (and also probably the most difficult) is the modelling of the potential accident sequences. In most situations it is a challenge to identify the possible hazard, and to accurately represent the possible accident sequences. The following are the main difficulties in such modelling:
- The process is normally highly time dependent.
- Escalation involves complex interactions between different processes and different equipment.
- Small differences in circumstances may often lead to vastly different final scenarios. This is demonstrated by the incident involving the maloperation of ballast valves due to build-up of pressure in hydraulic system return lines, as a result of a fire (see page 162).
- Human intervention may sometimes have extensive effects on the development.
Dynamic situations are probably the main challenge. Tools and approaches need to be able to reflect dynamics in the most accurate way, in order to achieve realistic modelling. It is recognised that an event tree model is usually too static a tool to be really suitable for detailed analysis of accident sequences and the dynamics of such a process. Very little effort however has so far been devoted to the development of alternative tools and approaches. One such alternative, PLATO®, is briefly described in Section 6.5.
6.3.1.2 Event Tree Illustration
The event tree used for initial illustration (Figure 6.6) is an event tree for evaluation of evacuation from a platform. The initiating event in the event tree is assumed to be an event which requires evacuation from the platform, e.g. a blowout, a large fire etc. From this initiating event, different scenarios may develop, depending upon the circumstances. The different circumstances are described to the right of the event tree, in the form of a number of questions relating to the nodes.

Event tree for escape and evacuation The first question considered is whether precautionary evacuation from the platform has been performed. However. Also nuclear plants (and even space vehicles) are simpler than the largest offshore installations with respect to escalation of accident consequences. this question is superfluous. but could be considered simpler. depending on alternative outcomes to intermediate situations. Secondary LB launch successful 7. The second question is whether escape has been performed prior to ignition. . and the way plants are laid on the ground level. for the right branch it is relevant. 6. The analysis of these processes is extremely complex on offshore platforms.6. due to spacing between units. although they are more complicated with respect to the work processes. if precautionary escape has been performed. this second question is therefore not considered. In fact offshore platforms are the most difficult objects to analyse for accidental event development.3 Sequence of Events The analysis of accidental scenarios includes the following elements in relation to hydrocarbon leaks: Modelling of leaking media Event sequence analysis. Escape prior to ignition 3. In this way.1. Escape to secondary LB possible 6. Due to this. Large offshore platforms often have 3–4 levels of equipment with different kinds of interaction. otherwise we move to the right.176 Offshore Risk Assessment Evacuation scenario Yes 1. then we move to the left along the first branch of the event tree. Onshore petrochemical and chemical plants are more complex in relation to the process design. Some R&D work has been going on in this regard.3. Obviously. Successfully seaborn 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Event number Figure 6. Precautionary evacuation preformed 2. Main LB launch successful 5. Escape to TR complete 4. For the left branch from the first question. If this is the case. 
modelling of event sequences is the aspect of offshore QRA that causes most of the uncertainty. including ignition and barrier modelling Escalation modelling Impairment modelling Consequence modelling. splitting the scenarios into more and more detailed scenarios. we can continue through the event tree.

3. When the standard rule of only two output branches from each node is applied strictly. as shown in the event tree. When more branches are allowed from each node.2. vs. 6. vs. This is discussed in more detail in Section 6. There are several aspects that need to be considered carefully. the most important of which is the sequence in which the escalation factors are considered. Consider the following alternatives with respect to ignition of small gas leak: Immediate ignition (fire is implicit) Delayed ignition causing explosion Delayed ignition causing fire No ignition.5.6.8 shows the same example redrawn such that one node has three outputs.Analysis Techniques 177 and there are one or two alternative options available to replace the traditional approach to event sequence modelling. Figure 6. These three nodes will occupy a lot of space in a graphical representation of the event tree and a more condensed presentation is possible if one node is ‘allowed’ to have all four sequences as outputs. in order to save space. then there will always be one more end event than there are nodes in the tree. The sequence issue is especially important in respect of leaks from process equipment because there are a number of safety systems and functions installed. o Delayed ignition. when considering failure or success of evacuation. If the standard rule of dual branches from each node is followed. the outcomes are classified in binary states as either ‘failed’ or ‘success’. For instance.7 shows a simple example with binary division in each node. in constructing an event tree. whereas Figure 6.4 Node Branching Rule Another aspect which may be mentioned is that the rule of branching in two mutually exclusive sequences from each node (binary output from nodes) is sometimes broken. this leads to three nodes being required: No ignition. . which splits into o Immediate ignition. Figure 6. Ignition. all of which are intended to reduce the risk associated with leaks. 
which splits into Explosion Fire. The requirement that all outputs are mutually exclusive is valid in all cases. These two diagrams further show that event trees may be drawn horizontally as well as vertically. The importance of sequence is closely coupled with the fact that conditional probabilities are used in the event trees. So far however there is no single technique which has really been able to replace the use of event trees. then the number of end events may be smaller than the number of nodes.1.

3. a typical node question is whether automatic systems are capable of controlling the fire. Event tree example with binary division Gas leak Ignition Fire Yes Immediate Fire Fire Delayed Expl No ignition No ign Figure 6. and loop back in order to improve on the chance that further escalation is prevented.178 Offshore Risk Assessment Gas leak Yes 1. 1976).5 Loops in the Tree Since sequence is an important aspect. In the case of fire for instance. Looping could increase the realism in the modelled sequences. If the automatic control is unsuccessful. but there is theory available also to cover this aspect (Nielsen. although the theory has been available for 30 years. however. it will often lead to further escalation. which compensate for its shortcomings: . complicates the calculation of frequencies quite substantially. one might assume that loops in the event tree could be quite useful. Event tree example with one combined node 6. Immediate ignition 3. we could take extra fire fighting measures (activation of manual control) into consideration. it has three very significant advantages.1. The use of loops. Ignition 2. But in a looped fashion. Despite this fact this alternative is virtually never used.8.7. Although it is recognised that the event tree is far from ideal for modelling of accident sequences. Explosion No ign Fire Expl Fire Figure 6.

3.8 = 0.8 and Figure 6. and it provides a good opportunity for integration of reliability analysis into the accident sequence modelling. Figure 6. we may assume that the probability of precautionary evacuation being performed is 0.6. we may assume that the probability of escape before ignition is 0. we can arrive at probabilities for the terminal events in the event tree. A sketch showing the principles of such integration is outlined in Figure 6.6). Illustration of integration between event tree and fault trees 6. 1 2. . it may be noted that event trees are commonly drawn either top-to-bottom or left-to-right. By continuing this logic through the tree. as illustrated in Figure 6. 3 2. Probability values can be assigned to each branch and in this way we build up a tree of conditional probabilities. as the conditional probability. 4 Figure 6.1.Analysis Techniques 179 It is graphically easy to understand. given that precautionary evacuation has not been performed. we arrive at the frequency for each terminal event. then becomes 0. Secondly.4.8.8.9.7 Combination of Event Trees and Fault Trees The RiskSpectrum® software is outlined in Section 6. This means that the probability that precautionary evacuation is not performed will be 0.32. N1 1 N2 N4 2 3 N3 N5 4 5 6 2. Finally.4 0.4. 6.9 being the exceptions to this rule. noting that it allows an integrated analysis of event trees and fault trees. The total probability of escape before ignition.9. If in addition we multiply with the frequency of the initiating event.3.6 Probability and Frequency Calculation The event tree can also be used for quantification of the likelihood of different scenarios. The top-to-bottom convention is used throughout this book.1. given no precautionary escape. 2 2. If we return to the evacuation example again (Figure 6. it is easy to use.

3. The leak categories may be based on: Mass flow. Dimensions of the leak area. There is a unique relationship between the gas composition. The discussion in this section is focused on hydrocarbon leaks. including blowouts. mud process and quarters Structural and marine accidents Separate event trees could be developed for each relevant leak category and for each piece of equipment. often in kg/s. (often using an equivalent diameter circular hole). Event trees are often presented for the following categories of leaks: Process Leaks: Small leak Medium leak Large leak Riser and Pipeline Leaks: Small leak Medium leak Large leak Full Bore Blowouts: Full flow Reduced flow Different flow paths/location of release The number of categories may obviously change.2 Major Hazard Scenarios The main use of event trees in offshore QRA is for modelling accident sequences from hydrocarbon leaks and other major hazards. A leak classification frequently used is: . the pressure.180 Offshore Risk Assessment 6. 6. depending on the circumstances of the analysis. in order to avoid losing the overview.3. The number of event trees would therefore be very substantial for a large platform and it is therefore necessary to eliminate trees and parts thereof that are not really required. The following are the main types of hazards for which event trees are used: Blowouts Hydrocarbon leak events from process equipment Hydrocarbon leak events from riser Fires in utility systems. the mass flow and the area of opening.3 Initiating Event Frequency The frequency of initiating events is shown in the event tree.

The next category of leak would be those that cause escalation to the next section due to jet fire impingement. common characteristics are calculated for each of the categories. the following values could be observed for gas leaks from one installation during 10 years of operation: Large leaks.3. in the sense that only the distances between vessels are illustrated. With respect to process segments.05 kg/s) Medium leaks.Analysis Techniques 181 Small leaks.1 kg/s. whereas flames from medium sized leaks will always impinge. and for a medium leak. 1–10 kg/s Large leaks.1 How to Divide into Categories? One potential problem associated with use of either of the two systems of categorising leaks is that it may not truly reflect actual situations.1–1 kg/s (sometimes from 0. 17 metres. . >10 kg/s. This may be highlighted by considering how escalation may be modelled (this phenomenon is sometimes called ‘artefact’). In order to illustrate typical occurrence frequencies. 19 Over 250 registered seepages and other leaks below 0. Instruments and piping may result in the real separation distances between vessels being shorter.45 leaks per installation year 6. 1 Small leaks. Vessels C and D belong to the same ESD segment. Vessel E is a separate ESD segment from all the other vessels. is an artificial situation brought about by grouping leaks and giving them a single representative size. the following is assumed: Vessels A and B belong to the same ESD segment. It is assumed that all these five vessels are installed in the same area. however. This.10. then the flame from small category leaks will not impinge on the next section of equipment.3. the flame length of jet fire may be 3 metres. The principles are illustrated in Figure 6. none Medium leaks. If the distance to the next section of process equipment is 7 metres.1–1 kg/s): 0. Thus for small leaks. When leaks are grouped in categories. 
which reports the following average frequencies during the 10 year period 1996–2005: Large leaks (>10 kg/s): 0. which is different from the segment which Vessels A and B belong to.0069 leaks per installation year Medium leaks(1–10 kg/s): 0. This illustration is simplified in order to demonstrate the principles. A logical system for categorising leaks would define the smallest leaks as those below a size which causes jet fire impingement and subsequent escalation. 0. Another way to illustrate frequencies is from the Risk Level project.151 leaks per installation year Small leaks (0. In actuality the larger leaks in the small leak category may have a jet flame length of over 7 metres and thus would give rise to escalation.

For detailed studies it is common to base the calculation of leak frequency in an area on leaks from the following equipment.3. The leak categories may be defined as follows: Since Vessels A and B belong to the same segment. and each leak category. Simplified sketch of five process vessels and distances (in horizontal plane) The leak categories should now be determined on the basis of jet fire flame lengths in relation to the distances between the vessels. The second category is based on the distance L3. the distance L1 is not applicable as basis for these definitions.2 Leak Frequencies for Selected Categories Frequencies for initiating events are calculated separately for each piece of equipment or system. smallest category.10. from which the total system leak frequency is generated: valves flanges bends instrument connections welds piping . which gives the lower limit for the category.182 Offshore Risk Assessment Vessel E L3 L2 Vessel A Vessel D L1 Vessel B Vessel C Figure 6. The third category should be based on the distance to a fire wall (not shown). 6.3. based either on system or equipment values. The distance L2 is used as the lower limit for significant leaks.

- pressure vessels
- coolers and heaters
- risers
- pipelines.
Gas and oil leaks are considered separately for all systems and operations. Generic data (typical average for industry standard equipment) are most commonly used. Installation specific data should be used, whenever available, as discussed in Section 5.10. The approach indicated here is the traditional approach where leak frequencies are calculated based on an equipment count, i.e., without taking operations into consideration. The BORA project has developed a general approach in order to take activities and operations into account. This was outlined in Section 6.2.6.1. For blowouts, the following operations are considered separately:
- shallow gas zone drilling
- exploration drilling
- well testing
- development drilling
- completion of production wells
- completion of injection wells
- regular production
- wireline operations
- coiled tubing operations
- snubbing operations
- workover operations.
The distinction is also often made between wells with regular deviation and so-called horizontal wells (with sometimes very long horizontal sections), High Pressure/High Temperature wells and wells with completion in multiple reservoir zones (‘multibore’ wells).
6.3.4 Nodes in Event Trees

Event tree probabilities are provided at each branching point (node) in the event trees. Typically the following aspects are considered:
- Detection of leaks
- Ignition
- Emergency shut down, blowdown, flaring
- Fire fighting system
- Explosion and fire
- Extent of escalation of accidental effects.
This list only shows the main categories that are considered and further categorisation may be required in a detailed event tree. In a detailed event tree the following active and passive safety systems and functions would be covered by the logic nodes:
Safety Systems Reliability:
- ESD system, including valves
- Blowdown valves
- Gas detection
- High Integrity Pressure Protective System
- Fire detection
- Smoke detection
- Fire fighting, automatic and manual.
Passive Fire Protection:
- Escalation (mainly depending on passive fire protection)
- Ignition time and location.

There is some discussion as to whether all safety systems should be reflected in the event trees as separate nodes or not. Some analysts would claim that not all safety systems need to be reflected separately in the event trees. They will claim that it is most efficient in many circumstances to combine several systems into one node, to avoid the event tree becoming unmanageable. The opposite view is that more focus is put on those safety systems that are reflected explicitly as nodes in the event tree, and that this will help in meeting the regulatory requirement to document the effect of barrier system failures. It will often be most efficient to find a compromise between these two extreme positions. Let us illustrate a case where there is a node stated as ‘Closure of ESD valves’, which then would include implicitly the following barrier elements: ESD valves, ESD logic, as well as auto gas detection and manual gas detection sub-functions. The probability of failure to shut the ESD valves can be calculated for this node in the following manner (if the elements and sub-functions are independent):
$$P^{f}_{TOT} = P^{f}_{ESDV} + P^{f}_{ESDL} + P^{f}_{GASDET} \cdot P^{f}_{MANDET} \qquad (6.1)$$

where
$P^{f}_{TOT}$ = probability of failure to shut the ESD valves
$P^{f}_{ESDV}$ = probability of failure of the actual ESD valve itself
$P^{f}_{ESDL}$ = probability of failure of the ESD logic
$P^{f}_{GASDET}$ = probability of failure of gas detection
$P^{f}_{MANDET}$ = probability of failure of manual gas detection.

Equation 6.1 may be valid for many similar cases. It should be noted that this equation assumes independence between [automatic] gas detection and manual detection. The individual elements of Equation 6.1 may be calculated by Fault Tree Analysis or based on operational experience (or a combination). The importance of the correct sequence by which the nodes are considered has already been pointed out. It could be mentioned that one typical error in this context is that ignition of a gas leak is considered as the first node in the tree, prior to consideration of leak detection. But the probability of ignition is highly dependent on whether the leak has been detected or not. The first node should therefore in most cases be concerned with the detection.
6.3.5 End Event Frequency

The calculation of end event frequencies is mathematically straightforward, just involving multiplication of the initiating event frequency by the appropriate conditional probabilities. The amount of calculations may, however, make the use of computerisation necessary. The following relationship between frequencies and probabilities may be observed:
- Initiating event: Usually given by its frequency.
- Nodes: Probabilities are always used, principally these are conditional probabilities.
- End events: Have the same dimension as the initiating event, therefore usually frequency.
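The multiplication along each path can be carried out mechanically, as in the following added example (not from the book). All probabilities, the initiating frequency and the function names are constructed for illustration; the ‘Closure of ESD valves’ node is combined from its barrier elements as a rare-event sum in which automatic and manual gas detection must both fail, which is an assumed reading of Equation 6.1, and the ignition node has four mutually exclusive outputs.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import isclose, prod


def esd_node_failure(p_esdv, p_esdl, p_gasdet, p_mandet, exact=False):
    """Probability that the 'Closure of ESD valves' node fails.

    Independent elements are assumed. Detection is lost only if automatic
    AND manual gas detection both fail, hence the product term.
    """
    p_no_detection = p_gasdet * p_mandet
    if exact:
        # Exact union of three independent failure causes.
        return 1.0 - (1.0 - p_esdv) * (1.0 - p_esdl) * (1.0 - p_no_detection)
    # Rare-event approximation: plain sum of the contributions.
    return p_esdv + p_esdl + p_no_detection


@dataclass
class Node:
    question: str
    # outcome label -> (conditional probability, child Node or end-event class)
    branches: dict


def end_events(init_freq, node, path=()):
    """Return [(consequence class, path, frequency)] for every end event."""
    total = sum(p for p, _ in node.branches.values())
    if not isclose(total, 1.0, abs_tol=1e-9):
        # Outputs of a node must be mutually exclusive and exhaustive.
        raise ValueError(f"{node.question!r}: branch probabilities sum to {total}")
    found = []
    for outcome, (p, child) in node.branches.items():
        step = path + ((node.question, outcome, p),)
        if isinstance(child, Node):
            found.extend(end_events(init_freq, child, step))
        else:
            # End event frequency = initiating frequency x product of the
            # conditional probabilities on the path leading to it.
            found.append((child, step, init_freq * prod(q for _, _, q in step)))
    return found


def by_consequence_class(events):
    """Gather end events with the same consequence into one frequency."""
    totals = defaultdict(float)
    for cls, _, freq in events:
        totals[cls] += freq
    return dict(totals)


def ignition_node(isolated):
    """Four-output ignition node; probabilities depend on the preceding node."""
    tag = "isolated" if isolated else "unisolated"
    # Constructed conditional probabilities (immediate, delayed expl., delayed fire).
    p_imm, p_expl, p_fire = (0.005, 0.001, 0.004) if isolated else (0.02, 0.01, 0.02)
    return Node("Ignition?", {
        "immediate": (p_imm, f"fire, {tag}"),
        "delayed, explosion": (p_expl, f"explosion, {tag}"),
        "delayed, fire": (p_fire, f"fire, {tag}"),
        "none": (1.0 - p_imm - p_expl - p_fire, f"no ignition, {tag}"),
    })


def build_example_tree():
    # Constructed element failure probabilities for the ESD node.
    p_fail = esd_node_failure(0.01, 0.002, 0.05, 0.2)
    return Node("ESD valves closed?", {
        "yes": (1.0 - p_fail, ignition_node(isolated=True)),
        "no": (p_fail, ignition_node(isolated=False)),
    })


INIT_FREQ = 0.1  # constructed initiating event frequency, leaks per year

if __name__ == "__main__":
    events = end_events(INIT_FREQ, build_example_tree())
    for cls, freq in sorted(by_consequence_class(events).items()):
        print(f"{cls:24s} {freq:.3e} per year")
```

Because the outputs of every node are mutually exclusive and sum to one, the end event frequencies add up to the initiating event frequency, which is a useful consistency check on any hand-built tree.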

The end event frequency may be expressed as:
$$\lambda_j = \lambda_i \cdot \prod_{k \in K} p_k \qquad (6.2)$$

where
$\lambda_j$ = frequency of end event j
$\lambda_i$ = frequency of initiating event in the tree
$p_k$ = conditional probability of branch k
$K$ = set of branches that defines the path from initiating event to end event j.

The initiating event frequency is usually considered to be constant, assuming for instance a Poisson distribution of the occurrence of events. With this assumption, a simple relationship between probability and frequency exists, as shown below. If the annual frequency of small gas leaks is $\lambda_i$, then the probability of at least 1 gas leak in a one year period may be expressed as:

$$P(\text{at least 1 leak}) = 1 - e^{-\lambda_i t} \approx \lambda_i t \qquad (6.3)$$

The approximation is valid only if the probability is lower than 1% (the error at 10% is 0.05), the first expression is always valid. The probability of no gas leaks in a year, is (with the same condition for the approximation):

4 may be used for the end events as well as for the initiating event.l = impairment frequency for end event j pimp. This event tree considers only one safety system. l where imp. The conditional probabilities of the terminal events are also shown. 6. The end. The frequency of the end events are often multiplied by the impairment [conditional] probability (in range 0.11 presents a simple event tree for process system medium sized leaks in the range 1–10 kg/s. j .0–1.3. but may also be more sophisticated. the frequency of events which the safety functions are not designed to sustain. It would be expected that the probability of this particular sequence would be higher on an old installation like Piper Alpha. These reflect typical conditions on a relatively modern production platform on the Norwegian Continental Shelf. j .l = conditional probability of impairment for safety function l for end event j. It could be observed that the sequence of events in the Piper Alpha accident is not particularly probable on a modern platform in the North Sea.0) in order to determine the impairment frequency i.7) has been marked with a thicker line in the event tree. Figure 6.j. l j p imp . Piper Alpha may be characterised as follows: .186 Offshore Risk Assessment P (0 leaks) 1 it ( 6. the ESD system. Event trees are often constructed quite simplistically.4) Equations 6.e.3 and 6.5) imp . The nodes (branching points) in the diagram are focused on the following safety systems and important safety aspects: ESD system availability Ignition Explosion Escalation to nearby equipment Escalation to other areas. In event tree terms. ( 6. or terminal events in the tree. The nodes following the safety system node involve the consideration of ignition inside the module as well as different mechanisms of escalation including strong explosion. 
The sequence of events in the Piper Alpha accident (see Section 4.6 Gas Leak in Process Area Hydrocarbon leaks are analysed to consider different fire and explosion scenarios. It may be observed that the Piper Alpha sequence is quite well reflected in the simple event tree shown above. due to the probability distribution used. are sometimes called the ‘accidental events’..j.

82 3 0. see Figure 6. Ignition occurred in spite of this (ESD probably not initiated until after the explosion). Escalation to other equipment 5. This implies for instance that the Subtree A to be inserted into Figure 6.12 is the part of Subtree B in Figure 6. Figure 6. Escalation then subsequently resulted in riser rupture. .0010 10 0.0202 9 0.47 8 0. Although the Piper Alpha events can be quite simply modelled it will often be important to expand the hydrocarbon leak event tree into more details because only in this way is it possible to model explicitly the influence of different protective and/or detailed systems and functions.53 2 0. Operator in the area initiated ESD.12 and also on a lower level.11 6 0. The following example shows a detailed event tree for a medium gas leak.12 and Figure 6.11. setting off an oil fire. Strong explosion 4. ESD unsuccessful 2. as a subset of Subtree B. A and B. There are two subtrees shown in Figure 6. which could be denoted ‘Fire detection successful’ (actually the ‘No’ outcome of ‘Fire detection failure’).Analysis Techniques 187 Medium gas leak Yes 1.13.13.0075 4 0. In fact it is shown that this event tree involves a small extent of ‘looping’ in the event tree.13 is principally devoted to Subtree B. The resulting explosion was not strong (it has been back calculated to 0. in the sense that ‘operator intervention’ is shown on a high level in Figure 6. Transfer logic normally used in fault trees is used for the subtree transfers. Ignition inside module 3. also including operator intervention.13.04 7 2.2– 0. which are used to simplify the drawing of the subtrees. in Figure 6. with Piper Alpha sequence highlighted Medium gas leak. but contains in fact also Subtree A.12.0001 11 0. Event tree for medium gas leak.0027 12 0. There are two additional subtrees inside Subtree B. This event tree has a considerably higher number of nodes than the simple event tree in Figure 6. 
Escalation (probably due to fragments) was first to other equipment.4 bar).11. Escalation to other areas 1 96.0008 5 0.0010 Event number Conditional probability (%) Figure 6.

Operator intervention not successful 3. Operator intervention not successful 8. Spreading to equipment 12. Blowdown failure 10. Strong explosion causing escalation to other equipment 5.13 were used for calculations.12 and Figure 6. then the transfers cannot be allowed. because the nodes may have different probabilities. Fire water not effective 11. according to where they are in the event tree. Subtree B Yes A 6. Ignition 4.188 Offshore Risk Assessment Medium gas leak Yes 1.13. If the trees in Figure 6. Strong explosion causing escalation to other areas 6 7 A 1 2 3 4 5 B Event number Figure 6. ESD failure C C D 9. Spreading to other area 8 9 10 11 12 13 14 15 16 17 18 19 20 Event number Figure 6. Detection failure 2. Fire detection failure D 7.12. Subtrees for detailed event tree for small and medium gas leaks . Detailed event tree for small and medium gas leaks The use of transfer symbols is not common in Event Tree Analysis.

The effectiveness of fire water activation (Level 10) is strongly dependent on the circumstances that prevail in the scenario, reflecting what has been mentioned earlier, that all probabilities in the event tree are conditional probabilities. The total number of nodes in the expanded (actually full) version of this event tree is 48, implying that there is a total of 49 terminal events in this event tree.
This detailed event tree is a real case, in the sense that it has been used in an actual detailed QRA, and a point has been made to present it in the way it was used. There is one aspect of this tree which is somewhat unfortunate, in the sense that so-called ‘double negation’ is used. This implies that when the question ‘Fire detection failure’ is posed, the ‘No’ branch actually implies a positive outcome, ‘Fire detection successful’. There is also a similar double negation for ‘detection failure’. It is recommended to structure event trees such that ‘double negation’ is avoided, and the wording of the event trees in Figure 6.12 and Figure 6.13 is therefore not a recommended solution.

6.3.7 Blowout Event Tree
The discussion of blowouts in this section deals only with the effect on personnel and facilities. The modelling of aspects that determine the environmental consequences fall outside the scope for this book, and are not discussed in detail.
A standard event tree is often used for the description of the relevant accident scenarios. The same tree is often used for all blowout scenarios, irrespective of the cause. The event tree is shown in Figure 6.14, and the nodes discussed in the text below.

Figure 6.14. Blowout event tree (initiating event: Blowout; nodes: 1. Immediate ignition; 2. Delayed ignition; 3. Greatly delayed ignition; 4. Fire (=no explosion); 5. Fire on sea)

6.3.7.1 Node: Immediate Ignition
Ignition is regarded as ‘immediate’ if the leak is ignited within the first seconds (may be up to just a few minutes) after the leak occurs. In these cases ESD isolation will often have limited effect, due to the rapid development. An explosion may be less likely in these circumstances, as an explosive gas cloud may not have had the time to form. This is not always the case, an explosive cloud may be rapidly forming in some cases. The Piper Alpha accident may illustrate this aspect, as it is likely that the explosion in this accident occurred only some 20 seconds after the leak started.

6.3.7.2 Node: Delayed Ignition
Ignition is regarded as delayed if it normally takes some few minutes (perhaps up to 30 minutes) for a leak to ignite. The possibility of strong explosion is much higher in this case, as a cloud of considerable size may have been formed before being ignited.

6.3.7.3 Node: Greatly Delayed Ignition
Greatly delayed ignition is of interest in the case of blowouts and riser/pipeline leaks, where huge clouds may be generated, and travel some distance before finding an ignition source. (Consider for example one actual case when a blowout was ignited 2–3 days after it started, by a work vessel which came in to tow the wrecked platform away.) Recent R&D programmes (SCI, 1998) have demonstrated that under the worst case conditions very strong explosions may theoretically occur in such circumstances.
If none of the ignition cases occur, then it is implied that the blowout is unignited. This implies that the consequences mainly are spilled oil and/or gas releases to the atmosphere. The size of the spill or dispersed cloud is completely dependent on the duration of the blowout, and may range from a few tons up to tens of thousands of tons of oil, or up to billions of m3 for gas.

6.3.7.4 Node: Fire
On offshore platforms gas fires are often more significant than oil pool fires, the latter are dealt with in Section 6.3.7.6 below. Authority requirements and offshore design practices have often concentrated attention on protection against pool fires, presumably under the assumption that protection against gas fires is impossible or unrealistic.
Gas leaks may lead to jet fires, if rapidly ignited. Such fires are very heat intensive, and have a significant effect on objects in the flame. There are no official definitions or standard regarding jet fires that are appropriate, and thus realistic fire scenarios have to be judged. This calls for a dedicated assessment. The measures necessary to give adequate protection from jet fires also need to be determined.

6.3.7.5 Explosion
Explosions (‘No’ branch for the ‘Fire’ node) following a massive gas leak from a blowout may involve a substantial amount of gas. The important aspects related to occurrence of explosion is whether escalation occurs or not, whether it is escalation to another segment, or to another area or deck. Usually this is not directly expressed in the blowout event trees, probably because, due to the long duration of the fire, escalation is virtually certain once a blowout is ignited. If escalation occurs instantly because of the explosion, such early escalation may be more critical, especially if it occurs prior to evacuation having been completed.

The scenario could in such cases be similar to the Piper Alpha accident. Only one such scenario with corresponding severity (37 fatalities) is known from the accident records, namely an explosion and fire caused by a blowout in the US Gulf of Mexico area in 1970.

6.3.7.6 Node: Fire on Sea
In the case of an offshore platform blowout, there is always a chance that some amounts of oil may be spilled onto the sea surface without being completely burned in the air. This oil may then burn on the sea surface. If the volume of oil burning on the sea surface reaches a significant amount, then the radiation loads on the underside of the deck may be quite high. The smoke production may also prevent escape and evacuation from being completed.
Fire on sea may in theory also be caused by a subsea blowout from a wellhead on the seabed. A burning subsea blowout will only occur if the flow is ignited, usually by equipment on the installation. Only gas has the possibility to be ignited inside the installation, and the gas fraction will therefore influence the probability of ignition.
Pool fires in the open are controlled by the evaporation rate from the fuel surface. The liquid absorbs energy from the flame and evaporates. The vapour will mix with the entrained air as it rises due to buoyancy effects. It is further heated to ignition and reacts generating heat. Burned gases then radiate energy until they reach some low temperature at which point they merely exchange heat with the surroundings. When a pool fire occurs inside an enclosure where the air supply is limited, the actual extent of air supply will determine the intensity of the pool fire.
The main characteristics of a pool fire which are important with respect to safety, are:
- duration of the pool fire
- extent of the pool fire i.e., height and diameter of the flame
- radiation heat load on objects located outside the flame
- heat load on objects enveloped by the flame.
These characteristics are strongly dependent on the geometrical conditions at the location where the oil spill occurs.

6.3.8 Gas Leak from Riser/Pipeline
The event tree for riser leaks is usually quite simple, because there are limited possibilities for risk reduction. An example is illustrated in Figure 6.15.

6.3.8.1 Leak and Outflow Conditions
A sudden rupture of a high-capacity gas/oil pipeline in air (i.e. above sea level) will result in a massive release of highly combustible material. The amount of energy stored in such a line may be enormous, and an accidental release of hydrocarbons may give rise to substantial mechanical damage and/or fire. The best approach for the control of risk in this context is to prevent the actual occurrence of the rupture itself. To assess the hazard it is necessary to know the time-dependent rate of outflow and the characteristics of the outflow when ignited.

Figure 6.15. Riser leak event tree (initiating event: Riser leak; nodes: 1. Ignition; 2. Strong explosion; 3. Isolation available; 4. Spreading to other risers; 5. Fire on sea)

6.3.8.2 Ignition
The flow rate in case of a gas leak will be very high if a riser rupture occurs above the sea level. The size of the gas cloud will therefore be quite extensive in a very short time, in fact it could be so extensive that large parts of the cloud are above the upper explosive limit (UEL), such that ignition is unlikely.
Ignition of a leak from an oil riser is quite different from a gas leak. The crude oil is relatively incompressible and the outflow conditions will be much more affected by friction, implying that expansion will be limited to an initial ‘gushing’. The possibilities for ignition are therefore much more limited.

6.3.8.3 Isolation of Flow
Subsea isolation valves were installed quite extensively on gas pipelines in the first few years after the Piper Alpha accident in 1988, and some 50 valves were installed on existing pipelines. After the Piper Alpha accident much attention was given to the ESD-valves located on the platform, in particular with regard to their survivability in various accidental conditions. The most extensive protection is however provided by a subsea valve location. A subsea valve will act as a barrier stopping the outflow of gas from the pipeline, even if a leak develops in the riser. A possible fire will therefore have short duration, if such a barrier is installed.
A subsea isolation valve is typically located 200–500 m away from the platform. The reasons for this are that:
- It reduces the likelihood that the valve will be damaged by dropped objects from the platform.
- The valve will be capable of blocking not only riser leaks but also leaks in the section of the pipeline closest to the platform. This is also the part of the pipeline which is clearly most likely to develop leaks, this was already indicated in Subsection 5.3.3.

The disadvantage of this location is that the inventory in the pipeline/riser section between the valve and the platform will be greater and thus represents a greater risk. Possible leaks from the valve itself also have to be considered, and it is therefore important that the valve is located sufficiently far away from the platform to avoid the possibility of the development of a gas cloud around the platform in the event of a leak from the valve.
Figure 6.16 indicates a location of a subsea isolation valve on a gas export pipeline from an FPSO installation. With such vessels, the connection between the pipeline and the vessel is usually through flexible flowlines, which are considered to have a higher probability of leakage, compared to a steel riser. Installation of subsea isolation valves is therefore more common in these circumstances.

Figure 6.16. Location of subsea isolation valves on gas pipelines (labels: SSIV; riser flowline connection)

If a subsea valve is installed, then the focus in the operations phase must be on maintaining high availability of the valve, such that the probability of failure to close in an accident is minimised.
A subsea valve implies that several potential leak points are introduced in the pipeline. This means that a gas leak may develop through the valve itself, and this leak can obviously not be stopped by the valve. In practice, it can be expected that the expected leak frequency is higher after the valve has been installed.

6.3.8.4 Spread to Other Risers
The consequences may be even more severe, if the accident escalates into additional risers. The fire loads may be very extensive, and if the duration of the fire is long, then the likelihood of rupture of a second riser is quite high. This was also demonstrated in the Piper Alpha accident, see Section 4.7.

6.3.8.5 Fire on Sea
Fire on the sea surface is important, because the support structure may be damaged in addition to the topside, as demonstrated by Piper Alpha, see Section 4.7.

6.4 Analysis of Dependencies Between Barriers
The way quantitative risk analysis in the petroleum industry has been conducted for many years makes the comprehensive analysis of dependencies between barriers impossible. Reliability analysis of barrier systems and elements is conducted to a limited extent as input to the node probabilities in event trees. These reliability studies are usually conducted separately for each node, often in a superficial manner, and without consideration of the influence from utility systems. An exception, where comprehensive analysis of barriers is usually conducted, is when a HIPPS (High Integrity Pressure Protection System) is used, and reliability is extremely crucial. The analysis is however often limited to the pressure protection function.
In the QRA studies for nuclear power plants, it is common to perform extensive event tree and fault tree analysis, to an extent where dependencies may be analysed in detail. The most commonly used tool is RiskSpectrum® (Relcon, 2006). This analysis tool has event trees and fault trees in a common manner, but has the ability to transform event trees to fault trees, such that all fault trees for barriers then may be integrated into a huge common fault tree. From this overall fault tree, dependencies may be analysed in detail, using common techniques for analysis of cut sets, common mode failures and importance calculations.
A pilot study was completed in order to demonstrate the advantages of application of the RiskSpectrum® tool (Bäckström, 2003). The RiskSpectrum® analysis tool gives the following advantages:
- Dependencies may be identified, together with common mode failures.
- Importance measures may be calculated for components, systems and failures.
- The analysis may be used to identify the requirements for barriers to be effective.
- The analysis may be used in order to identify what compensating measures are required if barrier systems are unavailable.
For the installation in question, the following were found to be the systems with highest importance with respect to prevention of uncontrolled escalation of fire:
- Pneumatic power supply
- Two named electric power supply circuits.
Such results would usually never be found using traditional quantitative risk analysis. It was further found from the pilot study that the contribution from common mode failures was lower than expected. As it was a quite limited pilot study, it is unsure whether this is an observation which has wide ranging applicability.
It is usually physical barrier elements that are analysed with the use of RiskSpectrum®. This was also the limitation used in the pilot study. The regulations, on the other hand, require that physical as well as non-physical barrier systems and elements are considered in parallel. It would be possible to extend a RiskSpectrum® analysis also to include human and organisational barrier systems and elements.

6.5 Event Sequence Analysis

6.5.1 Time Dependency
A ‘one-directional’ time development is often assumed when constructing an event tree. For a gas leak this typically follows the sequence:
- Leak
- Gas detection
- Isolation
- Ignition (potential)
- Fire detection
- Fire fighting
- Secondary loss of containment.
In actuality the scenario development is seldom so simple if the scenario is completely without control. Very often there will be loops, where secondary leaks, explosions and escalation of the fire occur. In practice this cannot be integrated into the event tree.
Cause–consequence analysis is another form of event tree which has the ability to show time delays between steps, and to some extent couplings or combinations. The time sequence is still assumed to be ‘one-directional’.
The event trees usually used in QRA are considered as ‘static’, in the sense that the logic of the tree, its couplings etc., are fixed by the analyst prior to conducting the actual analysis. The alternative to the static event tree is the dynamic event tree, which can be programmed to alter its logic and construction to reflect the modelled development of an accident. Commercially, however, there is only one package available for modelling of such dynamic trees, namely PLATO®, developed by Environmental Resources Management (formerly Four Elements Ltd.), London (Morris, Miles and Cooper, 1994). PLATO® is said to be a simulator for accident development, but may perhaps better be explained as a dynamic event tree generator. The dynamic event tree generator in PLATO® will develop the branches in the tree according to the results of the consequence calculations that are automatically carried out as the process is developing.
But the dynamics has its price. What would typically be an event tree with 50 terminal events, may in the dynamic analysis have 5,000 terminals. In the past the high number of outcomes has apparently limited quite considerably what can be done in terms of consequence calculation for each terminal event, in order for the computing time to be realistic. The benefits of the dynamic event trees may be lost entirely, if oversimplified consequence calculations are used. It is a difficult choice to make, between representation of the dynamic tree with simplified consequence calculations, or more static (and simpler) event trees with more advanced consequence calculations. The big advantage of the event tree method, on the other hand, is the ease in communicating the assumed accident sequence to non-analysts.
An independent review (Jones and Irvine, 1997) found that the models that are used for combustion are suitable and sufficiently detailed for application to an offshore installation. It may on the other hand be argued that since 1997, there has been an increasing use of CFD calculations within QRA studies.
In spite of the severe restrictions on how the event tree may model the dynamics in the accident sequence, the program is still being used extensively, in order to provide an approximate model of reality. But it should be noted that further research and development work would be advantageous in order to improve the accident sequence modelling.

6.5.2 Node Sequence in Event Tree Modelling
The sequence of nodes in an event tree is one of the most difficult aspects, where it may be claimed that there is in fact no universal truth, because it will depend on the structure of the tree, the safety systems and the functions that are involved. It may appear that this is unimportant as node probabilities are to be multiplied anyway, according to Equation 6.2, see Appendix A. But this is far from the case. The node probabilities are conditional probabilities, and the sequence will therefore be of considerable importance.
In this field no absolute rules may be stated. A suggested rule to use is the following:
- If systems and actions have a time sequence in the development, they should then be represented in the same sequence in the event tree.
- If activation of one system or function has an effect on the success of other systems, then that one system should be considered first in the event tree.
Consider the following example: Detection of a gas leak will usually result in emergency shutdown, which will isolate sections of the process plant, but also cut power to all electrical equipment which could be an ignition source. The ignition node therefore needs to follow the detection node, as the opposite would result in a gross over-prediction of the risk associated with ignited leaks.

6.5.3 Directional Modelling
Another limitation of the normal event tree is that it becomes too complicated if different flame directions are considered (applies mainly to jet fires). The event tree is often modelled using a ‘typical’ direction, or the most probable direction or the worst case direction. But how shall this be determined? In the case of a gas leak from a flange on a piping system, all directions along the circumference of the flange are equally likely.
An alternative to this approach has been chosen by some analysts who use event trees modelled in six different (Cartesian) directions. The software ASAP® performs such modelling. The advantage of this approach is that directional modelling may be accomplished with ‘normal’ trees using a PC, although the resulting number of event trees becomes very high. PLATO®, the dynamic event tree generator mentioned above, is however also able to handle escalation due to flames in different directions.
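The node-ordering rule of Section 6.5.2 can be checked numerically. The Python sketch below is an added example, not taken from the book or from any QRA tool: it quantifies a small gas leak event tree whose node probabilities are conditional on the path so far, and compares it with a tree that asks the ignition question before detection. All frequencies, probabilities and node names are constructed illustration values.

```python
from typing import Callable, Dict, List, Optional, Tuple

Path = Dict[str, bool]  # node name -> outcome already decided on this path
Node = Tuple[str, Callable[[Path], Optional[float]]]

# Constructed illustration values (assumptions, not data from the book).
LEAK_FREQUENCY = 0.1           # initiating events per year
P_DETECTED = 0.9               # gas detection succeeds
P_IGNITION_AFTER_ESD = 0.01    # detected: shutdown has cut power to ignition sources
P_IGNITION_NO_ESD = 0.10       # undetected: ignition sources are still live
P_ESCALATION_DETECTED = 0.2
P_ESCALATION_UNDETECTED = 0.6


def quantify(frequency: float, nodes: List[Node]) -> Tuple[List[Tuple[Path, float]], int]:
    """Expand the tree node by node; return (terminal events, number of branch points)."""
    terminals: List[Tuple[Path, float]] = [({}, frequency)]
    branch_points = 0
    for name, p_yes in nodes:
        expanded = []
        for path, freq in terminals:
            p = p_yes(path)          # conditional on everything decided so far
            if p is None:            # question not applicable on this path
                expanded.append((path, freq))
                continue
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{name}: probability {p} outside [0, 1]")
            branch_points += 1
            expanded.append(({**path, name: True}, freq * p))
            expanded.append(({**path, name: False}, freq * (1.0 - p)))
        terminals = expanded
    return terminals, branch_points


def frequency_where(terminals: List[Tuple[Path, float]], **outcomes: bool) -> float:
    """Sum the frequency of all terminal events matching the given node outcomes."""
    return sum(f for path, f in terminals
               if all(path.get(k) == v for k, v in outcomes.items()))


def ignition_given_detection(path: Path) -> float:
    return P_IGNITION_AFTER_ESD if path["gas_detected"] else P_IGNITION_NO_ESD


def escalation(path: Path) -> Optional[float]:
    if not path["ignited"]:
        return None                  # nothing to escalate without ignition
    return P_ESCALATION_DETECTED if path["gas_detected"] else P_ESCALATION_UNDETECTED


# Nodes are worded positively ("gas_detected"), avoiding double negation.
ORDERED_TREE: List[Node] = [
    ("gas_detected", lambda path: P_DETECTED),
    ("ignited", ignition_given_detection),
    ("escalated", escalation),
]

# Ignition asked first: the detection outcome is not yet known, so a single
# value must be used. Here it is the value for live ignition sources.
IGNITION_FIRST_TREE: List[Node] = [
    ("ignited", lambda path: P_IGNITION_NO_ESD),
    ("gas_detected", lambda path: P_DETECTED),
    ("escalated", escalation),
]


def ignited_frequency(nodes: List[Node]) -> float:
    terminals, _ = quantify(LEAK_FREQUENCY, nodes)
    return frequency_where(terminals, ignited=True)


def over_prediction_factor() -> float:
    return ignited_frequency(IGNITION_FIRST_TREE) / ignited_frequency(ORDERED_TREE)


if __name__ == "__main__":
    for label, tree in (("detection first", ORDERED_TREE),
                        ("ignition first", IGNITION_FIRST_TREE)):
        terminals, branches = quantify(LEAK_FREQUENCY, tree)
        print(f"{label}: {branches} branch points, {len(terminals)} terminal events, "
              f"ignited leaks {frequency_where(terminals, ignited=True):.4f} per year")
    print(f"over-prediction factor: {over_prediction_factor():.2f}")
```

With these constructed values the ignition-first tree over-predicts the ignited leak frequency by a factor of about 5.3. Each tree has five branch points and six terminal events, the same "branch points plus one" relation as the 48 nodes and 49 terminal events quoted for the detailed event tree.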

6.5.4 MTO
MTO (Man, Technology and Organisation) analysis is primarily developed as a technique for the investigation of accidents and incidents. It may, on the other hand, also be used for analytical purposes, and a brief summary is therefore included. It may be noted that MTO investigation is the main investigation technique used by Petroleum Safety Authority Norway for investigation of accidents on the Norwegian Continental Shelf.
The method is based on HPES (Human Performance Enhancement System) from the nuclear industry, and has been developed by Jean-Pierre Bento. There are few sources available for a general description of the MTO-analysis, one of which is by Tinmannsvik et al. (2005), on which the following summary is based.
The MTO-analysis is based on three methods:
1. Structured analysis by use of an event- and cause-diagram.
2. Change analysis by describing how events have deviated from earlier events or common practice.
3. Barrier analysis by identifying technological and administrative barriers which have failed or are missing.
Figure 6.17 illustrates the MTO-analysis worksheet, when used in an accident investigation. The first step in an MTO-analysis is to develop the event sequence horizontally and illustrate the event sequence in a block diagram. Then, the analyst should identify possible technical and human causes of each event and insert these vertically to the events in the diagram.

Figure 6.17. Illustrative MTO-diagram (rows: Change analysis, with Normal and Deviation; Events and causes chart, with Causes and Chain of events; Barrier analysis)

The development of the event sequence is often referred to as a ‘timeline analysis’ i.e., an analysis of the sequence of events and their timing. This is a step in the accident investigation which is common for many of the investigation techniques.
The next step is to make a change analysis i.e., to assess how events in the accident progress have deviated from normal situation, or common practice. Normal situations and deviations are also illustrated in the Figure 6.17.
Further, determine which technical, human or organisational barriers that have failed or were missing during the accident progress. All missing or failed barriers are shown below the events in the diagram. The basic questions in the analysis are:
- What may have prevented the continuation of the accident sequence?
- What may the organisation have done in the past in order to prevent the accident?
The last but important step in the MTO-analysis is to identify and present recommendations. The recommendations should be as realistic and specific as possible, and might be technical, human or organisational.
A classification system for basic causes has also been developed, in order to enable trend analysis of accident causes. The causes are classified into the following categories:
- Working environment
- Operational organisation
- Routines for change management
- Installation management
- MMI – Man Machine Interface
- Working schedules
- Communication
- Procedures, instructions
- Supervision
- Working practices
- Competence, training.
It should be noted that the MTO-analysis is not suitable for quantitative analysis. Figure 6.18 and Figure 6.19 show a complete MTO diagram from an actual case.

6.6 HC Leak Modelling
The modelling of an accidental scenario associated with gas and oil starts with the leaking medium. This may be from many sources, such as:
- pipes and associated fittings
- vessels
- pipelines/risers.

Figure 6.18. MTO diagram for ‘Hot bolting’ incident, Part 1

The phase of the leaking medium is the next important aspect:
- 1 phase flow i.e., gas or oil (liquid) phase
- 2 phase flow i.e., usually gas and oil (liquid) mixed
- 3 phase flow i.e., gas, oil, water.

Figure 6.19. MTO diagram for ‘Hot bolting’ incident, Part 2

Different models suitable for the different phase compositions and different sources (mainly reflecting the difference between outflow from a vessel or from a pipeline or pipe section) have to be used. The models are primarily aimed at determining the flow rate as a function of time.

6.6.1 Leak Statistics
The Petroleum Safety Authority [Norway] has the last six years collected considerable amounts of experience data for the Norwegian Continental Shelf, in particular for hydrocarbon leaks from process equipment and operations. The scientific approach has been discussed in Vinnem et al. (2006b). The last annual update is presented in PSA (2006a and b). Details are only available in Norwegian, the summary report is also published in English.
There is actually data available for a ten year period, 1996–2005 for all installations on the Norwegian Continental Shelf. The quality of the data is good for the period 2001–2005, and this should be the main data basis. The overview of all leaks exceeding 0.1 kg/s leak rate from all installations in the Norwegian sector is shown in Figure 6.20.

Figure 6.20. Overview of HC leaks > 0.1 kg/s, Norwegian sector, 1996–2005 (bar chart: number of leaks per year, 1996–2005, by leak rate category 0.1–1 kg/s, 1–10 kg/s and >10 kg/s)

The data in the project has been normalised in relation to several parameters, for hydrocarbon leaks it is the number of installations and number of manhours worked on the installations. The installations have been divided into categories:
- Fixed production installations
- Floating production installations
- Complexes, bridge linked production installations
- Normally unattended installations (production installations)
- Mobile units.
It should be noted that complexes are somewhat special. There may be from two to more than ten bridge linked installations, of which several may in theory handle hydrocarbons. But with respect to normalisation, complexes are counted as one installation, irrespective of how many bridge linked installations there are, and how many of them that handle hydrocarbons.
Figure 6.21 presents a cumulative leak rate distribution as average for all installation types in the entire Norwegian sector, expressed per installation years.

Figure 6.21. Leak rate distribution for Norwegian leaks, 2001–2005 (axes: cumulative frequency per installation year against leak rate in kg/s)

The leak frequencies per installation year for the categories of production installations are shown in Table 6.1. It may be observed that the total frequency of leaks above 0.1 kg/s is 0.31 per installation year for fixed production installations, whereas the corresponding value for floating production installations is 0.57, for complexes the value is the highest, 0.74 per installation year. The value for normally unattended installations is very low, 0.03.

Table 6.1. Overview of leak frequencies per installation year

Production installation    0.1–1 kg/s    1–10 kg/s    >10 kg/s
Fixed production           0.25          0.047        0.012
Floating production        0.44          0.12         0.0079
Complex                    0.46          0.26         0.020
Normally unattended        0.029         0            0

The Risk Level project (PSA, 2006a) also includes a comparison with UK operations. Figure 6.22 presents a comparison of the number of leaks > 1 kg/s for the entire UK and Norwegian sectors. The reason why 1 kg/s leak rate is used as cut-off limit is in order to eliminate possible underreporting. One other source of uncertainty cannot be eliminated though. The UK data collection performed by HSE, has some additional classification criteria, which are additional cut-off limits due to either very short duration of leak and/or very small total amount, which are not used in the Norwegian data collection. This implies that some of the leaks that exceed 1 kg/s are not included in the statistics, and thus makes the comparison Figure 6.22 somewhat imprecise.

Figure 6.22. Comparison of number of leaks > 1 kg/s for UK and Norwegian sectors (number of leaks per year, 1992–2005; series: Norw. shelf, UK shelf)

The Risk Level project performed an exercise in 2005, in order to compensate for this. This exercise was focused on installations north of 59 ˚N, because the size and complexity of the installations are similar in UK and Norwegian sectors. The project has presented a comparison of leak frequencies per installation years, as shown in Table 6.2.

Table 6.2. Comparison of leak frequencies for UK and Norwegian sectors, north of 59 ˚N

Shelf                        Number of leaks    Number of installation    Number of leaks per 100
                             2000–04            years 2000–04             installation years
Norwegian, north of 59 ˚N    24                 172                       14.0
UK, north of 59 ˚N           7                  185                       3.8

It is demonstrated that under comparable conditions, the frequency per installation years is almost four times higher in the Norwegian sector, compared to the UK sector.
The Risk Level project has also analysed the leaks with respect to operational condition on the installation when the leak occurred. Figure 6.23 shows the operational phase for the system involved when the leak occurred based on leaks in the period 2001–05. It is shown that leaks during normal operations accounts for less than 30% of the leaks. The leaks are strongly dominated by loss of containment barriers during manual operations and start-ups, shut-downs and trips (which also are strongly influenced by manual intervention, etc.).

Figure 6.23. Operational phase recorded when leak occurred (number of leaks by phase: Normal ops, Startup/shutdown/trip, Manual ops, Not in operation)

The next two diagrams focus on the causes of hydrocarbon leaks, as well as the type of failure that caused the leak. Figure 6.24 shows the causes of leaks in the Norwegian sector, as an average percentage distribution for the period 2001–05. It is clearly demonstrated that where only equipment is involved i.e., no operations and manual interventions, is a fraction of 29%, which is virtually the same as the ‘normal operation’ in Figure 6.23. Combinations where operational faults are involved, account for as much as 70% of the leaks. Correspondingly, 32% of the leaks involve some kind of procedural fault or weakness.
The final presentation in Figure 6.25 considers leaks caused by operational faults in more detail. The two dominating contributions are ‘operational faults’ and ‘left open’. ‘Operational fault’ may in this connection be for instance, opening valves in a wrong sequence, or not performing manual tasks according to procedures or good practice. ‘Left open’ could typically imply that it was forgotten to close an open valve, before starting opening other valves or starting pumping.

25.24. A release in the liquid phase from a pressurised system will normally give a small gas cloud compared to gas release with the same mass flow rate. Causes of leaks with operational faults 6.204 Offshore Risk Assessment Equipm&operational &procedure cause 5% Equipment cause 29 % Operational&proced ure cause 26 % Operational cause 26 % Equipm&operational cause 13 % Procedure related cause 1% Figure 6. . is the mass flow rate (often called the ‘leak rate’). with a lower flammability limit and lower ignition temperature or energy. But there are some aspects that may imply that the liquid release may be just as dangerous as the gas leak. as will the probability of gas explosion. It is therefore important to be able to calculate the leak rate for hydrocarbon leaks that are observed on the installations.2 Calculation of Leak Rates from Experience Data One of the main parameters used in order to characterise a hydrocarbon leak. in some cases even worse: Some of the liquid will evaporate and result in a gas leak.6. in particular gas leaks. usually expressed in kg/s. 2001–2005 25 Number of leaks 20 15 10 5 0 Inspect fault Ops fault Testing fault Maint fault Install fault Left open Opened w ith HC Opened w Other ops Unknow n latent fault fault Operational causes Figure 6. Causes of hydrocarbon leaks. This implies that the probability of ignition will be lower. often dominated by heavy gas fractions.

- The release may constitute a spray of small droplets, which may behave more or less as a gas cloud.

Measurements which may be used in order to calculate the mass flow rate are typically related to the dimensions of the gas cloud; usually only the fraction above the lower flammability limit is considered. This is due to the fact that the size of the gas cloud is usually the most important parameter for the hazard characterisation of the gas leak. Gas detector recordings may be used to calculate the dimensions of the gas cloud, as a function of time if the detector readings allow that.

The mass flow rate will vary considerably as a function of time, and the largest cloud usually occurs with the highest leak rate; what is reported as the characteristic leak rate is usually the maximum leak rate. One exception where this may not be the case is a leak with very short duration, instantaneous leaks. The maximum gas cloud may then occur with some time delay in relation to the release. In these cases, an ‘equivalent’ continuous gas leak is considered, which would give a gas cloud with the same size. The flow rate given as the characteristic leak rate is that of the equivalent continuous leak, implying that the hazard potentials should be the same.

As an example, the following could be considered: a large leak in a process module, starting at 10 kg/s, having decreased to 1 kg/s after 60 seconds. The maximum gas cloud occurs after 30 seconds, with a volume of 700 m3. This corresponds to a stationary leak of 4 kg/s, which would give a stable gas cloud of the same size as the equivalent stable leak scenario.

Below follow some simple illustrations of how different leak sizes will result in gas cloud of different sizes, based on some simple modelling with CFD tools, based on PSA (2005b). More detailed cases may be calculated by means of studies using CFD tools.

A leak rate of 0.1 kg/s gives a gas cloud above the lower flammability limit with a typical volume of 0.5 m3. If the jet is without impulse (diffuse leak), the volume increases to 10 m3. The times to stable conditions are 2 s in the case of a jet, and 20 s in the case of diffuse leak. Due to the low leak rate, there is little or no difference between a leak in the open or inside a process module with limited natural ventilation.

For larger leak rates, however, this distinction becomes an important parameter. A large leak (around 10 kg/s) in open air will cause a gas cloud which is stable after less than 5 seconds, in the case of a free, unobstructed jet, whereas the time would be in the order of 60 seconds inside a process module. The volume of the gas cloud (within flammable limits) is also much larger in the latter case, as much as 20 times larger.

6.6.3 Modelling of Leaks

There are several factors which influence the flow modelling and influence the duration of the leak:
- Isolation of sections of the process systems into limited volumes.
- Depressurisation of one or more sections of the process system to limit the volume of gas or oil escaping from the leak.

The depressurisation model is the most difficult aspect. There are simple as well as complex models available for use in modelling this aspect. Multi-phase releases from pipelines and risers really require complex computational tools such as OLGA (see Appendix A). Simpler models may be used for coarse evaluations. Realistic modelling of the leak and its duration is obviously very important to determine the size and duration of any fire that may occur, and the response of the platform.

6.7 Ignition Probability Modelling

Ignition probabilities are one of the most critical elements of risk quantification in that the risk results are normally directly dependent on the probability of ignition. There are limited accident statistics available on the subject of ignition probability, most likely because such statistics are difficult to establish following an accident involving an ignited release. Further, there is very little experimental data available, due to the difficulty or impossibility of establishing realistic values through laboratory experiments. The type of data that are available is limited to flash points, auto ignition temperatures, etc.

It may be noted that the extent of available data for the other critical element of the risk quantification, that is leak frequency, is quite a bit better although not perfect. Ignition probability models have been published in several textbooks and papers, but seldom include anything approaching design and operation details. These models reflect leak rates and module volumes.

6.7.1 Experience Data

There has been no ignited hydrocarbon leak with leak rate above 0.1 kg/s since 19 November 1992. In this incident a small gas leak, probably in the order of just above 0.1 kg/s, was ignited most likely by grinding sparks during modification work. Prior to that there was an oil leak from an export pump, a failed seal on the export pump during normal operation, where the leak source was also the ignition source. About 0.5 m3 of crude oil leaked during a period of less than 2 minutes, implying that the leak rate was considerable, around 5 kg/s.

The collection of leak and ignition data by UK HSE is the most extensive online data collection scheme in existence, and has an extensive overview of ignited leaks. HSE publishes data on leaks and ignitions (HSE, 2002). The summary below was based on a review of HSE statistics on ignited HC leaks in the period 1992–2003, as summarised in Table 6.3. As seen from the summary, out of a total of eight ignited leaks, four were caused by welding, one due to explosion in the pump exhaust, one by faulty trace heating tape, one by lightning and one was not a real ignition. It should be noted however, that the vast majority of leaks has occurred for non-process leaks from utility systems of various types.

Comparison of UK and Norwegian leak rates was presented in Section 6.6.1 above, where it was shown that leak frequencies per installation year are substantially lower in the UK sector, when compared to the Norwegian sector. When the comparison was repeated for ignited leaks, the situation was opposite. For the period 1 October 1992 until 31 March 2005 the following gas and two-phase leaks in the UK sector compares to no ignited leaks in the Norwegian sector:
- 480 gas/two-phase leaks > 0.1 kg/s
  - Of which 187 leaks > 1 kg/s
- 6 gas/two-phase leaks > 0.1 kg/s have been ignited
  - Of which 1 ignited leak > 1 kg/s

Table 6.3. Summary of ignited leaks (HSE statistics in the period from 1992 to 2003)

| Description of event | Cause of ignition |
|---|---|
| Gas leak during construction activity, using cutting torch to remove valve. Gas pocket remained even after nitrogen purging. | Welding ignited a pocket of gas that had not been inerted by nitrogen. |
| While undertaking welding activities on the new tie-in pipe work a spark ignited a small gas release from a flange on valve XCV-46007. The flame was quickly put out by the fire watch and no damage or injury occurred. The platform has been shutdown, leak testing done to identify the source of the leak and subsequently de-pressurised in order to change out the gasket. | Welding |
| Annual shutdown. Internals of spool piece not checked for hydrocarbons prior to work. Presence of hydrocarbons caused flash fire when welding attempted. Flash fire disappeared up pipe and extinguished itself. | Welding ignited the gas. The equipment was not checked for hydrocarbons prior to work. |
| Gas release through a valve that was marked closed but was open. The gas vented through. | Welding ignited the gas. The equipment was depressurised but not entirely degassed. |
| Minor fire from instrument impulse line, gas leak ignited by faulty trace heating tape, resulting in a torch fire approx. 3 to 4" long. | The gas leak ignited by faulty trace heating tape. |
| During normal ops a fuel changeover was being made on mol pump turbine. The turbine tripped and some moments later an explosion was heard. The source of the explosion was not immediately clear. No fuel gas control action took place and eventually the source of the explosion was traced to the pump exhaust. Two items of debris have been found on the platform top deck. | Explosion in the pump exhaust. |
| LT-Vent was ignited by lightning, platform fire and gas system detected, plant shutdown and depressurised, deluge auto activated and fire extinguished. | Lightning |
| During the start up sequence of G4500 (GT4) Avon Gas Turbine driven generator incident is believed to be due to excessive build up of fuel gas within the turbine unit during the start up sequence. The fire was extinguished with fixed CO2 system. No muster was called as the engine was isolated and the incident contained. | Exhaust gas activated smoke detection |

6.7.2 Cox Model

Cox et al. (1991) has presented a simplified model, and a framework for a more sophisticated model to be used in determining the probability of ignition. The model is based on relatively simple assumptions regarding the ignition probability for the lowest leaks, and the observed ignition probability for blowouts as the extreme.

[Figure 6.26. Simplified ignition model according to Cox et al. Curves: Ign. prob and Prob of expl; x-axis: Flow rate (kg/s), 0.1 to 100; y-axis: Probability, 0.001 to 1.]

6.7.3 Platform Specific Modelling

Use of the Cox model results in relatively high ignition probabilities. A more fundamental problem is that no actions taken to prevent ignition are reflected in the model. The Cox’ model however, was for a long time the only publicly available model and has therefore gained significant usage. It is therefore important that platform specific modelling is used, and preferably also operation specific modelling. The objectives of platform specific modelling are to reflect the following aspects:
- The probability of ignition of a HC leak, which is dependent upon the likelihood and susceptibility of the leaking medium to ignite.
- The size and concentrations of the flammable cloud i.e. the leak rate in relation to the module volume and the ventilation rate.
- Different types of equipment have different failure modes and frequencies which may be susceptible to failure that leads to ignition. The likelihood of ignition from different equipment units should therefore distinguish between equipment types, and the location of the equipment in relation to the leak.
- Ignition by manual operations (such as welding) should be considered explicitly. The same also applies to permanent ignition sources, such as the flare, burners, etc.
- The ignition probability should be expressed as a time dependent function.

- A 'baseline' (or 'background') probability of ignition is considered to exist in all areas, irrespective of equipment and operations, due to miscellaneous activities and equipment that is not possible to consider explicitly.

In addition to these main technical requirements for an ignition there is also a need for a model which is not too complicated to use. Actual modelling will therefore always be a compromise.

6.7.4 Industry State-of-the-art Time Dependent Modelling

A joint industry project (JIP, DNV, 1998b) has been conducted to develop a methodology for the prediction of ignition probabilities in offshore QRAs. The main focus has been on the ignition of high pressure gas releases inside modules and to external gas dispersion and ignition. Both internal and external ignition models have been developed. Only a general description of the models is, however, in the public domain and thus only brief details can be presented here.

6.7.4.1 Internal Ignition Model

An approach has been selected which is capable of reflecting both the geometrical conditions in an offshore module as well as the dynamic development of a hazardous situation after a release occurs. It is therefore possible to incorporate the effects of the location of release sources in relation to potential ignition sources as well as safety measures which may be activated to control the release (detection, ESD, BD) and prevent ignition.

Three main modules have been established:
1. Prediction of gas dispersion and the likelihood of exposure of potential ignition sources to flammable concentrations.
2. Representation of the different ignition sources reflecting experience data and operational mode.
3. Integration into a time dependent ignition probability function.

The model originally involved simplified dispersion modelling, in which average concentrations in four quadrants at two heights were calculated. This approach was soon replaced by a more detailed approach, because it was considered to be too coarse, but even so the use of just two blocks in the vertical direction may give conservative results. In recent years, all studies have been based on dispersion calculations using a CFD computer code.

The model is based upon release of a light hydrocarbon gas. For condensate leaks, the modelling is not representative, and may produce non-conservative results.

An example of how the results are presented is shown in Figure 6.27, presenting continuous as well as discontinuous sources, and the total probability. Figure 6.27 implies that the total ignition probability has two components, from ‘continuous’ and ‘discontinuous’ sources. The ignition probability due to continuous sources has reached a stable level after typically some 90 seconds, after which this mechanism does not contribute any further. The discontinuous sources contribute to the ignition probability for typically some 6–8 minutes (400 seconds in the diagram), after which no further ignition is likely.

[Figure 6.27. Illustration of time dependent ignition probabilities, including continuous and discontinuous sources. Curves: Probability, discontinuous; Probability, continuous; Total probability. x-axis: Time since leak (s), 0 to 700; y-axis: Ignition probability, 0 to 0.16.]

6.7.4.2 External Ignition Model

A mathematical model has been developed in order to predict the complex phenomenon of flow of gas around an offshore platform. The mathematical model has been developed based on correlations against a limited number of Computational Fluid Dynamics (CFD) cases and physical effects deduced from these cases. The model therefore has quite severe limitations. Within the limits of the program, the dispersion of gas and the resulting ignition probability can be calculated using generic models in a consistent manner.

6.7.4.3 Critical Aspects

It has been found that the model produces relatively high ignition probabilities. Compared, however, to the ignition probabilities that some consultants working in this field have been using, the ignition probabilities are somewhat on the high side. It should be noted though, that the ignition probabilities are not high in relation to the data from UK HSE’s leak and ignition database, nor high in relation to the Cox model described above. A revision of the model was therefore started in 2004. The intention with this work has been to calibrate the model against the newest data available, and to allow influence on the probabilities from design or operational aspects. The new model is briefly introduced in Section 6.7.5.

Another critical aspect is the model for external ignition, which is a rather coarse representation of flow outside the platform. The external ignition sources can sometimes be continuous and not possible to isolate quickly (such as the flare). It is therefore important that the modelling of this aspect is as realistic as possible.

6.7.4.4 Calibration of Ignition Model

A benchmark exercise (DNV, 1998c) was conducted in 1998, in order to calibrate the ignition model by comparing the predicted number of fires as calculated from the model with the actual number of fires in the North Sea in recent years. Regrettably it was found that insufficient data prevented any firm conclusion being drawn from the exercise. The following is, however, a simple illustration of the implications of the ignition modelling, limited to the probability of explosion.

Since 1992 HSE have implemented a rigid system for reporting hydrocarbon leaks, limited to the installations on the UK Continental Shelf, and have published annual statistics. The number of leaks may be established quite precisely from this overview. The smallest leaks are excluded from the study, as these are not considered capable of giving a gas cloud which is sufficiently large to produce a gas cloud explosion. Thus the number of leaks in the period is 735 [non-minor] leaks. Corresponding information is not available for the Norwegian sector, and thus normalisation against the leak frequency can only be done for the UK sector.

The number of explosions is established through the explosion study which is further described in Section 7.3.1 (Vinnem, 1998). For the UK sector, four explosion incidents have occurred in the period, all being relatively trivial with limited blast loads, of which one caused a blast load somewhat above 0.2 barg. Only two of these are relevant to process systems that are included in the QRA studies. Similar values for the Norwegian sector are five and two.

The most difficult aspect is to establish a prediction of the probability of explosion on any Norwegian or UK installation, based upon the use of the ignition model. Ideally, the model should be applied to all UK (and Norwegian) installations. This is an extremely time consuming activity, which is virtually impossible to carry out. What has been done, however, is the following:
- The average explosion probabilities given process leaks using the time dependent ignition model as well as the gas leak frequencies have been calculated in detail for one installation.
- The explosion study referred to above (Vinnem, 1998), has calculated the number of explosion areas (either a small platform with all equipment installed in one area, or where an area is segregated from other process areas by a fire/blast wall) for each installation in the North Sea.
- This information is used to generate frequency predictions for the entire UK North Sea sector, for process leaks and explosion probabilities.
- The average explosion probabilities are assumed to apply to all explosion areas, irrespective of the platform type, as long as the number of explosion areas exceeds one area per platform.
- For platforms with just one explosion area, some are very simple. This is taken care of by applying an adjustment factor of 0.5 for UK platforms, and 0.8 for Norwegian platforms, the difference due to fewer simple platforms in the Norwegian sector than in the UK sector.

These are relatively coarse assumptions, and some sensitivity analyses are carried out in order to compensate for this. The results of two approaches are presented in the following.

6.7.4.5 Calibration of Actual Number of Explosions

First the actual number of explosions is predicted by the ignition model and generic leak frequencies, and compared with the actual number of explosions, for UK and Norway. The results are presented in Table 6.4.

The number of explosions is important, as mentioned above. Some of the explosions, as noted above, have been concerned with systems and mechanisms that are not addressed in a QRA, and therefore have to be eliminated in the calibration. This concerns the following:
- Two of the four cases in the UK were due to internal explosions inside the flare system.
- Three of the five cases in the Norwegian sector were due to aspects that fall outside the QRA studies, one due to construction work in a fire pump room, one due to manual work in the wellhead area and one due to an internal turbine explosion.

Table 6.4. Comparison of predicted number of explosions in the North Sea with real explosions

| Country | Predicted number of explosions | Relevant explosions that have occurred | All explosions |
|---|---|---|---|
| UK | 8.2 | 2 | 4 |
| Norway | 3.6 | 2 | 5 |
| Total | 11.7 | 4 | 9 |

The ratio between predicted number of explosions and the number of relevant explosions is 11.7:4 = 2.9. The weak aspect of this approach is that the calibration actually includes both the number of leaks and the probability of ignition leading to explosion given a gas [or condensate] leak. The following comparison attempts to eliminate the gas leak frequency.

6.7.4.6 Calibration of the Conditional Explosion Ignition Probability

The second calibration is done for the conditional probability of ignition of explosion, given the occurrence of a gas leak. This approach is judged to be better with respect to actual calibration of the ignition model, because the number of leaks is eliminated from the calibration. The actual number of explosions was related to the number of leaks for the UK sector. The predicted value is taken from the QRA study referred to above, where the ignition probability was calculated from the time dependent JIP model, and the leak frequency calculated from the HSE database. The elimination of non-relevant explosion cases was done as outlined above. The comparison of the results is presented in Table 6.5.

The ratio between conditional ignition probabilities based on the predicted number of explosions and the number of relevant explosions is 1.52:0.272 = 5.6. The most relevant comparison implies that the JIP model overpredicts the ignition probability with a factor of 5.6.
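The arithmetic behind the two calibrations above, as an added example that is not part of the book: it recomputes the count ratio and the conditional-probability ratio from the figures quoted in the text (735 non-minor UK leaks, two relevant and four total UK explosions, a predicted conditional probability of 1.52 × 10^-2). The binomial tail at the end is this example's own consistency check and assumes independent leaks that all share the predicted probability; it is not the prediction-limit calculation used in the book.

```python
"""Calibration arithmetic for the JIP ignition model (added example)."""
from math import comb

# Figures quoted in the text.
UK_LEAKS = 735                  # non-minor leaks in the HSE data, UK sector
UK_RELEVANT_EXPLOSIONS = 2      # explosions relevant to QRA process systems
UK_ALL_EXPLOSIONS = 4           # all explosion incidents, UK sector
P_PREDICTED = 1.52e-2           # JIP model: P(explosion | gas leak)
PREDICTED_TOTAL = 11.7          # predicted explosions, UK + Norway
RELEVANT_TOTAL = 4              # relevant explosions, UK + Norway


def count_ratio(predicted, observed):
    """First calibration: predicted explosions per observed explosion.

    This ratio mixes leak frequency and ignition probability, which is
    the weakness the text points out.
    """
    return predicted / observed


def observed_conditional_probability(explosions, leaks):
    """Second calibration: observed P(explosion | leak) = explosions / leaks."""
    return explosions / leaks


def overprediction_factor(p_predicted, explosions, leaks):
    """How many times larger the model's probability is than the observed one."""
    return p_predicted / observed_conditional_probability(explosions, leaks)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p).

    Assumption of this example: each leak is an independent trial with the
    same explosion probability p.
    """
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def calibration_summary():
    """Collect both calibrations for the relevant and the all-explosions case."""
    summary = {"count_ratio": count_ratio(PREDICTED_TOTAL, RELEVANT_TOTAL)}
    cases = (("relevant", UK_RELEVANT_EXPLOSIONS), ("all", UK_ALL_EXPLOSIONS))
    for label, explosions in cases:
        summary[label] = {
            "observed_p": observed_conditional_probability(explosions, UK_LEAKS),
            "overprediction": overprediction_factor(
                P_PREDICTED, explosions, UK_LEAKS
            ),
            # Chance of seeing this few explosions if the model were right.
            "tail_if_model_true": binomial_cdf(explosions, UK_LEAKS, P_PREDICTED),
        }
    return summary


if __name__ == "__main__":
    result = calibration_summary()
    print(f"count ratio (predicted:relevant) = {result['count_ratio']:.1f}")
    for label in ("relevant", "all"):
        row = result[label]
        print(
            f"{label:>8}: observed p = {row['observed_p']:.2e}, "
            f"overprediction = {row['overprediction']:.1f}, "
            f"P(X <= observed | model) = {row['tail_if_model_true']:.1e}"
        )
```

Counting all four UK explosions instead of the two relevant ones halves the overprediction factor, which is why the elimination of non-relevant cases matters for the calibration.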

Table 6.5. Comparison of predicted probability with actual ratios, UK sector

Probability of ignition causing explosion (column headings: Mean value; Prediction limits, Upper (90%) and Lower (10%)):
- Predicted, JIP model: 1.52 × 10^-2
- Relevant explosions: 2.72 × 10^-3; 1.45 × 10^-2; 3.00 × 10^-3
- All explosions: 5.44 × 10^-3

It appears, however, that the time dependent JIP ignition model overpredicts the probability of explosion ignition by a factor typically in the range 2–3 or even more. It should nevertheless be pointed out that the number of cases included is low, only two relevant explosions. It may nevertheless be seen that an 80% confidence interval is entirely below the predicted value. In fact, the probability that the frequency exceeds the value predicted by the JIP model is about 8.5%.

6.7.5 Revised JIP Model

The revised model is described in Scandpower Risk Management (2006). The model has the following characteristics:
- The model parameters reflect 10 years (1992–2002) experience related to gas leaks and ignitions on offshore installations on the Norwegian and UK continental shelves.
- The model gives a contribution to immediate ignition (leak rate dependent).
- The model includes ignition as a function of gas cloud growth (for continuous ignition sources).
- The model considers ignition as a function of the size of the ignitable gas cloud (discrete ignition sources).
- The model reflects isolation of ignition sources due to gas detection.

Input to the model is description of the gas cloud i.e. size/volume of flammable mixture at a given time step and the increase in the gas cloud during that time step. Also the time for gas detection and subsequent ignition source isolation has to be entered into the model.

The model has the following parameters:
- Event ignition, Pevent
- Ignition sources in the area, Pif
- Continuous vs. discrete ignition sources, ia, ib
- Effect of ignition source isolation, Piso
- Time delay, ignition by hot surfaces and isolation, Phot

The term ‘event ignition’ is used for ignitions that occur immediately and are typically related to the cause of the leak in some way. This may be equipment breakdown, impacts or operator intervention e.g. hot work.

The potential ignition sources that are distributed in the actual area are described by the parameter Pif. The Pif parameter is defined such that it is comprised of both continuous and discrete ignition sources.

The relative contributions to ignition probability for discrete ignition sources are described by ia and ib. The parameter ib is applied before isolation, and ia after isolation. With higher contribution from discrete sources, the explosion risk will increase, as delayed ignition probability increases. The effect of ignition source isolation will increase as well.

The effect of ignition source isolation on ignition probability is quantified using the parameter Piso. Piso = 0 means that ignition source isolation has no effect with respect to ignition probability. Piso = 1 means that ignition source isolation effectively stops all ignition sources in the area. With effective ignition source isolation, the probability for delayed ignition is reduced, but only for the scenarios that are effectively detected. The explosion risk will also be reduced, because ignition of a large gas cloud is less likely.

The fraction, Phot, is the fraction of the isolated ignition sources that can still ignite a flammable gas cloud. There is an additional delay related to the cooling time of hot surfaces. The probability that the continuous source is still a potential ignition source has been modelled exponentially decreasing. Finally, for continuous sources, the ignition probability for small leaks that are hard to detect automatically due to their small gas cloud sizes will be higher.

6.8 Escalation Modelling

Barriers are those systems and actions that prevent escalation from occurring. This section discusses the modelling of barriers in the event tree, with respect to their functionality, reliability and availability as well as the survivability of the systems, sometimes called, vulnerability to accidental loads.

The importance of barriers is well illustrated by comparison of the outcome from two actual events each involving a medium sized gas leak in the compression area of a platform. The worst case, the Piper Alpha disaster on 6.7.1988 is well known. The explosion on the Brent Alpha platform on 5.7.1988 is less well known. This accident started in exactly the same way as the Piper Alpha accident. The result was a gas fire following the explosion, brought under control in some 45 minutes due to automatic systems, with only superficial damage to the compression module. The dramatic difference between the two events arose because on the Brent Alpha platform, the barriers functioned as intended, while on Piper Alpha they did not. Some more details about these two accidents are presented in Subsection 8.1.1.

6.8.1 Functionality

Analysis of the functionality of the barriers involves determining whether they are capable of performing their intended function. As an example, gas detectors of the catalyst type have often been ‘poisoned’ by salt and other contaminations. Fire water systems may be clogged with dirt, rust and other particles, to an extent that the required fire water capacity can no longer be provided.

The analysis of functionality is a deterministic analysis of the capacity and/or capability of the system in normal operating condition, including consideration of operational premises and constraints. The results of the functionality analysis may determine the probabilistic modelling of the barrier’s function. Many aspects of functionality may be verified by testing, for instance by performing a flow test of the fire water system, involving measuring the flow rates. But it is at the same time important to distinguish between functionality under ideal test conditions and under real-life accidental conditions.

6.8.2 Availability and Reliability

Many of the nodes in an event tree are related to the performance of safety systems which are normally passive, or ‘dormant’ systems, only intended to be activated upon detection of a hazardous event or accident. Thus even though these systems are repairable, and are being maintained, they function in an accident sequence as unrepaired systems, in the sense that in a demand condition, there is usually no time for repair. Consequently, both the availability and the reliability are important aspects.

Let us consider first the availability of a system required to operate upon detection of particular conditions. This is often called the ‘on demand availability’. The state of maintenance, inspection, and/or testing will determine its availability to function as intended.

Next, the reliability of the system i.e. the time to first failure, after the system has been activated, is also of crucial importance for some systems. There is considerable variation between systems, as to which of these two aspects is most important or whether they have equal significance, as may be illustrated by consideration of the gas detection system. It is very crucial that the detection of a possible leak is as early as possible. The system’s availability is therefore the crucial aspect when the leak starts. When detection has occurred, there is really no further use of the detection system. Its reliability is unimportant.

The fire water system however, is a different matter. An immediate start is crucial when the system is activated, but it is equally important that it continues to operate as long as the fire lasts. This implies that both availability and reliability are crucial aspects.

When both the availability and the reliability are computed, all aspects of preventive and curative maintenance, including inspection and testing, will have to be considered. Fault tree analysis is a commonly used analysis technique.

Many of the barriers (safety systems) which relate to the control of hydrocarbon systems, are automatic and cannot be negatively affected by personnel in the local control room. On the other hand some systems will require initiation by control room personnel, most typically the blowdown system, which upon actuation will depressurise the process equipment either sequentially or simultaneously. The participation of operators in the actuation process means that human and organisational factors need to be explicitly addressed in the availability and reliability studies. In fact the importance of HOF is sometimes even more vital for barriers related to non-hydrocarbon systems, where the functionality may be jeopardised by maloperation. For instance, it has been shown that human errors are the main cause of failure of barriers against marine hazards to FPSO vessels (Vinnem and Hauge, 1999). It is therefore important that analysis of barrier availability and reliability is performed with due attention to the importance of HOF.

Most safety systems are periodically tested, which implies considerable experience data. This may be used to produce installation specific availability data, if it is systematically collected and analysed. Reliability data for the continued operation of the system during the course of the accident can usually not be extracted from test data.

6.8.3 Survivability

Survivability analysis may be considered to be a form of reliability analysis, except that the operating conditions are the conditions of the accident. If a fault tree analysis is carried out, survivability considerations may be integrated into the reliability analysis. A severe explosion will most probably damage the fire water distribution system, to such an extent that fire water cannot be supplied to an area, even though its original functional condition and state of maintenance is perfect and error free. Survivability is also important in relation to the integrity of process piping and equipment, as well as blowdown and flare system piping.

Due to the nature of the phenomena involved, testing of survivability in realistic accidental conditions is virtually impossible. It is however, worth considering the experience from the so-called ‘large scale’ explosion tests in 1996/97 (SCI, 1998), from which it was observed that fire water piping survived considerably higher overpressure loads than previously thought. This is briefly discussed in Section 9.3.

6.8.4 Node Probability

The final value of a node conditional probability is a function of all the elements mentioned above, and may as an example, be expressed as follows for gas detection:

$$P^{f}_{GASDET} = P^{f}_{FUNCT} + P^{f}_{UNAVAIL} + P^{f}_{SURV} \qquad (6.6)$$

where
- $P^{f}_{GASDET}$ = probability of failure of gas detection
- $P^{f}_{FUNCT}$ = probability of gas detection not capable of functioning as intended in the specific accident circumstances
- $P^{f}_{UNAVAIL}$ = probability of gas detection unavailable due to maintenance problems
- $P^{f}_{SURV}$ = probability of gas detection not surviving the accident conditions for the required period.

6.9 Escalation Analysis
The entire process from an initial accidental event to the final end events, determined by consideration of the performance of protective systems and the responses of equipment and structures, is sometimes called the ‘escalation process’. This is the widest interpretation of ‘escalation’. Under this interpretation, escalation thus involves determination of different accident sequences and the related loads and responses applicable to each sequence.
A narrower interpretation of ‘escalation’ is to describe it as the secondary failure of containment, due to accidental effects, mainly to fire and explosion loads. Secondary fire effects such as smoke or radiation stemming from the original fire are not considered as escalation. This is the interpretation of ‘escalation’ used in this book, and the wide interpretation is replaced by the term ‘accident sequence’ modelling or analysis.
It may be important to carry out escalation analysis if the risk to assets is being considered. An alternative, which may be carried out independently of the escalation analysis, is the so-called impairment analysis, which involves an assessment of the frequencies of impairment of the main safety functions. Both escalation analysis and impairment analysis are focused on response to accidental loading.
6.9.1 Modelling of Fire Escalation
Escalation of fire from one area to another is required to predict whether a fire spreads out of the original area. Escalation to other areas may be due to three different escalation mechanisms:
- Heat impact from external flames
- Flames passing through penetrations and openings in the floor, walls or roof
- Failure of the segregating walls.
The ‘critical duration’ for external flames, is the transition point between a short duration flash fire and a stable fire. If the fire duration exceeds this critical duration, the escalation probability increases from near zero to a value dependent upon specific local conditions.
The failure of segregating walls, ceilings, and floors in the process areas will be strongly dependent on the loading and passive fire protection. It is assumed that fires may escalate due to damage to the fire walls, by direct flow of fuel to the adjacent area or by external flames. In such cases the effect of protective systems (which are focused on preventing escalation to other equipment) is limited.
The likelihood of structural failure due to fires may be considered in two ways:
- Coarse modelling based on simple heat transfer values
- Detailed modelling based on a comprehensive nonlinear structural analysis.
The modelling of fire escalation in a process area is a complex task, which could be a ‘never ending story’, unless limited in some way. Some extent of simplification has to be used. The actual probability of escalation in a specific scenario, will depend upon:
- Fire dimensions in relation to the location of other equipment
- Type of fire
- Duration of fire
- Effect of active and/or passive fire protection.
The following example, taken from a detailed QRA (Vinnem et al., 1996a), illustrates a fairly detailed fire escalation model. In the study referenced, the fire escalation has been carried out in the following steps:
1. A survey was carried out in the process areas to judge the conditional probability that fire from a certain process segment would impinge on piping from other segments. This assessment included a consideration of the size of the flame and the size of the adjacent piping.
2. A non-linear structural analysis of the failure times for piping was carried out, using a range of parameters for, piping diameter, wall thickness, internal pressure, system medium and blowdown time.
3. An escalation probability was then calculated by considering the particular circumstances of each scenario, according to Steps 1 and 2 above.
Figure 6.28 (Vinnem et al., 1996a) presents an example of the results from the non-linear stress analysis of the piping systems under fire loads.
Figure 6.28. Results from pipe failure study, times according to heat load and blowdown (BD) time [plot: time to failure (min) against heat load (kW/m2), curves for BD=7.5, BD=15, BD=30 and BD=60]
6.9.2 Modelling of Explosion Escalation
Explosions, as a possible source of escalation, have come very much into the focus in the recent years, mainly as a result of the so-called ‘large scale’ tests conducted during 1996/7 (SCI, 1998). These tests found considerably higher blast loads than those that had been found in smaller scale tests, and thus brought the existing design methods into question.
Explosions may lead to escalation in several different ways:

- Global structural collapse
- Rupture of explosion barriers (separating areas or modules)
- Excessive deformation of explosion barriers to the extent that they no longer form functional barriers
- Excessive deformation of decks or walls causing loss of containment in equipment units in other areas
- Excessive deformation of process equipment causing loss of containment in equipment units in other areas
- Damage to safety systems which renders them non-functional, following the explosion.
Escalation modelling has in the past been done extremely simplistically, in the sense that it has been assumed that process equipment and fire water piping would rupture at 0.3 bar overpressure, and that structures would collapse at an overpressure of 0.5 bar. This approach, however, has now been clearly shown to be inadequate, in the sense that it is overly conservative. With the higher probability of extensive blast loads, if such a conservative approach is used for escalation modelling, it will be extremely conservative (and costly). A further drawback of this approach is that such modelling is the opposite of platform specific modelling.
Escalation modelling therefore has to be done more specifically, and this results in the need for a dedicated analysis to determine realistic explosion loads. How this can be done is discussed further in Section 9.4, but it should be noted that current experience indicates that analysis based on CFD has to be employed.
Modelling of escalation should therefore reflect the actual loads and the capacities of the platform’s structure and equipment. This may be done in either of the following ways:
- Convert the output from the explosion analysis to idealised dynamic loads which may be then used as input to response calculations. (Often a triangular pressure pulse is used.)
- Discretise the output (pressure–time curves) from the explosion calculations into linear sections which may be used as input to structural analysis software.
It is essential that the response calculations are carried out with due attention to the dynamics of the system taking account of both elastic and plastic responses and the effect of large deflections.
6.9.3 Damage Limitation
There are extensive possibilities to limit possible damage and thus limit escalation potential. It will be important that these are reflected as far as possible in the analysis, not the least because then the analysis will be capable of determining the effects of any risk reducing measures that may be considered. Limitation of damage is based upon the use of active and passive systems such as:

- Passive fire protection on structures, walls, decks, piping, and equipment
- Explosion relief systems for reducing explosion overpressure
- Active fire protection systems for cooling and/or fire suppression
- Active explosion protection systems for reduction of overpressure, or suppression.
Traditionally, passive systems have been considered preferable because they are independent of activation. The main problem for active systems has been the failure to activate them in the case of an accident. There is also a trend that probability reducing measures are to be preferred over consequence reducing measures. There may sometimes be a conflict between these two principles. More thorough discussion of the possibilities for risk reduction is provided in Section 9.5. The focus in the following text is on how to model these systems.
6.9.3.1 Passive Fire Protection
There are several software packages to analyse the protective function of passive fire protection. These may be applied to structures as well as equipment. Given an accidental fire load and a protective shielding, the resulting temperature loading on the actual structure or equipment can be calculated with a reasonable degree of precision and assurance. These calculations will have to be based upon somewhat idealistic conditions and often do not reflect possible mechanical failure of the fire protection material, or ageing of the material. It is considered in spite of these limitations that the accuracy of the predicted results is reasonably good.
6.9.3.2 Active Fire and Explosion Protection
The influence of active fire protection is difficult to model explicitly. The effect of active fire protection in damage limitation is often considered rather simplistically without detailed calculations. It is possible to calculate the cooling effect of active fire protection under idealised conditions, but this is rarely done and moreover the effect of using idealised conditions has probably a large effect on the applicability of the results. It appears that rather limited research has addressed this subject, and the application of active fire protection has mainly been based on standards, regulations and industry accepted guidelines. The probable effect of this is the introduction of further conservatism in the analysis.
The same considerations also apply to the use of active explosion protection, mainly by use of fire water deluge systems. This has recently changed as a result of the large scale test programme, and the explosion simulation CFD codes are now able to simulate the effect of water deluge systems on explosion overpressure.
6.9.3.3 Explosion Relief
Explosion relief by panels and openings in module walls, roof and floor is considered together with the actual load calculations as these two aspects are very strongly interlinked. Modern CFD codes are able to take account of explosion relief measures.

6.9.3.4 Analytical Consideration
The sections above have demonstrated that the methods to analyse accidental loads in a detailed and quantitative fashion are somewhat limited. When an analytical capability exists, it is very often coupled with relatively idealistic considerations. This is further complicated by the fact that practical circumstances would play an important role in order to differentiate between what can actually happen following an accident and the extent to which damage may be caused. These are the main reasons why sophisticated analysis of accidental damage is seldom attempted.
Actually the situation is to some extent changing, in that the damage following an explosion is now becoming possible to calculate with advanced analytical tools. So far, however, these tools are not as effective as those used for fire loads. Considerable resources however need to be devoted to such studies, if they are to be effective.
Damage due to projectiles is another aspect where detailed modelling is virtually impossible. Some coarse modelling based on empirical data has been attempted, but not detailed modelling on a case-by-case basis.
6.9.4 Response of Equipment to Fire and Explosion
6.9.4.1 Fire Response
The critical part of pipe flanges is the bolts. The critical steel temperature for flanges with ordinary bolts is approximately 450°C, while the critical temperature for flanges with special bolts is 650°C (Gowan, 1978).
There are quite considerable differences between an empty vessel, a vessel filled with gas, and a vessel filled with liquid. In Gowan (1978) this is demonstrated by reference to one specific case with 122 kW/m2 heat load on a pipe, where the following response times (time to temperature of the steel wall reached 600°C) resulted:
- Pipe (Ø=14', thickness 20 mm) filled with gas: 4 minutes
- Pipe (Ø=32', thickness 43 mm) filled with gas: 7 minutes
- Pipe (Ø=32', thickness 43 mm) filled with liquid: 13 minutes
Vessels filled with flammable liquids will absorb heat during a fire. When the fire risk is considered, it is normal to consider the effect of a hydrocarbon pool fire beneath the vessel. On the ‘wet’ part of the vessels the absorbed heat heats up and evaporates the liquid. The pressure inside the vessel will increase as a result of evaporation of the liquid phase. If the pressure relief system for the vessel has insufficient capacity (the evaporation rate is higher than the relief rate), a BLEVE (‘Boiling Liquid Expanding Vapour Explosion’) may occur.
With several test series with pool fires as basis, a calculation method for the absorbed heat has been developed by API (API, 1976) based upon several series of tests with pool fires. This is expressed in the formulas:
$q = 2.6 \cdot F \cdot A^{-0.18}$ (6.7)

$Q = 27.9 \cdot F \cdot A^{0.82}$ (6.8)
where
q = average heat absorbed per m2 surface of the wet part of vessel, kW/m2
F = dimensionless factor; F = 1.0 for uninsulated tanks or vessels, F < 1.0 for insulated tanks and vessels
A = area of the wet part of the vessel, m2, and
Q = total absorbed heat by the wet part of the vessel, kW.
This formulation is based on the assumption that the flame from a pool fire will impinge on 55% of the total surface of a spherical tank, 75% of a horizontal cylindrical vessel, and up to 9 metres on the sides of a vertical cylindrical tank.
The part of the vessel that is not filled with liquid (‘dry’) will have a temperature rise in the steel and at high temperatures steel plates may rupture. Table 6.6 shows the time to rupture of uninsulated steel plates as a function of the tension in the steel plates and the thickness of the plates. The values in the table are calculated based upon an absorbed heat flux of 44 kW/m2. The steel plates are exposed on one side.
Table 6.6. Time in minutes to rupture of uninsulated steel plates exposed to a pool fire (API, 1979)
Tension in the steel plates 70 MPa (N/mm2) 140 MPa (N/mm2) Thickness of the steel plates 3 mm 13 mm 25 med mer 3 mm 13 mm 25 mm Time to rupture in minutes from start of fire 5 min. 23 min. 8 min. 2 min. 17 min. 13 min.
Literature often quotes 540°C as the critical steel temperature for load-bearing elements based upon the fact that at this temperature the yield stress of steel is approximately half that at ambient temperature (American Iron and Steel Institute, 1979). With an absorbed radiation flux of 30 kW/m2, the equilibrium temperature in the steel will after some time (depending on thickness) be 535°C. The time to reach this equilibrium temperature varies with the thickness of the steel. As a guideline 540°C can be used as the critical steel temperature for process equipment in general.
Another illustration of the behaviour of steel under fire loading can be found in Figure 6.29. The diagram shows that reduction of yield strength is quite gradual. It also shows that the ultimate strength (governed by the stress–strain relationship) actually increases up to 250°C.
Structural response of an entire system may be calculated, using non-linear finite element calculations.

Figure 6.29. Properties of structural steel at elevated temperatures [plot: relative strength (%) against steel temperature (°C), curves for yield strength and ultimate strength]
6.9.4.2 Explosion Response
There is actually a considerable amount of data available regarding the response of structures, equipment and humans to explosion overpressure loads. Much of the data regarding the effect of explosions on people comes from work and experience in the military. Structural response may be calculated, using non-linear finite element calculations.
6.9.5 Tolerability Criteria for Personnel
6.9.5.1 Heat Radiation
API RP 521 (API, 1997) states a level of 6.3 kW/m2 as permissible for exposure up to 1 minute for personnel with ‘appropriate clothing’ (API, 1997). For ‘emergency actions lasting several minutes’ 4.7 kW/m2 is quoted as the exposure limit and 1.6 kW/m2 for continuous exposure.
Some tests with voluntary participation of test personnel were conducted in May 2003, in order to determine if the limits based on API were too conservative or not. In general, there was insufficient data in order to conclude that the levels were too conservative, the records indicated though that somewhat longer exposure times could be accepted, without severe burns.
6.9.5.2 Oxygen Content in Air
When the oxygen concentration falls from 21% to 14% by volume, respiration and pulse increase. The ability to maintain attention and think clearly is diminished and muscular coordination is somewhat disturbed (Henderson and Haggard, 1943).
6.9.5.3 Carbon Monoxide (CO)
Sax (1984) quotes a lowest published ‘toxic’ limit of 650 ppm for 45 min exposure. Lethal concentrations are generally quoted to be higher.

The damage criterion could therefore be phrased as follows: The safety function is considered to be impaired when the smoke concentration is so high that the end of escape ways and corridors cannot be seen. if exposure for longer periods is considered (see Section 6.9.9. The criterion for impairment may taken as an air temperature exceeding 50°C. In desert climates temperatures can reach 50°C or more in the summer but usually then with low humidity.9.6.5. Lower values should be used. 6. 6.4 Air Temperature High air temperatures can be sustained. In saunas for example. A limiting value of 20–25 kW/m2 is normally accepted as the greatest heat load that humans can tolerate for more than a few seconds. there will be three factors which require consideration: Structural damage/debris High heat loads Combustion productions.2 above).e. The first factor is mainly associated with severe structural impacts (collisions) or the effects of explosions. say in order of 10 metres. The following text discusses the considerations of impairment and the main aspects to be taken into account.4. This is sometimes translated into a minimum distance of sight. It is worth noting that most of these criteria are ‘soft’ i.5 Smoke Smoke may hinder escape and evacuation if the visibility is reduced to such an extent that personnel are not able to orientate themselves or see whether the escape way leads to safety or not.6 Impairment Criteria for Safety Functions Impairment criteria are necessary in order to judge when the safety functions are unable to function adequately. but depend upon the effect of the incident on personnel. It may also be useful to define what constitutes ‘blocking’ of the escape ways. 6.9. temperatures in the order of 100°C are commonly used. they are not coupled with hardware damage nor structural failure.224 Offshore Risk Assessment 6. The criterion applies mainly to TR as short term exposure of higher temperatures may be allowed during escape and evacuation.5. Normally. 
In many scenarios the heat load will be the most important factor when evaluating the functioning of escape ways. . Sometime an ‘obscuration’ factor is used in order to express the limitation of the visibility..1 Impairment of Escape Ways The probability of the escape ways being blocked is related to the time it takes for the personnel to evacuate to the TR.9. providing that the humidity is low.

Impairment due to combustion products may cause impairment of larger areas. The combustion products from a fire primarily have two effects:
- Reduced visibility due to soot production
- Toxicity, primarily associated with CO and CO2.
6.9.6.2 Impairment of Temporary Refuge (TR)
The following are the conditions constituting loss of integrity of the TR, as specified by the Health and Safety Executive (HSE, 1992):
- Loss of structural support.
- Deterioration of life support conditions.
- Loss of communication and command support.
- Unusable evacuation means for those taking shelter in TR.
All accidental events affecting the TR are evaluated and the probability of ‘impairment’ of the TR for each event is calculated in the same way as for escape ways. The evaluation should include a study of possible smoke and gas ingress into the living quarters and TR. The TR must remain habitable until the personnel inside have been safely evacuated. This means that the time the TR must remain intact is longer than the corresponding time for the escape ways leading to the TR.
Impairment of the Shelter Area under Norwegian legislation (corresponds to Temporary Refuge in UK) is usually considered in the same way, except that evacuation is considered separately, not as part of the TR.
6.9.6.3 Impairment of Evacuation Systems
The vulnerability of the primary evacuation system is assessed for each accidental event. The impairment assessment of the primary evacuation system is similar to that for escape ways.
There is sometimes some confusion about what constitutes the ‘primary evacuation means’, because companies tend to state that the helicopter is the ‘primary means of evacuation’. This may often be true for precautionary evacuation, but is seldom so for emergency evacuation, especially in the event of a gas leak or fire. In these circumstances, the lifeboats must be considered the primary means of evacuation. It is vitally important that there is no confusion about what the main mode of evacuation shall be. Confusion about how to evacuate apparently contributed to the high death tolls in the Piper Alpha disaster in 1988.
The assessment of impairment probabilities for the lifeboats takes into account factors like possible explosion damage, extensive heat load, fire on sea etc. When assessing impairment of lifeboats, there are a number of factors to consider. In some scenarios, the evacuation systems themselves may tolerate the accidental loads they are exposed to while the personnel who are going to use the boats are more vulnerable. Impairment of lifeboats is therefore not necessarily limited by the ability of the lifeboat to survive the accidental effects. Effects which must be considered include the following:

- Smoke effects: Toxic effects as well as reduced visibility. Smoke will obviously not affect the lifeboat itself, but personnel may be unable to use it because it is engulfed in heavy smoke, or possibly filled with smoke.
- Thermal effects: GRP lifeboats can tolerate 10–25 kW/m2 without being seriously affected or losing integrity. However, if a lifeboat is exposed to high radiation levels in the range 10–25 kW/m2, the temperature is likely to rise relatively rapidly. This means that personnel inside the lifeboat may be exposed to unacceptably high air temperatures within a relatively short time.
The limiting factor determining whether or not the lifeboats may be used will therefore frequently be the ability of people to enter the lifeboats. In some cases, access to the lifeboats is completely sheltered. Due to the normally short time it takes to lower the lifeboats, it is considered that high heat loads, probably in excess of 50 kW/m2, may be tolerable for this period of time.
The discussion above is primarily related to the situation where the lifeboat is still hanging in the davits on the side of the installation. After it is lowered to the sea, the inbuilt sprinkler system on the boat itself will effectively cool the lifeboat. Higher radiation levels are therefore likely to be sustainable without impairment, unless the heat loads are very high, or the exposure time is very long.
6.9.6.4 Impairment of Main Structure
The effects of high heat loads, explosion overpressure loads and impact loads on the main support structure (or hull structure in the case of a floating installation) have to be considered in relation to the capability of the structure to resist these loads. This topic is discussed in more details in Chapter 8.
6.9.7 Required Intactness Times for Safety Functions
The last aspect to consider in relation to impairment is the time the safety functions need to remain usable. The following aspects are part of a consideration of the required intactness times for the safety functions.
The mustering time for the installation must be based on the number of personnel present, dimensions, etc., and be compared with the results of drills (if available). For large platforms this time is normally in the order of 15 to 20 minutes, less for smaller platforms. 20 minutes is often used as a typical mustering time (including confirmation of those missing) for emergency situations on large platforms. 10 minutes is sometimes used for smaller installations.
The time necessary for search and rescue of missing/wounded persons has to be included in the required intactness times.
The time required to enter and launch a conventional lifeboat is assessed to be typically around 10 minutes. In predicting the required intactness time, allowance is normally made for the time necessary to move to another lifeboat and to launch that, in addition to the normal 10 minutes launching time. Evacuation by several boats may have to be considered for larger

When a similar correlation exercise was performed in relation to required muster time. Figure 6.30. including establishing the status of personnel. when there is ample time available. The permissible heat loads for the escape ways may however. Recorded muster times in exercises on Norwegian installations. The helicopter evacuation time is dependent on the mobilisation time for helicopter. If the escape ways need to be usable for the time it takes to reach the SA (or TR). The time required to carry out a helicopter evacuation is usually not included as an alternative to lifeboat evacuation. ‘Required muster time’ is in this context the muster time requirement that the operator has defined in the emergency management system. Several hours may be needed. It may be noted that some of the times are relatively straightforward to calculate. as well as a trend line. then the necessary time will be in the range 10–30 minutes. Observations for each installation are shown. and the number of personnel to be evacuated. while others (especially the time to search for survivors) may only be subjectively predicted. depending on the circumstances.Analysis Techniques 227 platforms. but not for time critical emergency evacuation. The entire duration is usually considered to take somewhere in the range 10 to 30 minutes. 2006a) on Norwegian installations. There is a clear relationship between the average POB and the average time needed to complete mustering. there was no visible correlation at all. Such an approach however. as function of average POB In determining the time requirement for intactness of escape ways the following need to be considered. if one helicopter is to take care of more than 100 persons. Recorded muster time (mins) 30 25 20 15 10 5 0 0 100 200 300 400 500 Average POB Figure 6. as a function of time.30 shows the recorded muster times in exercises (PSA. will . from seconds up to 1–2 minutes. their seat capacity. 
the time for a round trip to a suitable offloading location (often another installation). The arguments here are that personnel will try to reach TR as rapidly as possible and thus will only be subjected to high heat loads for short durations. but up to 60 minutes for large installations. be based on short exposure periods. and to seek and rescue injured personnel. Helicopters are often used for precautionary evacuation.

not allow time for attending to injured personnel, and survivors who may have to await assistance to reach TR (or SA). If maximum heat loads are to be based on the presence of an escape way up to 30 minutes, then only very low heat loads would be permitted. This would lead to extensive protection requirements, which would be impracticable to implement.
The following required intactness times are presented as typical values for the safety functions of a small platform, based on assumptions as presented above (all including time for mustering, search and rescue as well as lifeboat evacuation):
- Temporary Refuge: 40 minutes
- Escape Ways: 20 minutes
- Evacuation Means: 40 minutes
- Control Room: 40 minutes.
6.10 Analysis of Environmental Impact Risk
6.10.1 Overview
One approach to environmental risk analysis is the methodology developed by DNV and Norsk Hydro, called ‘MIRA’, described by Sørgård et al. (1997), OLF (2001), which is an approach that may be carried out with variable extent of details, according to the available resources and the extent of detailed input data. The three levels of detail are called:
- Source based analysis: The simplest approach, based on duration and rate of release, as well as distance to shore.
- Exposure based analysis: More extensive approach, based on duration, rate and amount of release, as well as oil drift simulation. Resources and effect of releases are considered in separate grid quadrants, typically 15 by 15 km.
- Damage based analysis: Most extensive approach, based on duration, rate, and effect potential of release, as well as oil drift simulation. Consequences are related to the most vulnerable populations, including beach habitats.
The source based analysis is the most conservative, it has been indicated that overprediction of frequencies by almost one order of magnitude is possible with this approach. The damage based analysis is the least conservative, but there is still distinct conservatism in the approach.
The source based calculation should be used as a quick first round to determine whether a closer examination is warranted or not. Otherwise this approach may be used to find a traceable way of applying results from previous projects to a new related project. This approach is also able to reflect the level of prior knowledge from comparable conditions and/or similar studies.

6.10.2 Measurement of Environmental Damage

The team involved in the MIRA development focused, after careful consideration, on recovery time as the single parameter for quantification of consequences. This parameter may in principle be used irrespective of which analysis level is chosen. But only in the damage based analysis is the recovery time calculated quantitatively. More qualitative and indirect assessment is used in source based and exposure based analysis.

The recovery time as a measure of environmental damage may be illustrated by considering actual data from some large spills (from Vinnem and Vinnem, 1998); this is shown in Table 6.7.

Table 6.7. Overview of recovery times of some large oil spills

Source of spill            Year of spill   Observed recovery time (years)
Exxon Valdez               1989            Around 10
Mercantile Marcia          1989            4
Oil pipeline, Louisiana    1985            1
Oil pipeline, Texas        1984            2
Amoco Cadiz                1978            5–10
Esso Bernica               1978            9
Ekofisk B platform         1977            1
Tsesis                     1977            5–10
Arrow                      1970            5–10
Santa Barbara              1967            1
Torrey Canyon              1967            5–10

Calculated total spill (bbls): 375–500,000 > 8,000 ? ? ? 20,000 – 7,500 30,000 – 22,000

It may be observed that there is no direct relationship between the amount of oil spilled and the resulting recovery time. The longest recovery times that have been recorded are in the order of 10 years. No spill with recovery time shorter than 1 year is shown in the table, but this is due to selecting only some of the largest spills as the basis for the presentation. It may be observed that more than half of the accidents shown were caused by tankers or other types of vessels. Further, all the impacts with the longest durations have been caused by vessels.

Risk levels are often considered as ‘order-of-magnitude’ expressions, rather than exact values, and it is therefore prudent to express these times in categories. The following categories are recommended:
- Less than 1 month
- 1 month – 1 year
- 1 – 10 years
- >10 years

Sørgård et al. (1997) has used a slightly more refined division into categories, in that the lower categories are split into three instead of two categories, <2, 2–5 and 5–10 years. The prediction of recovery times is still relatively uncertain, and it is therefore considered most prudent to use the ‘order-of-magnitude’ categories indicated above.

Sometimes only qualitative statements are used for the different categories. Such qualitative descriptions may be associated with the intervals in the following manner:
- Insignificant recovery time: Less than 1 month
- Short recovery time: 1 month–1 year
- Moderate recovery time: 1–10 years
- Long recovery time: Above 10 years

6.10.3 Event Trees

The event trees that are usually used in the analysis of environmental risk are often relatively simple, mainly focused on aspects which may determine the duration of the uncontrolled flow. The factors that will determine the duration of a blowout are usually the following:
- Immediate well ‘killing’ before developing into full blowout
- Mechanical isolation of the flow (‘capping’)
- Self stopping of flow in the reservoir (‘bridging’)
- Drilling of relief well(s).

Ignition of the blowout is also an important indirect factor, because an ignited blowout will put quite severe restrictions on movement of personnel on the installation. In this event mechanical isolation activities may be prevented or take a longer time. The spill will also be less extensive, due to the amount of oil which burns off.

Another factor which will have importance for the likely success of isolation activities is whether the well is a so-called ‘dry completion’ or a ‘wet completion’, i.e. whether the wellhead and Xmas tree are on a platform deck (‘dry’) or on the seabed (‘wet’). Installation of mechanical devices in the well will be more complicated for a subsea completed well, which will imply that a higher fraction of the blowouts may require drilling a relief well.

A typical event tree for environmental consequence analysis of oil spills is shown in Figure 6.31.

[Figure 6.31. Event tree often used in oil spill analysis. Initiating event: Blowout. Branch nodes: 1. Killed immediately; 2. Ignited; 3. Stopped within 1 day; 4. Stopped within 1-7 days; 5. Stopped within 7-30 days; 6. Stopped within 30-90 days. End events are numbered 1 to 11.]

6.10.4 Environmental Damage Distribution

The environmental risk will be expressed as frequencies of environmental damage in the categories as outlined above. The following would be the complete calculation of frequencies:

$$\lambda_{\mathrm{damage},i} = \sum_{T} \sum_{J} \lambda_{\mathrm{end},j} \cdot P_{A,j}(t) \cdot P_{B,j}(t) \cdots P_{\mathrm{damage},i,j}(t) \tag{6.9}$$

where
$\lambda_{\mathrm{damage},i}$ = frequency of damage for damage category i
$\lambda_{\mathrm{end},j}$ = frequency of end event in Figure 6.31, i.e. a release with specified duration according to the categories stated above and valued component j
$P_{A,j}(t)$ = probability of exposure of an area with component j present at time t
$P_{B,j}(t)$ = probability of presence of the valued component j at time t
$P_{\mathrm{damage},i,j}(t)$ = probability of damage in category i and valued component j at time t
$T$ = total time over which the damage frequencies are considered
$J$ = total number of valued components.

The common approach to implementation of MIRA (Sørgård et al., 1997) is that a few of the most vulnerable VECs are selected for analysis. These VECs are then considered individually, such that the Equation 6.9 is implemented as follows:

$$\lambda_{\mathrm{damage},i,j} = \sum_{T} \lambda_{\mathrm{end},j} \cdot P_{A,j}(t) \cdot P_{B,j}(t) \cdots P_{\mathrm{damage},i,j}(t) \tag{6.10}$$

where
$\lambda_{\mathrm{damage},i,j}$ = frequency of damage for damage category i and valued component j.

Some of the weaknesses of this approach were discussed in Section 3.4. An example of how such results may be presented is shown in Figure 6.32 for six different VECs that are presented separately. The highest damage frequency is $6 \cdot 10^{-4}$ per year, when the VECs are considered separately, whereas the sum is $2.3 \cdot 10^{-3}$ per year, if the damage frequencies for each VEC are summed together. This summation would be according to Equation 6.9.

[Figure 6.32. MIRA results for six ecological components. Vertical axis: annual damage frequency. Horizontal axis: ecological component (Beach 1, Beach 2, Beach 3, Beach 4, Bird stock 1, Bird stock 2). Series: Autumn, Summer, Spring, Winter.]
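The difference between treating each VEC separately (Equation 6.10) and summing over all VECs (Equation 6.9) can be followed in a short calculation, added here as an example that is not taken from the book. All input values are constructed, and two things are assumptions of the example: each season carries an equal share of the annual end-event frequency, and the end events of the event tree are summed explicitly.

```python
CATEGORIES = ["<1 month", "1 month-1 year", "1-10 years", ">10 years"]
# Assumption: each season t carries one quarter of the annual end-event frequency.
SEASON_SHARE = {"winter": 0.25, "spring": 0.25, "summer": 0.25, "autumn": 0.25}
# Constructed annual frequencies of two event-tree end events (release durations).
END_EVENTS = {"stopped within 1 day": 2.0e-3, "stopped within 7-30 days": 4.0e-4}
# Constructed inputs per valued component j: P_A(t), P_B(t), and the split of
# damage over CATEGORIES for each end event (taken as season-independent here).
VECS = {
    "Beach 1": {
        "P_A": dict.fromkeys(SEASON_SHARE, 0.5),
        "P_B": dict.fromkeys(SEASON_SHARE, 1.0),
        "P_damage": {"stopped within 1 day": [0.8, 0.2, 0.0, 0.0],
                     "stopped within 7-30 days": [0.2, 0.5, 0.3, 0.0]},
    },
    "Bird stock 1": {  # only present in the area in spring and summer
        "P_A": dict.fromkeys(SEASON_SHARE, 0.4),
        "P_B": {"winter": 0.0, "spring": 1.0, "summer": 1.0, "autumn": 0.0},
        "P_damage": {"stopped within 1 day": [0.5, 0.5, 0.0, 0.0],
                     "stopped within 7-30 days": [0.0, 0.5, 0.5, 0.0]},
    },
}

def check(vec):
    """Reject inputs that are not probabilities or not a split over CATEGORIES."""
    probs = list(vec["P_A"].values()) + list(vec["P_B"].values())
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("probability outside [0, 1]")
    for dist in vec["P_damage"].values():
        if len(dist) != len(CATEGORIES) or min(dist) < 0 or sum(dist) > 1 + 1e-12:
            raise ValueError("damage split over categories is not valid")

def per_vec_frequency(vec, end_events=END_EVENTS):
    """Equation 6.10: damage frequency per category i for one component j."""
    check(vec)
    out = [0.0] * len(CATEGORIES)
    for season, share in SEASON_SHARE.items():        # sum over time periods t
        exposure = share * vec["P_A"][season] * vec["P_B"][season]
        for event, lam_end in end_events.items():     # sum over end events
            for i, p_dmg in enumerate(vec["P_damage"][event]):
                out[i] += lam_end * exposure * p_dmg
    return out

def summed_frequency(vecs=VECS):
    """Equation 6.9: add the per-component frequencies over all components j."""
    rows = [per_vec_frequency(v) for v in vecs.values()]
    return [sum(col) for col in zip(*rows)]

if __name__ == "__main__":
    for name, vec in VECS.items():
        print(name, ["%.1e" % f for f in per_vec_frequency(vec)])
    print("sum over VECs", ["%.1e" % f for f in summed_frequency()])
```

For the ‘1-10 years’ category the highest single-VEC value is 6.0E-05 per year while the sum over both VECs is 1.0E-04 per year, the same kind of gap the text reports for Figure 6.32.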