APPEA Fire & Explosion Management Guide

Australian Petroleum Production &
Exploration Association Limited
GUIDELINES FOR
FIRE AND EXPLOSION
MANAGEMENT
Australian Petroleum Production & Exploration Association Limited Issued: July 1998
Level 3, 24 Marcus Clarke Street GPO Box 2201
CANBERRA ACT 2600 CANBERRA ACT 2601
Telephone: +61 2 6247 0960 Facsimile: +61 2 6247 0548
INTERNET: http://www.appea.com.au Email: appea@appea.com.au
ACN 000 292 713
ISBN 0 908277 19 9
APPEA Guidelines for Fire and Explosion Management
PREFACE
Effective Fire and Explosion Management is a requirement of the process of safe design of
offshore facilities. It is the process whereby an offshore facility is designed to mitigate the
risks associated with its processing of hydrocarbons to a level that is as low as is reasonably
practicable (ALARP).
The Commonwealth Government Department of Primary Industries and Energy (DPIE)

document - Guidelines for the Preparation and Submission of Safety Cases presents
examples of the elements that would be expected to appear in a Safety Case submitted to the
Designated Authority within a given jurisdiction in Australian waters. The three main sections
being the:
Facility Description (FD);
Safety Management System (SMS); and
Formal Safety Assessment (FSA).
This APPEA Guideline (being one of a series) is concerned with presenting examples of good
industry practice in the development of fire and explosion management systems. The
Guideline therefore includes an explanation of the essential elements of Fire and Explosion
Management (FEM) System development.
The design of the FEM system must be such that it meets the performance standards set for it
(eg. be operational for a given period of time - to allow safe abandonment where required, etc.),
and such that, even when allowing for those instances where it does not meet its design
performance, the overall facility risk levels (on an annualised basis) can be shown to be
tolerable, and ALARP. In order to demonstrate this, initial assumptions about the FEM
system design must be made in the initial stages of the FSA and further refinements made
when performance standards are established. The full FEM system develops over time and
must suit the specific facility and not be dictated by fixed specifications based on other
applications or facilities. A system suitable for risk management on one facility is not
necessarily suited to another, but the SC process, and in particular the FSA, offers probably
the most efficient mechanism whereby the best fit-for-purpose solution can be found.
The development of a safety case requires an assessment of all risks to personnel on a facility
(ie not just fires and explosions), and a review of the Safety Management System. Therefore,
neither successful Fire and Explosion Management, nor full compliance with this Guideline
should be considered to address all elements of a Safety Case.
APPEA, as the collective representation of the upstream petroleum industry in Australia, has
issued these Guidelines in order to offer a means to achieving a standardised approach to the
development of good industry fire and explosion management systems for offshore facilities.
These guidelines are not, nor should they be implied as being, prescriptive. The information
provided here is also not intended to represent a full record of all the current technical
methodologies available for the assessment of the effects of Fires and Explosions. The
document does provide the guidance necessary for the reader to establish a scope and the
philosophical approach to developing a Fire and Explosion Management system (which is just
one part of a whole Safety Management System) that could be considered to be at an

equivalent level as good industry practice.
The assistance of the United Kingdom Offshore Operators Association (UKOOA), in allowing
reproduction of components of their Guidelines for Fire and Explosion Hazard Management to
ensure international consistency in Guidelines, is gratefully acknowledged. Relevant sections
are annotated in the text.
GUIDELINES FOR FIRE AND EXPLOSION MANAGEMENT -
APPEA WORKING GROUP MEMBERS

Dan Ahern - John Hudson -
Atwood Oceanics Australia Pty. Ltd. Santos Ltd.
John Hayes - Graham Wright -
Esso Australia Ltd. BHP Petroleum Pty. Ltd.

CONTENTS
1. INTRODUCTION..................................................................................................................11
1.1 P URPOSE AND SCOPE.............................................................................................................11
1.2 R ELATIONSHIP WITH REGULATIONS.........................................................................................11
1.3 GLOSSARY ..........................................................................................................................13
2. PHILOSOPHY OF FIRE AND EXPLOSION MANAGEMENT................................................15
2.1 INHERENT S AFETY AND P REVENTION OPTIONS ..........................................................................15
2.1.1 Inherently Safer Design And Process/Layout Optimisation Options......................................15
2.1.2 Design, Quality, and Maintenance..................................................................................16
2.1.3 Prevention Options2 .....................................................................................................17
2.2 P RINCIPLES OF F IRE AND EXPLOSION MANAGEMENT ..................................................................20
2.3 OVERVIEW OF THE S ELECTION AND S PECIFICATION OF F IRE AND EXPLOSION C ONTROL S YSTEMS .......21
2.4 S ELECTION OF S YSTEMS ........................................................................................................22
2.4.1 The Definition of a System............................................................................................23
2.4.2 The Role of a System....................................................................................................24
2.4.3 The Suitability of a System............................................................................................24
2.4.4 The Applicability of a System.........................................................................................25
2.4.5 Types and Variations...................................................................................................25
2.4.6 Interaction and Limitations...........................................................................................25
2.5 S PECIFICATION OF THE FACILITY FIRE AND EXPLOSION MANAGEMENT SYSTEM .................................26
2.5.1 Functionality..............................................................................................................27
2.5.2 Reliability/Availability..................................................................................................27
2.5.3 Survivability...............................................................................................................27
2.5.4 Maintainability...........................................................................................................27
3. FEA METHODOLOGY.........................................................................................................28
3.1 INTRODUCTION TO F IRE AND EXPLOSION ANALYSIS ...................................................................28
3.2 S UB-DIVIDE SYSTEM INTO UNITS:-...........................................................................................32
3.3 C ARRY OUT FIRE AND EXPLOSION HAZID (WITH WORKGROUP)..............................................32
3.4 HYDROCARBON INVENTORY DEFINITION ..................................................................................32
3.5 S PLIT UNIT INTO SUB-UNITS ...................................................................................................33
3.6 NON -STANDARD S YSTEMS OR OPERATIONS................................................................................33
3.6.1 Blow Out / Well Control Incidents..................................................................................33
3.6.2 Other Drilling Related Fire/Explosion Incidents................................................................34
3.6.3 Well Testing Operations...............................................................................................34
3.6.4 Transfer Of Fuel Oil From Supply Boat To Rig/Platform...................................................35
3.6.5 Explosives..................................................................................................................35
3.7 NON -HYDROCARBON F LAMMABLE F LUIDS ...............................................................................35
3.8 F LAMMABILITY ASSESSMENT .................................................................................................35
3.9 OTHER ...............................................................................................................................35
3.10 R ELEASE T YPES AND F IRE S CENARIOS.................................................................................36
3.11 R ELEASE S IZES................................................................................................................37
3.12 DISCHARGE MODELLING ...................................................................................................37
3.13 T IME TO ISOLATE INVENTORIES ..........................................................................................38
3.14 JET F IRE MODELLING .......................................................................................................38
3.15 F LASH F IRES ...................................................................................................................38
3.16 P OOL F IRE MODELLING ....................................................................................................41
3.17 BLEVES ........................................................................................................................41
3.18 S UBSEA GAS R ELEASE ......................................................................................................41
3.19 OIL F IRES ON THE S EA ......................................................................................................42
3.20 S TRUCTURAL S URVIVABILITY IN F IRES ................................................................................42
3.21 OTHER EFFECTS OF F IRES ...................................................................................................43
3.22 EXPLOSION ASSESSMENT ...................................................................................................43
3.22.1 Vapour Cloud Explosions.............................................................................................43
3.22.2 Detonations................................................................................................................44
3.23 ESCALATION ASSESSMENT .................................................................................................44
3.24 C ARGO F IRES (EG PRODUCED FLUIDS, PROCESSED PRODUCTS, FUEL OIL )......................................45
3.25 LOADING/OFFLOADING HOSE.............................................................................................45
3.26 MACHINERY S PACE F IRES AND EXPLOSIONS..........................................................................45
3.27 ACCOMMODATION AND S TOREROOM F IRES...........................................................................45
3.28 C LASSIFICATION OF POTENTIAL IGNITION SOURCE ..................................................................45
3.29 R ULE SETS FOR EVALUATION OF CONSEQUENCES ....................................................................46
4. CONCLUSIONS....................................................................................................................48
5. REFERENCES......................................................................................................................49
APPENDIX I : PERFORMANCE STANDARDS (Rule sets)
1. INTRODUCTION
1.1 Purpose and scope
The scope of these Guidelines is to provide the upstream petroleum industry with a set of Fire
and Explosion Management principles that can be considered to represent Good Industry
Practice for managing the risks associated with Fires & Explosions on offshore (fixed and
mobile) facilities.
Good Industry Practice represents a standard of Fire and Explosion management and design
development principles that are:
not the minimum;
not necessarily the highest; but
are the most appropriate application of sound, goal setting design known to be practiced in the
industry at any particular time.
The principal objectives of the guidelines are to provide:
1. examples of good industry Fire and Explosion Management principles;
2. assistance in the preparation of a statement of design of the fire and explosion

protection systems in place on the facility;
3. an identification of potential sources of fires and explosions on a particular facility;

and
4. an assessment of the outcomes of those events.
These Guidelines will also assist the reader to outline a methodology for the preparation of the
Fire and Explosion Analysis (FEA) element of a Formal Safety Assessment (FSA) as required
by the Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities)
Regulations. More details of the FSA are provided in the Australian Commonwealth
Department of Primary Industries and Energy Guidelines for the Preparation and Submission
of Safety Cases (The DPIE Guidelines).
1.2 Relationship with regulations

This document is one of the upstream petroleum industry guidelines. Its relationship with
Acts and regulations is depicted in Figure 1.1.
The principal components of the regulatory regime are :
1. The Petroleum (Submerged Lands) Act, which empowers the Minister to regulate.
2. Regulations, which set mandatory objectives for industry to achieve.
3. DPIE Guidelines, which set out the administrative procedures for the regime and
provide practical ways of meeting goals set by the regulations.
Page 11
4. (a) Upstream industry guidelines, which provide consistency across the

Australian upstream petroleum industry and assist companies setting
out their own standards.
(b) Generals guidelines, Codes, and Standards such as Australian

Standards, API Standards, etc, which provide useful references for
companies setting their own standards
(c) Industry approved competency standards.
5. Company standards, which should provide the demonstration of managing risks to

ALARP.
Figure 1.1 : General Relationship Between This Document (an Upstream

Industry Guideline) and the Acts and Regulations in Australia
P(SL)A
P(SL)A
Management of
Safety Regulations
DPIE Guidelines for Preparation

and Submission of Safety Cases
Upstream General Guidelines

Industry Codes of Practice
Guidelines and Standards
Company Standards
Page 12
1.3 Glossary
The following abbreviations and terms are used throughout this Guideline.
AFP Automatic Fire Protection
ALARP As Low as Reasonably Practicable
APPEA Australian Petroleum Production and Exploration Association Ltd.
BLEVE Boiling Liquid and Expanding Vapour Explosion
DPIE Commonwealth Government Department of Primary Industries and

Energy
E&P Forum The Oil Industry International Exploration & Production Forum
ESD Emergency Shutdown System
ESSA Emergency Systems Survivability Analysis
ETRERA Escape, Temporary Refuge, Evacuation, and Rescue Analysis
FD Facility Description
FEA Fire and Explosion Analysis
FEM Fire and Explosion Management
FSA Formal Safety Assessment
HAZID Hazard Identification
HAZOP Hazard and Operability Study
HSE Health and Safety Executive (UK)
LEL/LFL Lower Explosive/Flammable Limit
Moonpool An exposed area on a facility through which equipment is lowered on

to the sea where drilling operations are conducted
NFPA National Fire Protection Authority (USA)
PFD Process Flow Diagram
PFEER Offshore Installations (Prevention of Fire and Explosion and

Emergency Response) Regulations, 1995; UK HSE
PFP Passive Fire Protection
P&ID Piping & Instrumentation Diagram
Page 13
QRA Quantitative Risk Assessment
SC Safety Case
SGIA Smoke and Gas Ingress Analysis
SMS Safety Management System
TR Temporary Refuge
UKOOA United Kingdom Offshore Operators Association
UVCE Unconfined Vapour Cloud Explosion
Page 14
2. PHILOSOPHY OF FIRE AND EXPLOSION MANAGEMENT

Effective, economic Fire and Explosion Management (FEM) depends on the appropriate
timing and use of resources. This can be achieved by following the principles for identification
and assessment of foreseeable events, and for selection and specification of safety systems.
An appropriate combination of prevention, detection, control, and mitigation systems should
be implemented and maintained throughout the lifecycle of the installation. The design,
operation, and maintenance of the systems should be undertaken by competent staff who
understand their responsibilities in the management of hazards and possible hazardous event.1
This section introduces the concepts of Inherent Safety in the design of offshore facilities (in
the context of these Guidelines) in a general sense in Sections 2.1 and 2.2. In Section 2.3 the
factors that influence the process of selection of a suitable Fire and Explosion Management
(FEM) system are described. Section 2.4 describes how the FEM system can be developed.
Finally, Section 2.5 gives an indication of the level of detail relating to the FEM system that
might be expected to appear in a Safety Case.
2.1 Inherent Safety and Prevention Options

Good design is the most effective means of preventing fire and explosions on offshore
facilities, and this must always be foremost in the development of any fire and explosion
management philosophy. In this context, good design involves addressing such issues as2:
1. the choice of process and production method to minimise the risk of fire and
explosion;
2. the need to minimise the frequency, release rate, and quantity of releases by, for
example, reducing the number of release points and addressing causes of failure, and
limiting the inventory available for release; and
3. optimisation of plant layout to minimise the effect of an initial explosion or fire

incident to neighbouring equipment and areas.
In addition to these issues, measures to minimise the chance of formation and subsequent
ignition of flammable vapor clouds must be addressed.
The extent to which any of the above can be implemented for any particular facility will be
dependent on whether it is in the process of design, or already in operation.
2.1.1 Inherently Safer Design And Process/Layout Optimisation Options
The greatest opportunities to reduce the risk to life on a facility are during the initial hazard
identification stage in the conceptual design phase. Once into detail design there may be
limited scope to apply hazard removal methods, with the consequential outcome that the only
means available for risk reduction relies upon mitigation measures.
Adoption of the following principles where possible will reduce hazards:
1 Reproduce with permission from UKOOA Fire and Explosion Hazard Management, May 1995
2 PFEER
Page 15
appropriate choice of the (ALARP risk) concept; single or multiple jacket, floating
production etc;
choice of operating philosophy; pre-drilling wells, manning, etc;
reduction of hazardous inventories;
reduction of process pressures and temperatures;
minimisation of High Pressure/Low Pressure (HP/LP) interfaces;
use of non flammable or low flammability materials;
minimisation of the number of processing operations carried out on the installation;
selection of simpler processes;
reduction of particular causes of failure (e.g. dropped loads onto equipment);
avoidance or control of simultaneous hazardous operations;
physical separation of major components containing hydrocarbons (e.g. risers,

wells, separators);
location of the TR remote from major hydrocarbon inventories, in particular

wellheads, risers;
reduction of congestion in process areas;
avoidance or reduction of ignition sources;
reduction of external confinement and congestion of gas process areas;
siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in well
ventilated areas and away from large inventories;
location of risers to avoid supply boat impacts.
Further guidance on inherently safer design is given in the UK HSE Report Inherently Safer
Design .
2.1.2 Design, Quality, and Maintenance3
The likelihood of hydrocarbon release which could lead to a fire or explosion will depend,
amongst other factors, on the quality of the design, the components, the construction of the
plant and its maintenance/operation.
3 Reproduced with permission from UKOOA, 1995
Page 16
The principles of the reduction of complexity in design and improving operability should also
be used/applied to reduce the number of possible leak points and the likelihood of operator
error.
2.1.3 Prevention Options2
Prevention in the context of an installation means avoiding uncontrolled releases of

hydrocarbons and/or the accumulation of explosive atmospheres and avoiding fires and
explosions from other sources, e.g., electrical fires and fires in the accommodation. As the risk
from fires and explosions offshore is often dominated by ignited releases of hydrocarbons, then
the prevention of such releases represents the starting point followed by the consideration of
preventing (or controlling) ignition.
Effective prevention of hazardous events is dependent on aspects of the SMS, i.e.:
the use of appropriate design codes and standards; and
the implementation of good operating practice.
Prevention measures may be either engineered or procedural and may be specifically applied to
a particular hazard or item of plant or generically applied throughout the installation.
Prevention of Releases (Maintain Equipment Integrity)
The primary prevention measure on plant containing hydrocarbon is the prevention of the
unplanned release of flammable liquids and gases under all circumstances including
commissioning, operation, shutdown, maintenance and decommissioning.
All foreseeable causes of failure should be identified and a combination of engineered and
operational systems put in place to seek to avoid each cause (see Section 3). The likely causes
of failure should be identified by a formal hazard identification process - which could consider
aspects such as:
mechanical overload/overstressing (external loading, including environmental);
overpressure (internal overloading);
internal corrosion/erosion;
external corrosion/erosion;
construction defect;
fire;
explosion;
impact (including dropped objects);
breaches of containment due to operator error;
Page 17
isolation failure;
intentional misuse by internal or external parties;
decommissioning, in particular hazards associated with purging
containment or permanent isolation systems.
Most causes of failure are addressed by the use of established codes and standards for the
design and protection of process plant. However, it may be necessary to verify that these are
appropriate for all the identified likely causes of failure. This verification may be achieved by
the use of a formal Hazard and Operability Study (HAZOP), and by confirmation that
selected designs result in ALARP risk solutions.
Typical prevention measures include:
reduction of possible release points, e.g. use of welded joints and non-invasive instruments;
overpressure protection systems;
process control and shutdown systems;
material selection, corrosion allowances, inspection and protection;
impact decks and control of heavy lifts;
breach of containment controls;
isolation valves, systems and procedures;
interlocks;
controls on shipping;
training and competence of personnel;
operational procedures.
These prevention measures can impinge on all engineering and operation disciplines and this
highlights the need for a fully integrated (between the overall Safety Case concept and the
design process) approach to hazard management.
The need to provide measures to maintain integrity during maintenance and decommissioning
of the installation should be considered at the design stage. These may include provision for:
draining down of vessels and the entire hydrocarbon containing system;
isolation, decontamination, purging and removal of pipeline risers and piping;
draining, decontamination and removal of oil storage tanks;
Page 18
suspension or abandonment of wells;
inert gas or flushing systems.
Ignition Prevention
The aim is to prevent the ignition and sustained combustion of solid, liquid and gaseous fuels.
The selection of materials and specification of appropriately classed equipment falls within the
design remit but operational controls are needed to ensure that the selected approach is
implemented throughout the operational life of the installation. (The selection of equipment
for operation in hazardous zones can not be assumed to represent a means of removing all risk
of ignition).
The generic means of preventing ignition of minor releases of hydrocarbons is the classification
of areas according to the probability, type and potential size of a release; the provision of
suitable equipment in these areas; the control of other sources of ignition and the specification
of materials which are difficult to ignite or do not sustain combustion.
Further reduction of ignition probabilities may be achieved by:
the avoidance of any unnecessary electrical equipment in the area;
the use of suitably designed and approved electrical equipment for the classification of the
area;
maximising the distance of any source of ignition from possible sources of release;
the shutdown of selected equipment on detection of gas;
considering deluge activation on gas detection (considerations include the possible effects
of, increased mixing vs. static generation etc.);
controlling hot work and activities with the potential to generate sparks;
the use of non flammable or low flammability material;
avoiding the use of fired heaters in proximity to hazardous areas;
minimising the need for processing of hydrocarbons near their auto ignition temperature;
the control of hot surfaces;
ensuring adequate ventilation in the areas; and
preventing gas ingress into internal combustion engines and non hazardous areas.
Reduction of a Flammable Atmosphere
The reduction of the likelihood of formation and of the size of a flammable gas cloud will both
reduce the possibility of ignition and the scale of any consequent explosion overpressure or
fireball. The following should be considered:
Page 19
minimise congestion and dead areas around likely leak sources;
optimise natural or mechanical ventilation;
reduce the distance from potential leak sources to the open air;
control the size of process areas.
2.2 Principles of Fire and Explosion Management 4

Despite all measures to prevent fires and explosions, where flammable materials are present,
the potential for an incident to occur always exists, even if it is extremely unlikely. It is,
therefore, necessary to have in place systems to manage or detect, control, and mitigate the
cases where a release (and possibly a subsequent fire or explosion) does occur.
Detection, control and mitigation systems should be selected and specified to meet good
industry practice and according to the following principles:
1. the assessment of fires and explosions should be used to determine the need for a system;
2. each system should have a clearly defined role;
3. systems should be selected and specified to provide an appropriate balance between

prevention, detection, control and mitigation;
4. systems should be specified with regard to the risks from the particular hazardous event
being addressed and their role and importance in reducing that risk;
5. mitigation systems should be specified after taking into account the contribution from the
detection and control measures in reducing the extent and duration of the hazardous event;
6. systems should preferably be specified in terms of functional parameters, reliability,

availability and survivability;
7. systems should be capable of being operated, maintained, inspected and verified on the
installation. The design should take these needs into consideration;
8. systems should be selected and specified after appropriate consultation with those
responsible for their use, operation, maintenance and inspection; and
9. systems which may introduce a new hazard, exacerbate an existing one or impair the
performance of another system should be avoided or the interaction should be addressed.
These drawbacks must not offset the risk reduction provided by the system, i.e. there should
be a significant overall benefit.
Page 20
2.3 Overview of the Selection and Specification of Fire and

Explosion Control Systems5
The purpose of this section is to give an overview of the principals of specifying detection,
control and mitigation measures for fire and explosion hazards. The arrangements selected to
manage each identified hazardous event should be such that the risks to persons are reduced to
a tolerable level and to ALARP.
There are a number of options in the categories listed below. The provision of some systems
may eliminate the need for others in the same or different categories. The quality of some
systems will affect the need for, and the standard of others.
In addition to the prevention measures discussed in Section 2.1 there is an array of measures
that are used when a fire or explosion has occurred. These are, for example:
detection and alarm measures to alert personnel and, where appropriate, to actuate systems;
control measures to limit the scale of an event and avoid escalation to a major accident;
mitigation measures to minimise undesirable consequences of a major accident;
emergency response and manual intervention.
Systems should be chosen with a full understanding of the likely hazardous events, their means
of escalation and the realistic expectation of the capability of the systems. The fire and
explosion assessment process described in Section 3 identifies where different systems may
make a contribution to this process. By examining the frequency and eventual consequences of
these events (in the latter, quantitative elements of the Safety Case), the need for and
performance standards of each proposed system will be determined.
The provision and quality of the prevention and avoidance measures will influence the
frequency of occurrence of an initial event. The consequences of an event will be determined
by the effectiveness of the control systems. The provision of mitigation systems will limit the
consequences of escalation. Effective detection of incidents combined with high performance
control systems will determine the overall risks to life. The provision and performance of
systems should be such that these risks are tolerable and reduced to ALARP. Evacuation,
escape and rescue (EER) are covered in separate APPEA Guidelines.
Each category may have both engineered and operational systems and may be either
specifically designed for a particular hazardous event or a generically applied measure such as a
code or procedure.
The selection of an appropriate combination of measures in a new design will require the
interaction of both designers and the Operator/Owner so that the relative contribution from,
and dependence on, procedural measures and engineered systems is fully assessed and
understood by all involved.
Under a prescriptive regulatory regime, the basis of the design of Fire and Explosion systems
has traditionally been standard design codes and principles (eg NFPA codes).
Page 21
In the case of existing installations, all the measures should already be in place but the relative
dependence on engineered systems and operational measures should be understood by those
responsible for the systems and for the overall safe operation.
Factors to be taken into account in the selection and specification of systems include:
severity of the eventual consequences;
frequency and severity of the initiating events;
the functional role of the system and the suitability of that system for the fulfillment
of that role;
applicability to the circumstances in which they will be used;
survivability requirements of the system;
time-scale and potential for escalation of an initial event to a major accident;
limitations that the systems may place on operations and vice versa;
hazards which may be introduced by the systems themselves;
requirements for, and practicality of maintenance, inspection and testing;
capital and maintenance costs;
availability, suitability and applicability of alternative systems;
performance of the combination of systems in meeting the risk criteria;
any adverse effect that the system may have on hazards or other safety systems.
Table 2.1 can be used as a suitable consistent method for describing systems to aid their
appropriate selection and specification. The Table can be developed for individual systems so
that there is a common language between designers, operators, operators/owners, vendors,
auditors, etc. Each of the topics in the table is discussed in the remainder of this chapter.
2.4 Selection of Systems

The selection of safety systems from the range available will depend on the stage in the
installation life cycle. Refer to Section 3 for guidance on the timing and sequencing of the
selection.
For an existing installation, the safety systems will already be in place. The assessment carried
out under the Safety Case will have identified those particular systems which are important
with regard to reduction of the risk from identified hazardous events and judged their
adequacy. It is advisableto initially concentrate any improvements on procedural measures to
prevent the occurrence or reduce the frequency. Thereafter, consider if further engineered
systems are still required following the hierarchy listed in Section 2.1.
Page 22
Also, when an installation is modified, the principles of inherent safety should be applied
again. Thereafter the provision of systems should be examined to determine if they are
adequate to address any new or changed hazardous events. The generic systems, design codes
and procedures would normally be the same as those already in place unless they are no longer
recognised as good industry practice. Any new systems (both hardware and software) should
be chosen by adoption of the Safety Case FSA approach, with the objective of ensuring that
they represent the ALARP risk solution.
2.4.1 The Definition of a System
The extent of a system should be described so that its role and performance can be defined.
This may range from an overall system such as an active fire protection system to a discrete
part such as a deluge system. These may either have a direct role in counteracting a particular
hazardous event (such as preventing rupture of a vessel) or a support role for these systems
(such as firewater supply or fire and gas detection).
Page 23
Table 2.1 : System Selection and Specification
SYSTEM: ROLE:
Title of Hazard Management System Statement of purpose (2.4.2)
Suitability: (2.4.3) Applicability: (2.4.4)

A statement of the hazardous events for A statement of the application, location and types
which the system may be suitable. of equipment for which using the system, may be
appropriate.
Types/Variations: (2.4.5) Interactions/Limitations: (2.4.6)

The different types or variations Details of possible interactions resulting from the
available of the particular system. use of the system. The interactions could be with
plant, personnel or other safety systems. A listing
of any limitations of the system.
SPECIFICATION PARAMETERS
Functionality: (2.5.1) Reliability/ Survivability: Maintainability:

A listing of essential Availability: (2.5.3) (2.5.4)
parameters relevant to (2.5.2) The parameters relating to The ease with which
functional capability The overall hazardous events which the system can be
which should be reliability/ the system may have to maintained, and its
considered when availability withstand or be design to maximise
specifying the system to requirement. considered when reliability.
fulfil its identified role. designing or specifying
the system.
2.4.2 The Role of a System
The role of a system should be clearly defined by providing a statement of what the system is
intended to achieve. A system may be required for more than one hazardous event and may
also have more than one role, (e.g. a deluge system can reduce oil burn rate, or prevent
catastrophic rupture of a pressure vessel under certain fire conditions). It should be clear how
the system relates to its role in managing each particular event.
2.4.3 The Suitability of a System
The systems chosen should be suitable for the role which they have to perform.
If a system is required to detect, control, mitigate or survive a fire or explosion, it should be

specified so that it is suitable for the range of hazardous events for which it is to be used.
These are identified in the assessment of fires and explosions and it is important that they
should be considered, as appropriate, for the system.
In specifying a system, it may be appropriate to specify either the type of fire or explosion,
the release and combustion conditions or particular characteristics such as:
Page 24
For Fires:
- flame temperature;
- heat flux;
- flame velocity;
- type and concentration of products of combustion.
For Explosions:
- overpressure;
- pressure profile;
- drag force;
- missile velocity or energy.
Where practical, the system suitability should be verified by representative testing. Care
should be taken when extrapolating results or basing a design on a purely theoretical analysis.
Long-term exposure to the environment must be a standard element of a systems capabilities.
The whole system must be commissioned and subject to fully representative functional testing
at start-up, and repeatedly throughout its life, in order to remain confident that it continues to
meets its design intent.
2.4.4 The Applicability of a System
Each system should be designed to ensure it can be installed, maintained and tested effectively
taking into account the working environment, access and site conditions. It should not
introduce undue maintenance and repair requirements such that either system will have limited
availability or require disproportionate resources on the installation to maintain it. It should
not seriously inhibit the day to day activities on the installation. A system should normally be
capable of fulfilling the role for the anticipated life of the installation providing that the
designated inspection, maintenance and repair requirements are carried out. If this is not
practical, or cannot be guaranteed, it should have a predetermined lifespan, at the end of which
it should either be replaced or fully assessed to determine the extension of that lifespan.
2.4.5 Types and Variations
There is a large variety of systems ranging from those operating on fundamentally different
principles to subtle variations between different manufacturers. For example, there are a
number of types of passive fire protection systems - including de-mountable panels and spray
applied systems - and there are variations within these different options.
The choice of a particular type of system should primarily be based on the list of parameters
in Section 2.3. These parameters should be assessed for the full lifecycle of the system taking
into account the effects of the environment and site conditions. In considering the
applicability, the ability to operate, maintain and repair it should be given equal consideration
to the initial cost and ease of installation. Systems should, where possible, be simple and
robust to enhance their long term effectiveness.
2.4.6 Interaction and Limitations
System interactions are those characteristics of a system which may:
Page 25
introduce a new hazard;
increase the frequency or consequence of an existing hazardous event;
reduce the effectiveness or reliability of another safety system.
These should be identified and, where necessary, either an alternative safety system selected or
measures put in place to address the interactions.
Interactions include:
increased direct risk to personnel operating, maintaining or testing the system;
increased numbers of leak points and breaches of containment due to the addition and
testing of process safety systems;
increased explosion overpressures due to the obstruction caused by it or ladders /

walkways / scaffolding needed for its inspection, maintenance or operation;
corrosion caused by the system; for example due to deluge system testing or increased
by passive fire protection;
corrosion due to increased saline exposure resulting from free ventilation and open
venting to reduce explosions;
increased probability of ignition for example due to deluge water ingress to electrical
systems;
limitations on inspection, maintenance and non-destructive testing of plant,

equipment or structure as a result of passive fire protection materials or enclosures;
deterioration of passive fire protection systems caused by repeated removal for

inspection of the protected plant;
increased explosion overpressure caused by firewalls;
reduced ventilation caused by firewalls;
projectiles created by safety systems such as vent panels.
2.5 Specification of the facility fire and explosion management

system
Once it has been established what the optimal configuration of the system should be, it is
necessary to record this in a concise, and practical fashion. The following areas should be
included, though no particular organisation of the information is either suggested by DPIE
Guidelines, or required by regulations.
Page 26
2.5.1 Functionality
The elements of the FEM system should be summarised and include the following features of
each generic type, and overall configuration:
type or equipment used (eg gas detectors, line-of-sight, infra-red heat detectors etc.);
service of the elements, ie what role they play in the overall FEM system;
specification of the individual elements (this should include some reference to the
fire and explosion scenarios that are present on the facility - see Section 3);
location of the equipment - eg. Distribution of gas detectors, PFP etc.; and
activation - how the various elements of the system are activated, automatically, or
by manual activation of ESD or by local manual activation (ie particularly for the
firewater system).
2.5.2 Reliability/Availability
The overall system will be required to perform with a certain level of reliability, which should
be determined in the overall Safety Case where the required performance standards are
determined. Typically, this will flow from the FSA.
2.5.3 Survivability
As with the definition of the incidents which the FEM system is designed to control, note
should be made of the incidents that exceed the capacity of the FEM system to protect the
facility to the extent that an incident can not be brought under control. These events should be
determined from the FEA and the subsequent completion of the FSA.
Specification of the survivability of the system will provide input to the establishment of an
emergency response and evacuation plan for the facility.
2.5.4 Maintainability
The maintainability of the overall system should be considered, either by avoiding failures
(Preventative Maintenance) or by restoring the system to its operating state as quickly as
possible (Corrective Maintenance), either by repair or replacement of the failed part(s). The
FEM system should, therefore, utilise systems, and be configured such that it remains
maintainable and has a high reliability. This can be achieved by:
the specification and selection of reliable equipment;
development of a design for which individual components of the system can be quickly
replaced when they are found to be faulty;
development of systems that can rapidly detect faults in the FEM system; and
ensuring that there is ease of access to all elements of the FEM system.
Page 27
3. FEA METHODOLOGY
One central requirement of the goal setting regime is that the consequences and likelihood of
facility hazard can be evaluated (either qualitatively or quantitatively). The tools for such
evaluations are available and very powerful when applied by the experienced practitioner.
The personnel who work on the facility (or individuals with the same range of experience for
studies of new installations) are the best judges of what possible sources of fires or explosions
exist on the platform when combined with the experience of safety engineers. However, this
experience must be brought to bear in a productive manner for the FEA. The main stages
where workforce involvement should be sought are in the FEM hazard identification process
and at the workshops later on in the FSA, when risk reduction strategies are developed.
One final point is that the FEA process and conclusions must be clearly stated and presented
in such a fashion that the results can be easily understood by a wide audience, and not just a
select group of technical specialists familiar with the techniques of fire and explosion modeling.
3.1 Introduction to Fire and Explosion Analysis

The purpose of the Fire and Explosion Analysis (FEA) is to identify all credible fire and
explosion events on a facility. The results of the FEA will be used as input data for the
Escape, Temporary Refuge, Evacuation and Rescue Analysis (ETRERA), Emergency Systems
Survivability Analysis (ESSA) and Quantitative Risk Analysis (QRA). These additional
studies may or may not be carried out and reported independently.
Credible accident events are those identified in the Hazard Identification workshops, and other
sources.
Typical flammable hazards may be conveniently divided into the following main groups:
blowouts and other well-related hazards (eg well testing);
topside process inventories;
risers, pipelines and subsea process inventories;
cargo tanks and loading and offloading lines;
transfers of flammables between supply boats and rig/platform (eg fuel oil);
machinery space flammables;
paint stores, lube oils etc.; and
accommodation/store room flammables.
Typical Explosion hazards may be as a result of:
any of the above sources of fire hazards;
battery rooms;
Page 28
electrical systems; and
explosives (eg perforating equipment).
Figure 3.1 : FSA Studies Undertaken in a Safety Case (showing FEA highlighted) - TYPICAL
Hazard Identification Hazard Register
Output from
All FSA Studies
Fire & Explosion Analysis

(FEA)
Smoke and Gas Ingress

Analysis (SGIA)
Emergency Systems
Survivability Analysis Non-Hydrocarbon Hazards
(ESSA) Analysis
Escape, TR, Evacuation &

Rescue Analysis
(ETRERA)
Quantitative Risk Assessment
Hazard & Risk Control
Page 29
The overall approach to the FEA is summarised in Figure 3.2 and as follows:
summarise the flammable inventories identified in the hazard identification process;
determine the physical properties of each flammable inventory (e.g. volume, mass
pressure, temperature, etc.);
assess the flammability of each inventory, screening out those for which there is an
insufficient heat source available to result in ignition;
develop the potential release types and fire/explosion scenarios (e.g. gas jet fire, atomised
liquid jet fire, liquid pool fire, flash fire, vapour explosion, solid explosion etc.);
calculate the fire and explosion characteristics for the identified fire and explosion
scenarios (e.g. flame size, burning rate, duration, explosion overpressure, smoke
generation, etc.);
examine the effect of the various control and mitigation systems on the calculated fire
characteristics (e.g. ESD/Blowdown failure, AFP, etc.);
determine the potential for escalation which could increase the severity of the incident
with due consideration to the function of the mitigation systems;
assess the possibility for non-process related fires (e.g. accommodation fires, store room
fires, etc.); and
screen out any non-credible fire and explosion scenarios and summarise the remainder for
input into the ESSA, ETRERA and QRA.
Page 30
APPEA Guidelines
.
Sub-Divide Process
P&IDs + Layouts etc.
(3.2)
Hazard Identification
Process (3.7)
Rule
Hazard Sets Evaluate Im
Others Non-Hydorcarbon Flammables Register

Hydrocarbon Source (3.4) (3.6)
(3.9)
Direct
Process Conditions Effects on Evacu
Stream Compositions
People
Flammability Assessment (3.5, 3.6, & 3.8)
Fire Select Representative Hole Sizes Escape and

Scenarios (3.11) Rescue
(3.10)
Rule Sets Carry out

discharge/dispersion
(3.29)
analysis (3.12 & 3.13)
INPU
Consider
Consequence
Type
Pool Fire (on Pool Fire (on

sea) Flash Fire Confined
facility) Explosion
(3.16) (3.15 & 3.18 & (3.15)
3.19) (3.22)
Jet Fire BLEVE UVCE

(3.14) (3.17) (3.22)
Rule Evaluate Hazard Zones

Sets
Figure 3.2 Overall FEA process
Page 31
3.2 Sub-divide system into units:-

The first stage in the process, in preparation for the HAZID, is to review the system drawings
(layouts, PFDs, and P&IDs) in order to be able to undertake a methodical review of the
system, and develop a full list of the fire and explosion (and other) hazards. Systems may be
grouped in to generic units, such as:
process (eg, subsea, producing well equipment, process, general hydrocarbon);
other hydrocarbons (eg lube-oil systems, fuel oil, drilling fluids, aircraft fuel);
non-hydrocarbon fluids (eg paints, solvents, inhibitors);
others ( eg accommodation, switchrooms, cable runs, battery rooms); and
non-routine activities (drilling, workovers, wirelining, well testing, transfers of product

or loading of services).
3.3 Carry out fire and explosion HAZID (WITH WORKGROUP)

The HAZID is actually a process that is an overall part of the FSA (see Figure 3.1), and the
process is intended to identify all hazards that exist (including non-flammable events such as
helicopter accidents and dropped objects). The process is conducted using a group of
personnel who either already work on the existing facility, or who are representative of the
same mix of personnel on the project team for a new facility.
This process will also identify the various types of events and materials which exist on a
facility and as such, the flammable materials should also be identified at this stage. This is the
most critical in the overall FSA process, and therefore for the FEA. Unless fire and
explosion hazards are identified at this point in a FSA, it is unlikely that they will be
identified later in the process, and the FSA can never be complete. It is, therefore,
possible that the fire and explosion management system for the subject facility will be
incompletely developed.
3.4 Hydrocarbon Inventory Definition

Generally, the HAZID will produce a list of generic scenarios including hydrocarbon releases
(part of the overall Hazard Register). In order to evaluate the fire and explosion hazards, these
general hazards must be further defined as specific scenarios.
The first stage of the FEA is to identify the various hydrocarbon inventories. The bounds of
the process inventories are taken at the ESD valves separating the inventory from adjacent
inventories upon process shutdown. (Process control valves and check valves are not
normally assumed to provide isolation of hydrocarbons and are, therefore, usually discounted).
The following characteristics (all of which will have an impact on the final risk profile on the
facility) of each inventory can then be summarised:
location (in the process and physically, on the facility);
volume of inventory (and whether gas or liquid);
Page 32
mass, pressure and temperature of inventory at normal operating conditions; and
composition of inventory and predicted flash fraction6 upon release to atmospheric

pressure.
Where equipment which operates at different conditions are isolated together (i.e. from a single
inventory) an equalisation pressure can be used to determine the quantities of liquid and gas
contained in each vessel. This calculation can take into account the various liquid levels,
relative elevations and operating pressures of the vessels, to determine the equilibrium
conditions in each equipment item. It should be noted that more than one fire scenario may be
identified for a given inventory as a consequence of applying this method.
Hydrocarbon inventories used should include the volume of the equipment and associated
pipework. However, this can be achieved (in a more generic approach) by using a simple
constant percentage increase on the equivalent lengths of major process pipework.
3.5 Split unit into sub-units

The PFDs should be used to workshop the facility process and separate units in order to split
it in to sub-units defining their characteristics as:
gas and liquid ( dependent on facility but typically at first stage separation); then
platform area (eg. modules); and then
by ESD isolatable unit (within each area); then
total inventory (mass).
The final process is the identification of the physical and chemical properties of the materials
within each sub-unit.
Thus the sub-units become sufficiently unique that they distinguish between each significant
scenario, and present information in such a way that FEM measures can be targeted at the
main source of risk most effectively.
3.6 Non-standard Systems or operations

3.6.1 Blow Out / Well Control Incidents
A blowout could occur from situations such as:
failure of mud/well control system;
6 Flash fraction is the proportion(usually measured as a percentage) of released material originally

in a liquid state in the process, that is vaporised as it drops pressure to a level equivalent to the
surrounding atmosphere. This must be considered to be the minimum proportion of the
released material that is initially carried into the air (ie not falling to the ground immediately).
A portion of the momentum and general energy dispersed during the initial stage of any release
is transferred into a process of stream breakup that may produce a fine liquid mist entrained in
the vapour stream. Care must therefore be taken when defining the size of any vapour release
and the quantity that can be assumed to rain out, and this value can not be assumed to be just
the flashed fraction plus what was already vapour.
Page 33
operational shortcomings;
Shallow Gas;
gas entrained in mud; or
equipment failure.
A blowout is an uncontrolled release of fluid (gas and liquid) from the well which may become
ignited. However, except in the case of a blowout caused by spontaneous equipment failure,
or a Shallow Gas event, the personnel on a facility will have considerable time (perhaps hours)
in order to put in to place emergency response plans, and to evacuate non-essential staff.
The source of the blowout has a direct effect on the consequences of the event, and it is
therefore necessary to identify, and evaluate, several categories of event. These are
summarised in Table 3.1.
Table 3.1 : Categories of Blowouts
Area Potential Types of Incidents
Blowout on Drill Floor Jet fire, flash fire, explosion, pool fire
Blowout below Drill Floor Jet Fire, flash fire, explosion, pool fire
Subsea blowout Flash fire, sea surface pool fire (explosion

when confined within a moonpool)
Blowout from choke manifold Jet fire, flash fire, explosion, pool fire
3.6.2 Other Drilling Related Fire/Explosion Incidents
Other fires related to the well systems can not be adequately described as blowouts, and do
not fit easily in any of the cases above.
Mud Pit Room - Pool Fire, Flash Fire, UVCE, partially confined explosion;
Shale Shaker area - Flash Fire, partially confined explosion.
As with process events that are partially confined, these event may result in explosions which
produce significantly higher overpressures than those associated with UVCEs.
3.6.3 Well Testing Operations
Well testing operations may be considered as particularly hazardous as they involve the use of
temporary equipment (tanks, valves and piping, etc.) with temporary connections. The
equipment is generally set up in a temporary location, utilising temporary (and perhaps
makeshift) fire/gas detection and fire protection systems, with work being carried out by
contractor personnel. The nature of such non-routine operations should always mean that a
HAZOP is carried out for all well test operations so that risks can be safely managed.
Page 34
Well testing operations therefore have the potential to generate additional hazards not easily
identified from some process drawings. These may include:
Oil Leaks - Pool Fires (on deck or on sea surface); and
Gas Leaks - Vapour Cloud Explosions, Flash Fires, or Jet Fires.
3.6.4 Transfer Of Fuel Oil From Supply Boat To Rig/Platform
Leaks in hoses or at manifolds could cause fuel spillage on to the deck or into sea, with the
potential for a pool fire. Events can also occur when hoses are pulled from their couplings and
where quick closing valves fail to close. These events may occur in areas of the facility where
hydrocarbons (or other flammables) are not normally found. Overfilling of tanks during any
fuel transfer operation could lead to fuel spilling out the storage tank vent line, onto deck or
into the sea, with the potential for a pool fire.
3.6.5 Explosives
Storage and transportation of explosives is generally screened out from the FEA due to
detonators and charges being stored separately, however, events have occurred where well
perforating equipment has been prematurely detonated on the facility, and this scenario should
also be considered.
3.7 Non-Hydrocarbon Flammable Fluids

The same general process of evaluation is applied for the hazards related to non-hydrocarbon,
flammable materials.
3.8 Flammability Assessment

Having defined the physical properties of each hydrocarbon inventory, its flammability should
be assessed. Some substances (e.g. hydrocarbon gas) are highly flammable, whereas others
(e.g. fuel oil) require the presence of a heat source before they will ignite. The flammability
assessment will be used to determine the possibility of ignition and sustained combustion. A
fire test may be commissioned if there is doubt concerning the flammability of a particular
inventory.
3.9 Other
Other sources of fires or explosion are present on any facility, and these must also be
defined and addressed within the FEM systems. This group of sources might include:
1. explosives;
2. switchgear rooms;
3. battery rooms;
4. laundry or galley equipment;
5. computer equipment;
6. cables;
Page 35
7. circuit boards etc.
These hazards should also be evaluated by the development of scenarios representative of the
materials and the nature of the threat they pose.
The HAZID workshop will typically record this type of hazard by its:
a) nature; and
b) location.
3.10 Release Types And Fire Scenarios

Once the sources of hazard have been defined, it is necessary to evaluate the type of fire
scenario that may develop as a result of the occurrence of an incident including each of the
materials identified.
The possibility of the following fire and explosion scenarios should be considered:
gas jet fires, due to ignited releases from the gaseous phase of a topsides hydrocarbon
inventory;
liquid and 2-phase jet fires, due to ignition of a high pressure atomised liquid or 2-phase
release (usually from the liquid phase of a topsides hydrocarbon inventory);
blowouts (which may be gas or liquid jet fires, and may contain solid particles - sand);
liquid pool fires, due to liquid rain-out from a liquid (or 2-phase) jet fire or due to ignition of
a low pressure flammable liquid release;
pool fires on the sea surface due to liquid rain-out, liquid run off from the deck, subsea
liquid (or 2-phase) releases, liquid overrun from a flare, release from a diverter vent, rupture
of a cargo tank or rupture of offloading hose;
gas fires on the sea surface due to ignition of a subsea gas release;
flash fires due to delayed ignition of a flammable gas cloud;
explosion due to delayed ignition of a flammable cloud in a confined or congested area;
machinery space fires (engine room and pump room) due to ignition of machinery space
flammables (e.g. diesel, fuel oil, lube oil) or build-up of flammable substances in bilges;
fires in the accommodation block; and
fires in storage areas, offices, laundry, galley, workshops, laboratories, electrical equipment,
etc. or
explosions in battery rooms.
When undertaking an assessment, the analyst should have an understanding of the important
distinguishing characteristics of each of the above types of outcome.
Page 36
3.11 Release Sizes

The fire and explosion characteristics in any particular case, and for any particular type of fire
or explosion, depend on the size of the release. A large hole produces a larger fire, but, if
promptly isolated, the fuel will be exhausted quicker and hence the duration of the fire will be
less than for a small release. Because there are so many sources, and no mechanism that fixes
all releases to one of only a few possible sizes 7, it is necessary to restrict evaluation to a
limited number of release sizes.
The probability of ignition is also very dependent on the release rate. A small gas release into
open air is unlikely to ignite since it would be readily dispersed and diluted to below
flammability limits. It will only ignite if there is an ignition source within the flammable region
local to the release, which is unlikely in a hazardous area, or the release is partly confined and
able to loose some of its momentum prior to dropping below the lower flammable limit (LFL).
Conversely, large gas releases can rapidly form large flammable gas clouds which can envelop
ignition sources remote from the leak source.
3.12 Discharge Modelling

The discharge rate profile for a gas release can be calculated using standard equations for
adiabatic expansion through an orifice. Choked flow will be assumed until the exit velocity
becomes sub-sonic.
The discharge rates for liquid releases are also modelled using standard formulae for discharge
through an orifice. There are two possible scenarios:
a leak from the liquid phase of a separator, where the leak is driven by the pressure of the
gas above the liquid and by gravity; and
a leak from an atmospheric tank where the leak is gravity driven alone.
For the first scenario, the pressure driving the leak is calculated based on adiabatic expansion of
the gas, with allowance for flashing of the liquid. When the liquid level falls below the leak, the
gas will escape through the leak as for a release from the gas phase.
For a leak from an atmosphere tank, the driving pressure is simply the head of liquid, gh
(where = density, kgm-3; g = constant of gravitational acceleration, ms-2; and h = head
of liquid above release point, m).
Discharge modelling should take account of the variety of release orientations that have to be
analysed as incidents can lead to fires or explosions that are very directional, and certain
equipment may tend to have a natural tendency to generate consequences in specific directions
(eg rotating machinery). For certain large events (eg blowouts , smoke plume, or vapour clouds
around the facility, variable weather conditions (primarily wind directions and speeds) should
7 For release sizes, it is typical to take a range of hole sizes, typically 3 or 4, that can represent all
those possible. The main justification is that further definition would not be justifiable
considering the wide uncertainty bounds that are attached to the other elements of the release
and consequence. A special case may need to be considered for particular equipment or failure
mechanisms, for example, a release from a relief valve or a small release from a large pipe or
riser will probably be uni-directional.
Page 37
be accounted for in the evaluation. A release that occurs with one orientation may have
significantly different consequences to the same event oriented another way. The FEA should
account for this in order to establish which outcome represents the greatest risk to the facility,
and the FEM systems developed to respond to these high risk outcomes.
3.13 Time to Isolate Inventories

In order to evaluate the final effect of an incident, its duration must be known. There are a
number of steps in the process from the release occurring to the point when it is stopped.
Figure 3.3 shows the typical sequence of events. This is not intended to show the escalation
routes in any form other than in their effect, that is the change from boxes 5, 6, and 7. An
event may only stop after all inventories on the facility have been released.
The elapsed time between a leak occurring and ESD isolating the inventory depends upon:
the time to detect the release by personnel, by gas or smoke detection, or by fire detection;
the time to initiate an ESD; and
the time to close ESD valves.
The times for detection will depend, in part, on the release rate of hydrocarbons.
3.14 Jet Fire Modelling

Jet fires, for both gas and atomised liquid releases, can be modelled using a variety of methods.
A considerable amount of recent research has been directed towards developing a better
understanding of jet fires and their effects, and much of this has been verified using large scale
testing.
Radiation isopleths are a 3-dimensional envelope joining all points of equal radiation levels
around a fire. They can be calculated using a numerical integration method because the
intensity of the radiation received at a particular point is dependent upon the amount of the
flame that can be seen from that location. However, simpler methods can be applied
provided sufficient contingency is allowed for in the FEM systems that are developed, and
sensitivity checks are undertaken to validate them. A number of proprietary computer
programs exist to undertake these calculations, and can be used for more complex modelling
methods. However, they must all be used with care, as their application is not valid in some
situations (perhaps due to the limited validation that has been undertaken for the models where
they are applied to large incidents).
3.15 Flash Fires

In cases where a gas release is allowed to develop into a cloud before it is ignited, a flash fire
may occur as the cloud burns back to the release point. The hazard zone is therefore the area
of the flammable cloud in the first case, however this shifts to the area of the release when the
gas cloud is consumed. Both cases should be investigated, and the case where the combustion
escalates to an explosion is discussed below.
Page 38
FIGURE 3.3 : RELEASE PHASES
1 Intrinsic
Release Begins Safety
Measures
2 Personnel
Release Identified Process,
Fire and Gas System
Personnel,
3
Release Location Process,
Identified Fire and Gas System
4 Process,
Shutdown Actions Started ESD System
5 Emergency Systems
Shutdown Actions Completed Survivability
6 Prevention of
Release Declines Escalation
7 Prevention of
Release Escalation
Stops
Page 39
Page 40
3.16 Pool Fire Modelling

A pool fire has the potential to spread at a rate determined by:
the area of any bund,
the area of any drainage sump;
for leaks onto the open deck, the deck features (e.g. the camber of the deck, location of
drains, etc.); and
for liquid jet releases, it should normally be assumed that a liquid pool will form under the
jet due to rain-out, however, the effects of the jet, and the potential for liquid spray to leave
any bunded area should be accounted for.
The maximum duration of a pool fire is determined from the liquid released, and the burning
rate (a characteristic of the fuel), and the rate of spread.
The effect of smoke on a pool fire is greater than for a jet fire, as the efficiency of combustion
is much lower in a pool fire.
3.17 BLEVEs
Boiling Liquid Expanding Vapour Explosions or BLEVEs, are potentially one of the worst
events on any facility (onshore or offshore). They are rare, however, due to the particular
circumstances in which they occur.
A BLEVE can occur when a vessel containing a flammable gas, that has been compressed to a
liquid, is exposed to high thermal radiation levels (usually by direct flame impingement) on its
vapor contacted surface. The structural strength of most steel commonly used in pressure
equipment, reduces significantly when its temperature rises above (approximately) 400C..
Beyond this point it is possible that the vessel will fail catastrophically, releasing its contents
as a rapidly vaporising, expanding and burning cloud generating large amounts of heat over a
wide area.
Facilities which have quantities of LPGs have the potential for this type of hazard. Layouts
and PFP levels should be reviewed to determine if a risk of a BLEVE exists.
3.18 Subsea Gas Release

Subsea releases (eg, from subsea wells, gas risers, or pipelines) are very different from releases
above the sea. The major differences are the initial momentum of the gas as it reaches the sea
surface and the larger area of release on the sea. Some experimental research has shown that
this area is approximately proportional to the depth of water.
This relationship is:
D = 0.2H
where:
D = Surface Release Diameter
Page 41
H = Water Depth
Subsea gas releases are unlikely to ignite unless the flammable gas cloud formed on the sea
surface is large enough to engulf an ignition source. This could potentially occur if a subsea gas
release occurs in the proximity of a facility, for example due to a release from a riser or gas
pipeline under a facility.
The consequences of ignition are generally a flash fire. Sustained ignition is very unlikely,
unless the release is very large due to the large area of the release at the sea surface which
results in rapid dispersion of the gas.
Radiation modelling can be performed using a similar method as that used for low momentum
flames, which is similar to a liquid pool fire (see below).
3.19 Oil Fires on the Sea

An oil release on the sea surface can occur due to:
a subsea release;
well testing;
liquid run-off from a facility;
releases from the diverter system during a well incident;
overflow from a flare;
helicopter accident;
release from a subsea storage tank (eg a Gravity Based Structures cell) or a near-surface
cargo tank;
release from an offloading or loading hose; or
release from a shuttle tanker.
Any oil on the surface can be assumed to be carried by the prevailing current and fires (much
less likely if the release is at sea) modelled in a similar manner to topside pool fires.
Special consideration may need to be given to the possibility of oil fires on the sea under the
facility travelling towards the TR due to the action of the weather.
3.20 Structural Survivability in Fires

In order to supply information to the latter stages of the FSA, an assessment of the
survivability of the main structural elements to the credible fire scenarios will be necessary.
Critical structural elements should be identified, the failure of which could result in escalation,
impairment of emergency escape facilities or loss of the installation. The assessment will need
to calculate the survival times for these critical structural elements under the identified fire
loads, taking into account any operating loads and structural redundancy. For example, overall
Page 42
failure of main support members, legs of a facility, or decks of a facility as a result of flame
impingement should be undertaken with due account of the load-shedding capacity of the
facility.
The potential for failure of elevated items of steelwork (eg, the flare tower or derrick) should
also be assessed, since these could potentially topple and cause escalation.
Consideration should be given, in the evaluation of time to failure, to the protection afforded
by any heat retardant measures applied to the structure.
Specific rule sets covering for example, structural survivability, should be developed as
necessary during the course of the FEA. It is important that these are fixed and common to all
aspects of the FSA.
3.21 Other Effects of Fires

Fires present additional hazards that spread far beyond the limit of the hazard zone established
from the radiative properties of the fire. In fact, the consequences for personnel on a facility
may often be as a result of these other effects, and not the initial thermal effects (except for
those in the immediate vicinity of the event). These effects include the generation of smoke,
carbon monoxide, carbon dioxide, and the general depletion of oxygen.
Dispersion calculations should be undertaken for various credible release scenarios that lead to
the generation of smoke for consideration in the smoke and gas ingress analysis. However, the
impacts of these events are analysed in the Smoke And Gas Ingress Analysis (SGIA).
In confined areas, or where ventilation system may draw in contaminated air, the possibility
that an incident could lead to the presence of toxic gases, or the reduction of oxygen in the
atmosphere should also be investigated.
3.22 Explosion Assessment

Two types of explosions can occur and are evaluated separately:
1. Deflagrations - Vapour Cloud Explosions; and
2. Detonations.
In vapour cloud explosions, combustion of the flammable gas occurs with sub-sonic flame
speeds in air, although localised confinement of a gas cloud will rapidly increase flame speeds
and increase the associated overpressure that the deflagration generates.
Detonations are explosions where the reaction front passes to sonic levels (through solids for
condensed explosives such as those utilised in perforating equipment), and may be initiated by
escalation of a deflagration, by severe confinement of a flammable vapour (eg inside process
pipework), or by the use of detonators.
3.22.1 Vapour Cloud Explosions
An explosion assessment should be performed to estimate the potential explosion

overpressure associated with delayed ignition of flammable gas clouds. The consequences of
explosions in terms of structural failure and escalation should be included in the analysis.
Page 43
The explosion assessment needs to account for:
explosions in partially enclosed and congested spaces (eg modules, or process decks);
explosions involving gas within a moonpool;
vapour cloud explosions above deck due to the delayed ignition of an unignited cloud of
hydrocarbon vapour;
explosion in an engine room or power generation room due to a fuel gas leak; and
gas ingress and subsequent explosions in enclosed areas (e.g. the accommodation and
machinery spaces).
Explosion overpressures can be estimated based on a combination of gas cloud size, degree of
confinement and results of experimental research. Calculations of the rate of gas ingress into
enclosed spaces must account for the local air change rate. Bulk concentrations below the LFL
can not be assumed to imply that ignition is not possible. Local to a release, concentrations
will always be higher, and even gas detectors can only detect within the section of the facility.
If explosions with significant overpressure are found to be possible, the risk associated with
explosions will be carried forward for quantification in the QRA.
3.22.2 Detonations
Vapour cloud explosions are the most prolific forms of explosion hazard on an offshore
facility, however, some solid explosives are used in well completion procedures. Vapour cloud
explosions (or deflagrations) are typified by sub-sonic combustion velocities. A transition of a
vapour cloud explosion to a detonation is possible where flammable gas mixtures occur in very
confined areas, eg within process equipment. In these cases, combustion velocities rise to sonic
levels (ie in excess of a few hundreds of metres per second). For solid explosives, the mode of
immediate pressure generation is a detonation, with the explosion propagating through the
solid at sonic velocity.
Explosives require a detonation trigger in order to set off the bulk of the explosive, and
consequently the principal inhibiting methods are procedural (keep explosives and detonators
separate).
3.23 Escalation Assessment

The potential for escalation due to fires will need to be assessed with due consideration of the
effects of the available mitigating systems (ESD, blowdown and AFP).
Potential escalation scenarios include:
escalation to adjacent flammable inventories;
impairment of the fire and explosion detection, protection and mitigation systems, which
should be assessed in the ESSA;
structural failure; and
Page 44
impairment of Escape, Temporary Refuge, Evacuation and Rescue (ETRER) facilities.
Impairment of ETRER facilities should be addressed in detail in the ETRER analysis.
3.24 Cargo Fires (eg produced fluids, processed products, fuel

oil)
A detailed analysis of the potential causes and consequences of cargo fires will need to review:
all potential ignition sources, including static electricity, etc;
the mitigating effects of the inert gas system; and
possible causes of a flammable mixture occurring in the cargo tanks.
The consequences of any cargo fires should be assessed based on the volatility of the cargo and
the likely release/ignition scenarios, the general nature of such an event will have similar effects
to a pool fire.
3.25 Loading/Offloading Hose

The possibility and consequences of a leak and subsequent ignition of flammable material from
any offloading/loading hose during offloading/loading operations should be assessed.
3.26 Machinery Space Fires and Explosions

Engine room and pump room fires and explosions should be performed based on the flammable
hazards identified in the Hazard Identification process, and should include any fuel gas supply
to the engine room, diesel oil, oil build-up in the bilges, etc.
The effects of machinery space incidents should be included in the ESSA undertaken during the
FSA.
3.27 Accommodation and Storeroom Fires

The possibility and consequences of non-process related fires in the accommodation, laundry,
galley, paint store, laboratory, etc., should be assessed.
3.28 Classification of potential ignition source

On any facility there are areas where the potential for hydrocarbon releases is higher than in
other areas. The classification of hazardous areas, and specification of equipment for
installation in those areas, minimises the potential number of ignition sources there. However,
some sources will always remain, either continually or intermittently, or may develop over
time. The temperature of equipment itself may act as an ignition source, as may accelerated
heating of flammable liquids seeping into poorly maintained insulation.
The areas of the facility being studied should be considered in turn in order to identify the
nature of ignition sources that are present or may develop over time. These should be
identified as:
high energy electrical equipment;
Page 45
open flames and sparks;
welding and cutting;
rotating equipment (may have increased temperatures due to wear);
equipment operating at temperatures above the auto-ignition of flammables that may be

released there; and
areas where there are frequent work activities with the potential to generate sparks.
One final source of ignition should also be considered - the energy released when a piece of
equipment fails. Sparks and general high temperatures can be generated by the violent failure
of process equipment.
3.29 Rule sets for evaluation of consequences

In order to provide the input required for the assessment of the impact of the fire and
explosion scenarios identified in the Hazard Identification process, it is necessary to determine
how large are the hazard zones around an incident. The hazard zone can be interpreted as
the area within which a particular sensitive receiver comes under the influence of the
hazardous event. Clearly, for personnel exposed to thermal radiation, a lower threshold or
tolerance can be borne than that which a structural steel member can withstand. Consequently,
the hazard zone for personnel around an incident is much larger than for the local steelwork.
The same issues apply to explosion overpressures, where damage to firewalls will occur at a
different blast pressure than that which can critically injure personnel.
One further complication for evaluating the hazard zones around an incident is the impact that
time has on the hazard zone. This is manifested in one of four ways:
1. the duration of a release will determine the total thermal load (which is generally the
determining factor for level of injury or damage) experienced at any particular location;
2. the movement of personnel in the event of an incident will mean that they experience a
lower thermal load than the total received at their original location;
3. the routes used to escape from an incident can be exposed to the prolonged effects of an
incident, and therefore act as blocked routes because personnel using them would expose
themselves to a hazard zone they would not otherwise be exposed to; or
4. the locations used for shelter become untenable after some period of time as a result of
structural damage that occurs after prolonged exposure to an incident.
In order to accommodate these issues, operators typically have undertaken complex
consequence assessments to predict the size of the hazard zones. The assessment results are
then evaluated in relation to their significance for escalation of an event, for fatalities in an
event, and for their effect on the safety systems on the facility, including the FEM systems.
The output from the consequence assessments is used in determining the optimum FEM
strategy and is required in the latter stages of an FSA. The FEA should address the
assessment results.
Page 46
Because of the potential complexity, the effort expended in the Hazard Identification stage is
crucial:
1. if potential incidents are not detected, the FEM system can never be shown to account for
all the fire and explosion scenarios that the facility might experience; and
2. as a significant part of the effort should be targeted towards attempting to avoid duplication
of the hazards that require analysis, and to initial risk screening in order to identify non-
credible or low risk events for which further analysis is unnecessary.
Even with such approaches, many assumptions must be made. The ultimate results of any
risk assessment, whether quantitative or qualitative, can be very sensitive to these
assumptions. It is very important, therefore, that common sets of assumptions, or rulesets
are used in all stages of the FSA, so that internal consistency can be achieved. It is one of the
fundamentals of the process of preparing a Safety Case that any assessment of the risk
associated with the operations on a facility is undertaken for the sole purpose of :
a) providing additional information to management in order to assist in the decision process of

what safety measures and FEM systems a facility requires in order to reduce the risk for its
personnel as low as reasonably practicable (ALARP); and
b) showing the relative contribution of the various fire and explosion scenarios postulated for
the facility to the risk levels,
and not for the purpose of producing a single number purporting to be an outright
representation of risk on the facility.
One last important check of the rulesets and evaluation of hazard zones that are used in the
FEA comes later in an FSA when, after the first pass through the process (up to and including
the QRA), the results must be tested for sensitivities to assumptions. This type of test can be
used to check the influence of, say, assumed threshold levels of overpressure on the overall
risk to personnel. Where there is unacceptable sensitivity, additional steps in the evaluation
process may be required.
Some examples of the type of rulesets that may need to be produced (threshold values are
based on freely available reference material) are attached in Appendix I.
Page 47
4. CONCLUSIONS
The FEM system is developed within the Safety Case and is one example of how the Safety
Case process can be used. The Safety Case 8 comprises:
the Facility Description (FD)
the summary of the (SMS); and
the Formal Safety Assessment (FSA)
The easiest way to visualise the FEM system is to consider that:
the FD describes the hardware elements of the system and how they interact;
the SMS will be generic, but infers how the FEM systems integrity is controlled through
the establishment of a uniform, structured management system; and
the FSA describes the required performance standards for the FEM system and relates
them to the hazards identified on a facility.
The development of the FSA is iterative, and the FEM system design changes with it.
Therefore it is important to have controlled processes for accounting for the FEM philosophy
in the design process.
The overall structure and general steps in the FSA process are shown in Figure 3.1. The FEM
system is designed and configured so that it will have a level of integrity sufficient to manage
the hazardous events with the potential to lead to fires or explosions. This will be, primarily,
a mitigation system for those cases where there is a release of flammable material, or where a
fire or explosion has already occurred.
The design of the FEM system must be such that it meets the performance standards set for it
(eg. be operational for a given period of time, allow safe abandonment where required, etc.),
and such that, even when allowing for those instances where it does not meet its design
performance, the overall facility risk levels (on an annualised basis) can be shown to be
tolerable, and ALARP. In order to demonstrate this, initial assumptions about the FEM
system design must be made in the initial stages of the FSA and further refinements made
when performance standards are established. The development of a facilitys FEM system
should influence the design of the facility as much as it is influenced by it. A system suitable
for risk management on one facility is not necessarily suited to another, but the SC process,
and in particular the FSA, offers an efficient mechanism for determining the optimum solution.
8 Guidelines for the Preparation and Submission of Safety Cases, DPIE
Page 48
5. REFERENCES
National Hydrocarbon Industry Competency Standards: Emergency Response at Onshore
and Offshore Production Facilities;
Fire Protection Industry Competency Standard for Fire Emergency Response;
Department of Primary Industries and Energy: Guidelines for the Preparation and
Submission of Safety Cases
UK Health and Safety Executive: Inherently Safer Design
UK Regulation: The Offshore Installations (Prevention of Fire and Explosion, and

Emergency Response) Regulations (PFEER)
UK Offshore Operators Association (UKOOA): Guidelines for Fire and Explosion Hazard
Management
Page 49
APPENDIX I : PERFORMANCE STANDARDS (RULESETS)

In order that a facility may be assessed against safety goals (the basis of the safety case
system), it is necessary to define minimum performance standards for the various systems
that are intended to achieve these goals (these also include rule sets used in the FEA).
In safety assessments, the performance of each system is measured in terms of whether or not
it is able to perform its safety function. If it cannot perform this function, it is said to be
impaired. Impairment may be permanent (e.g. destruction of a lifeboat by fire) or temporary
(e.g. engulfment of a lifeboat by smoke for several minutes only).
An impaired system can only result in fatalities if the system is required in a particular
accident event and no alternatives exist. For example, impairment of all the evacuation
systems would not lead to fatalities if it was not necessary to evacuate from the TR in a
particular accident event.
Typical performance criteria are summarised in Table I.1 in terms of potential Impairment
Mechanisms and corresponding Performance Standard Acceptance. These performance
standards are used to evaluate the impacts of the events investigated in the FEA in later stages
of the FSA.
I.1 Structural Integrity

Any structure or barrier which is critical to the effective use of ETRER systems must remain
intact for a defined period. This includes structures supporting the ETRER facilities, essential
barriers (eg. fire walls, radiation shields, etc), structures which could fall and impair ETRER
facilities (eg. cranes, flare booms, helideck structure, etc) and the ETRER facilities themselves
(eg. the hulls of the lifeboats). The defined period (endurance time) will be determined during
the ETRERA.
I.2 Oxygen Depletion/Carbon Dioxide Accumulation

Breathing becomes inhibited if percentage volume of oxygen in the air falls below 17% or the
concentration of carbon dioxide exceeds 2%. The normal concentrations in free air are 20.9%
oxygen and 0.03% carbon dioxide. However, the oxygen would gradually be used up, and
carbon dioxide increased, if personnel are gathered in an unventilated space.
Page I. 1
APPEA
Table I.1 Example Performance Standards for a Safety Case
Category Impairment Mechanism Issues For Consideration
Structural Integrity Collapse of support structure

or breach of barrier due to fire,
explosion, over-pressure or
impact from projectiles or
falling structure.
Life Support Oxygen Depletion
Carbon Dioxide Accumulation
Smoke/Carbon Monoxide The affinity of haemoglobin for CO is extremely

so than O2), so that the proportion of haemoglobin
form of carboxyhemoglobin (COHb) increases
CO is inhaled. There is little doubt that CO
important toxic agent formed in hydrocarbon fires.
monoxide is, therefore, particularly important
1. It is always present in fires, often

concentrations.
2. It causes confusion and loss of consciousness,

impairing or preventing escape.
It is the major ultimate cause of death in fires.
Toxic Gas or Fumes Toxic gases (e.g. H2S) or the generation of toxic
to thermal degradation of chemicals or
materials, could quickly render atmospheres
The performance standard is, therefore, that if
be present then impairment of the area has occurred.
Flammable Gas Dispersion modelling can not account for locali

time varying concentrations of gas.
Thermal Radiation In general, excessive thermal radiation levels

engulfment can render escape routes, evacuation
embarkation areas impassable to personnel
special protective clothing.
The effect of thermal radiation on personnel is
Page I.2
APPEA
Table I.1 Example Performance Standards for a Safety Case

Category Impairment Mechanism Issues For Consideration
the incident heat flux and time of exposure.
Flame Impingement
Explosion Overpressure Explosion overpressure can cause ear and

The latter can be fatal. The consequences
probability of injury or fatality are reproduced
Heat Exhaustion Deviations of body core temperature beyond

can soon cause severe pathological effects.
body core temperature ultimately results
exhaustion.
The bodys ability to regulate its temperature

its ability to shed excess heat gained from metabo
process dependent on the temperature and humidity
surroundings.
The methodology and acceptance criteria

exhaustion is based on ISO 7933 (Ref. 5) which
warning level for body heat storage at 50Wh/m
danger level at 60Wh/m2 . The former
conservatively been adopted for this study.
Hypothermia If the bodys core temperature falls by more

degrees centigrade, then death can be
hypothermia. Offshore, hypothermia can be
death for survivors who enter the sea during
due to a helicopter crash. The acceptance
hypothermia are summarised in Table I.3.
Emergency Flame Impingement, Thermal The vulnerability of any systems considered

Systems (e.g. ESD, Radiation, Explosion for command, monitoring and control of the
blowdown, AFP, Overpressure, Impact, etc. communications, ESD, Active Fire Protection,
gas/smoke assessed in the Emergency Systems Survivability
detection, (ESSA).
communications,
alarms, etc.)
Page I.3
Table I.2 : Effect of Overpressure on Humans
Overpressure (mbarg) Consequence
210 20% probability of fatality to

personnel inside
0% probability of fatality in the open
350 50% probability of fatality inside
15% probability of fatality in open
700 100% probability of fatality inside or

in open
Table I.3 Maximum Exposure Time to Cold Water
Water Temperature Maximum Exposure Time

(C)
0 15 mins
5 30 mins
10 1 hour
15 2 hours
18 3 hours
20 6 hours
At temperatures above 20C, fatality due to hypothermia will take a significant period of time
and other factors, such as shark attack, drowning etc., will dominate the fatality mechanism.
I.11 Emergency Systems
A safety system is critical if:
it helps prevent an accident from occurring (by controlling initiating factors);
it mitigates the consequences of an accident event (e.g. by preventing escalation), or
it is necessary to enable the ETRER Goals to be met.
Page I.11
Page I.22

APPEA Fire &amp; Explosion Management Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

APPEA Fire &amp; Explosion Management Guide

Uploaded by

Copyright:

Available Formats

Australian Petroleum Production &

Exploration Association Limited

FIRE AND EXPLOSION

The Commonwealth Government Department of Primary Industries and Energy (DPIE)

one part of a whole Safety Management System) that could be considered to be at an

GUIDELINES FOR FIRE AND EXPLOSION MANAGEMENT -

APPEA WORKING GROUP MEMBERS

Atwood Oceanics Australia Pty. Ltd. Santos Ltd.

John Hayes - Graham Wright -

Esso Australia Ltd. BHP Petroleum Pty. Ltd.

not the minimum;

not necessarily the highest; but

The principal objectives of the guidelines are to provide:

1. examples of good industry Fire and Explosion Management principles;

2. assistance in the preparation of a statement of design of the fire and explosion

3. an identification of potential sources of fires and explosions on a particular facility;

4. an assessment of the outcomes of those events.

1.2 Relationship with regulations

The principal components of the regulatory regime are :

2. Regulations, which set mandatory objectives for industry to achieve.

4. (a) Upstream industry guidelines, which provide consistency across the

(b) Generals guidelines, Codes, and Standards such as Australian

(c) Industry approved competency standards.

5. Company standards, which should provide the demonstration of managing risks to

Figure 1.1 : General Relationship Between This Document (an Upstream

DPIE Guidelines for Preparation

Upstream General Guidelines

AFP Automatic Fire Protection

ALARP As Low as Reasonably Practicable

APPEA Australian Petroleum Production and Exploration Association Ltd.

BLEVE Boiling Liquid and Expanding Vapour Explosion

DPIE Commonwealth Government Department of Primary Industries and

ESD Emergency Shutdown System

ESSA Emergency Systems Survivability Analysis

ETRERA Escape, Temporary Refuge, Evacuation, and Rescue Analysis

FEA Fire and Explosion Analysis

FEM Fire and Explosion Management

FSA Formal Safety Assessment

HAZID Hazard Identification

HAZOP Hazard and Operability Study

HSE Health and Safety Executive (UK)

LEL/LFL Lower Explosive/Flammable Limit

Moonpool An exposed area on a facility through which equipment is lowered on

NFPA National Fire Protection Authority (USA)

PFD Process Flow Diagram

PFEER Offshore Installations (Prevention of Fire and Explosion and

PFP Passive Fire Protection

P&ID Piping & Instrumentation Diagram

QRA Quantitative Risk Assessment

SGIA Smoke and Gas Ingress Analysis

SMS Safety Management System

UKOOA United Kingdom Offshore Operators Association

UVCE Unconfined Vapour Cloud Explosion

2. PHILOSOPHY OF FIRE AND EXPLOSION MANAGEMENT

2.1 Inherent Safety and Prevention Options

3. optimisation of plant layout to minimise the effect of an initial explosion or fire

2.1.1 Inherently Safer Design And Process/Layout Optimisation Options

Adoption of the following principles where possible will reduce hazards:

choice of operating philosophy; pre-drilling wells, manning, etc;

reduction of hazardous inventories;

reduction of process pressures and temperatures;

minimisation of High Pressure/Low Pressure (HP/LP) interfaces;

use of non flammable or low flammability materials;

minimisation of the number of processing operations carried out on the installation;

APPEA Fire & Explosion Management Guide

APPEA Fire & Explosion Management Guide