
Shell International Exploration & Production B.V.

Design

EP 95-0230

HSE
MANUAL

Revision 0: 27 October 1995


EP HSE Manual Amendment Record Sheet

Section Number: EP 95-0230

Section Title: Design

Rev No. | Chapter Nos. | Description of amendment | Date Amended (dd/mm/yy) | Amended by
0 | All | Original hard copy and CD-ROM issue * | 27/10/95 | EPD/621

* In this publication, some of the figures have been colour enhanced. This was done after the issue of the CD
ROM. The next issue of the CD ROM will include these enhancements. There is no difference in content.
CONTENTS

1 Introduction 1
  1.1 Objective of this Document 1
  1.2 Background 1

2 Overview 3
  2.1 Scope of the Document 3
  2.2 Area of Coverage 3
  2.3 Organisation of the Document 4

3 HSE Management System 7
  3.1 Leadership and Commitment 8
  3.2 Policy and Strategic Objectives 8
    3.2.1 Policy 8
    3.2.2 Strategic objective 9
  3.3 Organisation, Resources and Documentation 9
    3.3.1 Organisational structure and responsibilities 9
    3.3.2 Management representative 10
    3.3.3 Resources 10
    3.3.4 Competence 10
    3.3.5 Contractor HSE management 11
    3.3.6 Communication 11
    3.3.7 Documentation and its control 11
  3.4 Hazards and Effects Management (HEMP) 13
    3.4.1 Overview 13
    3.4.2 HEMP in design 14
  3.5 Planning and Procedures 15
    3.5.1 General 15
    3.5.2 Asset integrity 15
    3.5.3 Procedures and work instructions 15
    3.5.4 Management of change 15
  3.6 Implementation and Monitoring 16
    3.6.1 Activities and tasks 16
    3.6.2 Monitoring 16
    3.6.3 Records 16
  3.7 Audit 16
    3.7.1 Auditing 16
    3.7.2 Audit action and feedback 17
  3.8 Review 17
    3.8.1 Review 17
    3.8.2 Feedback from review 17

4 Identification and Assessment of Hazards 19
  4.1 Hazard Identification 19
    4.1.1 Experience 19
    4.1.2 Checklists 19
    4.1.3 Codes and standards 19
    4.1.4 Structured review techniques 19
  4.2 Hazard Assessment 21
    4.2.1 Overview 21
    4.2.2 Codes and standards 22
    4.2.3 Qualitative analysis 23
    4.2.4 Consequence analysis 23
    4.2.5 Quantitative Risk Assessment (QRA) 24
  4.3 A Framework for Hazard Identification and Assessment 25

5 Control of Hazards 29
  5.1 Overview 29
    5.1.1 Design for ease of operation and maintenance 29
    5.1.2 Substitution 30
    5.1.3 Reduce inventory of toxic/hazardous materials 30
    5.1.4 Simplify the process 30
    5.1.5 Reduce probability of loss of containment 31
    5.1.6 Eliminate sources of ignition 31
    5.1.7 Reduce pressure 31
    5.1.8 Reduce temperature 31
    5.1.9 Reduce volatility 32
  5.2 General System Design Considerations 32
    5.2.1 Overview 32
    5.2.2 Operability and maintainability 32
    5.2.3 The design envelope 38
    5.2.4 Corrosion mitigation 41
  5.3 Specific Equipment Design Considerations 42
    5.3.1 Overview 42
    5.3.2 Piping and pipelines 42
    5.3.3 Pig launchers and receivers 45
    5.3.4 Pressure vessels 46
    5.3.5 Heat exchangers 47
    5.3.6 Furnaces and heaters 48
    5.3.7 Machinery 49
    5.3.8 Atmospheric storage tanks 54
    5.3.9 Electrical systems 56

6 Recovery from Hazardous Events 59
  6.1 Facilities Layout 59
    6.1.1 Objective 59
    6.1.2 Functional requirements 59
    6.1.3 Guidelines 60
  6.2 Facility Control Centre 69
    6.2.1 Objective 69
    6.2.2 Functional requirements 69
    6.2.3 Guidelines 69
  6.3 Process Safeguarding 72
    6.3.1 Objective 72
    6.3.2 Functional requirements 72
    6.3.3 Guidelines 73
  6.4 Fire and Gas Detection System 75
    6.4.1 Objectives 75
    6.4.2 Functional requirements 75
    6.4.3 Guidelines 76
  6.5 Emergency Shut-Down System 82
    6.5.1 Objective 82
    6.5.2 Functional requirements 82
    6.5.3 Guidelines 83
  6.6 Emergency Depressurisation (EDP) - Vent and Flare 85
    6.6.1 Objective 85
    6.6.2 Functional requirements 85
    6.6.3 Guidelines 85
  6.7 Emergency Power System 89
    6.7.1 Objective 89
    6.7.2 Functional requirements 89
    6.7.3 Guidelines 90
  6.8 Drainage Systems 91
    6.8.1 Objective 91
    6.8.2 Functional requirements 91
    6.8.3 Guidelines 91
  6.9 Active Fire Protection 93
    6.9.1 Objectives 93
    6.9.2 Functional requirements 93
    6.9.3 Guidelines 94
  6.10 Passive Fire Protection 105
    6.10.1 Objectives 105
    6.10.2 Functional requirements 105
    6.10.3 Guidelines 106
  6.11 Evacuation, Escape and Rescue Provisions 108
    6.11.1 Objective 108
    6.11.2 Functional requirements 109
    6.11.3 Guidelines 109

Appendix I Fire and Explosion Strategy 117

Abbreviations 121

Glossary 123

References 125

EP 95-0230 Revision 0 27 October 1995




1 INTRODUCTION
1.1 Objective of this Document
This document has been prepared for those involved in supervising the engineering design of
Exploration and Production facilities. The objectives of the document are:
  to describe the specific application of Hazards and Effects Management Process (HEMP) in
  engineering design, namely:
    the techniques available for hazard identification
    the varying approaches to hazard assessment
    methods of controlling and recovering from hazardous events.
  to provide a route map to more detailed references and provide guidance in their application.
  to provide a frame of reference for the application of hazard management tools and techniques.

1.2 Background
In the engineering design phase, there is considerable scope to remove or minimise hazards. It is
during this phase that provision can be made to reduce the risks associated with a process, system or
facility to a level that is as low as reasonably practical (ALARP).

This can be achieved in a number of ways. In order of preference these are:
  removal of hazards
  reducing the probability of hazardous events occurring
  minimising the risk of escalation should a hazardous event occur.

Once the hardware has been installed, retroactive implementation becomes relatively more hazardous
and considerably more expensive:
new design teams have to be mobilised
the introduction of new facilities may introduce previously unrealised hazards
construction activities have to take place in the midst of an operational plant
the implementation of new hardware may attract loss of revenue due to production downtime.

It is crucial therefore that the opportunities available for minimising risk in the design and
engineering phase are not lost.



2 OVERVIEW
2.1 Scope of the Document
This document provides the information required to manage HSE during engineering design. It
provides guidance on:
the organisation and procedures necessary for management of HSE
the tools available for HSE analysis, or Hazards and Effects Management Process (HEMP)
the identification, assessment and control of hazards associated with common EP plant and
equipment
recovery from hazards
the objectives, functional requirements and guidelines for specific safety systems.

The chapters on controlling and recovering from hazardous events contain much material from the
previous Safety Manual, EP-55000, in particular, Section 21 (Safety in Engineering Facilities Design)
and Section 23 (Fire Damage Mitigation).

The more detailed material (especially prescriptive type information) in those documents is being
transferred into other functionally supported documents, particularly DEPs. This document is intended
as a route map to this more detailed information whilst retaining key overview advice on HSE
management principles and objectives.

Although this is a 'design' document, it mainly addresses the hazard management process as it relates to
the containment of hydrocarbons. It does not as yet address many other areas of design such as offshore
structures, floating units and subsea processing facilities and risers.

2.2 Area of Coverage


The document provides guidance on the HSE issues to be addressed in engineering design.

Engineering design in this context is identified as the period that commences with the issue and
approval of the Project or Field Development Plan. At this stage the previous consideration of a variety
of development options has been narrowed down for more detailed optimisation and engineering. The
period concludes with the issue of the approved AFC drawings, completion of the material requisitions,
and provision of agreed commissioning and operating manuals and procedures.

These areas are described within the EP Business Model (EPBM) under activities A-12.01 Prepare
Conceptual Design and A-12.02 Prepare Detailed Design (Ref. 1).

The principal activities undertaken during this period include:


preparation of the Basis for Design
execution of Conceptual Engineering Design and preparation of the Project Specification
execution of Detailed Design (including preparation of construction work scopes).

Within the context of the total project development, hazards and effects management in this phase will
build upon the studies and decisions made in the foregoing phases. Equally the decisions made during
this phase will have implications for future phases. Below is a synopsis of the changing emphasis of
HEMP, complete with an indication of where guidance on each phase can be found.


Concept Development (EP 95-0220): It is during this phase that most of the major hazards and effects
will be identified and an initial assessment of their importance will take place. In this phase there is
considerable scope for removing potential hazards. The emphasis is on safeguarding HSE by adopting,
where possible, an inherently safe approach, e.g. specifying unmanned (rather than manned) facilities,
placing processing facilities onshore rather than offshore etc.

Conceptual Design and Project Specification (This Section): During this phase there is still a clear
identification and assessment focus, albeit at a more detailed level of application. The emphasis is on
incorporating inherently safe features at a detailed level, and prescribing passive and active control
measures for remaining hazards. These are incorporated into the philosophies and engineering drawings
(process engineering flow scheme [PEFS], process flow schemes [PFSs], Cause and Effects etc) which
constitute the base documents for the remainder of the design phase.

Detailed Design (This Section): By the time the detailed design phase is reached, the cornerstones of
the HSE safeguards will have been placed. The emphasis becomes directed to the detailed engineering
of the agreed control and recovery measures, and developing procedural control and recovery
mechanisms.

Construction and Commissioning (This Section and EP 95-0240): The methods of construction imposed
by the design will dictate, to a certain extent, the risks associated with the construction and
commissioning phases. Where possible the risks associated with construction should be minimised by
careful design. Residual risks will be fed forward as input to the construction contracting process.
Construction execution presents its own hazards, and for major projects a separate construction HSE
Case may often be prepared.

De-commissioning: Decisions made in the design phase will often have considerable impact on the
options available for decommissioning. The physical difficulties associated with decommissioning and
the obligations placed on the operator during the decommissioning should be considered during design.

Operations (EP 95-0250): Decisions made during the engineering phase should reflect an agreed
operations and maintenance philosophy. At the handover stage a HSE case should be in existence
which formally documents the hazards and effects associated with the facility and the methods for
their control.

2.3 Organisation of the Document


The document is structured in the following way:

Chapter 3 HSE Management: Highlights the elements of an HSE management System and the HSE
Management principles relevant to engineering design. The structure of this section is consistent with
Section EP 95-0100: HSE Management Systems, and builds on the generic HSE management principles
described within that section.

Chapter 4 Identification and Assessment: Describes the various methods of identifying and assessing
hazards and effects - both qualitative and quantitative.

Chapter 5 Control of Hazards: Defines the principles of inherent safety and hazard control, and
indicates how these principles are applied to design.

Chapter 6 Recovery from Hazardous Events: Defines for those systems provided for recovering from
the consequences of hazardous events:
  system objectives
  functional requirements
  guidelines.



3 HSE MANAGEMENT SYSTEM


Figure 3.1 HSE Management System

[Figure 3.1: block diagram of the HSE Management System. Elements, in sequence: Leadership and
Commitment; Policy and Strategic Objectives; Organisation, Responsibilities, Resources, Standards &
Doc.; Hazards and Effects Management; Planning & Procedures; Implementation; Monitoring; Audit;
Review. A Corrective Action feedback loop spans Planning & Procedures, Implementation and
Monitoring; Corrective Action & Improvement feedback loops are shown from Audit and from Review.]

Overview
A management system describes the way a process or activity is managed with respect to its stated
objectives (Figure 3.1). It does this by concentrating on critical aspects, ensuring they are properly
controlled, measured and reported so as to assure performance and identification of areas for
improvement. The introduction of such systems for the management of health, safety and environment
is required in many areas by legislators, and many of them now require the production of a facility
specific Safety, or HSE, Case.

Where an HSE Management System has been developed and implemented, management, shareholders,
employees, and where appropriate, regulators, will have assurance that:
the hazards and effects associated with the asset and its operation have been fully identified and are
properly managed
the assets being operated by the company have been designed and are being operated to meet known
criteria
the methods employed to manage risks have been systematically identified and appropriate know-
how, controls and verification processes have been applied
the methods and quality of application are continually assessed and improved by a systematic
programme of performance monitoring, audit and review
there is documentary evidence of the above.


The E&P Forum has produced guidelines for HSE Management which have been adopted by the Shell
Group as the basis for their HSE MS. EP 95-0100 contains details of that HSE MS which is applicable
at both corporate and activity level. The remainder of this chapter retains the same structure as that
section and provides guidance particularly relevant for engineering design.

For a specific facility the HSE Management System is translated into a facility-specific document (the
HSE or Safety Case). A central element of that HSE Case is produced during the engineering design
phase, i.e.:
the demonstration that all potentially significant hazards have been identified
the risks from those hazards evaluated, understood and minimised to ALARP level
the controls to manage the causes (threats) and consequences of hazardous events are in place.

The format of the documentation of that Hazards And Effects Management Process (including the
Hazard Register) is included in EP 95-0310 Implementing and Documenting an HSE Management
System and HSE Cases.

3.1 Leadership and Commitment


Strong and visible leadership from Management is necessary to promote a culture conducive to
minimising risks. Senior Management must foster the active involvement of employees and contractors
towards improving HSE performance by encouraging a culture of belief, motivation, individual
responsibility, participation and commitment.

Demonstration of commitment to HSE includes:


ensuring that HSE criteria are explicitly considered in decisions
providing appropriate resources for HSE studies and analysis
communicating (in presentations and documentation) the HSE aspects of design in the development.

3.2 Policy and Strategic Objectives


3.2.1 Policy
Policies are the means by which Management communicate their intentions and expectations. A policy
is a concise statement of belief, principles and direction.

HSE policy documents should form part of a structured hierarchy. At the highest level is the Shell
Group HSE Policy. This in turn has been customised by individual Operating Companies (Opcos) into
policy statements that reflect local conditions and priorities. The policy is normally restricted to one
A4 page of concise action-oriented statements.

For major projects the development of a specific project HSE policy statement, signed by the project
manager should be considered. The preparation of such a document gives a clear HSE focus both
internally to the project team, and equally to external agencies, both contractors and regulatory bodies.

The project HSE policy document should set out both the overall policy of the project (which
recognises the specific scope and external considerations) and also the roles and responsibilities of the
project organisation.


3.2.2 Strategic objective


At the end of the design phase all potential opportunities for hazards and effects reduction should have
been evaluated and, where appropriate, incorporated. Within the operations phase the only ability to
control hazards is by the application of procedural controls and employee competence assurance.

The strategic objectives of a design should therefore include:


the provision of a facility where the risks have been reduced to a level that is ALARP
the provision of documentation to demonstrate the above, and to provide a link into the operations
phase.
In relation to these overall objectives a number of sub-objectives should be defined in areas such as
asset loss and damage, personnel injury, damage to health, escape and rescue, environmental effects
etc. Performance criteria should be defined to allow measurement of the degree of success in meeting
the stated objectives.

3.3 Organisation, Resources and Documentation


3.3.1 Organisational structure and responsibilities

Single Point Responsibility


Regardless of the size of a design, or structure of the project organisation, the responsibility for
implementation of all HSE objectives must always lie with the project manager. The project manager is
responsible for ensuring that HSE considerations are given appropriate weighting, equivalent to the
project cost, schedule and quality.

Two relatively independent tasks face the project manager in managing the HSE aspects of his project:
  to optimise the development of the facilities and the associated procedures and technical
  information so as to minimise the hazards and effects during their operating life and subsequent
  decommissioning
  to exercise full control of the HSE aspects in the execution of the project itself (i.e. the day-to-day
  HSE risks encountered by the project team: transport, office, health etc.).

Within the design phase the development of a 'safe and environmentally acceptable facility' will tend to
be the dominant task. It should however be realised that decisions made in the design phase will have
an impact on the direct HSE risks imposed in the construction phase. Further consideration of the
impact on construction is given in EP 95-0240 Construction and Commissioning.

Interdisciplinary Involvement
Representatives from operations and maintenance should be fully involved from the earliest moment,
either on a permanent or part-time basis. They will provide valuable input in the following areas:
definition and interpretation of the operating and maintenance philosophies
hands-on experience of operating hazards
relative merits of hardware and procedural controls for managing hazards
development of commissioning and handover plans
requirements for, and contents of, operating documentation


Most importantly, they will prepare the first draft of the Operations HSE Case.

The personnel seconded for this role should have an adequate level of seniority, experience, vision and
authority to ensure that operating hazards are fully identified and that suitable control measures are put
in place.

The optimisation of the facility design with respect to HSE also requires a high level of
interdisciplinary co-ordination between the engineering disciplines. The project manager should ensure
that the schedule of preparation of key design deliverables is supported by a schedule of
interdisciplinary reviews.

Specialist HSE input


The size and scope of a project will determine the need for full-time specialist advisors in the field of
HSE. Where full time HSE staff are not included the detailed project plan, showing the specific HSE
studies planned, should be agreed with the Opco HSE department to ensure that resources (internal or
external) will be available.

In cases where it is proposed to carry out detailed HSE studies using external contract resources,
specialist in-house HSE resources should be consulted regarding:
the choice of contractor
the scope of work
study outputs and evaluation criteria
selection of input data and study assumptions.

3.3.2 Management representative


Within the design phase of a project significant quantities of work are often undertaken in a contractor's
office. A client representative should be nominated to be the focal point for overall contractor - client
communication. He should be made responsible for monitoring and ensuring client verification and
approval of HSE issues e.g. deviations from standards, design changes etc and for verifying that the
necessary interdisciplinary communication is taking place within the contractor's design team to ensure
an integrated approach to the management of hazards. It is his contractor counterpart who should ensure
execution.

3.3.3 Resources
The resources required are a function of the project scope size and complexity, the geographical spread
of the individual work packages, and the selected contract strategy. In respect of HSE, the resources
required should be mapped out after development of the overall project schedule which clearly
identifies the individual studies, reviews and deliverables throughout the design phase.

3.3.4 Competence
It is fundamental to HSE management that people required to plan and execute HSE critical activities
are competent - competency being achieved by a combination of theoretical knowledge and practical
experience. Detailed guidance on the assurance of competency is given in EP 95-0120 Competence
Assurance for HSE Critical Activities. In relation to design, this issue is likely to be of most relevance
during the selection of contracting organisations and specialist consultancy services.


The best indicator of competence is the successful execution of similar previous work and studies. It
should be noted however that guarantees of competency are not provided just by the selection of a
'reputable' company or contractor. That reputation has been achieved by the work of specific
individuals, and therefore the CVs of nominated individuals should be screened. In times of high
demand for the contractor's services there may be a temptation to substitute the individuals proposed by
less qualified and experienced staff. The possibility of awarding a contract subject to the availability of
named individuals should be investigated.

3.3.5 Contractor HSE management


As noted above a large part of design activities are normally executed by contractors. The selection of
a suitably resourced competent organisation is therefore critical.

The formal links and reporting relationships to the client should be clearly defined at the outset of the
contract and internal quality control procedures should be one of the first agreed deliverables.

These should include formal procedures for:


approval and release of accredited personnel
design check and review
interdisciplinary checks
deviation and change control
drawing and document registers and controls
agreed authority levels for sign off
the specific routing and authority levels for client review and approval of specific deliverables.

3.3.6 Communication
Within the design phase the basic data, assumptions, and system descriptions are undergoing gradual
evolution as the level of engineering becomes more detailed. It is therefore essential that the updated
status of the information is clearly communicated across the project organisation. Interdisciplinary and
inter-functional mis-communication is frequently the cause of HSE problems that come to light later in
the development. Similarly the later transmission of information to the eventual Asset Holder needs to
be considered early. The quantity and format of data needs to be defined and agreed in order to avoid
the rework associated with the conversion of project data bases.

3.3.7 Documentation and its control


Design generates a substantial number of documents and data which can be divided into three broad
categories:
  Input: Legislation, Philosophies and Policies, Standards, Corporate Guidelines.
  Control: Internal procedures - defining how the work is conducted.
  Output: Engineering deliverables, calculations, drawings, MTOs, procedures, Safety Case, etc.
For all control and output documents a custodian list should be developed and an archiving system put
in place to maintain an auditable trail of revisions.


Regulatory and Legal Requirements


Early in the project the existence of national or regulatory requirements which have a potential impact
should be identified and the initial project plan should clearly list the public bodies having jurisdiction
over design, construction and operation.

These requirements will form the minimum mandatory acceptance criteria. As such they should be
reviewed to identify any specific deliverables (e.g. Environmental Assessment, HSE Case) and the
project plan should include milestones for the delivery of these.

Philosophies
In order to provide a clear framework for the engineering of facilities, a number of high level objectives
and philosophies should be explicitly documented early in the project. These include:
Operating philosophy
Sparing philosophy
Maintenance philosophy
Fire and Explosion Strategy (FES)
Security philosophy.

These strategies and philosophies together with their objectives and performance criteria become part
of an HSE Case for an installation or operation. Further information on the FES is provided in
Appendix I.

Standards
Shell projects should conform to the standards prevailing in the Group. Where regulatory standards are
more stringent then they should augment the Shell requirements.

Standards form the primary source of reference during the project, and also partly the criteria against
which the project may be audited. Care should be taken in the selection of standards to ensure that they
are relevant and applicable.

The principles set by the Standardisation Spearhead should be followed - i.e. adoption and adaptation
is preferable to creation. Where possible international standards should be specified, amended only
where necessary to reflect local circumstances and Group experience. The following hierarchy is
applicable:

  Industry standards: National, international and industry standards (e.g. ISO, API, BS).
  SIEP standards: Standards such as the Shell Health, Safety and Environment Committee (SHSEC)
  guides, DEPs, EDPs, SQAIR (Shell Quality And Inspection Requirements).
  Opco standards: Opcos may have standards which reflect local operating conditions.
  Contractor standards: Specialist contractors may require their own standards, or they may be more
  applicable than Opco requirements.


The standards and procedures to be applied during the project should be clear and auditable. Having
agreed the suite of project standards it is accepted that there will be occasions when deviations are
deemed applicable. A procedure and set of authorised signatories for the deviations shall be created. In
addition, a log of deviations should be maintained.

Acceptance Criteria
A project may be judged on its success in meeting its declared HSE objectives. As the project
progresses, the overall objectives should be increasingly refined to provide lower level measurable
objectives for individual elements of the design.

Details are provided in EP 95-0310 of how to formulate acceptance criteria.

Health, Safety and Environment Management System and the HSE Case
The Opco's HSE MS defines the policy, objectives, organisation responsibilities, standards and
procedures, business processes and controls that are required to manage HSE. Documentation of this
management system forms the HSE MS Manual. As such the HSE MS should provide guidance on the
steps necessary to ensure that the risks within a facility are ALARP.

The primary HSE output document of a project is the HSE Case, new or modified, for the facility.

The HSE Case is the documentation of the HSE MS as applied to a site-specific installation or
operation. The HSE Case also provides a comprehensive description of the hazards and effects
associated with the particular installation or operation, and the means by which they have been assessed
and controlled. It also details emergency preparedness and contingency planning aimed at safeguarding
life, the environment and the asset as well as recovering from any emergency situation that may occur.
The Case concludes with a Statement of Fitness, demonstrating that all potential hazards and effects
have been evaluated and measures have been, or will be, taken to reduce the risks to the lowest level
that is reasonably practicable.

The means of preparing the HSE MS, and the HSE Case complete with a recommended format are
described in EP 95-0310.

3.4 Hazards and Effects Management (HEMP)


3.4.1 Overview
As noted in EP 95-0100, the process of Hazards and Effects Management (HEMP) comprises five steps
to minimise risks to Health, Safety or the Environment:
  systematically identify hazards, threats and potential hazardous events
    what can go wrong?
  evaluate (assess) the risks against accepted screening criteria, taking into account the likelihood of
  occurrence and severity of the consequences to people, assets and the environment
    how likely is it to occur?
    how serious is it?
  record the significant hazards and effects
    document the findings
  implement suitable risk reduction measures (control and mitigate)
    can the hazard be eliminated or controlled?
    reduce the probability of occurrence
    reduce the consequences
  plan for recovery in the event of a loss of control
    what measures are required if the hazard occurs?
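The five HEMP steps above, together with the order of preference for risk reduction stated in section 1.2 (removal, then reduced probability, then limited escalation), can be carried through as a small hazard register with a screening pass. The following is an added illustration and is not code from EP 95-0230 or from Shell; the likelihood and severity classes, the likelihood x severity matrix, the tolerability threshold and the three register entries are all constructed assumptions standing in for an Opco's own screening criteria and a real project's hazard register.

```python
"""Hazard register with risk screening, illustrating the HEMP steps.

Added example, not part of EP 95-0230. The scales, matrix, threshold and
register entries below are constructed assumptions, not Opco criteria.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed ordinal scales (1 = lowest); an Opco's own criteria would replace them.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
TOLERABLE_SCORE = 6  # assumed: a likelihood x severity score above this must be reduced

# Order of preference for risk reduction, as stated in section 1.2 of the manual.
MEASURE_RANK = {"removal": 0, "probability": 1, "escalation": 2}


@dataclass
class Control:
    description: str
    kind: str                              # "removal", "probability" or "escalation"
    new_likelihood: Optional[str] = None   # class after the control is applied
    new_severity: Optional[str] = None


@dataclass
class Hazard:
    ref: str
    hazard: str                 # what can go wrong
    threats: list
    hazardous_event: str
    likelihood: str             # how likely is it to occur
    severity: str               # how serious is it
    controls: list = field(default_factory=list)
    recovery: list = field(default_factory=list)   # what is required if it occurs


def risk_score(likelihood: str, severity: str) -> int:
    """Step 2: rank the risk on the assumed matrix."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def residual_score(h: Hazard) -> int:
    """Step 4: apply controls in order of preference; 0 means the hazard was removed."""
    lk, sv = h.likelihood, h.severity
    for c in sorted(h.controls, key=lambda c: MEASURE_RANK[c.kind]):
        if c.kind == "removal":
            return 0
        lk = c.new_likelihood or lk
        sv = c.new_severity or sv
    return risk_score(lk, sv)


def screen(register):
    """Return refs of hazards that are not yet acceptable: residual risk above the
    threshold, or a significant residual hazard with no recovery provision (step 5)."""
    findings = {}
    for h in register:
        r = residual_score(h)
        if r > TOLERABLE_SCORE:
            findings[h.ref] = "risk above screening criterion"
        elif r > 0 and not h.recovery:
            findings[h.ref] = "no recovery provision recorded"
    return findings


REGISTER = [  # constructed entries for illustration only
    Hazard("H-01", "flammable hydrocarbon inventory in separator",
           ["corrosion", "overpressure"], "loss of containment and fire",
           "possible", "catastrophic",
           controls=[Control("corrosion allowance and inspection", "probability",
                             new_likelihood="unlikely"),
                     Control("ESD isolation limits released inventory", "escalation",
                             new_severity="major")],
           recovery=["F&G detection", "emergency depressurisation", "deluge"]),
    Hazard("H-02", "toxic solvent in utility service",
           ["spill during maintenance"], "operator exposure",
           "likely", "major",
           controls=[Control("substitute with non-toxic solvent", "removal")]),
    Hazard("H-03", "elevated pressure in export line",
           ["blocked outlet"], "pipe rupture",
           "unlikely", "major",
           controls=[Control("relief valve sized for blocked outlet", "probability",
                             new_likelihood="remote")]),
]

if __name__ == "__main__":
    for h in REGISTER:  # step 3: the register itself is the record of findings
        print(h.ref, risk_score(h.likelihood, h.severity), "->", residual_score(h))
    print(screen(REGISTER))
```

Run as a script, H-02 disappears from the findings because substitution removes the hazard outright, H-01 is still flagged because its controls only bring the score down to 8, and H-03 is flagged for a missing recovery provision rather than for its residual score; the screening thresholds are the part a real project would take from its agreed acceptance criteria.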

3.4.2 HEMP in design


Design and engineering, as defined in the EP Business Model (Activity A-12 Design, Construct,
Modify or Abandon Facilities), includes the following major activities and deliverables.

Prepare conceptual design (A-12.01): Carry out all activities concerning project technical scope
definition in sufficient detail to allow the preparation of the firm budget proposal. This activity
includes the following sub-activities:
  Make Basis for Design (A-12.01.01)
  Produce Conceptual Design (A-12.01.02 - A-12.01.11)
  Compile Project Specification (A-12.01.13)

Prepare detailed design (A-12.02): Carry out all discipline and inter-discipline activities necessary to
prepare the detailed design of new or modified facilities or for facilities decommissioning.

The HEMP in design is based on the systematic identification and assessment of potential hazards and
effects, and the subsequent definition of suitable control and recovery provisions. The activities within
design are a continuation of the work that will have commenced earlier in the project development.
The earlier HEMP activities will have focused on the high level identification and assessment of
hazards and effects, and their minimisation by overall concept selection, e.g. by use of HAZID, see EP
95-0312 HAZID. The activities within the phases described above consist of the more focused
application of the HEMP process. Control provisions can be hardware or administrative/procedural
controls; inherent or passive control mechanisms are preferred to active or procedural measures.

Recovery provisions are implemented to mitigate the consequence of hazardous events. Again the
emphasis is on applying inherent and passive techniques where possible.

A summary of the HEMP process and the associated tools and techniques is contained in EP 95-0300.

The detailed application of HEMP in design is described throughout the remainder of this document
within the following chapters:
- Chapter 4 Identification and assessment of hazards
- Chapter 5 Control of hazards
- Chapter 6 Recovery preparedness.

3 HSE Management System

3.5 Planning and Procedures


3.5.1 General
The foundation for the successful application of the HSE MS is a detailed plan which integrates the
various steps of HEMP into the overall project schedule. Volume 3 of this EP HSE Manual gives
details of the available hazards and effects management tools, reviews, studies, methodologies and
their associated objectives, scope, timing and deliverables.

The cost, time and resources required for HSE management must be fully integrated into the overall
planning. The project plan should specify the milestone points at which HSE studies and activities (e.g.
reviews, audits, HAZOPs, QRA, EA) are required. Sufficient allowance must be made in the project
schedule to incorporate the accepted recommendations arising from such activities.

3.5.2 Asset integrity


Activities undertaken during the design phase are aimed at specifying a facility or asset that has a
defined level of technical integrity. The activities within the construction and commissioning phases
will ensure that the appropriate tests and checks are carried out to confirm that this integrity has been
achieved. During its operational phase the asset must be operated and maintained within the designed
operating envelope. In summary, design creates technical integrity and operations safeguards it.

In specifying the facility during the design phase it is recognised that it is not appropriate to provide
hardware for all eventualities (including low probability events) and that in many cases the controls in
the operational phase will be procedural/competency controls, not hardware.

It is therefore crucial to the operation of the facility that the assumptions and design rules selected are
explicitly documented and passed on to the operations phase in a readily usable and understandable
format. The key deliverables that contain this essential asset integrity information are the Operations
HSE Case (particularly with respect to the Hazards and Effects Register) and its associated Manual of
Permitted Operations (MOPO). The MOPO defines the level and numbers of barriers installed initially
and the recovery preparedness measures to be in place and the limits of safe operation if the barriers
and/or recovery preparedness measures are reduced or removed.

Of particular importance is the management of corrosion and its relationship with inspection. This
needs to be defined in the HSE Case.

Further details are contained in EP 95-0310 Implementing and Documenting an HSE Management
System and HSE Cases.

3.5.3 Procedures and work instructions


Details are given in 3.3.5 of those areas of the design activity for which formal control, monitoring and
authorisation is required. The adherence to these procedures should be the subject of regular review and
audit.

3.5.4 Management of change


At the end of the Basis for Design and conceptual design the documents produced should be 'frozen',
and any subsequent changes subject to a formal change control procedure. Prior to freezing the
documents, considerable resources will have been spent in creating technical integrity. The simplest,
smallest and cheapest changes can have the effect of destroying technical integrity. The formal change
system should include the effect of the changes on technical integrity, as well as cost, schedule and
contractual impacts.

3.6 Implementation and Monitoring


3.6.1 Activities and tasks
The activities and tasks carried out within design are essentially intellectual in nature. The nature of
the work is such that it relies heavily on professional competence and the application of good practice,
supported by codes, standards and analysis techniques. Whilst detailed engineering itself cannot be
easily regulated by procedures, overall control guidelines should be in place to regulate the checking
and authorisation of the output. In order to ensure interdisciplinary communication, regular cross-
discipline reviews should be scheduled.

3.6.2 Monitoring
A formal system should be in place for assuring the HSE aspects of design. This should apply to the
development of drawings and specifications and to the verification of calculations.

A minimal level of assurance will normally require at least the following three signatures:
- the person preparing the document
- a supervisor who checks the work
- the project manager, or his designate, who approves it.

The procedure should be formalised, and the listing of authority levels kept up to date.

Where work is carried out by consultants/contractors, the provision of internal QA procedures should be
specified in the contract. A schedule should be agreed to regularly review the system and ensure it is
being followed.

3.6.3 Records
Procedures should be established to ensure the integrity, accessibility and control of HSE critical
documents and records. The control of these documents should form part of the contractor's QA
procedures. In addition a policy should be established as to which documents to archive, and for what
period.

3.7 Audit
3.7.1 Auditing
During the design a programme of audits should be conducted to ensure that the control processes
described above are being effectively implemented. Where design activities are being undertaken by a
third party, control measures and associated QA procedures should be a requirement under the contract.
Audit of those agreed procedures should be a contractual right.

EP 95-0130 Audit gives more detailed advice on the application of auditing techniques.

3.7.2 Audit action and feedback


Action items will be generated by the various audits. A system should be set up to ensure that there is
an auditable trail from an initial recommendation, to its final close out.

Periodic reviews of the action log should be undertaken to ensure that the system is working effectively
and that sufficient detail is being recorded. It is not sufficient to record comments such as 'done,
checked, rejected, etc' in response to action items. The system should record reasons for rejection,
references to checks made and conclusions and references to the action implementation, e.g. drawing
revisions, etc.

3.8 Review
3.8.1 Review
In the same way that the control measures are subject to periodic review, so the technical development
of the facility should be subject to reviews at agreed milestones.

Whilst a number of these will be internal interdisciplinary reviews, it is essential that a number are
conducted with a degree of independence. The resources to conduct the independent reviews can be:
- a separate Project Group (peer review)
- Central Engineering Function
- SIEP.

The role of review is described in EP 95-0100.

3.8.2 Feedback from review


Experience gained from the development of a design and the reviews of the design should be available
for future projects in quality close-out reports.

Sections describing the design should be written on completion of the design phase not on completion
of the project.


4 Identification and Assessment of Hazards

4 IDENTIFICATION AND ASSESSMENT OF HAZARDS


4.1 Hazard Identification
The starting point in any HEMP is Hazard Identification. Failure to identify potential hazards and
effects, or identifying them too late in the development cycle may lead to failure to implement control
measures, or to the provision of inefficient control measures (e.g. a hazard has to be controlled over the
operational life of the facility by procedures, whereas hardware could have been provided).

At the commencement of design, there should be an initial listing of high level hazards and
environmental effects as a result of a Hazard Identification (HAZID) study and an Environmental
Assessment (EA) conducted during the feasibility stage of the project. During the conceptual design,
this identification process is taken to a finer level in order to allow detailed assessment and the
provision of control measures at a detailed level.

Hazard Identification can be assembled from a number of sources:
- experience
- checklists
- codes and standards
- structured review techniques.

4.1.1 Experience
It is possible to identify a large number of hazards and effects from the experience of personnel. Some
hazards are obvious, but others less so. Success in identifying the less obvious is a function of
individual experience, operational input from existing facilities, and the ability of the organisation to
document the lessons from previous incidents/accidents. Whilst single events are often easy to
envisage, those events which present hazards in combination with others are less easy to foresee.

4.1.2 Checklists
A number of checklists can be developed to aid the Hazard Identification process. The potential danger
of checklists is that they encourage a 'tick off' mentality and stifle the search for issues not covered by
the lists. Equally, as with 'experience', they do not deal effectively with hazards that arise from
interactions.

4.1.3 Codes and standards


Codes and standards are the collective knowledge of many years of operating experience. As such they
are focused examples of HEMP for a defined area or piece of equipment.

4.1.4 Structured review techniques


To overcome the limitations of individual experience and checklists, a number of structured review
techniques have been developed:
- HAZID (HAZard IDentification)
- HAZOP (HAZard and OPerability study)
- SAFOP (SAFety and OPerability study)
- EA (Environmental Assessment)
- HF (Human Factors Analysis)
- HRA (Health Risk Analysis).

The above are not restricted to identification but can include assessment.

HAZID
HAZID is a methodology for the early identification of high level hazards. The technique is based on a
set of guidewords in a team brainstorming process. The methodology is directed towards the earliest
stages of project development where major directional changes can be made to the project.

It is suitable for application during concept selection, and equally for review of basic development
concepts when the following level of information is normally available:
- operations philosophy
- sparing and maintenance philosophy
- process flow schemes
- preliminary layouts
- fire and explosion strategies.

The methodology is described fully in Volume 3 of this HSE manual in EP 95-0312. This study will
normally have been performed in the feasibility stage and provides a basis for hazard identification
during conceptual design.

HAZOP
A HAZOP study is the most widely accepted and powerful of the hazard identification tools available
for reviewing the design of process facilities and, if used properly, can overcome many of the
shortcomings of process design checks alone.

The HAZOP study is undertaken by a multi-disciplinary team. The team considers for each element of
the design possible deviations from the design intent to determine whether appropriate means of
protection have been provided. The study is structured around simple guide words which are used to
prompt the team to identify deviations. The HAZOP technique can be used for any flow process (as
reflected in a flow diagram) or a sequential procedure.

All new 'greenfield' and 'brownfield' projects should be subjected to Project Definition and Design
Freeze HAZOPs. Pre-startup and procedural HAZOPs may also be used in critical areas. Depending on
their complexity, change proposals may also be subjected to a HAZOP.

It should be emphasised that HAZOP is to be used in addition to, and not in place of, conventional
design checks. It is used after these conventional checks have been carried out.

Full details of the methodology, scope, timing and team composition are included in EP 95-0313 in
Volume 3 of this HSE manual.

SAFOP
For projects involving complex electrical power generation, transmission and distribution systems a
SAFOP study may be performed. The SAFOP method is broadly similar to a HAZOP although
different deviation prompting lists are used.

The objectives of a SAFOP are to:
- identify potential hazards to personnel in the vicinity of electrical installations or instrumentation
  systems
- provide a critical review of both network design and plant, and assess any limitations and their
  effects on operability and security of the system
- analyse tasks and procedures set for operators, assess facilities and recommend measures to avoid
  operator error.

A full description of the methodology will be provided in a future DEP. In the interim further details
may be obtained from SIEP electrical engineers.

EA - Environmental assessment
The objective of an EA is to predict the significant chemical, biological and socio-economic aspects of
an activity and to make recommendations on activities, sites, techniques and technologies to be
adopted in order to maximise the positive and minimise the negative effects. Within the EA an
environmental description is developed and the potential environmental hazards and effects identified
in order to determine any environmental control and recovery provisions necessary.

Full details of the methodology, scope, timing, etc are included in EP 95-0370 in Volume 3 of this
HSE manual.

HF - Human Factors
HF considers ergonomics in design, see EP 95-0324.

HRA - Health Risk Analysis


HRA considers health risks. Refer to SHSEC guides on Health Risk Assessment and Chemical Hazards
(Refs. 2 and 3).

4.2 Hazard Assessment


4.2.1 Overview

General
Having identified the scope of hazards and effects, the next step in the HEMP is Assessment. The
assessment techniques should consider the following:
- the effects on the health and safety of personnel
- effects on the environment
- risk to assets and production
- effects on reputation
- the cost effectiveness of risk reduction measures.

Assessment Techniques
Some of the above issues cannot be quantified; those that can may still carry considerable uncertainty.
Therefore, decision-making guidelines have to contain a large element of management and engineering
judgement. What is possible, however, is to ensure that the best available knowledge is presented to the
decision-maker in a useful, complete and concise manner. The decision-maker must be made aware of
what is fact, what is judgement and the nature, direction and magnitude of uncertainty. The two most
common types of decisions required are:
(i) whether a facility is safe and environmentally acceptable to operate, or an operation safe to carry
out
(ii) whether an HSE improvement can be justified.

Just what constitutes a 'safe design', a 'safe operation' or a 'justifiable HSE improvement' is not
something that can be simply described. Individual judgement is inevitably a major factor. However,
what is often called 'judgement' is usually supported by different levels of evidence appropriate to the
scale of the issue.

Broadly speaking, the supporting information can be split into four categories (the evidence, followed
by what it is compared with):
- Engineering judgement: codes, standards, objective argument (4.2.2)
- Qualitative analysis: goal setting criteria (4.2.3)
- Consequence analysis: physical parameters, acceptance criteria (4.2.4)
- QRA: options, risk criteria (4.2.5)

These four approaches form a hierarchy of evidence. The vast majority of issues should be resolved at
the first level (engineering judgement) with a gradually reducing number requiring additional analysis.

4.2.2 Codes and standards


For well understood hazards and effects, there will often be existing codes and standards that specify
recognised means of control. Compliance with accepted national, international or industry codes and
standards will in many cases be sufficient. This does not imply that they should be followed 'blindly'.
Intelligent analysis of the problem and sound engineering interpretation of the standards are required to
prevent gross over/under specification of control measures or to identify unusual circumstances not
(adequately) covered by them.

Many of the new generation of standards have moved away from a prescriptive approach, to one of
goal-setting objectives. Greater emphasis is given to inherent safety, i.e. designing out the hazard. Also
recognised is the fact that there may be several means of providing the same protection and that
providing many 'layers' of protection may be difficult to justify.

The approach in these cases is to undertake the analysis. Then, with a better understanding of the
consequences of the hazardous event, the most appropriate (cost-effective) means of control or
mitigation may be selected.

4.2.3 Qualitative analysis


In some cases it may be possible to demonstrate on the basis of probability alone that no action can be
justified. In these cases it is not necessary to evaluate the consequences because the event itself is so
unlikely. It must be appreciated, however, that even though the event is of low probability it might still
happen. It is on these grounds that oil installations are not protected, for example, against impact from
falling aircraft or meteorites.

4.2.4 Consequence analysis

General
If it can be demonstrated that a hazard is adequately controlled even under a worst case scenario, it
may not be necessary to evaluate all possible (i.e. less severe) outcomes. This is especially relevant in
the design of onshore facilities, where fewer space constraints mean that layout can readily cater for
maximum credible events. This approach should, however, be treated with caution. A fire resulting
from a release from a large diameter hole may be a less severe case than that from a smaller leak. In the
first case the pressure, and hence the flame length, decline rapidly. In the latter case the flame length
remains more constant and may impinge on a structural member for longer.

In order to evaluate physical effects associated with hydrocarbon events a number of physical effects
models have been developed within the Group. Physical effects modelling is described in detail in EP
95-0314.

Methods are available for predicting the scale of leaks, fires and explosions. These predictions are for
various single fire incidents and relate such factors as pressure, leak size and vessel inventory to, for
instance, thermal radiation and overpressures.

Effects of gas leaks and fires


The Shell Group suite of programmes FRED (Fire, Release, Explosion and Dispersion, available from
SIEP) provides a suitable method for calculating the magnitude of leaks from process equipment, the
dispersion of released hydrocarbon vapours and the flame shape and associated radiation due to any
ensuing fires.

Explosion Overpressures
There are no simple prediction programs for explosion overpressure. Thornton Research Centre (TRC)
have developed methods for both confined and partially confined explosions. The programme SCOPE
can be used to give reasonable predictions of overpressure in enclosed modules but does require major
simplifying assumptions about the shape and position of equipment within the module.

For onshore plant a method is given in the FRED suite of programmes which can predict the scale of
explosion overpressures. Further research work is ongoing to develop more accurate methods for
confined and semi-confined explosions.

4.2.5 Quantitative Risk Assessment (QRA)

Overview of the Method


QRA provides a structured means for assessing risk and expresses this numerically. The technique is
fully described in EP 95-0352.

QRA of process-related events usually commences with the identification of initiating events for
complex accident scenarios. Formal analytical methods, such as fault and event trees, are used to show
the relationships between initiating event, affected systems and final outcomes. The frequency of the
initial event is estimated, usually using historical data. The probabilities for the subsequent branches in
the fault or event tree are taken from historical data, modelling or expert judgement. The final
outcomes will be expressed as a frequency of occurrence and a measure of the consequence of that
particular scenario. The final outcomes may be summed to provide quantitative measures of risk for the
range of scenarios considered. These measures of risk (the product of risk analysis) are then used to
identify the main risk contributors and compare the relative effectiveness of risk reduction options.

The overall measures of risk used (which would normally also include day-to-day risks such as slips,
trips and falls and transport) are Individual Risk of death Per Annum (IRPA) and, for specific
installations and activities, Potential Loss of Life (PLL), Potential Loss of Asset and Potential Loss of
Revenue. For offshore installations, temporary refuge, escape and evacuation impairment frequencies
may also be calculated. Onshore an estimate of risk to the public may be appropriate.
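The arithmetic behind the fault tree, event tree and summed risk measures described above, as an added illustration that is not part of this manual or of EP 95-0352. All frequencies, branch probabilities, fatality figures and the two risk reduction options are constructed assumptions, and IRPA is obtained by the simplification of sharing PLL equally over the exposed persons.

```python
"""Constructed QRA sketch: fault-tree gates for the initiating event and a
safeguard, a binary event tree for the final outcomes, PLL/IRPA as the summed
risk measures, and a comparison of two risk reduction options."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Branch:
    name: str      # safeguard or condition at this node of the event tree
    p_fail: float  # probability of the adverse branch (safeguard fails / condition holds)


@dataclass(frozen=True)
class Outcome:
    path: Tuple[str, ...]  # adverse branches taken on this path
    frequency: float       # per year
    fatalities: float      # expected fatalities given this outcome


def or_gate(frequencies: List[float]) -> float:
    """Fault-tree OR gate over independent causes (rare-event approximation:
    the sum is adequate while each frequency is << 1 per year)."""
    return sum(frequencies)


def and_gate(probabilities: List[float]) -> float:
    """Fault-tree AND gate: every independent safeguard must fail (product)."""
    result = 1.0
    for p in probabilities:
        result *= p
    return result


def event_tree(initiating_frequency: float, branches: List[Branch],
               consequence: Callable[[Dict[str, bool]], float]) -> List[Outcome]:
    """Enumerate every path through a binary event tree. A path's frequency is the
    initiating-event frequency times the probability of each branch taken; the
    caller's consequence model maps the path to expected fatalities."""
    outcomes = []
    for choices in product([True, False], repeat=len(branches)):
        freq = initiating_frequency
        for branch, adverse in zip(branches, choices):
            freq *= branch.p_fail if adverse else (1.0 - branch.p_fail)
        state = {b.name: adverse for b, adverse in zip(branches, choices)}
        path = tuple(b.name for b, adverse in zip(branches, choices) if adverse)
        outcomes.append(Outcome(path, freq, consequence(state)))
    return outcomes


def potential_loss_of_life(outcomes: List[Outcome]) -> float:
    """PLL: expected fatalities per year, summed over all final outcomes."""
    return sum(o.frequency * o.fatalities for o in outcomes)


def individual_risk_per_annum(pll: float, persons_exposed: int) -> float:
    """IRPA under the assumption that the exposed population shares the PLL equally
    (a real study weights by time on site and location)."""
    return pll / persons_exposed


def main_contributors(outcomes: List[Outcome], top: int = 3):
    """Rank outcomes by their contribution to PLL to show where risk reduction pays."""
    ranked = sorted(outcomes, key=lambda o: o.frequency * o.fatalities, reverse=True)
    return [(o.path, o.frequency * o.fatalities) for o in ranked[:top]]


def gas_leak_consequence(state: Dict[str, bool]) -> float:
    """Constructed consequence model (expected fatalities) for a process gas leak."""
    if not state["ignition"]:
        return 0.0   # unignited release disperses
    if not state["esd_fails"]:
        return 0.2   # short jet fire, inventory isolated by ESD
    if not state["deluge_fails"]:
        return 1.0   # prolonged fire, deluge limits escalation
    return 5.0       # escalation to the whole module


def leak_frequency() -> float:
    # Fault tree: a leak from any of three independent causes (constructed, per year).
    return or_gate([4e-3, 5e-3, 1e-3])  # flange, seal, corrosion


def run_qra(p_ignition: float, p_esd_fail: float, p_deluge_fail: float = 0.1) -> List[Outcome]:
    branches = [Branch("ignition", p_ignition),
                Branch("esd_fails", p_esd_fail),
                Branch("deluge_fails", p_deluge_fail)]
    return event_tree(leak_frequency(), branches, gas_leak_consequence)


def compare_options() -> Dict[str, float]:
    """PLL for the base design and two constructed risk reduction options."""
    base = run_qra(p_ignition=0.1, p_esd_fail=0.05)
    # Option A: eliminate ignition sources in the module (inherent/passive control).
    option_a = run_qra(p_ignition=0.02, p_esd_fail=0.05)
    # Option B: a second independent ESD valve in series (active control, AND gate).
    option_b = run_qra(p_ignition=0.1, p_esd_fail=and_gate([0.05, 0.05]))
    return {name: potential_loss_of_life(o)
            for name, o in (("base", base), ("A_ignition", option_a), ("B_esd", option_b))}


if __name__ == "__main__":
    base = run_qra(0.1, 0.05)
    pll = potential_loss_of_life(base)
    print(f"PLL = {pll:.2e} /yr, IRPA (10 persons) = {individual_risk_per_annum(pll, 10):.2e}")
    for path, contrib in main_contributors(base):
        print(f"  {' & '.join(path) or 'no adverse branch'}: {contrib:.2e} /yr")
    for name, value in compare_options().items():
        print(f"{name}: PLL = {value:.2e} /yr")
```

With these constructed numbers the ignition-elimination option reduces PLL far more than the extra ESD valve, which matches the preference for inherent over active control stated in 3.4.2.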

Application of QRA
The use of QRA to improve HSE by comparing alternative designs or methods of operation is now
widely used. It is considered a valuable tool in the decision-making process, providing a means to
communicate, to quantify opinions and to combine these effectively with available historical data and
experience.

In EP, QRA has two main functions:
- to assist in the comparison of design and operating philosophy options with a view to effective and
  efficient HSE management
- to demonstrate when required within Opcos and to third parties including the regulating authorities
  that risks are ALARP.

QRA may also be used in circumstances where:
- (combinations of) equipment or operating philosophy are intended that could not possibly have been
  anticipated by those formulating standards and practices (e.g. application of new technology or new
  combinations of existing technology); or
- it is agreed beforehand by the function that there are strong grounds for challenging standards and
  practices, e.g. on the basis of engineering judgement and reasoned evaluation.

QRA should not be used to justify a reduction in the level of HSE of current activities, and should not
be used on a case-by-case basis to challenge accepted HSE standards and practices.

QRA is considered to be the best means of combining historical data, effects modelling and judgement
in determining the likelihood and consequences of accidents. It should present the best knowledge
available and decisions based on it will generally be better than those based on subjective assessment.

EP 95-0352 Quantitative Risk Assessment in Volume 3 of this Manual describes the QRA technique in
detail and provides advice on the use and misuse of the technique.

Scheduling of QRA in a project


QRA is not always appropriate/applicable. For many onshore or simple facilities the application of the
other assessment techniques described may be entirely suitable and sufficient for decision-making.

As noted in EP 95-0220 Concept Development, the use of risk assessment early in project development
can be extremely beneficial in the comparison of development options. A comparison of risks
associated with, for example, onshore versus offshore processing, platform versus subsea installation,
location of onshore installations, etc may be effectively studied by QRA.

During conceptual design, more detailed and focused risk assessment(s) may be undertaken to assist
with final major decision-making with respect to design options and to provide a basis for further
optimisation during completion of conceptual engineering.

At the end of detailed engineering, i.e. when all optimisation has been completed, the risk assessment
may be issued in the form of a final report for input to the Operation HSE Case. This is intended to
demonstrate that the risk criteria have been achieved, and that the risks can be demonstrated to be
ALARP.

4.3 A Framework for Hazard Identification and Assessment


The flow scheme in Figure 4.1 gives an overview of the hazard management objectives for various
phases of a development and some of the tools and techniques available. A summary of the referenced
tools is given in EP 95-0300 which in turn provides further references to detailed application.

Figure 4.1 Hazard Identification and Assessment - Tools and Techniques


The activities in the EPBM (Ref. 1) described below encompass the life cycle of an asset. The HSE
Case which is prepared during the execution of these activities becomes the HSE Case for the asset and
forms part of the Asset Reference Plan.
The broad HSE objectives are bulleted on the left of the table. Some of the tools and techniques
available are listed on the right.
ACQUIRE OR DIVEST ASSET (A16)
Evaluate/Value Asset or Divestment (A16-01-02)
- identify major hazards: HAZID
- identify environmental effects and sensitivities together with history of past practices:
  Environmental Assessment (preliminary)

EVOLVE DEVELOPMENT CONCEPTS (A11)
Make Facility Design Concepts (A11-04-02)
- identify major project hazards: HAZID
Carry out HSE Analysis (A11-04-05)
- obtain assurance of manageability: Qualitative comparison of risk based on judgement, or coarse
  QRA if significant global risks or high level of innovation; Environmental Assessment; Health Risk
  Assessment
Evaluate Concepts (A11-05)
- obtain an assessment and comparison of HSE risks between options: QRA (comparative or coarse);
  Environmental Assessment (update)
Propose Development Concepts (A11-06)
- finalise option selection with due regard for HSE: QRA (comparative or coarse); Environmental
  Assessment (update)
- review hazards within option: HAZID
- obtain agreement for philosophies of: Operations and Maintenance; Fire and Explosion

DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12)
Prepare Conceptual Design (A12-01) (Validate 'Basis for Design')
- ensure technical integrity of basic process: HAZOP (coarse)
- develop layout to minimise consequences in developing the 'Project Specification': Coarse Layout
  Methodology; Human Factors
- review technical integrity of detailed process: HAZOP (detailed); Instrumented Protection Function
  (IPF) Classification
- minimise risk of escalation
  - for offshore and complex plant: Detailed Layout Methodology, Fire and Explosion Analysis
  - for less complex and onshore: Emergency System Survivability Analysis; FIREPRAN
- ensure adequate provision for escape: Escape, Evacuation and Rescue Analysis (use judgement for
  less complex plant)
- review overall risks: QRA (as necessary)
- minimise construction risks: HAZID
- incorporate HSE-specific requirements: Health Risk Assessment, Human Factors, Environmental
  Assessment

HSE CASE FOR ASSET (HAZARDS AND EFFECTS REGISTER)

Figure 4.1 Hazard Identification and Assessment - Tools and Techniques (continued)

DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12) (cont'd)
Prepare Detailed Design (A12-02)
- ensure change does not impair technical integrity: QRA; HAZOP; Instrumented Protection Function
  (IPF) Classification
- prepare input for HSE Case for facility: see ACT-01-06

Construct and Precommission Facility (A12-03)
- ensure HSE risk managed in construction: Prepare activity HSE Case Plan (see ACT-01-06)

Commission Facility (A12-04)
- verify readiness to startup: Pre-startup audit

Abandon Facility (A12-05)
- ensure legal and social obligations met with respect to environment: Prepare plan (ACT-01-06);
  HAZID; Environmental Assessment (including review of past practices and liabilities); Health Risk
  Assessment
- decommission and remove safely with due care for health and environment: HAZID; Environmental
  Assessment; Health Risk Assessment

DESIGN, CONSTRUCT, MODIFY OR ABANDON WELLS (A09)
(as for A12 for Wells)

OPERATE AND MAINTAIN FACILITIES AND WELLS (A71/A72)
(see under HSE Case for Asset)

MANAGE ASSETS (ASS)
(Includes HSE Case for Asset)
Asset Reference Plan (ASS-01-02)
- demonstrate that risks associated with asset and its operation are managed: HAZID; Health Risk
  Assessment; Environmental Assessment; Job Hazard Analysis; Permit-to-Work; Instrumented
  Protection Function (IPF) Classification; H2S; Fire Control and Recovery; Safe Handling of
  Chemicals (SDS); Human Factors; Emergency Response (including oil spill plans); Oil Spill
  Dispersants; Contaminated Soil and Groundwater; Classification of Waste; Waste Management
Appraise Asset Integrity (ASS-04-02)
- confirm process integrity and containment: Process Hazard Review; HAZOP
- compare fire and explosion provisions against objectives set: FIREPRAN

HSE CASE FOR ASSET (HAZARDS AND EFFECTS REGISTER)


5 Control of Hazards

5 CONTROL OF HAZARDS
5.1 Overview

Control = Prevent the incident = Reduce the probability of the incident

The optimum way of controlling hazards is to prevent hazardous events from occurring. The emphasis
in design should therefore be on removing hazards altogether (inherent safety). If it proves impossible
to remove the hazards completely, then efforts should be taken to reduce the probability of hazardous
events occurring. This chapter contains an overview of the principles behind control techniques and
their resulting benefits. Later in the chapter it explains in more detail how these principles are applied
in the overall design of facilities and specific equipment.

The principles consist of:
- design for ease of operation and maintenance
- substitution of hazardous materials
- reduce inventory of toxic/hazardous materials
- simplify the process (e.g. eliminate equipment, minimise probability of error)
- eliminate sources of ignition
- minimise the probability of loss of containment
- reduce pressure
- reduce temperature
- reduce volatility.

5.1.1 Design for ease of operation and maintenance


A large proportion of the incidents occurring on facilities occur as a result of operator error, or during
maintenance. The root cause of these incidents, however, can normally be traced back to missed
opportunities or oversights during the design phase where the potential exists to make the plant more
operator- and maintainer-friendly and tolerant, thus reducing the probability of incidents occurring.
The key factors to address include:
simplicity of process configuration
transparency of control
adequate provisions for process isolation
good access to all equipment
design provisions for non-routine operations
provision of appropriate lifting devices.


5.1.2 Substitution
The most direct way to achieve inherent safety in a process is to substitute hazardous with non-
hazardous materials, e.g.:
replacing combustible components with non-combustible components (e.g. replacing a hot oil
heating system with a tempered water system)
replacing toxic components with non-toxic components.

5.1.3 Reduce inventory of toxic/hazardous materials


Reduction in the inventory of flammable or toxic material will reduce the potential magnitude of a
release for a given event.

isolating valves should be specified between multiple vessels/tanks and they may be separated by
fire breaks or fire walls (see ESD valves)
consideration should be given to using different equipment types to reduce inventory (e.g. using
packing rather than tray internals in columns or thermosyphon rather than kettle reboilers)
the size of process vessels and storage tanks containing hazardous material should be reduced if
viable. This should be balanced against the increased number of leak sources introduced
the surface area of a liquid spill that could be exposed to a fire should be minimised to control
burning and to prevent escalation. Liquid surface area should be reduced by incorporating
intermediate walls in multi-tank bunds
the use of gas-powered systems should be minimised, particularly in manned areas (e.g. electrical
systems should be used for heating and cooking rather than bottled LPG).

5.1.4 Simplify the process


The process should be as simple as necessary to achieve the production objectives (i.e. yields, product
specifications and export conditions). Justification for additional equipment (e.g. to increase yield or
efficiency) should take account of any increased HSE risks in addition to the normal cost benefit
considerations. The following points should be considered:
consider the provision of single train facilities (which increases plant simplicity) within the
constraints of availability requirements
avoid the use of crossovers between sections of plant

These can cause confusion during maintenance and increase the complexity of the control and
shutdown logic.

set the pressure profile of the process with the aim of minimising items of rotating machinery. For
instance:
transfer liquid by gravity (rather than pumping)
specify the operating pressure of low pressure gas sources at the required fuel gas pressure.
specify equipment that is proven in a similar operating environment (ideally within the Opco)
minimise use of complex or non-traditional unit operations which may be difficult to understand or
may require high levels of maintenance
minimise the potential for onstream maintenance within the constraints of the availability
requirements.


5.1.5 Reduce probability of loss of containment


provide adequate overpressure protection
specify realistic design margins on capacities and performance requirements
select material to minimise corrosion
provide appropriate mechanical design (e.g. minimise flanges, small bore and screwed fittings, use
effective seals)
provide protection from mechanical damage by mechanical barriers, layout or shutdown
provide assurance of operation within the design envelope
specify a robust and transparent process control system.

5.1.6 Eliminate sources of ignition


Where possible ignition sources should be eliminated from the plant, for instance:
replace fired heaters with electrical heaters or waste heat recovery units
eliminate rotating machinery where possible
import electrical power (rather than generating on site)
reduce the temperature of the process
minimise the number of junction boxes.

5.1.7 Reduce pressure


Reducing the operating pressure of a process is desirable, because:
the mass per unit volume of hydrocarbon in the vapour phase is reduced
the leakage rate of fluid through a fixed orifice is smaller
the energy released from a catastrophic failure of a piece of equipment is lower
there is a reduced chance of hydrate formation
emergency depressurisation can be achieved more readily
the likelihood of over pressuring low pressure downstream systems is reduced.

The designer should examine ways of reducing the operating pressure in the process. The optimum
solution should be ascertained by trading off the benefit to safety against any increased expenditure.

5.1.8 Reduce temperature


Reducing the operating temperature of a process is desirable, because:
lower proportion of vapour generated from a volatile liquid, giving a reduced spread of vapour from
a leak
reduced propensity for temperature-related material failure problems (e.g. metal creep or hydrogen
embrittlement)
safer heating systems are feasible (e.g. pressurised water instead of hot oil)
reduced utilisation of energy
reduced corrosion rate
reduced risk of unwanted heating of the environment (e.g. in cooling water discharge lines)
lower risk from problems associated with thermal expansion.
less risk of personnel injury from hot surfaces.

The designer should examine ways of reducing the operating temperature in the process, e.g. by using
reduced pressure in conjunction with reduced temperature to meet a TVP specification.

5.1.9 Reduce volatility


Reducing the volatility of the constituents reduces the likelihood of a hydrocarbon release escalating.
The volatility of fluids can be reduced by:
reducing temperature and pressure
adopting a balanced approach to recovering NGLs from a gas stream particularly in offshore
locations
reducing the vapour pressure of stored LPG products by specifying refrigerated or semi-refrigerated
storage
ensuring that incoming liquids from other facilities are stabilised to a satisfactory TVP.

5.2 General System Design Considerations


5.2.1 Overview
Application of the principles outlined above to specific types of EP equipment is covered in 5.3. A
number of the principles are, however, sufficiently general, or are applied at the system design level, to
be covered here generically.

In oil and gas facilities the most hazardous events are those related to loss of containment. The
principal causes of loss of containment are:
operator error
excursions of the process outside the design envelope
corrosion/erosion
third-party activities.

5.2.2 Operability and maintainability


A large proportion of the incidents occurring on oil and gas facilities occur as a result of operator error,
or during maintenance activities. The root cause of these incidents, however, can normally be traced
back to missed opportunities or oversights during the design phase where the potential exists to make
the plant more operator- and maintainer-friendly and tolerant. This section is concerned with reducing
potential hazards relating to the human interaction with the plant during production and maintenance
operations.


Simplicity/Transparency of Plant
The potential for errors during operations and maintenance is greatly reduced with simple plant whose
function, status and interconnectivity are transparent to all.

Preference should be given to minimising the number of trains and reducing the degree of
interconnectivity between the system elements. The control system should be designed with maximum
operator involvement to ensure that information is presented in a manner that is clear and concise.

A logical naming and numbering system should be adopted for equipment and this should be reflected
in the layout. For example, a set of identical pumps (three operating/one standby) should be oriented in
the same sequence as the numbers to avoid confusion during maintenance operations. Particular care
should be taken in numbering equipment that is retrofitted at a later date.

The provision of a plant colour code system for piping greatly improves transparency and the
requirement for a coding system should be included in the plant piping specification.

For safety-critical activities, physical mechanisms should be considered in the design which 'force' an
operator to carry out tasks in the correct sequence, thus achieving a degree of inherent safety. Care
must be taken not to introduce provisions which will become cumbersome. Such complexity may
encourage unauthorised 'by-passing' with the consequence of increased risk.

Accessibility to Equipment
During design the requirement for access to equipment should be reviewed. The following factors
should be considered:
access arrangements for all regular operations shall be straightforward and simple
These points shall be accessible and visible from main floors or aisles, preferably without the help of
auxiliary platforms and ladders.
where such platforms and ladders are required they shall be permanently installed
Portable ladders are not acceptable substitutes.
equipment which requires attention on a less regular basis (e.g. scheduled maintenance yearly) need
not necessarily be provided with permanent platforms and ladders unless emergency access is a
requirement
arrangements shall be made for all routine operations which involve handling and storage of
materials and equipment
Permanent equipment (e.g. runway beams, hoists) should be provided for equipment that is critical
to plant availability or requires regular attention.
every instrument and operational checkpoint shall be so positioned that access and/or calibration is
possible from permanent walkways, stairs or platforms
DEP 32.37.00.33 should be consulted for specific advice on the mounting of plant instruments
(Ref. 4).
equipment parts, instruments, valve hand-wheels and piping shall not protrude into access ways
normal entrance and exit points shall be located so as to enable easy access and egress to work areas
in considering access, suitable provisions should be provided to prevent contact with hot surfaces
If applicable, all external surfaces of equipment and accessible piping operating at temperatures in
excess of 70 °C shall be provided with protection to prevent contact by personnel (see DEP 30.46.00.31
Thermal Insulation for Hot Services, Ref. 5). Where protection is provided solely for personnel
protection, preference should be given to shielding of all parts which are accessible during normal
operation rather than insulation, to avoid corrosion under the insulation. Protection shall be provided
for parts accessible by temporary maintenance platforms or scaffolding if it is the intention to provide
such access while the equipment is hot. Warning signs and barriers shall be provided to prevent access
to any hot equipment which is not provided with such personnel protection. On no account should
asbestos be used as an insulating material.

Provisions for Non-Routine Operations


Formalised operating and maintenance philosophies are developed during the preparation of the Basis
for Design. These documents provide the operational framework for the design. At a detailed level the
full scope of operational requirements and constraints should be reviewed to ensure that adequate
provisions are made in the design to allow such activities as:
hydrotesting of equipment and pipelines
black start
startup following a manual shut-down
startup following a Process Shut-down (PSD) or Emergency Shut-down (ESD)
purging
venting
manual shutdown
manual depressurising
draining
cleaning/desanding of vessels
pig launching/receiving
catalyst change-out (e.g. molecular sieves)
well testing.

It may be necessary to develop and review the procedures associated with these activities at an early
stage, typically in the Project Specification period, to ensure that the necessary hardware is specified
on the PEFS (e.g. purge points, temporary flaring points). To do this the following factors will need to
be established:
modes of operation and flexibility required
role of operators
length of shift, manning pattern
mechanical handling equipment to be used
skills and experience of operators
skills and experience of maintenance personnel.

Where simultaneous drilling or workover and production may take place sufficient space shall be
available for pipe handling, mud handling, chemicals delivery, sludge removal and other well
operations without interfering with production. The need for temporary laydown areas associated with
maintenance activities (e.g. space to withdraw heater tube bundles) should also be considered.


Space shall be provided for the laydown of equipment during maintenance or replacement particularly
for large items such as turbines, heat exchanger bundles and compressor shafts.

Sample points should be designed to allow safe operation. The requirements for sampling should be
established at the design stage and sample points shall be readily accessible, have an easy escape route
and be designed based upon a defined procedure. The design shall take account of the type of sampling
equipment used and where necessary suitable overpressure protection shall be provided.

Isolation/maintenance philosophy
A philosophy for isolation shall be developed that is consistently applied. Where possible the facility
should be simplified by reducing to a minimum the number of individual units which may be isolated.
Manifolding of spare valves, controls and equipment is not recommended and should only be
considered where high availability is demanded which cannot be achieved in other ways.

The safest maintenance philosophy is one that allows work to be performed only when the plant, unit,
or system has been shut down, isolated, depressurised to atmosphere, drained, and freed of flammable
and toxic gas. When a total shutdown is not practicable, the design shall incorporate facilities to ensure
adequate isolation of a complete train or individual equipment. The isolation facilities shall be
provided at the boundaries of the unit. This shall include not only main inlet and outlet lines, but also
drains, vents, and other interfaces.

The design of the isolation requirements shall be the result of a task analysis of the actions required to
isolate, depressurise and purge the system. This shall also take into account the service conditions (e.g.
corrosive, fouling).

Except as noted below, isolation facilities shall include a means of 'positive isolation'. Positive isolation
is achieved by fitting a blank, insertion of a spade or by rotating a spectacle blind. For hazardous
service, flange bolts shall not be loosened unless it has been proven that the isolation valve or valves
are containing the fluid or gas. If full containment is not achieved, the work may not proceed and a
more extensive shutdown may be necessary.

The provision of positive isolation facilities, e.g. spectacle blinds, may not be required to facilitate all
maintenance activities. Their provision is determined by an analysis of the expected activity to be
performed and its likely duration. In cases where the work is relatively minor (and the expected
duration short), the overall risk in performing the isolation and de-isolation (i.e. swinging and
reswinging the spectacle) may be greater than the risks imposed in doing the actual work with only
valved isolation for that short period of time. An example of this might be the simple change-out of a
defective control valve with a replacement unit. Under no circumstances shall non-return valves be
relied on to provide isolation of equipment for maintenance. This applies also to proprietary swing
check valves with manual actuation since there is no way to check visibly if the internal parts of the
closure mechanism have functioned correctly.

Recommended isolation provisions are indicated in Table 5.1


Table 5.1 Recommended isolation requirements

System  System description                                    Minimum requirement
A       Shutdown, depressurised and hydrocarbon-free          Positive isolation by a spade, or remove the spool
        system.                                               and install a blind.
B       System in service, of ANSI class 600 and below.       Single leak-tight valve plus spade/blind.
                                                              Bleed: see note 1.
                                                              For flashing liquids and toxics see C below.
C       System in service, of ANSI class 900 and above.       Double block and bleed plus spade/blind
        All systems containing toxic fluids (note 2).         (see 6.3.1).
        Systems containing flashing liquids above ANSI 300
        (note 3).

Notes:
1. A bleed connection should be installed between the valve and the spade/blind for line sizes 6" and above.
The purpose of the bleed is to establish that positive isolation is achieved and to provide a means of draining
or depressurising the volume between the spade/blind and the isolation valve. Depending on circumstances
(including inventory and likely valve integrity), it may be appropriate to install a bleed connection in lines
smaller than 6".
2. For the purposes of this requirement, toxic in the case of H2S is defined as more than 500 ppm H2S in the
process stream.
3. The definition of flashing liquids for the purposes of this Table is that given for category A fluids in
Appendix B of the IP Code Part 15 (Ref. 6).

Equipment in 'operationally critical service' may be subject to more stringent requirements than those
given in this table. 'Critical' in this context means that a non-scheduled shutdown due to failure of the
isolation would be unacceptable in view of economic or business loss.

The design shall take into account the operational consequences of an isolation valve failing to seal
when required, and the chance of this happening. An example would be a pig receiver in a main trunk
line. When for any reason the receiver cannot be properly isolated from the line, the economic losses
due to downtime and/or line depressuring would be considerable. A pipeline isolation valve, which
under normal conditions would never be operated, may be installed as an 'insurance premium' upstream
of the normal receiver isolation. If there is an ESD valve in the pipeline, there may be a manual valve
required on the pipeline side of it to allow repair of the ESD valve even though the normal isolation
criteria here may not require such a double block-and-bleed.

An isolation design for a particular service must achieve a balance between increased isolation
integrity and the risk from extra leak sources due to additional flanges, valves and bleeds.


Lifting Provisions - Manual Handling Aids


Following the initial layout, a detailed study should be undertaken to analyse the requirements for
manual handling facilities required for maintenance (e.g. removal of major items of equipment, electric
motors, etc). Where the expected frequency of use is such that permanent lifting facilities (cranes,
runway beams etc) cannot be justified the provision of padeyes should be considered to allow the use of
temporary lifting equipment.

The normal operational swing zones of permanently installed cranes shall not pass over hydrocarbon-
containing equipment unless this has been designed for impact resistance to loads dropped from the
crane. Where such resistance has not been provided, crane use shall be limited to maintenance
activities on the equipment after it has been depressurised and drained.

A review should be undertaken to identify any operational activities that involve frequent manual
handling of appreciable loads (e.g. chemical stock replenishment, filter changeouts, etc) and
appropriate aids provided.

Working Environment
Appropriate standards should be set for the working environment as this can be an important factor in
the performance and health of operational and maintenance personnel. Factors to be considered are:
noise
vibration
lighting
climate (temperature, humidity, ventilation, weather protection)
chemical and dust
radiation (heat and radioactivity)
cleanliness
social amenities
organisation of work (shift and leave patterns, working alone, variety, etc)
chemical exposure.

Ergonomics and Human Factors


Ergonomics and human factors aim at optimising the human-machine interface with respect to
efficiency and safety by examining the design of products, tools and working methods (factors such as
motivation, work stress and human relations are also taken into account).

The benefits which can accrue from an ergonomic design are:


reduction in operator errors
reduction in work load, fatigue and stress on the operator
improved system performance/efficiency
reduction in hazards for the individual worker and the general work environment.

EP 95-0324 Human Factors describes in more detail the human-machine interface and the role of human
factors engineering. The document introduces a number of tools and techniques that may be of benefit in
minimising hazards and errors and improving efficiency and usability.


The application of these tools and techniques should be considered for:


layout of control rooms and panels
layout of normal and emergency controls
analysis of the appropriate degree of automation
determination of the extent of protective systems
layout of valves and equipment where manual operations are envisaged
determination of equipment layout for maintenance access.

In all of the above areas it is essential that the operators and maintainers are fully involved in the
application of the tools and techniques.

Further guidance on the design of control rooms and control panels is given in 6.2.

5.2.3 The design envelope


The facility will be designed with a defined operational envelope. Suitable control provisions shall be
installed to ensure that the normal operational range of the plant remains within that envelope, and
contingency provisions (overpressure relief etc.) shall be installed to cater for any excursions beyond the
defined envelope. In order to ensure the safe ongoing operation of the facility, the limits of that original
design envelope need to be documented and understood by the operations personnel. As noted in 3.5.2,
the development of a MOPO provides the vehicle for this knowledge capture and transfer.

Design Conditions, Specification Breaks


The inherently safe approach in design would be to specify an entire plant to be suitable for the most
onerous conditions it can experience, for example the highest source of pressure (CITHP), the
maximum operating temperature under upset conditions etc. This approach has severe capital cost
implications and therefore the design conditions for different sections of the plant are normally varied.
Appropriate process control is provided to keep the varying sections of the plant within their operating
envelopes and safeguarding systems are installed to deal with excursions outside the operating
envelope.

This leads to a number of different equipment specifications in different sections of a plant. The
location at which the specification changes is defined as the specification break. The correct location
of specification breaks is critical to integrity. Abnormal and transient process conditions shall be taken
into account in selecting appropriate piping specifications and in locating a specification break.

DEP 01.00.01.30 Definition and determination of temperature and pressure levels (Ref. 7) gives
detailed guidance on the definition of terms relating to design pressures and temperatures and advice
on the selection of appropriate levels and design margins.

All specification breaks shall appear on the PEFS. This includes changes in pipe class due to change in
material or fitting specifications as well as the pressure and temperature rating. The designer should
address the following when incorporating a specification break:
identify which is the lower specification (weaker) system
This is usually obvious, however, care must be taken when there is a change in material (for
example, the more onerous material specification may have a lower pressure rating).

identify possible paths of overstress from the higher specification system
For example, for a break in pressure rating, identify any valves which may be closed, thus exposing
the lower pressure system to overpressure.
if viable, move the specification break to include the vulnerable equipment
For example, rate the piping up to the valve and the valve itself for the higher pressure.
if circumstances dictate that the specification break cannot be moved, then the lower-rating section
should be protected by the following provisions:
a control loop equipped with a pre-alarm (if appropriate) and operational procedure for
addressing the potential upset condition
a trip with a corresponding shutdown function
an overpressure protection device.
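The specification-break review above (identify the weaker system, find the paths by which a higher source pressure can reach it, note the valves whose closure would block it in, then either move the break or protect the weaker section) is a small graph search. The following is an added example written for this page, not code from the manual or from Shell: a Python review aid over a constructed flowline topology with constructed tags, ratings and a constructed CITHP. Only pressure rating is modelled; the temperature drop across valves noted below is not. A valve on a link is taken to belong to the pipe class of the upstream segment, so "rate the piping up to the valve and the valve itself" is modelled as re-rating that segment.

```python
"""Specification-break review aid: which lower-rated piping can a pressure
source reach, through which valves, and which valves would block it in?

Added illustration only, not from the manual. Every tag, rating and
connection below is constructed for the example; only pressure rating is
modelled (temperature effects across valves are not).
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Segment:
    tag: str
    design_pressure_barg: float  # rating of the pipe class; compare the number, not the class name
    protected: bool = False      # True once pre-alarm/trip/relief provisions for this case are in place


@dataclass(frozen=True)
class Connection:
    upstream: str
    downstream: str
    valve: str | None = None  # valve on this link; taken to belong to the upstream pipe class


@dataclass(frozen=True)
class Source:
    tag: str
    segment: str              # segment where the pressure enters the system
    max_pressure_barg: float  # worst credible source pressure, e.g. CITHP


@dataclass(frozen=True)
class Finding:
    source: str
    segment: str                      # the lower-specification (weaker) segment
    path: tuple[str, ...]             # segments from the source to it
    path_valves: tuple[str, ...]      # valves that must be open for the pressure to arrive
    block_in_valves: tuple[str, ...]  # valves leaving it; if closed, the segment is blocked in


def find_overstress_paths(segments, connections, sources):
    """Worst case for propagation: every valve is assumed open, so pressure can
    reach everything downstream of a source. A segment is reported when its
    rating is below the source's maximum pressure and it is not yet protected."""
    rating = {s.tag: s.design_pressure_barg for s in segments}
    protected = {s.tag for s in segments if s.protected}
    outgoing: dict[str, list[Connection]] = {}
    for c in connections:
        outgoing.setdefault(c.upstream, []).append(c)

    findings = []
    for src in sources:
        queue = deque([(src.segment, (src.segment,), ())])
        seen = {src.segment}
        while queue:
            seg, path, valves = queue.popleft()
            if rating[seg] < src.max_pressure_barg and seg not in protected:
                block_in = tuple(c.valve for c in outgoing.get(seg, []) if c.valve)
                findings.append(Finding(src.tag, seg, path, valves, block_in))
            for c in outgoing.get(seg, []):
                if c.downstream not in seen:
                    seen.add(c.downstream)
                    step = (c.valve,) if c.valve else ()
                    queue.append((c.downstream, path + (c.downstream,), valves + step))
    return findings


def rerate(segments, tags, new_rating):
    """Remedy 1: move the break by rating the named piping, up to and including its valves, higher."""
    return [replace(s, design_pressure_barg=new_rating) if s.tag in tags else s for s in segments]


def protect(segments, tags):
    """Remedy 2: leave the break where it is and protect the weaker section (alarm, trip, relief)."""
    return [replace(s, protected=True) if s.tag in tags else s for s in segments]


# Constructed example: a well flowing through a choke into a lower-rated flowline.
SEGMENTS = [
    Segment("WH-01", 345.0),                   # wellhead piping, rated for CITHP
    Segment("FL-01", 100.0),                   # flowline downstream of the choke
    Segment("SEP-01", 20.0, protected=True),   # separator, relief sized for the case
    Segment("TEST-HDR", 50.0),                 # test header, no protection yet
]
CONNECTIONS = [
    Connection("WH-01", "FL-01", valve="CV-101"),     # choke
    Connection("FL-01", "SEP-01", valve="XV-102"),    # flowline outlet to separator
    Connection("FL-01", "TEST-HDR", valve="XV-103"),  # flowline outlet to test header
]
SOURCES = [Source("WELL-01", "WH-01", max_pressure_barg=300.0)]  # constructed CITHP, 300 barg


def main():
    for f in find_overstress_paths(SEGMENTS, CONNECTIONS, SOURCES):
        print(f"{f.segment}: exposed to {f.source} via {' -> '.join(f.path)}; "
              f"open valves {f.path_valves}; block-in valves {f.block_in_valves}")
    fixed = protect(rerate(SEGMENTS, {"FL-01"}, 345.0), {"TEST-HDR"})
    print("after remedies:", find_overstress_paths(fixed, CONNECTIONS, SOURCES))


if __name__ == "__main__":
    main()
```

On the constructed topology the search flags FL-01 (reached through the choke, and blocked in if XV-102 or XV-103 is closed) and TEST-HDR; the separator is not flagged because it already carries sized relief. Re-rating FL-01 alone leaves TEST-HDR exposed, which is the point of running the check again after each remedy rather than once.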

The temperature drop over valves, including relief valves, in high-pressure gas service should be
carefully considered in setting specification breaks.

Consideration must be given to the possibility of hydrate formation when determining operating
temperature. Hydrates themselves can be responsible for blockages which lead to overpressure. Care
must be taken during design to ensure that the operating temperature does not fall to within the
predicted hydrate formation temperature under any mode of operation, i.e.:
normal operation
relief
blowdown
cooling of a 'blocked in' section of plant to the ambient condition.

If the operating temperature does fall within the predicted hydrate formation temperature, then control
and recovery mechanisms must be in place.

Control Systems
The function of the process control system is to maintain the operation within its defined operating
envelope and hence in a safe, stable, efficient, productive state. The process control system is active at
all times during normal operation and is not viewed as a safeguarding system. It should be realised that
failure of the control system itself is one of the root causes for a deviation beyond the operating
envelope and thus activation of the safeguarding system.

Process control is achieved using instrumentation to measure parameters (e.g. pressure, temperature,
flow) which can be used to provide a basis for actively altering other components in the system (e.g. the
position of a control valve, speed of a compressor) to maintain the process in its designated operating
envelope.

Process control can be undertaken by manual or automatic means. In EP operations an automatic
control system is normally utilised.

The control philosophy should be tailored to the competence of the personnel who will ultimately
operate the facility. In principle, the opportunity for intervention should be reduced with decreasing
competence. The following rules are applicable in determining the required degree of automation in a
process.


A function should be automated if:


it involves danger to the operator
it requires rapid response
it requires exceptional skill, dexterity or strength
it requires tedious or repetitive work
it involves considerable computations.

An operator should be included in the control loop of a function which requires decisions:
which involve qualitative evaluation
which require a response which is reliant on previous experience.

The control system philosophy should not be based on the need for a human to react in a particular way
to prevent a hazardous event from occurring. In some instances, however, it is appropriate to install
alarms (commonly known as pre-alarms) to offer the operator the chance to intervene in the process to
redress an upset condition. This does not substitute for the need for process safeguarding.

The purpose of alarms is to alert the operator to a hazardous situation in the most rapid and
unambiguous manner so that appropriate action can be initiated. Alarms should be specified only where
they will provide meaningful information and where the operator has time to take action.

Design of the Instrumentation and the Control and Safeguarding Systems shall be in accordance with
the following documents:
DEP 32.80.10.10 Classification and Implementation of Instrumented Protective Functions (Ref. 8)
DEP 01.00.02.12 Preparation of safeguarding memoranda and Process Safety Flow Schemes (Ref. 9)
DEP 32.31.00.32 Instrumentation for measurement and control (Ref. 10)
DEP 32.31.09.31 Instrumentation for equipment packages (Ref. 11)
DEP 32.31.00.10 Instrument engineering procedures (Ref. 12)
DEP 32.37.00.33 Mounting of plant instruments (Ref. 4)
DEP 32.37.20.31 System cabling (Ref. 13)
DEP 32.80.10.30 PLC based instrumented protective systems (Ref. 14).

Process Safeguarding System


As noted above, a plant control system is installed to regulate the process within the design operating
envelope. Failures of the control system, or human error, can lead to potential excursions outside this
envelope and therefore there is a requirement for the provision of a separate safeguarding system. This
system is further described in 6.3.

Of particular interest is the safeguarding to be provided against overpressure. Detailed guidance on
overpressure protection can be found in DEP 80.45.10.10 (Ref. 15), which is based upon advice in API
RP 520 (Ref. 16) and API RP 521 (Refs. 17 and 18).

Three approaches are possible for overpressure protection in decreasing order of preference:
fully pressure rated mechanical design
Ideally the design pressure of all parts of the process should be set sufficiently high to contain totally
the maximum pressure generated under the worst credible event. It should be noted that relief valve
protection from fire may still be a requirement.
relief valve protection
The above approach is often not economically viable. In such cases overpressure protection shall be
provided on all parts of the system not designed to contain the maximum generated pressure.

The conventional approach for vessels, equipment and piping is to provide the ultimate protection
against overpressure by mechanical relief valves. To prevent frequent demands on the relief system
and to provide secondary protection, an instrumented protective function is normally provided at a
lower set pressure than the relief valve to isolate the source of the overpressure.

A single relief valve may be specified to protect a number of interconnected items providing they
are free of intervening block valves or other restrictions, and close coupled, without significant
pressure drop through interconnecting pipework under relief conditions. Details of the requirements
for relief valve configuration are given in DEP 80.45.10.10 (Ref. 15).
protection by a system of instruments and actuated valves of demonstrated reliability
In specific circumstances, it may be highly desirable to limit, or even eliminate, the emergency
relief, since the flare system will otherwise become disproportionately large in size and cost. In such
cases it may be possible to consider providing an Instrumented Protective Function (IPF) or HIPPS
(High Integrity Process Protection System) of sufficient integrity to restrict the sizing of the relief
system to a proportion of the maximum possible relief flow, or ultimately down to the level required
for fire relief only. The complete substitution of relief valves by instrumented functions can, however,
rarely be justified, except for flowlines and pipelines. Applications should be supported by detailed
reliability/availability studies. Details of the IPF analysis technique are contained in DEP
32.80.10.10 Classification and Implementation of Instrumented Protective Functions (Ref. 8) and
EP 95-1745 Instrumentation for Ultimate Safeguarding Protection (Ref. 19).

It should be noted that such protective functions require frequent testing and maintenance to strict
quality procedures throughout the project life for adequate reliability to be sustained. The effect of
this testing requirement, in terms of Opex for testing manpower and any deferment associated with
valve test closings, should be analysed as part of any study.

5.2.4 Corrosion mitigation

Corrosion of equipment (both internal and external) can be a causative factor for loss of containment. In
many cases, for economic reasons, equipment will be built from materials which are expected to
corrode significantly during their design life and adequate corrosion management is essential if
problems with loss of containment are to be avoided.

The management of corrosion during the life cycle will be dependent upon sufficient attention being
given to materials selection and the operating constraints which the selection implies, to materials,
construction and commissioning specifications and to the everyday operation of the plant to ensure that
the boundaries of the planned operating envelope are not exceeded. Careful analysis of inspection
results, leading to the adjustment of the operating regime where necessary, can contribute greatly to
successful corrosion control.

General advice on corrosion and materials engineering can be found in the EP Production Handbook
Chapter 7 of Volume 9 (General) (Ref. 20) and Chapters 1.3 and 3.3 of Volume 8 (Pipelines) (Ref.
21). More specific guidance can be obtained from DEPs and from the local corrosion engineering
group or SIEP.


5.3 Specific Equipment Design Considerations

5.3.1 Overview
This section deals with the application of the control principles outlined in 5.1 to a number of specific common equipment processing blocks. Those systems provided for recovery are detailed within Chapter 6.

The equipment blocks covered are:

- pipelines and piping
- pig launchers and receivers
- pressure vessels
- heat exchangers
- furnaces
- machinery
- storage tanks
- electrical systems.

Within each following paragraph references are provided to more detailed design guidance material
(normally DEPs). Not all the DEPs relevant to the subject have been referenced. An attempt has been
made to select the primary 'top level' DEPs in each area such that the lower level material is cascaded from those documents.

5.3.2 Piping and pipelines

Standards and Guidelines

Requirements for piping and pipelines are provided in:
- DEP 31.40.00.10 Pipeline engineering (Ref. 22)
- DEP 31.38.01.10 Piping classes - Basis of Design (Ref. 23)
- DEP 31.38.01.11 Piping general requirements (Ref. 24)
- DEP 31.38.01.15 EP piping classes (Ref. 25), based upon ASME B 31.3 specifications (Ref. 26).

Deviations from these standards (including on package units) should only be accepted on a case-by-
case basis and only if properly justified and documented.

Mechanical Integrity
All piping shall be designed, installed and tested in accordance with ASME B 31.3. Piping should be routed to minimise risk from mechanical impact damage and where practicable should be protected from dropped objects.
- piping above ground should be installed on proper pipe supports and laid in dedicated pipe tracks
- traffic barriers and warning signs should be used to prevent impact by vehicles. Special precautions are required at road crossings
- pipelines or flowlines located in areas of high population density should be buried (particularly pipelines containing high pressure hazardous fluid). Buried flowlines should have cathodic protection, their paths marked on the surface and their routing recorded on field drawings which should be maintained to As Built status.
- sections of line at deck level on offshore platforms should be so positioned to avoid or limit the exposure to impact damage
- subsea isolation valves (SSIV) in pipelines local to an offshore installation need consideration with respect to material handling, anchor handling and trawler activity
- flowline and trunkline risers entering/exiting offshore structures should be positioned within the structure envelope to afford maximum protection against damage from boat collision/impact.
- pipeline route selection shall include an EA which will also address the effects of loss of containment.

Riser ESD should be located such that the length of the riser outboard of the ESD valve is as short as
possible, commensurate with locating the ESD valve above the splash zone and where it can be
periodically tested and maintained, and by its location is protected as much as possible from explosion
and fire from other sources and from dropped objects.

The use of screwed piping fittings shall be minimised. For new facilities, screwed fittings are only
permitted on piping which is:
- handling only cool, completely non-hazardous fluids (e.g. non-flammable, non-toxic)
- rated for a maximum working pressure not exceeding 20 barg
- of nominal diameter DN40 or smaller.

Where screwed fittings are already installed they should be replaced unless the risk involved in the
replacement activity outweighs the benefit of replacement.

Small bore connections (smaller than 2 inch nominal bore [DN 50 mm]) are prone to damage and
fatigue failure. The risk is increased in vibrating or cyclic systems and can be minimised during design
and construction by the following:
- minimise the number of small bore connections, combine functions into a single branch where possible
- locate small bore connections such that they are protected from mechanical damage
- minimise the length and weight of branch assemblies
- avoid threaded connections, maximise the use of reducing tees and flanged one-piece forged branch fittings, using weldolets only where these fittings are not available
- support or brace small bore branches especially in vibrating service. After start-up, survey for small branches that are vibrating and may need further support or modification.

Overpressure Protection

General
As stated earlier, the preferred means of overpressure protection is to set design conditions in excess of the maximum potential operational conditions. In-plant piping codes based on fatigue criteria (such as ASME B31.3, Ref. 26) allow short-term excursions up to 133% of design pressure which can be used to reduce the need for overpressure protection if intervention can be achieved within the code acceptable excursion period and frequency. This short-term overpressure excursion does not apply to pipelines and flowlines designed to pipeline codes. For pipelines, see DEP 31.40.10.14 Pipeline Overpressure Protection (Ref. 27).

For new designs, the pressure rating of flowlines, manifolds and gathering lines up to and including the
separator inlet shutdown valve, should exceed or equal the maximum CITHP unless an instrumented
safeguarding system has been installed. See DEP 32.80.10.10 Classification of Instrumented Protective
Functions (Ref. 8) and EP 95-1745 Instrumentation for Ultimate Safeguarding Protection (Ref. 19).

Thermal Relief
Thermal expansion relief valves are required in liquid-filled systems when the system can be blocked in
and subjected to heat input from the atmosphere or process. The theoretical pressure rise for most
liquids lies in the range 4 to 14 bar for each degree Celsius of temperature increase. In practice, the
theoretical pressure rise is not attained because systems are rarely totally liquid full and usually have
small leakages through, for example, valve seats. Calculations of the pressure rise are thus of little use
in formulating realistic guidelines for the application of thermal relief valves.

The following factors indicate when thermal expansion relief is unlikely to be required:
- the piping or equipment is in continuous operation and thus not routinely isolated without being depressured and drained
- the liquid is not highly toxic, corrosive or a flammable gas at atmospheric conditions
- the system will not be totally liquid filled (i.e. to more than 94%).

As a general guide, thermal relief valves are not needed for:

- process plant piping
- storage or transport piping sections which are not normally shut in for operational or emergency purposes
- lines in which there is normally two-phase (gas/liquid) flow
- heat traced lines which are not blocked in as part of normal operations.

For pipelines see DEP 32.80.10.10 (Ref. 8) which addresses thermal relief.

Thermal relief valves are normally fitted to:

- sections of piping containing more than 400 litres of LPG or toxic material which could be normally blocked in
- piping in storage areas or transport lines which will be regularly blocked in during normal operation, e.g. batch transfers.

Use of Non Return Valves

Non-return valves are usually fitted to prevent backflow in the following typical situations:
- from manifolds to ruptured or leaking flowlines
- in process piping distribution systems in the event of control failures
- through pumps and compressors.


Non-return valves shall not be considered to give pressure isolation. Alternative means of protection
(e.g. a relief valve) shall be provided. Non-return valves are, however, considered reliable in their
ability to prevent bulk backflow. Design leakage rates are specified in the MESC specification for non-
return valves.

Non-return valves may, in certain duties, be considered as an alternative or supplement to SSIVs
to isolate subsea pipeline inventories where the reliability and response time of actuated valves is
considered inadequate. The use of a subsea non-return valve also considerably reduces costs by
avoiding an umbilical and control system, but consideration should be given to the slam-shut effect on
the valve and the hydraulic shock on the pipeline, the reliability of the unit overall and the requirement
to pig the pipeline. Subsea check valves can be pigged if designed for this but should not be used where
sphering is required.

Corrosion
For piping and pipelines a number of alternatives exist to cater for potential corrosion (See 5.2.4
above).

For water service GRP/GRE can provide a corrosion resistant alternative to carbon steel. DEP
31.40.10.31 (Ref. 28) provides a purchase specification for all sizes and pressure ratings of GRP pipes
and fittings.

GRP/GRE can perform satisfactorily under fire exposure but is susceptible to impact damage and
brittle fracturing. Suitable layout and protection should be provided when intended for use in fire
protection service.

Piping Identification
A number of incidents with piping have been associated with operator error caused by poor
identification of individual flow streams. In complex plant the adoption of a standard colour coding
system to demarcate individual flow streams should be considered. All valves and associated
instrumentation should be clearly tagged to match the PEFSs (P&IDs).

5.3.3 Pig launchers and receivers

Standards and Guidelines

The design of pig launchers and receivers should be in accordance with DEP 31.40.10.13 (Ref. 29).

System Requirements
The DEP referenced above has been developed to ensure that the following system requirements are met and that sufficient facilities are provided to allow safe operation:
- opening of the receiver before full depressurisation should be prevented
- sufficient indication should be provided to the operator to allow him to detect the presence and location of a stuck pig
- suitable facilities for draining and purging should be provided such that soil contamination is avoided
- effective isolation of the units from the interconnecting pipework should be included
- control of the pig velocity should be possible.

5.3.4 Pressure vessels

Standards and Guidelines

All pressure vessels shall, as a minimum, be designed and constructed, tested and stamped according to a recognised international code:
- DEP 31.22.10.32 (Ref. 30) provides Shell amendments to BS 5500.
- DEP 31.22.20.31 (Ref. 31) provides Shell amendments to ASME VIII code.
- DEP 31.22.05.11 (Ref. 32) provides details on Gas Liquid separators - type selection and design rules.

Overpressure protection
Suitable provision should be made to protect the vessel from overpressure. Detailed guidance on
pressure relief and blowdown can be found in DEP 80.45.10.10 (Ref. 15) and is further covered in
5.2.3.3.

Separators or manifolds connected to a multiple well system and protected against overpressure by
individual well stream emergency shutdown valves may not need full flow mechanical relief protection
provided that process trips are fitted to shut in individual wells at a level below the relief valve setting
of the separator or manifold. The sizing of the relief system required should then be determined by a
detailed reliability analysis of the overall protective system. DEP 32.80.10.10 - Classification and
Implementation of Instrumented Protective Functions (Ref. 8), provides a methodology for reviewing
the requirements on a per loop basis of such instrumented systems.

Data from previous studies indicate that it is possible to restrict the manifold or separator relief flow to
20% of the wells connected and possibly less. This topic is covered in more detail in EP 95-1745
Instrumentation of Ultimate Safeguarding Protection (Ref. 19).

Mechanical Integrity
- equipment shall be protected from impact from mechanical devices, traffic and dropped objects
- minimum nozzle size for vessels should be 2" to avoid failure through mechanical damage.

Accessibility for Maintenance

- all pressure-containing equipment shall be designed such that all pressure-containing parts are accessible for internal and external inspection
- where vessels will be opened for cleaning or element replacement on a regular basis (e.g. filters), the design shall take into account the safety of the following operations:
  - isolation from the process
  - safe venting, purging and draining provisions, including a means of checking that the vessel is depressured and where appropriate empty
  - safe access to and removal/replacement method for covers, used elements and debris (use of quick release devices shall be considered)
  - safe, environmentally acceptable means for disposal of used elements and debris.


5.3.5 Heat exchangers

Standards and Guidelines

DEP 31.21.01.30 (Ref. 33), which is based upon TEMA (Tubular Exchanger Manufacturers Association) standards, governs the design of shell and tube heat exchangers.

Overpressure Protection
A major hazard specific to shell and tube heat exchangers is the potential leakage from, or bursting of,
a tube which could result in the overpressuring of the low pressure side of the exchanger.

If economically practicable, it is recommended that the design pressure of the low pressure side of the
heat exchanger is set at greater than two-thirds of the design pressure of the high pressure side. This is
the pressure ratio considered adequate in API RP 521 to avoid the need for further protection, but the
reader should be aware that API is based on ASME Code. If BS5500 is used then the ratio needs to be
higher.

If circumstances dictate otherwise, a relief device shall be installed sized for the flow corresponding to
the rupture of one full tube. Where there is a large difference between shell side and tube side design
pressures this relief capacity can be large and liquid in the shell can restrict the flow of escaping gases.
The relief device should be located directly on the shell, preferably on top, and due account taken of
the effect of internal baffles on the relief path. Multiple relief points may be required. Special care has
to be taken in sizing relief devices protecting against a tube burst when gas has to displace liquid to
reach the relief point.

Bursting discs are often employed for exchanger protection (particularly in situations requiring the
handling of displaced liquid) because of their rapid response and high capacity. The relief system
should be designed to handle the liquid quantities and hydraulic forces resulting from such a failure. If
necessary, additional trip protection should be specified to isolate the source.

It is sometimes found that uprating the design pressure of the low pressure side (see above) is the preferable option when the cost and complexity of these extra requirements for the relief and trip system are taken into account, but care must be taken to evaluate the whole LP system for such acceptability.

Thermal relief valves should be fitted to the cold side of heat exchangers which can be blocked in.

Tube Leakage
Tube leaks may give rise to other undesirable effects that may occur before the exchanger shell design
pressure is reached. Gas may enter cooling or heating media and be passed into a non-hazardous area.
The design should provide suitable protection against the effect of such leaks if they are a hazard. The
methods available for detection of tube leaks are:
- overpressure detection in the shell or media circuit
- flow detection from media surge vessel vent
- gas detection in media surge vessel vent.

The executive action should include isolation of all high pressure sources from the leaking heat
exchanger. The design may include provisions for tube plugging if part of the operations requirements.


Maintenance and Inspection

Provision shall be made for cleaning, maintenance and inspection of exchangers. All pressure-containing parts shall be designed such that they are accessible for inspection. Particular care shall be taken when considering use of fixed tube sheets, 'U' tubes or novel designs such as printed circuit exchangers which are inherently difficult to inspect. Correct material selection can become vital.

Hot Oil Systems

Where hot oil is used for indirect heating, there have been frequent occasions on which the oil has leaked out of the system and contaminated the lagging, which subsequently self-heats and spontaneously ignites. For this reason consideration should be given to not lagging flanged joints and to protecting lagging at sample points.

5.3.6 Furnaces and heaters

Standards and Guidelines

Design of furnaces for EP facilities shall be in accordance with DEP 31.24.00.30 General type furnaces (Ref. 34).

MF 92-0410 Basic requirements for safe operating of fired heaters (Ref. 35), provides further
comprehensive information and tools with respect to safety in design for a wide variety of fired heating
equipment. Specific attention is drawn to the sections on automatic safeguarding systems, safety aspects
of furnace layout and standard control and safeguarding packages.

Minimise Ignition Potential

The potential for ignition can be reduced by adopting electric heaters rather than direct fired heaters.

Fired heaters and furnaces represent a continuous source of ignition and should be located as far as
practicable outside hazardous areas resulting from other equipment.

The area around a furnace itself is not classified as hazardous. The instrumentation and electrical
equipment should, however, be selected for Zone 2 application to minimise the risk of a leak being
ignited during, for example, heater shutdown or maintenance periods.

Minimise Leakage Potential

The process and fuel lines to and from the furnace should be all-welded with no valves or fittings except the minimum required at the furnace for operation and control.

Minimise Explosion Potential

The potential exists for explosions if there is a delayed ignition of the fuel in the burner chamber. Usually this leads to the provision of an automatic ignition system that sequences air purge, introduction of fuel and application of the ignition source. Flame detection devices monitor whether ignition has been successful within a pre-determined period and, in cases of failure, enforce a time delay/purge sequence before allowing a re-attempt.


5.3.7 Machinery

Standards and Guidelines

The design of machinery such that it can be operated safely is to a large extent covered by good engineering practices as set out in the following documents (which in many cases are based upon relevant national codes and standards) (see Table 5.2).


Table 5.2 Machinery - Shell DEPs

General
  Installation of rotating equipment    DEP 31.29.00.10 (Ref. 36)

Pumps
  General                               DEP 31.29.02.11 (Ref. 37)
  Centrifugal                           DEP 31.29.02.30 (Ref. 38)
  Reciprocating                         DEP 31.29.12.30 (Ref. 39)

Compressors
  General                               DEP 31.29.40.10 (Ref. 40)
  Centrifugal                           DEP 31.29.40.30 (Ref. 41)
  Reciprocating                         DEP 31.29.40.31 (Ref. 42)
  Rotary                                DEP 31.29.40.32 (Ref. 43)
  Instrument Air                        DEP 31.29.40.33 (Ref. 44)

Turbines
  Combustion gas                        DEP 31.29.70.11 (Ref. 45)
  Combustion gas                        DEP 31.29.70.31 (Ref. 46)

Engines
  Diesel Engines                        DEP 31.29.80.30 (Ref. 47)
  Gas Engines                           DEP 31.29.90.30 (Ref. 48)

Overpressure
Suction piping for pumps and centrifugal compressors should be rated for the full discharge pressure
back to and including the first block valve. This is particularly important when pumps and compressors
are in parallel or where they discharge into a system with a large inventory such as a pipeline.

Centrifugal compressor casings should be designed for 1.25 times the maximum pressure which can
occur at the surge point for the highest speed and gas molecular weight (API 617) (Ref. 49).

Reciprocating compressor cylinders shall be rated for the relief valve set pressure plus 10%
accumulation.

Positive displacement pumps shall be protected against closed discharge.

Centrifugal pumps should be rated to withstand the highest closed-in discharge pressure plus 5%
allowances for head or speed increases (API 610) (Ref. 50).

Mechanical Failure
Catastrophic failure of rotating equipment can occur due to overspeed, lube oil failure, surge,
overheating and excessive vibration. Start up with liquids in the compressor or liquid carry over into
compressors, cavitation due to loss of NPSH or lack of flow in pumps can also cause serious damage.

Compressors
Surge protection shall be standard on centrifugal compressors.

Compressors shall be protected against liquid ingestion by suction knock out facilities and absence of
low points in suction piping.


Drain connections should be provided to ensure full draining of casing or cylinders.

Pumps
Minimum flow protection should be considered a standard feature on process centrifugal pumps.

Protection against low flow should be provided.

The need for low suction pressure protection on pumps shall be assessed on the basis of the likelihood
and consequences of cavitation. This can be severe, particularly on high power machines. Appropriate
protection shall be provided to shut down before catastrophic damage and loss of containment occurs.

Turbines and Engines

Overspeed protection is required on gas turbines and gas and diesel engines.

Overtemperature and 'loss of flame' protection is required on gas turbines.

Protection against loss of lube oil should be provided (gravity run down systems, shaft driven).

Vibration
Vibrations can cause serious damage to compressors and pumps and also may affect their hydraulic
performance. These vibrations may be the result of rotor dynamic vibrations or the result of
discontinuous flow from reciprocating compressors and pumps. For the latter, pulsation suppression
devices may be used to limit potential damage and these vessels should be designed on the basis of
acoustic and mechanical response analysis. These studies are the responsibility of the equipment
vendor, although for critical applications verification by an independent third party may be required.

Vibration monitoring and trips may be provided as a means of condition monitoring and/or protection
against catastrophic conditions. Alarm/trip settings should be at pre-catastrophic levels to avoid
damage. High speed machinery should be protected by automatic trips, without operator intervention.

Instrument connections can be particularly vulnerable to vibration as they can have natural vibration
frequencies similar to those of the machine. For this reason screwed connections shall not be used for
instrument connections and isolation valves on rotating machinery. They may be used for gauges after
the first isolating valve. Instrument connections should be properly supported to minimise vibration.

Seal Leaks
Pumps

Fully enclosed electric motor/pump sets with no seals offer significant safety advantages and should be
considered where process conditions warrant their selection.

Reliable mechanical seals shall be provided on centrifugal pumps in hydrocarbon service. The design
should consider the consequences of failure of such seals and for specific applications, e.g. pumping
LPG or toxic compounds, high integrity sealing arrangements should be specified. The IP code on
hazardous areas - IP Code Part 15 (Ref. 6) gives credit in the form of reduced hazard radii for
improved seal containment.


Compressors

Centrifugal compressors can be fitted with liquid seals or gas seals. Gas seals are considered to be safer
than liquid seals since the possibility of contamination of oil is not present thus removing the
requirement to ensure adequate degassing of seal oil. Further information is provided in EP 90-0575
(Ref. 51). For all new applications gas seals are preferred.

If liquid seals are fitted it is usual to provide seal oil header tanks to permit a seal to be maintained
during rundown and depressurisation and thus prevent blowby and the escape of gas.

Seal Oil Handling Systems

Seal oil should have a high flash point to prevent explosive mixtures in the seal oil system. The flash
point of the oil should be maintained at a level such that there is no chance of a flammable mixture
existing in the oil seal and the fresh seal oil tank. This is specified because, apart from any external
ignition sources, the oil itself can accumulate a static charge resulting in a discharge and potential
ignition within the tank. The flash point can become markedly reduced if the return seal oil is
contaminated by dissolved gas. There may be free gas present if any of the seal pot traps are leaking.
For safety, mechanical and operational reasons, it is therefore essential to specify a seal oil degassing
system which has the capacity to remove the dissolved gas and vent any seal pot leakages. The
degassing vessel vent system and pressure rating should take into account possible failure modes in the
seal return system.

Ignition Potential - Fire and Gas Leak Hazards

General
The drivers of rotating equipment are potential sources of ignition both for gas leaks from other processing units and, more relevantly, for leaks from their own fuel supply or leaks from the driven unit.

This risk can be minimised by:

- physical separation from non-related process equipment
- siting in non-hazardous areas
  Fixed diesel engines, gas engines and turbines driving equipment which are not handling flammable materials shall always be installed in non-hazardous areas. Air compressors including their drivers shall be situated in a non-hazardous area.
- the use of ventilated enclosures (often specified for acoustic reasons)
  Gas turbines are normally installed in an enclosure. The enclosure shall be artificially ventilated - refer to IP Code Part 15 (Ref. 6). If the turbine is in a Zone 2 area the air supply should be drawn from outside the hazardous area and the ventilation system should be such that the enclosure is under a positive pressure. The ventilation outlet should be located to ensure no recirculation occurs to either the ventilation system or turbine combustion air intake. This ventilation assists in keeping the enclosure gas-free but also has a cooling function.
- the appropriate use of certified electrical equipment (See IP Code Part 15)
  Enclosed gas turbines and gas/diesel engines shall be fitted with gas detectors in the ventilation intakes. When the ventilation system is running the enclosure may be classified as Zone 2 (unless the fuel gas system is all welded, when it can be rated non-hazardous) but shall be classified as Zone 1 when it is not. The fan should thus be powered by a motor suitable for use in a Zone 1 area. All equipment in the enclosure which can be energised without the ventilation should be suitable for use in a Zone 1 area.
- reduced ignition potential
  Gas and diesel engines in hazardous areas should be protected as per EEMUA 107 (OCMA MEC-1) (Ref. 52) which specifies a number of features to reduce ignition probability. Features include a limitation on surface temperatures, spark arrestors and anti-static belts. Ignition systems for gas engines are detailed in DEP 31.29.90.30 - Spark Ignited Gas-Fuelled Engines (Ref. 48).

  An additional hazard is created if a gas or diesel engine is installed in an enclosure. EEMUA 107 gives guidance on maximum surface temperatures for diesel engines related, but not equal to, the auto-ignition temperature. For enclosed gas engines, the installation of fire and gas detection in the enclosure shall be included. Care should be taken if turbo chargers are used in view of the possibility of fire if sprayed with lube oil. Consideration should be given to water-cooled chargers.
- physical barriers between driver and driven unit
  In general dry gas is difficult to ignite on hot surfaces, even above the auto-ignition temperature, but the presence of even small amounts of liquids can change this considerably since the aerosol droplets contacting the surface may ignite the body of any escaping gas. Where pumps driven by gas or diesel engines are handling flammable liquids, a physical barrier such as a wall between pump and driver should be installed to prevent liquids spraying on to hot surfaces.
- reduction in possible leak paths (minimum flanges on fuel supply)
  The fuel supply to engines should be at the lowest practical pressure and with no flanges (outside the vendor's scope) apart from those on one valve at the limit of the vendor's supply. The vendor will usually supply shutdown valves for machine protection. If additional shutdown valves are provided outside the vendor's scope, e.g. as part of the facility ESD system, these should be located such that the engine does not lie in the Zone 2 area around the shutdown valve assembly. Threaded connections are particularly vulnerable on engines because of vibration and are not allowed.

Maintenance
Engine or turbine enclosures shall be provided with sufficient doors or removable panels to allow safe
and easy access for maintenance.

Noise
Noise limits for machinery should comply with the standards set out in the SSHC Noise Guide (Ref.
53).

The noise levels associated with the current generation of large machines may be above the prescribed
limits and be difficult or impossible to reduce inherently, although elimination of gearboxes and choice
of high speed direct coupled machines are usually effective noise reducing measures. The use of
acoustic enclosures may be the only way to achieve noise reduction. Totally enclosed driver/driven unit
assemblies provide significantly reduced noise levels, but hazardous area considerations may require
separate enclosures for the driver and the driven unit.

Hot Surfaces
Hot surfaces provide a source of ignition on impingement of flammable liquids or mists. Protection
by means of water jacketing, shielding or equipment layout should be provided.

EP 95-0230 Revision 0 27 October 1995 53


HSE Manual EP 95-0230 Design

5.3.8 Atmospheric storage tanks

Standards and Guidelines


All tanks shall be designed in accordance with DEP 34.51.01.31 Standard vertical tanks - design and
fabrication (Ref. 54).

Overpressure
Overpressure protection and breathing requirements for storage tanks are set out in API Std 2000
(Ref. 55). The venting requirement should cater for:
maximum inflow and outflow
volume changes due to temperature variations, and
vapour generated under fire conditions.

Tanks and vessels designed to operate at or near atmospheric pressure are usually unsuited to withstand
even small overpressures with rectangular tanks being particularly vulnerable. It is therefore important
to ensure that the pressure drop over their venting system at maximum possible flow is within the design
capability of the vessel. It may prove necessary to specify the vessel or tank so that it is designed to
withstand small overpressures without deformation or overstress.

Such vessels and their vent systems should be designed:


to handle any gas blowby which could occur from upstream pressurised equipment
to accommodate potential overpressures associated with liquid overfilling into elevated vents
to allow easy access to any installed flame arrestors for inspection and maintenance
for vacuum conditions when draining liquid-full vessels (e.g. after pressure testing).

Formation of Internal Explosive Mixtures


During the cyclic conditions imposed by the process and by external environmental temperature
differences, there is the possibility of generating a flammable mixture in the internal vapour space of
the tank. This risk can be minimised by the provision of a gas blanketing system for the tank and by
careful design of the manifolded vent system where a number of tanks are provided.

As an ultimate control measure, the DEP referenced above calls for a weak roof-to-shell seam to be
provided to ensure that in any incident involving an internal explosion the walls of the tank remain
intact.

Ignition Potential
The ignition potential for storage facilities is normally related to static electricity or lightning. For that
reason suitable earthing and bonding should be provided for the tanks. Details are provided in the SSC
Guide Static Electricity (Ref. 56) and DEP 33.64.10.10 Electrical Engineering Guidelines (Ref. 57).


Prevention and Control of Fire


For fires on fixed roof tanks holding crude oil or similar hydrocarbon liquids, where boilover is a
possible consequence of a full surface fire, the following guidelines should be followed:
for tanks of 18 metre diameter or greater
A sub-surface or semi-subsurface foam extinguishing system should be provided based on an
appropriate combination of fixed and semi-fixed fire fighting equipment.
for tanks of less than 18 metre diameter
Fixed or semi-fixed systems are still preferred but mobile fire fighting means can be used if the
resources exist.
tanks left unprotected
Tanks should only be left unprotected where there is a negligible risk of escalation (due to boilover
and radiant heat emissions) and the loss can be accepted.

For fires on floating roof tanks the risk of boilover is less if the fires are limited to the annular seal. If
the floating roof sinks however, then a full surface fire can develop. This type of fire in floating roof
tanks is extremely difficult to extinguish and larger diameter tanks often burn out despite very large
quantities of foam agent solution being applied.

Fire protection on floating roof tanks should be based on the fitting of a fire retardant rim seal which
will resist a fire in this region of the tank. Rim seal fires can be extinguished with local application
systems using foam (known as first shot foam systems). Fire retardant rim seal materials should be
tested to DIN 22118 (Ref. 58) and conform to test standard DIN 22100 Part 1 (Ref. 59).

Halon 1211 has been effective when used for rim seal fire extinguishment but new designs should use
acceptable halon alternatives. Refer to SSHC Guide Recommendations for Alternatives to Fire
Fighting Halons (Ref. 60).

In general, floating roof tanks in hydrocarbon service should have fire protection systems designed to
include fire detection and alarm measures together with foam dams and top pourer aspirated foam
systems. These systems may be supplied with foam solution from fixed or semi-fixed foam skids
depending on the potential for ignition, escalation and the response time of the available mobile fire
service. If this exceeds 15 minutes then fixed systems should be the chosen design option.

First shot foam pressure systems can be useful as an initial method of attacking rim seal fires on tanks
in critical service. They should be used in combination with, and not instead of, fire retardant rim seals
and top pourer foam systems.

Fluoroprotein foams should be used for onshore tank protection since this type of foam has a high
resistance to 'burn back' and spreads well across the surface of burning hydrocarbons. Extinguishment
cannot be achieved until the surface of the hydrocarbon contained in the storage tank is completely
covered with a fluoroprotein foam film.

Maintenance and Operations


Suitable access provisions should be provided for all operations and instrumentation associated with the
tanks. This is normally related to access to the roof for tank dipping and for maintenance of level and
gauging instrumentation.

Provisions should also be made for access and periodic clean out of debris.


5.3.9 Electrical systems

Standards and Guidelines


DEP 33.64.10.10 Electrical Engineering Guidelines (Ref. 57).

Hazardous Area Classification (HAC)


All elements of the system shall be selected with due regard to the hazardous area in which they are to be
situated.

The principal aim of HAC is to avoid ignition of flammable hydrocarbons by minimising the
probability of coincidence of a flammable atmosphere and a source of ignition.

Hazardous areas are those areas of the plant in which a flammable atmosphere may be expected
to be present in such frequencies and volumes as to require special precautions. All other areas are
defined as non-hazardous. Hazardous areas are further subdivided into zones progressively decreasing
in probability of existence of flammable atmosphere.

Classification into zones forms the basis for selection and protection of electrical equipment in the area
concerned and for the safe positioning of other potential sources of ignition (e.g. fired heaters, internal
combustion engines, etc.), taking account of the gas releases which can occur in normal operation. It is
not the aim of HAC to guard against the ignition of flammable vapour from releases with a very low
probability of occurrence, such as catastrophic failures, though these must be considered during the
layout stage.

The aspects of HAC are covered in DEP 80.00.10.10 (Ref. 61) which provides Shell additions and
deletions to IP Model Code of Safe Practice Part 15. In applying the code, it must be understood that
the hazardous areas specified in the Code are the minimum necessary to provide protection from
normal failures. Greater separation distances provide greater protection and should be used where space
allows.

Consideration should be given to upgrading the selection of hazardous area to allow for possible
emergency situations:
abnormal hydrocarbon releases
Equipment required specifically to deal with situations where abnormal hydrocarbon releases will
exist (e.g. bund evacuation systems) shall be classified according to the hazardous areas which will
exist at such times.
shutdown of ventilation systems
In offshore situations where ventilation systems may be shut down during an incident, gas may linger
in modules for many hours. Zone 1 instead of Zone 2 electrical equipment shall be specified for any
equipment which has to be kept operational, such as ventilation fans.
Zone 2 equipment
Zone 2 equipment may be specified for non-hazardous areas which might be affected by a major
release.

Personnel and Equipment Protection


protection should be provided to prevent faults in the system giving rise to fires or explosions
facilities should be provided to minimise the risk of contact with live conductors

appropriate system isolation should be provided to allow maintenance on the system, or connected
equipment
A means of locking the isolation points should be specified in order to allow Permit to Work control
of the isolation process.
if used, impressed current cathodic protection systems shall be switched off during inspection by
divers.


6 RECOVERY FROM HAZARDOUS EVENTS


The previous chapter concentrated on the control provisions associated with process systems. Suitable
provisions should also be made for those circumstances where the hazards are realised.

Recovery measures should consider provisions to:


detect any potential, or actual, loss of containment
isolate the facility inventory
minimise the duration of any event by reducing pressure and inventory
provide appropriate separation between equipment to minimise escalation
minimise the risk of escalation by reducing the probability of ignition
extinguish any resultant fire
reduce the effects of any resultant explosions
ensure emergency power and communication facilities
allow escape, evacuation and rescue of personnel.

The structure of this chapter is based upon that used by the committee developing ISO/CD 13 702
Petroleum and Natural Gas Industries: Control and Mitigation of Fires and Explosions on Offshore
Installations (Ref. 62). At the time of issue the ISO work was at the committee draft stage. In line with
the Standardisation Spearhead principles, it is possible that upon formal release of the ISO, this chapter
will be re-issued as an addendum to the ISO clarifying what is additional to the ISO.

In the ISO standard, reference is made to a Fire and Explosion Strategy (FES) and an Evacuation,
Escape and Rescue Strategy (EER). These are not necessarily stand-alone documents and in Shell
they form an integral part of the HSE Case for the facility.

6.1 Facilities Layout


6.1.1 Objective
Optimisation of the layout of a facility is a primary means both of preventing incidents and of
preventing initiating incidents from escalating.

The primary objectives should include:


adequate provision for operations and maintenance (See 5.2.2)
siting of equipment to minimise the risk of loss of containment
minimisation of the probability of ignition of any released hydrocarbon
minimisation of the risk of escalation of any ignited flammable release
minimisation of any overpressure from a delayed ignition of flammable material
provision of suitable means for escape, temporary refuge and evacuation.

6.1.2 Functional requirements


The layout of an installation may have a major effect on the consequences of fires and explosions and
on the arrangements required for evacuation, escape and rescue. Consequently, for a new installation or
the modification of an existing installation, the impact of layout on the HSE Case or Fire and
Explosion Strategy and Evacuation, Escape and Rescue Strategy shall be fully evaluated as a basis for
selection of the design which, as far as is reasonably practicable, minimises the risk of fire and
explosion.

hydrocarbon processing facilities should be protected against major mechanical impact


maximum separation should be provided between hydrocarbon inventory and potential sources of
ignition
continuous permanent ignition sources, such as furnaces and electric power generators, shall always
be installed in 'non-hazardous' areas
maximum use should be made of natural ventilation to disperse flammable vapours
facilities shall be designed so that no area has to be classified as Zone 0, (with the possible
exceptions of the area around a continuous vent in pits below grade and in holding pits) and such
that the extent of Zone 1 areas is minimised
the accumulation of liquid pools or the spreading of pools between areas should be prevented
the degree of confinement of equipment and modules should be minimised to reduce explosion
overpressure
minimisation of escalation of an initiating event should preferably be by passive means - separation,
physical barriers - rather than active systems
essential safety systems (control station, temporary refuge, muster areas, fire pumps, emergency
generators) should be located in areas that are least likely to be affected by fires and explosions.

6.1.3 Guidelines
The following guidelines on layout are structured in the following way:
general aspects of layout relevant to both offshore and onshore installations
a methodology for developing offshore layouts
a methodology for developing onshore layouts.

General
A good layout should meet requirements for vehicle and personnel traffic, security, emergency
evacuation, fire fighting and access for maintenance, operation and workovers. Furthermore it should
include proper positioning of emergency shutdown and depressuring valves, ventilation inlets and
outlets, engine air intakes and exhausts, vents, fired heaters, control rooms, offices, living quarters,
doors and cranes. In case of major leaks, large fires or explosions, personnel and assets need to be
protected against escalation. Layout is the primary (inherently safe) means of preventing escalation. It
should be recognised that the degree of separation between equipment to prevent escalation, and the
performance standard of any barrier between equipment blocks, will be influenced by the following:
process conditions
safeguarding facilities provided
environmental conditions (prevailing wind, temperature, etc).

Facility layout requires co-ordination between all of the engineering disciplines involved in design, as
well as construction, operations, maintenance and HSE staff. Systematic layout reviews involving these
staff should be planned into the project schedule. Particular care should be taken when plant
modifications are being considered.

Designing a facility with a good layout is a complex problem which is greatly assisted by the ability to
view it in 3-D. Historically, scale models have been created, particularly for complicated projects. DEP
30.10.05.11 (Ref. 63) gives guidance on the construction of models. With the increasing use of 3-D
CAD for design, the ability to create 'walk through' virtual reality images is increasing. The greatest
benefit of 3-D representations is in the design phase when the scope for improvement is relatively easy
to achieve. Models should be reviewed systematically and in depth with design, operations and
maintenance personnel and kept up-to-date.

Minimisation of Risk of Loss of Containment


The risk of loss of containment can be minimised during layout by minimising the possibility of
mechanical damage.

Factors to consider include:


physical protection for hydrocarbon containing equipment within the swing of any crane
careful routing of roads and accessways
protection for equipment in the vicinity of potential dropped objects, e.g. wellheads
the use of major structural members to protect equipment (e.g. routing risers within the jacket
structure shadowed by the legs)
siting inventory isolation valves in areas where they will not be affected by mechanical damage
from projectiles, or from fires and explosions (e.g. riser isolation valves below deck level).

Facilities Orientation
The prevailing current and wind directions must be considered when establishing spatial arrangements
and orientations of facilities. The orientation of an offshore or onshore plant should be selected so that
accommodation blocks, Temporary Refuges (TRs) and administration buildings are upwind or crosswind
of the hydrocarbon facilities with respect to the prevailing wind direction. Similarly, pool fires on the sea will
be carried by current and wind direction. Orientation should be such that leaks or spills will tend to
drift away from the accommodation block and TRs under prevailing conditions.

In setting spatial arrangements it is also important to consider the relative densities of flammables and
what happens when lighter-than-air flammables rise, neutral-density flammables drift and heavier-than-air
flammables fall.

Minimisation of Ignition Potential


A primary method of minimising ignition potential is by the adoption of HAC. Hazardous areas are
defined as those areas in which a flammable atmosphere may be present in such frequencies and
volumes as to require special precautions. All other areas are defined as non-hazardous. Hazardous
areas are further subdivided into zones which reflect the degree of probability of the existence of
flammable atmospheres. The subdivision into zones forms the basis for the selection and protection of
electrical equipment in the area concerned, and for the safe positioning of other potential sources of
ignition.

It should be noted that HAC gives industry-accepted separation distances between ignition sources and
sources of flammable release considered credible during normal operation. The distances provided by
the code do not however cater for the effects of any larger, but less likely, catastrophic failures. These
should be reviewed as part of an overall layout study discussed below.

Minimisation of Escalation Potential


In order to prevent the escalation of incidents involving fires, explosions or leakages, suitable barriers
shall be provided between the various parts of a facility. Onshore, sufficient separation can generally be
provided so that physical barriers are not required. Those distances are based on three main
considerations: the effects of explosions, fires and ignition of gas leaks. Offshore, the compactness of
the facility often means that minimisation of escalation is achieved by a combination of distance and
physical barriers.

The criticality of the various specific facilities must be considered when determining the acceptable
minimum spacing. This is particularly the case for emergency systems such as firewater pumps,
emergency power generation and ESD systems, where their ability to survive the worst credible
accident scenario must be carefully considered.

Layout as a Form of Explosion Protection


The consequences of an explosion should be minimised and the escalation (as a result of overpressures
damaging fire or blast walls, equipment or piping or causing progressive collapse of the structure)
should be contained.

Explosion mitigation systems should be evaluated for areas where the potential for a gas or vapour
cloud explosion exists. The study should identify the potential for escalation caused by overpressures
which would impair the operation of critical systems and the effects of any subsequent fire.

The following effects of explosions should be considered:


equipment rupture
The threat of projectiles needs to be assessed considering the likelihood of the projectile impacting
critical plant and doing damage.
blast overpressure
This is a function of obstacle generated turbulence, the size, geometry and confinement of the area.
drag forces
These are developed behind the flame front and may impose significant loads on equipment,
pipework or structure, escalating the explosion damage. Resistance to such drag forces
can be achieved, for example, by increasing the strength of supports for piping, vessels and
equipment.
effects of dynamic amplification factors.

The severity and consequences of an explosion can be minimised by the use of blast barriers, providing
sufficient equipment strength to prevent escalation or the use of active explosion suppression systems.
However, the preferred method of protection should be by avoiding designs that will cause high
overpressures and by providing adequate venting to allow unburnt gas and combustion products to flow
out of the compartment before any high overpressures can develop.

The layout of equipment and piping, and the location of walls and blast relief panels should be
optimised according to the principles given below. Refer also to Figure 6.1.
design ventilation to minimise the probability of build-up of the most likely types of gas or vapour
releases
minimise number of ignition sources and keep ignition sources near to the openings as far as is
practicable
minimise module volume
avoid long narrow modules
minimise congestion.
Equipment and pipework can form obstacles which can result in the acceleration of the flame-front
of an explosion
minimise the extent to which the obstacles block the cross-sectional area of the module
Aim to place successive rows of obstacles at least 5 characteristic diameters apart to allow any
flame-front acceleration to decay
minimise the number of obstacles in the flame path between the potentially most likely ignition
location and vent
locate obstacles in the inner part of the module and away from vents
orientate obstacles so that they present their most aerodynamic profile to the main vent flow
direction
For example, orientate horizontal vessels so that the longest dimension is in the direction of the
main vent flow
maximise openings (within the constraints of the HAC) particularly in floors or ceilings if possible
Consider the use of grated flooring. Where necessary venting can be achieved by the provision of
weak points in the containment shell (blast panels), which are designed to open at a predetermined
pressure level. The performance of blast relief and ventilation panels should be verified by suitable
testing. As a minimum the following test data should be available:
the normal ambient conditions inside the module
the relief pressure
the time to relief.
do not obstruct the openings in the module boundaries
make safety critical equipment/structures barriers as strong as reasonably practicable and do not
limit the design to a calculated explosion over-pressure
design collapse in a cascade fashion such that failure occurs first in less critical directions
consider mitigation by venting, water sprays, chemicals, and dilution.

Figure 6.1 (diagram not reproduced). Each row of the figure contrasts a 'Poor' and a 'Better' arrangement and
names the effect: reduce volume (safe area); reduce blockage ratio and number of obstacles; move obstacles
to inner part of module; sideways venting; reduce blockage ratio and increase transverse spacing.

The combined effect of venting and layout modifications is complex and should be validated by blast
calculations and/or experimental scaling. However, these effects can only be assessed quantitatively for
specific situations. The degree of accuracy is still being determined and improved but may be used to
effectively compare alternative layouts and ventilation openings.

Only explosion pressure calculation models which have experimental validation should be used, and
then only by experienced personnel. At present, the recommended method for assessing overpressures
for confined explosions is to use the Shell-developed programme SCOPE (Shell Code for Overpressure
Prediction in gas Explosions).

Residual Blast Strength


Blast walls may provide a means of reducing the impact of explosion overpressures, even though it may
not be practicable to design against the overpressures in the worst case scenarios.

A decision to use design overpressure values less than the maximum calculated should be based on an
assessment of the consequences.

Explosion protection for structures, equipment, piping should be documented with structural
calculations which take into account the dynamic behaviour relating to the short pulses of explosions.
In special cases simulated tests may be accepted according to recognised standards or procedures. In
other cases engineering judgement may be acceptable.

Active Mitigation
Active mitigation depends upon rapid detection of an explosion or loss of containment and release of
the system prior to ignition.

The system will deliver one of the following:


coolants to the flame front (water sprays, water barriers etc)
chemical inhibitors (dry chemical, etc) to the flame front or to the enclosure
diluents (nitrogen, carbon dioxide, etc) to the enclosure

Explosion suppression systems have not normally been used for module protection. The interaction of
suppressants with explosion flame fronts is poorly understood and suppression systems are, as yet, not
fully proven in large volumes. Systems of this type should be approached with caution and then only
where passive mitigation measures are either impracticable or do not reduce predicted overpressures to
a tolerable level.

If such a system is considered, its performance specification should address the response time of the detection
system, the suppressant release and the location and quantities of the agent. Suppression systems are unlikely to
prevent re-ignition if a flammable mixture and an ignition source are still present.

Offshore Layout Methodology


The method for optimising layout of offshore facilities is set out in EP 90-2500 Layout Considerations
for Offshore Topsides Facilities (Ref. 64). The method provides an auditable framework within which
the development of a topsides layout can be structured. The evaluation begins with the establishment of
a 'functional shape' for the facility and then reviews the interrelation between identified 'Function
Groups'. This allows a structured consideration of the spacing and physical barriers required between
individual equipment and facilitates an assessment of the logicality of system interconnections (piping
and cabling).

Whilst the methodology has been derived for new installations, the basic concepts also apply to the
assessment of existing topsides.

Onshore Layout Methodology

General
There is, at present, no onshore equivalent of the offshore methodology. The principles set out below
are, however, considered to be sound.

Analytical Approach
The following analytical approach, illustrated in Figure 6.2 may be used to evaluate onshore plant
layouts.

The various steps are as follows:


1. A number of hazardous events are identified for each main area of the plant in a brainstorming
exercise using PFS, PEFS and layout drawings.
2. The events are assigned to broad frequency classes to give a perspective on probability of
occurrence.
3. The duration and rate of release are calculated for each event and input to physical effects
modelling.
4. The physical effects of each release are calculated, including thermal radiation from a jet or pool
fire, flammable concentrations of gas and explosion overpressures as appropriate.
5. Critical exposure levels for the physical effects are established with regard to third parties,
administration, camp areas, control/utility buildings and equipment. The impact on the preliminary
layout is assessed, in terms of criticality and the agreed loss philosophy, and events that may conflict
with the layout are highlighted.
6. Measures to improve the layout are identified.

Figure 6.2 Onshore Plant Layout Evaluation Methodology (flowchart not reproduced). The boxes of the
flowchart are: PLANT LAYOUT; IDENTIFY HAZARDOUS EVENTS; CALCULATE DURATION AND RATE OF
RELEASE; ASSIGN FREQUENCY CLASSES; CALCULATE PHYSICAL EFFECTS; ESTIMATE IMPACT; IDENTIFY
POTENTIAL IMPROVEMENTS; MODIFY PLANT LAYOUT.

If the above methodology results in unacceptably large separation distances, the use of more robust
design features and/or operational procedures can be considered. These include:
improved containment integrity
physical barriers
improved automatic isolation and/or depressuring systems
improved fire and leak detection and more stringent procedures.

Quantified risk assessment techniques may be required to evaluate the impact of such measures.

Hazardous Events Governing the Segregation of Onshore Equipment


Figure 6.3 gives an indication of potential hazardous effects which are most likely to determine the
distances between parts of a facility. The effects are not necessarily reciprocal. For example a process
facility presents risks of explosion, fire and leakage to a control room, but the control room presents
only an ignition risk to the process facility.

Figure 6.3 Effects Matrix for Plant Layout

Key: E - Explosion; F - Fire radiation/damage; L - Leak; I - Ignition source; M - Mechanical damage;
S - Security; A - Access limitation; V - Induced voltage. Lower case if unlikely to determine distance.

(The column headings of the matrix, i.e. the facilities exposed to each hazard, did not survive extraction.
Each row below gives the source of hazard, its note numbers, and its cell entries in the original order.)

SOURCE OF HAZARD
Wellhead (notes 3 & 4): FM F Fe F f F L L L FL FL FL Lf Lf
Process facility (note 5): fe FLe Fe FE fe fe L L L eLf ELf ELf Lf Lf
Transfer operation (note 6): If If FI F f f L L L Lf Lf Lf Lf Lf
Storage (note 7): F FL F F F F L L L FL FL FL Lf Lf
Piperack (note 8): L L L L L L L L
ESD valve (note 9): L L L L L L L L
Furnace (note 10): I I I I I I e e e
Electrical (note 11): I I I I I I
Power line: I I I I I I v v V
Reinforced Control Room (note 12): I I I I I I
Normal Control Room (note 13): I I I I I I
Service building (note 13): I I I I I I
Fence: SIa SIa SIa SIa SIa SIa Sa Sa Sa Sa Sa
Boundary (note 14): I I I I I I
Notes:
1) The table is not applicable for LPG facilities. For guidance on LPG facilities refer to DEP 30.06.10.12 (Ref. 65).
2) The effects of toxic gases are not considered in the table.
3) Rig access and potential mast collapse should also be considered.
4) Based on gas wells.
5) Due to the wide range of possible configurations, which may include non-hydrocarbon processes such as power generation, steam raising and
other major utility plants, these are to be assessed on the basis of the particular fire, explosion and ignition risks involved.
Major above ground piperacks should be considered as items of process facilities.
6) Transfer operation involving flammable products. Transfer operations typically represent road tanker loading/unloading.
7) For tank spacing follow IP Refining Safety Code (Part 3) (Ref. 66).
8) Off plot pipe tracks and elevated piperacks.
9) ESD valves only. Valves with only a PSD function may use a less stringent radiation resistance criterion. Blowdown valves should either
be rated fire safe for the blowdown period or be given the same separation distance as ESD valves.
10) Includes fired boilers and internal combustion engines.
11) Electrical equipment not certified for hazardous areas. 'Electrical' excludes power generation, see note 5 above.
12) Based on building to DEP 34.17.10.30 (blast resistance 100 kPa) (Ref. 67).
13) Based on building to DEP 34.17.00.32 (Ref. 68).
14) Boundary of non-related (third party) activities.

6.2 Facility Control Centre


6.2.1 Objective
To provide a safe environment for plant monitoring and control from which to supervise emergency
response.

6.2.2 Functional requirements


The control centre should be situated and protected such that it remains unaffected by any initial
hazardous event occurring in the plant.

The control centre should be designed such that its endurance for prolonged events is compatible with
the overall plan for escape and evacuation. Such endurance should include not only the structural
endurance but also the continued provision of any supporting utilities, power, communications, air
supply etc.

Suitable provision should be made for the safe evacuation of the control centre.

All information required by the operator to supervise and control emergencies should be readily and
clearly available within the control centre.

6.2.3 Guidelines

General
Each installation or facility should have a designated control point which may be referred to as the
installation Control Centre (CC). This shall be located in a non-hazardous area and be equipped for
overall control of all process and safety systems. All pertinent information from the production
processes, drilling, utilities, detection and fire fighting systems should be monitored at the CC.
Emergency control associated with these systems shall be available at the CC.

Special protection shall be provided for the CC for the following reasons:
- to protect personnel who have to remain to monitor and shut down the plant in the event of a serious incident
- to protect essential instrumentation which has to remain operational for safe shutdown of the plant
- to protect essential records which may aid post-accident investigations.

Location - Offshore
In the case of offshore platforms, the CC should have appropriately fire and explosion rated boundaries. As noted above, EP 90-2500 Layout Considerations for Offshore Topsides Facilities (Ref. 64) gives a methodology for the layout of topsides which addresses the location and protection of the CC. For unmanned stations or platforms a remote CC is acceptable, with information and control signals telemetered to an adjacent installation or shore base.



HSE Manual EP 95-0230 Design

Location - Onshore
The main hazards to the control building arise from vapour cloud explosions, leaks of flammable and toxic substances and, to a lesser extent, fire. The primary, inherently safer, measure is to provide sufficient distance between the building and hydrocarbon process or storage facilities. Where sufficient separation cannot be provided, appropriate measures should be taken to:
- design the structure and fittings, particularly windows, for blast overpressure
- incorporate special features in the ventilation system.

In general an onshore control centre should be located:
- in a non-hazardous area
- at least 30 metres from any source of flammable vapour
- on the periphery of the facility so that it is not enclosed on all sides by equipment
- up-wind of the facilities
- such that there are at least two unobstructed escape routes
- clear of other buildings or structures which could cause confinement of gases
- such that the main areas of operational importance requiring regular supervision are easily accessible and, where possible, visible
- at the same or, preferably, a higher level than the facilities.

Buildings located > 500 metres from hydrocarbon processing plant require no special provisions with
respect to explosion resistance and may be constructed to national and/or local building regulations.

Buildings located within the 200-500 metre zone (100-500 metres if related to hydrocarbon storage
and transfer operations) should be designed with a certain resilience against explosions. This
requirement aims at relatively inexpensive measures allowing a large deflection of the essential
structural elements and external wall panels prior to collapse of the building. DEP 34.17.00.32 (Ref.
68) provides details of those measures.

Buildings within 200 metres of hydrocarbon processing equipment should be constructed to DEP
34.17.10.30 (Ref. 67). Constructions to this standard are allowed within 15 metres of equipment
containing flammable material. Depending on size, pressure and contents of the equipment this
minimum distance may be increased to 30 metres.

It is recognised in the DEPs that shorter distances than those prescribed may be acceptable for low-risk
plants. Such proposals to adopt these shorter distances should be confirmed by a specific hazard
assessment which shall take into account the nature and quantity of the product and the degree of plant
congestion.


Integrity from Smoke and Gas Ingress


Buildings such as control rooms and offshore living quarters, in which personnel may have to remain during a major incident, shall be pressurised if there is any possibility of explosive or toxic gases enveloping them. DEPs 31.17.10.10 (Design of Offshore Living Quarters) (Ref. 69) and 37.17.10.11 (Design of Offshore Temporary Refuges) (Ref. 70) provide design details, but the following features should be included:
- monitoring (but not control) of overpressure
- automatic start of the 100% standby fan on loss of pressurisation, unless the fan has been tripped by the safeguarding system
- closure of dampers on smoke detection in ventilation inlets and outlets
- fire dampers in all inlet and outlet ducts, operable from inside and outside the building
- toxic and combustible gas monitoring on air inlets. In view of the fast response required, the settings shall be: alarm only at TLV or 10% LEL, and trip of the ventilation system at 20% LEL. Depending on the reliability of the type of detector selected, a voting system (or some alternative HIPPS arrangement) may be required
- the distance from sources of flammable vapour to air intakes/outlets shall be as great as reasonably practicable and at least 1 metre outside a hazardous area.

The level of overpressure for a ventilating system usually lies in the range 30 Pa to 70 Pa. It is difficult
to design (and even more difficult to control) such small overpressures and more important criteria are
air change rate, overall fan differential pressure and the balancing of main inlet, outlet and the internal
supply ducts. It is recommended to have these systems designed by specialist heating, ventilating and
air-conditioning engineers.

Low-level overpressure alarms should be considered. These should detect extended loss of
overpressure, not short term drops.

Existing installations may still have pressurised control rooms and living quarters which encroach into
hazardous areas and which have exits to hazardous areas. The following minimum standards shall apply
if upgrading to eliminate the encroaching hazardous area is not reasonably practicable:
- all walls and service penetrations shall be vapour-tight and fireproof where they are in the hazardous area
- all doors to hazardous areas shall be double, self-closing and form an airlock (where access is to a Zone 1 area the airlock space shall be classified Zone 2).

For onshore control centres seepage of hydrocarbons through the subsoil or along cable ducts is a
potential source of flammable vapours. Attention shall be given to sealing of all subsurface
constructions and penetrations. Checks shall be made at the design stage to ensure that the subsoil is
free of contamination especially for existing sites.
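The ventilation safeguard described above can be written out as logic-solver code. The following Python is an added illustration and is not part of this manual or of the DEPs cited; it assumes three detectors per air inlet voted 2oo3, a 60 s filter before an "extended" loss of overpressure is alarmed, and a placeholder TOXIC_TLV_PPM in place of the TLV of the gas concerned. It applies the same coincidence rule that the fire and gas guidance in 6.4 uses for detector types prone to spurious signals: one detector alone raises an alarm, never an executive action.

```python
"""Control-building ventilation safeguard: gas ingress voting, damper and
fan executive actions, and a delayed low-overpressure alarm.

Added illustration of the features listed in the manual; not Shell DEP logic.
Assumed here (not from the manual): three detectors per inlet voted 2oo3,
a 60 s filter before an extended loss of overpressure is alarmed, and the
placeholder TOXIC_TLV_PPM standing in for the TLV of the gas concerned.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

LEL_ALARM_PCT = 10.0          # alarm only (manual: TLV or 10% LEL)
LEL_TRIP_PCT = 20.0           # trip ventilation (manual: 20% LEL)
TOXIC_TLV_PPM = 10.0          # assumed placeholder for the TLV
MIN_OVERPRESSURE_PA = 30.0    # low end of the 30-70 Pa range in the manual
LOW_PRESSURE_DELAY_S = 60.0   # assumed filter: alarm extended loss, not dips


def vote_2oo3(readings: Sequence[float], threshold: float) -> bool:
    """True when at least two of three readings reach the threshold.

    A single detector above threshold may be a fault or a spurious signal,
    so on its own it never initiates executive action.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    return sum(1 for r in readings if r >= threshold) >= 2


@dataclass
class VentState:
    duty_fan_running: bool = True
    standby_fan_running: bool = False
    dampers_open: bool = True
    safeguarding_trip: bool = False           # ventilation tripped on gas
    low_pressure_since: Optional[float] = None
    alarms: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def scan(state: VentState, t: float, lel_pct: Sequence[float],
         toxic_ppm: Sequence[float], smoke_in_duct: bool,
         overpressure_pa: float) -> VentState:
    """One logic-solver scan at time t (seconds); updates and returns state.

    Overpressure is only monitored here, never controlled, as the manual
    requires; the air-handling balance is left to the HVAC design.
    """
    state.alarms = []

    # Gas at the air inlets: alarm at 10% LEL / TLV, trip ventilation at 20% LEL.
    if vote_2oo3(lel_pct, LEL_TRIP_PCT) and not state.safeguarding_trip:
        state.safeguarding_trip = True
        state.duty_fan_running = False
        state.standby_fan_running = False
        state.dampers_open = False
        state.log.append(f"t={t:.0f}s TRIP ventilation: 2oo3 >= {LEL_TRIP_PCT}% LEL at inlet")
    if vote_2oo3(lel_pct, LEL_ALARM_PCT):
        state.alarms.append("FLAMMABLE GAS AT AIR INLET")
    elif any(r >= LEL_ALARM_PCT for r in lel_pct):
        state.alarms.append("SINGLE GAS DETECTOR HIGH - CHECK DETECTOR")
    if vote_2oo3(toxic_ppm, TOXIC_TLV_PPM):
        state.alarms.append("TOXIC GAS AT AIR INLET")

    # Smoke in a ventilation inlet or outlet: close the dampers.
    if smoke_in_duct and state.dampers_open:
        state.dampers_open = False
        state.log.append(f"t={t:.0f}s dampers closed: smoke in ventilation duct")

    # Loss of pressurisation: start the 100% standby fan unless the
    # safeguarding system has tripped the fans; alarm only if the loss persists.
    if overpressure_pa < MIN_OVERPRESSURE_PA:
        if state.low_pressure_since is None:
            state.low_pressure_since = t
        if not state.safeguarding_trip and not state.standby_fan_running:
            state.duty_fan_running = False        # duty fan presumed failed
            state.standby_fan_running = True
            state.log.append(f"t={t:.0f}s standby fan started on loss of pressurisation")
        if t - state.low_pressure_since >= LOW_PRESSURE_DELAY_S:
            state.alarms.append("LOW OVERPRESSURE (EXTENDED)")
    else:
        state.low_pressure_since = None

    return state


if __name__ == "__main__":
    s = VentState()
    # Constructed scenario: one high detector, then a confirmed leak, then
    # the pressure loss that follows the ventilation trip.
    scan(s, 0, [12.0, 1.0, 1.0], [0.0, 0.0, 0.0], False, 50.0)
    scan(s, 5, [26.0, 2.0, 23.0], [0.0, 0.0, 0.0], False, 50.0)
    scan(s, 10, [26.0, 2.0, 23.0], [0.0, 0.0, 0.0], False, 10.0)
    for line in s.log:
        print(line)
    print("alarms:", s.alarms)
```

The point of the last scan in the demonstration is the exception in the manual's bullet list: once the safeguarding system has tripped the fans, the resulting loss of overpressure must not restart a fan, otherwise the trip would draw the gas cloud into the building.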

Internal Layout
The following points should be considered:
- operator overview
  It should be possible for operators to readily use and oversee all key controls and indications. This includes emergency systems such as fire and gas detection and the key controls of packaged units.


- instruments and controls positioning
  Instruments and controls should be positioned according to their frequency and sequence of use, degree of importance and/or basic function. A 'link analysis', as described in EP 95-0324 Human Factors, may be used to provide a structure for analysing the interface between operator and controls.
- environmental factors
  Environmental factors should be analysed to ensure maximum operator efficiency and alertness:
  - thermal climate (heat loads from computers and VDUs can be significant)
  - lighting (quantity, quality, position) to ensure that VDUs can be easily read and are free from reflection
  - noise (for disturbance rather than hearing damage).
- VDU systems
  The design of any VDU-based control system should be approached with specialist human factors input to ensure that displays are legible and clear and have appropriate coding (use of colour etc) and graphical representations.
- position and access
  The relative positions of the control room, auxiliary room, SCADA/computer room, electrical equipment room, etc should take account of the need to limit access to authorised personnel only. Such rooms should in general not be used as access routes by unauthorised persons, by people collecting permits, or by those occupying or visiting adjoining offices.

  Laboratories, workshops and social amenities may be more convenient if close to the control room, but this results in more personnel close to the facilities. They should be located away from the control building and further away from the facilities.

6.3 Process Safeguarding


6.3.1 Objective
To detect potential excursions of the process outside the design operating envelope and to initiate
appropriate executive action.

6.3.2 Functional requirements


The Process Safeguarding system shall meet the requirements of the HSE Case.

The safeguarding system should prevent excursions of the process outside of the design envelope.

The safeguarding system should be separate from the control system.

To ensure a high degree of availability, provisions should be made to allow regular testing.

Where possible primary and secondary safeguards should use diversity (for example different types and
makes of equipment, measurement of different process parameters) to minimise the risk of common-
cause failures.

Suitable and sufficient alarms and visual indications should be provided to the operator to indicate the
status of the safeguarding system.

The executive actions for all safeguarding instrumentation should be documented in a Cause and Effect matrix. Details of the instrumented protective functions should be described in the Control and Safeguarding Narratives as part of the Safeguarding Memorandum. Refer for details to DEP 01.00.02.12 (Ref. 9).

6.3.3 Guidelines
The preferred defence against a potential hazard is to design it out using inherently safe principles (see 5.2.3). This is not always economical, and more active instrumentation-based safeguarding may be required.

The executive actions initiated by the safeguarding system should be based on a consistent
safeguarding philosophy which identifies the actions to be taken for various levels of emergency. The
philosophy shall be determined, taking account of issues such as:
- manning status
- system interdependencies
- availability requirements
- maintenance philosophies.

The philosophy should describe such issues as:
- the appropriate safe action on various types of utility failure
- necessary back-up power supply and signal systems for actuators
- under what circumstances critical utilities are to be kept running
- when imports and exports will be diverted or isolated
- when subsea riser valves will be closed
- when subsurface safety valves will be closed.

It is recommended to structure the safeguarding system into a number of shutdown levels dependent on
the hazard. The levels conventionally adopted within the Group are shown in Table 6.1.

Table 6.1 Group-adopted shutdown levels

Usual abbreviation     Typical action
PSD-3                  Equipment shutdown (e.g. of a compressor or pump)
PSD-2                  Partial shutdown (e.g. of a processing train)
PSD-1                  Total shutdown, no depressurisation (unless required for specific reasons, e.g. compressor seal protection)
ESD (see section 6.5)  Total process shutdown with depressurisation and closure of SSSVs


A process control system is provided to actively regulate the process within the operating envelope (see 5.2.3). It is Group practice to separate the safeguarding system from the control system. Therefore one transmitter provides the signal for control and alarm while, if a trip function is required, a separate transmitter on a separate tapping shall operate it via an independent logic system. There are various ways of implementing this, ranging from pneumatic to microprocessor-based logic. The method finally chosen shall take into account such factors as fail-safe operation, diversity, availability, size, simplicity, cost and ease of maintenance.


Within the exploration and production environment prescriptive guidance on specifying safeguarding
systems has historically been set by API RP 14C (Ref. 71).

A more fundamental analysis of instrumented protective functions (IPF) can be obtained by a formal IPF analysis as described in DEP 32.80.10.10 (Ref. 8). This analysis optimises the design of the IPF from a consideration of:
- frequency of demand
- potential extent of injury, environmental impact, asset damage and production loss
- duration of presence of personnel in the danger zone
- the possibility of averting the hazard.

Instrumentation failures are either latent or patent. Patent failures are those with immediate visible
consequences e.g. the failure of a pressure controller. Latent failures, such as the failure of a pressure
switch, are not revealed until the equipment is required to operate and fails to do so. The majority of
safeguarding equipment has a latent failure mode, hence the requirement for regular function testing
and provision of secondary levels of protection. The IPF analysis above explicitly covers latent
(unrevealed) failures and patent (revealed) failures and considers the test regime necessary to ensure a
determined level of reliability.
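The effect of latent failures on safeguarding reliability can be made concrete with the usual simplified probability-of-failure-on-demand (PFD) expressions. The following Python is an added illustration and is not the IPF method of DEP 32.80.10.10; the beta-factor common-cause model, the "shared" fraction in layered_pfd and the failure rate used in the demonstration are assumptions made for the example. It shows why the test interval sets the reliability of a latent-failure device, and why the diversity asked for in 6.3.2 matters more than plain redundancy.

```python
"""Latent (unrevealed) failures and the proof-test interval.

Added illustration, not the DEP 32.80.10.10 IPF method. It assumes the
standard simplified expressions for average probability of failure on
demand (PFD): a latent dangerous fault in a single channel is present, on
average, for half the test interval, and in a redundant pair a fraction
beta of dangerous failures is common-cause and defeats both channels.
The failure rates used below are constructed for illustration.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Single channel: PFD_avg ~= lambda_DU * T / 2.

    lambda_du is the dangerous undetected failure rate per hour; T is the
    proof-test interval in hours. Valid while lambda_DU * T is small.
    """
    return lambda_du * test_interval_h / 2.0


def pfd_1oo2(lambda_du: float, test_interval_h: float, beta: float = 0.0) -> float:
    """Redundant pair with a beta-factor common-cause model.

    PFD_avg ~= (1 - beta)^2 * (lambda_DU T)^2 / 3 + beta * lambda_DU T / 2
    The first term is two independent latent faults overlapping; the second
    is the common-cause fraction, which behaves like a single channel.
    """
    x = lambda_du * test_interval_h
    return (1.0 - beta) ** 2 * x * x / 3.0 + beta * x / 2.0


def max_test_interval_h(lambda_du: float, target_pfd: float) -> float:
    """Longest proof-test interval at which a 1oo1 channel meets target_pfd.

    This is the test regime the IPF analysis has to write into the
    operating procedures: T = 2 * PFD_target / lambda_DU.
    """
    return 2.0 * target_pfd / lambda_du


def layered_pfd(primary_pfd: float, secondary_pfd: float, shared: float = 0.0) -> float:
    """Primary instrumented trip backed by a secondary safeguard
    (e.g. a direct-operated relief valve).

    `shared` is the assumed fraction of primary failures that also disable
    the secondary (same tapping, same make, same utility). With full
    diversity shared -> 0 and both layers fail only by coincidence.
    """
    return (1.0 - shared) * primary_pfd * secondary_pfd + shared * primary_pfd


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD: the factor by which the safeguard reduces the demand frequency."""
    return 1.0 / pfd


if __name__ == "__main__":
    lam = 2.0e-6          # constructed: one dangerous undetected failure per ~57 years
    for years in (0.5, 1.0, 2.0):
        T = years * HOURS_PER_YEAR
        print(f"T={years:>3} yr  1oo1 PFD={pfd_1oo1(lam, T):.2e}  "
              f"1oo2 (beta=0) {pfd_1oo2(lam, T):.2e}  "
              f"1oo2 (beta=0.1) {pfd_1oo2(lam, T, 0.1):.2e}")
    print("test interval for PFD 1e-3:", max_test_interval_h(lam, 1e-3), "h")
    p1 = pfd_1oo1(lam, HOURS_PER_YEAR)
    print("trip + relief valve, diverse:", layered_pfd(p1, 1e-2))
    print("trip + relief valve, 10% shared cause:", layered_pfd(p1, 1e-2, 0.1))
```

With the constructed rate, halving the test interval halves the single-channel PFD, and a 10% common-cause fraction leaves a redundant pair roughly nine times worse than an independent pair; the same shared fraction costs a trip-plus-relief-valve arrangement about an order of magnitude, which is the quantitative case for diverse primary and secondary safeguards.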

The primary safeguarding system is normally an instrumentation-based system. A direct-operated relief valve is the preferred secondary safeguarding mechanism.

For the sizing and selection of relief valves refer to:
- local statutory regulations
- DEP 80.45.10.10 (Ref. 15)
- API RP 520 (Ref. 16)
- API RP 521 (Refs. 17 and 18).

The design should avoid, as far as possible, 'low trips' which have to be overridden for start-up. Where override of trip systems for start-up cannot be avoided, the system should be designed such that the alarm remains active and indicates that the set point has not yet been reached, and the override is automatically cancelled once the set point is exceeded.

Audible and visual indicators should be provided for alarms.

Safeguarding systems for both manned and unmanned facilities shall include a first trip indicator to
show and log which parameter initiated the trip action.

Since failure of a safeguarding system will not be obvious until the system is needed, the operating procedures shall require the complete system to be checked at regular intervals. In general, testing will be carried out during normal operation and the trip system should be designed so that testing can be carried out simply, with defined levels of process interruption. Maintenance override switches (MOS) can be used for the purpose of testing. These are usually key-operated switches and should be designed such that:
- the key cannot be withdrawn in the override position
- the number of trip functions in override at any time is restricted (the preferred sequence is to have only one override on at a time)
- the associated alarm remains working
- annunciator lights alert the operator that an MOS is in the override position and identify which function
- the operator can manually trip the system in case an emergency occurs during testing
- overrides are automatically recorded in the DCS/SCADA (if installed) or data logger.

See DEP 32.80.10.10 (Ref. 8) for detailed requirements.
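The override rules above (a start-up override that cancels itself once the set point is passed, one maintenance override at a time, an alarm that stays active under any override, annunciation and logging of overrides, a manual trip that is always available, and first-up indication of the initiating parameter) can be checked in code. The following Python is an added example, not DEP logic; the tags PT-101 LL/HH, their set points and the use of an in-memory list for the DCS/SCADA record are constructed for the illustration.

```python
"""Trip-system overrides: maintenance override switches (MOS), start-up
overrides that cancel themselves, and first-up logging.

Added example; not DEP 32.80.10.10 logic. Assumed here: only one MOS may
be engaged at a time (the manual's preferred sequence), the key-operated
switch is modelled by engage/release calls, and an in-memory list stands in
for the DCS/SCADA logger. Tags and set points are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TripFunction:
    tag: str
    setpoint: float
    low_trip: bool                       # True: trips when value < setpoint
    maintenance_override: bool = False
    startup_override: bool = False

    def demand(self, value: float) -> bool:
        """True when the process is outside the envelope for this function."""
        return value < self.setpoint if self.low_trip else value > self.setpoint


class TripSystem:
    def __init__(self, functions: List[TripFunction]) -> None:
        self.functions: Dict[str, TripFunction] = {f.tag: f for f in functions}
        self.log: List[str] = []              # stands in for the DCS/SCADA record
        self.annunciator: set = set()         # lit "MOS in override" lamps
        self.tripped = False
        self.first_up: Optional[str] = None   # parameter that initiated the trip

    # Maintenance override: one at a time, annunciated, logged. Releasing
    # the override is the only way to clear it (the key stays in until then).
    def engage_mos(self, tag: str) -> bool:
        active = [t for t, f in self.functions.items() if f.maintenance_override]
        if active:
            self.log.append(f"MOS {tag} REFUSED: {active[0]} already in override")
            return False
        self.functions[tag].maintenance_override = True
        self.annunciator.add(tag)
        self.log.append(f"MOS {tag} ENGAGED")
        return True

    def release_mos(self, tag: str) -> None:
        self.functions[tag].maintenance_override = False
        self.annunciator.discard(tag)
        self.log.append(f"MOS {tag} RELEASED")

    # Start-up override: only for low trips; cancels itself past the set point.
    def arm_startup_override(self, tag: str) -> None:
        f = self.functions[tag]
        if not f.low_trip:
            raise ValueError(f"{tag}: start-up override is only for low trips")
        f.startup_override = True
        self.log.append(f"{tag} start-up override ARMED")

    def manual_trip(self, reason: str) -> None:
        """The operator can always trip, e.g. an emergency during testing."""
        self._trip("MANUAL: " + reason)

    def scan(self, values: Dict[str, float]) -> List[str]:
        """Evaluate every function against the current values; return alarms."""
        alarms: List[str] = []
        for tag, f in self.functions.items():
            v = values[tag]
            if f.startup_override and not f.demand(v):
                f.startup_override = False
                self.log.append(f"{tag} start-up override auto-cancelled at {v}")
            if not f.demand(v):
                continue
            # The alarm stays active whatever override is in place.
            alarms.append(f"{tag} {'LOW' if f.low_trip else 'HIGH'}")
            if f.maintenance_override:
                alarms.append(f"{tag} TRIP INHIBITED BY MOS")
            elif f.startup_override:
                alarms.append(f"{tag} SET POINT NOT YET REACHED (start-up override)")
            else:
                self._trip(tag)
        return alarms

    def _trip(self, initiator: str) -> None:
        if not self.tripped:
            self.tripped = True
            self.first_up = initiator     # first-up indication for the trip log
            self.log.append(f"TRIP initiated by {initiator}")
        else:
            self.log.append(f"TRIP demand from {initiator} while already tripped")


if __name__ == "__main__":
    ts = TripSystem([TripFunction("PT-101 LL", 5.0, low_trip=True),
                     TripFunction("PT-101 HH", 50.0, low_trip=False)])
    ts.arm_startup_override("PT-101 LL")
    print(ts.scan({"PT-101 LL": 2.0, "PT-101 HH": 2.0}))    # alarm, no trip
    print(ts.scan({"PT-101 LL": 8.0, "PT-101 HH": 8.0}))    # override cancelled
    print(ts.scan({"PT-101 LL": 3.0, "PT-101 HH": 3.0}))    # genuine low trip
    print("first-up:", ts.first_up)
    for line in ts.log:
        print(line)
```

The refusal in engage_mos and the REFUSED entry in the log are the enforcement of "only one override on at a time"; in a real system the same record should be retrievable from the DCS/SCADA historian so that an override left in place is visible at shift handover.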

It should also be possible to carry out tests of the logic elements of the system if this is not fully
covered when testing the initiators and other end elements.

If a DCS/SCADA system or equivalent is installed, it should be designed to log all alarms trips and
failures automatically.

Safeguarding actions which affect a number of interrelated systems shall shut down all of the systems
directly rather than rely on a cascade of trips through the process. There may be exceptions where
satellite feeders are involved. These should be treated on a case-by-case basis.

The details of the executive actions shall be recorded in a Cause and Effect diagram and safeguarding
philosophy.
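A cause-and-effect matrix is the natural place to enforce the rule that interrelated systems are shut down directly. The following Python is an added example; the effect columns, causes, matrix rows and the CONTAINS relationship are constructed and not taken from any DEP or project matrix. It evaluates the active causes to the highest Table 6.1 level demanded in a scan, and includes a design check, cascade_gaps, that flags any row which stops a system without directly stopping the equipment within it.

```python
"""Cause-and-effect evaluation with Group-style shutdown levels.

Added example; the causes, effects and the matrix itself are constructed
for illustration and are not taken from any DEP or actual cause-and-effect
diagram. It shows two points from the guidelines: the highest shutdown
level demanded in a scan wins and subsumes the lower ones, and a trip that
affects several interrelated systems must mark them all directly in the
matrix rather than rely on a cascade of trips through the process.
"""
from enum import IntEnum
from typing import Dict, Iterable, List, Set, Tuple


class Level(IntEnum):
    NONE = 0
    PSD3 = 1   # equipment shutdown
    PSD2 = 2   # partial shutdown (processing train)
    PSD1 = 3   # total shutdown, no depressurisation
    ESD = 4    # total shutdown, depressurise, close SSSVs


# Effect columns of the constructed matrix.
EFFECTS: Tuple[str, ...] = (
    "Stop K-101", "Stop Train A", "Stop Train B",
    "Isolate imports/exports", "Depressurise", "Close SSSVs",
)

# One row per cause; an "X" marks each effect the cause initiates directly.
CE_ROWS: Dict[str, Tuple[str, ...]] = {
    "K-101 vibration HH":    ("X", "",  "",  "",  "",  ""),
    "V-201 level HH":        ("X", "X", "",  "",  "",  ""),
    "Confirmed gas zone 3":  ("X", "X", "X", "X", "",  ""),
    "Confirmed fire zone 3": ("X", "X", "X", "X", "X", "X"),
}

# Equipment contained in each system (constructed): a row that stops the
# system must also stop this equipment directly.
CONTAINS: Dict[str, Set[str]] = {"Stop Train A": {"Stop K-101"}}


def row_effects(row: Tuple[str, ...]) -> Set[str]:
    return {effect for effect, mark in zip(EFFECTS, row) if mark == "X"}


def effects_for(active_causes: Iterable[str],
                rows: Dict[str, Tuple[str, ...]] = CE_ROWS) -> Set[str]:
    """Union of the effects marked for every active cause (the OR down a column)."""
    result: Set[str] = set()
    for cause in active_causes:
        result |= row_effects(rows[cause])
    return result


def shutdown_level(effects: Set[str]) -> Level:
    """Classify the demanded effects into the Table 6.1 level that covers them."""
    if "Depressurise" in effects or "Close SSSVs" in effects:
        return Level.ESD
    if "Isolate imports/exports" in effects:
        return Level.PSD1
    if any(effect.startswith("Stop Train") for effect in effects):
        return Level.PSD2
    if effects:
        return Level.PSD3
    return Level.NONE


def cascade_gaps(rows: Dict[str, Tuple[str, ...]] = CE_ROWS,
                 contains: Dict[str, Set[str]] = CONTAINS) -> List[Tuple[str, List[str]]]:
    """Design check: rows that stop a system but not the equipment inside it.

    Such a row would rely on the equipment tripping later on a process
    cascade (e.g. low suction pressure) instead of being shut down directly.
    """
    gaps: List[Tuple[str, List[str]]] = []
    for cause, row in rows.items():
        marked = row_effects(row)
        for system, inner in contains.items():
            if system in marked and not inner <= marked:
                gaps.append((cause, sorted(inner - marked)))
    return gaps


if __name__ == "__main__":
    active = ["K-101 vibration HH", "Confirmed gas zone 3"]
    demanded = effects_for(active)
    print(shutdown_level(demanded).name, sorted(demanded))
    print("cascade gaps in matrix:", cascade_gaps())
```

Running cascade_gaps over the matrix at design review, rather than at commissioning, is the cheap way to find the "rely on a cascade of trips" pattern before it is wired.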

6.4 Fire and Gas Detection System


6.4.1 Objectives
The objectives of the fire and gas (F&G) detection system are:
- to provide early detection of a fire or of flammable or toxic gas
- to communicate this information to personnel, permitting the initiation of a response (e.g. raising an alarm, evacuation of personnel)
- to initiate automatic executive actions such as alarms, extinguisher discharge and the appropriate level of emergency shutdown, to minimise the likelihood of escalation.

6.4.2 Functional requirements


An F&G detection system shall be provided in accordance with the requirements of the FES or those described in the HSE Case. Where provided, an F&G detection system has the following functional requirements:
- provide continuous automatic monitoring for fire and for hazardous accumulations of flammable/toxic gases
- monitor for ingress of smoke and flammable gas into areas where they may represent a hazard
- permit manual or automatic initiation of an alarm
- alert operators to the presence and location of a fire or hazardous accumulation of flammable gases
- minimise the number of spurious trips and alarms, and include appropriate test facilities
- initiate an appropriate response action, for example initiation of active fire protection (AFP) systems
- initiate an appropriate level of control action (see 6.5)
- be capable of operating under the conditions experienced at the time F&G detection is needed
- use field devices suitable for the area in which they will be located.


6.4.3 Guidelines

General Fire and Gas System Design Considerations


The early detection of flammable and toxic gases and/or fire is essential to prevent minor incidents
escalating into major events. The trend towards lower manning levels and separation of control stations
from the plant has resulted in automatic detection becoming the primary means of identifying these
types of release.

To reduce the consequences of loss of containment, early detection should be linked to the initiation of
alarms and automatic executive actions that alert personnel and initiate recovery measures respectively.

Detailed information on flammable gas, toxic gas and fire detection strategies, selection of detector
types, coverage, installation, calibration, alarm levels, voting and logic are contained in DEP
32.30.20.11 (Ref. 72) and DEP 32.80.10.10 (Ref. 8).

When designing F&G systems the following should be taken into account:
- type and criticality of the plant
- nature and quantity of the combustibles and their locations
- product to be detected, along with the potential rate of fire growth
- required detector response characteristics and reliability
  Detectors are not usually required to survive a fire or explosion.
- non-fire phenomena that may interfere with detection and result in spurious trips
  For example UV radiation from welding, ionising radiation, the sun's rays, IR radiation from hot surfaces, etc.
- local environmental conditions
  Special consideration should be given to ambient temperatures, air movements and the potentially detrimental effects of vibration, moisture, salt or dust-laden air.

The following general guidance is given on F&G system design:
- approach to F&G assessment
  All areas of a facility should be individually assessed for hazards that could result in a fire or flammable gas release. Ways of eliminating or reducing the probability of a fire starting, or of a release occurring, should then be explored. Only once this is complete should detection measures be considered.
- integration and separation
  All detectors should be integrated into an overall fire and gas detection actuated safety shutdown system. The inputs and alarms should be kept separate from the process control systems.
- plant segregation and F&G alarm representation and response
  Process plant should be segregated into zones for fire damage mitigation purposes. Gas and fire detector alarms in the control centre should be configured to match these zones, and response measures based on them.
- identification of types of alarms
  Fire alarms and flammable and toxic gas alarms should be different and separate on the panel.
- alarm annunciation and logging
  Alarms should, in general, be annunciated on the main fire and gas detection panel in the CC and logged:
  - on the DCS/SCADA system
  - on repeat annunciation panels at various locations (for example the fire station for onshore facilities)
  - on local status stations located in different areas of the location or facility.
- audible/visual alarms
  Alarm conditions requiring muster of personnel should be identified by audible signals, which may need to be supplemented by visual signals in high-noise areas.
- standard displays
  Fault and alarm annunciation systems should use standard signals for conveying information in order to avoid any confusion in an emergency.
- display of critical information
  Critical information displayed by the F&G system panel and required by the operator at a CC should be clearly presented to minimise the chance of misinterpretation and ensure appropriate response actions.
- simplicity and reliability
  F&G system design should be as simple and reliable as practicable. Functional component redundancy should be confined to those parts of the system where it can positively affect reliability and availability. This avoids an increased maintenance load for little added benefit. The limiting factor will be the reliability of the fire and gas sensors themselves.
- suitability
  System designs should be suitable for the conditions under which they are required to operate. The power supply should be from a reliable source and remain available during an emergency.
- spurious signals
  Where there is a high probability that certain detector types could give spurious signals they should be used on a coincident basis for executive actions or alarms. Single detector responses should only be used to initiate an alarm. The use of multiple alarm levels for gas detectors can allow limited control actions, upon detection of a low level of gas, without requiring a full ESD. Information on the level or quantity of gas present in an area should always be indicated at the relevant control centre.

Flammable/Toxic Gas and Fire Detector Requirements


The location, number and types of detectors required in a given area should be derived from an
identification and assessment of release events that could result in a fire or accumulation of toxic or
flammable gas. The likelihood of loss of containment events in each area should be evaluated and the
system performance requirements needed to reliably detect these events defined.

To achieve early detection, F&G systems should monitor all air spaces in a facility or installation
where smoke, fire, flammable or toxic gas accumulations could potentially occur. For releases of
hydrocarbon liquids that form mists, early detection normally requires oil mist detectors or manual
detection measures.

F&G detection devices should be selected based upon their response characteristics, (for example
speed of response), and the conditions under which they will be expected to operate when detection is
required. Correct detector positioning is fundamental to early detection as covered in the guidance
below.

Flammable gas detection can be effected by a number of methods, as follows:
- pellistor-type catalytic detectors
- IR point detectors
- semi-conductor and electrochemical cell-type detectors
- IR absorption beam detectors
- acoustic sensor leak detectors
- human observation (manual call-point).

In general the use of IR is recommended due to high reliability and good self-diagnostic features, see
DEP 32.30.20.11.

These detectors have different characteristics and applications, as follows:
- IR gas detectors
  IR gas detectors with a point capability offer a high mean time between failures and low drift, and present a much lower maintenance burden than catalytic types.
- IR absorption beam detectors
  IR absorption beam detectors with a linear capability have been accepted within the Shell Group as suitable for initiating executive actions as well as alarms.
- Acoustic sensor leak detection systems
  Acoustic sensor leak detection systems should not be used as stand-alone systems but can provide supplementary information, especially in land-based facilities. They are, however, sensitive to set-up and are not recommended for applications where noises in their sensitivity range, or other sounds similar to leaking gas, are common.

Low-pressure trips cannot be regarded as effective leak detectors as they are only likely to operate during catastrophic gas leakages and may be prevented from actuating by the plant control system set to maintain pressure.

Flammable gas detector locations have the following general requirements:
- detection of accumulations
  Flammable gas detectors should be located such that they will detect accumulations which may present a significant hazard to the installation. Locations should be based on dispersion calculations that model credible leak scenarios following identification of potential gas release sites.
- consideration of local environmental conditions
  Assessment of the nature of flammable gas accumulation and migration should include local environmental conditions (wind etc). This assessment may identify a general requirement for each area where gas detection is required, or a specific requirement around particular items of plant.
- dispersion effects
  Dispersion effects, and the need for the gas to enter the detector head of spot-type detectors, mean that not all leaks will necessarily be detected by them.
- detector settings not covered by standards
  Open-path (line-of-sight) IR detector settings are not yet covered by standards. Installation and location should be dealt with on a case-by-case basis. Alarm levels in units of 'LEL metres' can be reliably detected up to 50 metres.
- siting of detectors relative to potential points of release
  Plant layout should provide sufficient distance between potential points of flammable gas leakage and ignition sources so that natural ventilation can reduce concentrations below LEL. When separation distances are shorter than those required to provide adequate dilution and dispersion of leaks, detectors should be placed between the potential release points and the ignition sources. They are normally sited closer to the points of potential release.


- enclosed or semi-enclosed areas
  Enclosed or semi-enclosed process areas pose a greater risk of gas accumulation and should be provided with appropriate gas detection equipment.

Non-hazardous areas adjoining hazardous areas with Zone 1 or Zone 2 classification should be safeguarded by flammable gas detectors located at the inlets to the ventilation system. System logic should take into account the following:
- action on detection of gas in non-hazardous modules
  Gas detection in non-hazardous modules should be used to initiate executive action to shut down HVAC systems and close the associated dampers. The system response time is important and needs to be short enough to prevent ingress of flammable gas.
- gas migration and the positioning of detectors
  Where it is assessed that a gas release could migrate into non-hazardous areas, the air intakes, or the areas themselves, should be fitted with detection.
- system response time
  Use of gas detection within a non-hazardous area to prevent ignition of a gas accumulation needs careful consideration to ensure that the F&G system response time will be adequate to complete shutdown actions and deactivation of ignition sources.
- enclosures with an internal gas source
  Enclosures with an internal gas source (for example gas turbines) should have flammable gas detection within the enclosure, preferably on the ventilation outlet.
- detection of gas in the outlet from an enclosed space
  Detection of gas in the outlet from an enclosed space should be used to initiate appropriate automatic executive action such as shutdown of process and electrical equipment. Where the inlets to the enclosure are gas-free, the HVAC system can help disperse and dilute the flammable gas and should be left in operation. If gas is entering by the enclosure inlets, the HVAC should be shut down. F&G system logic should take this into account.

Toxic Gas Detection (see also EP 95-0317 H2S in Operations)


The toxic gas of primary concern to EP operations is hydrogen sulphide (H2S), although volatile
organic compounds such as benzene are often a hazard also. H2S is present in the fluids from sour
reservoirs and can also result from the action of sulphate-reducing bacteria on stagnant sea water.

Although H2S has a clearly defined 'rotten eggs' smell at concentrations of a few ppm, higher concentrations anaesthetise the human sense of smell. Detection of a large release of H2S is therefore essential to protect personnel.

In practice high levels of H2S would normally be associated with a large release of hydrocarbon gas
which should be picked up by flammable gas detection before H2S levels represented a serious threat.

Detection techniques usually include semi-conductor and electrochemical-based methods, which can be used to reliably detect concentrations above 1 ppm in air. For further details on the design of fixed detection systems refer to EP 95-0317 and DEP 32.30.20.11 (Ref. 72). The following should be noted:
- fixed detection is not practicable for continuous background monitoring and should only be employed to detect releases that present a toxicity threat to personnel
- H2S can be detected using line-of-sight detectors, but this technology is new and should be approached on a case-by-case basis
- installation of fixed detection in no way replaces regular monitoring by portable devices to check that levels are kept within acceptable limits
- detector location is similar to that for flammable hydrocarbon gases, in that the potential dispersion plume of a release should be used to determine location
- H2S has the ability to 'poison' traditional pellistor-type detectors.

Fire Detection
Fire detection can be effected by the following methods; refer to DEP 32.30.20.11 (Ref. 72) for fire detection design requirements:
- Heat detectors
  - point rate of rise
  - point fixed temperature
  - point combined temperature and rate of rise
  - linear
  - fusible plugs
- Smoke detectors
  - point optical scattering
  - point ionisation
  - high sensitivity smoke detection
- Flame detectors
  - IR line-of-sight
  - UV line-of-sight
  - combination IR/UV

Heat detectors are the oldest and least expensive form of fire detection, but the following should be considered:
- they have a low spurious alarm rate but can be slow in detecting fires
- since the heat generated by a small fire tends to dissipate rapidly, heat detectors are best used in confined spaces close to the expected fire source
- in unconfined spaces they should be installed directly over the potential fire site, for example just above an internal combustion engine.

Smoke detectors function by sensing products of combustion and are best applied in areas where cellulosic or smouldering types of fire can occur (for example accommodation and electrical areas). The following should be considered:
- they are not very effective in detecting fires that burn efficiently in air with little smoke, for example alcohols; they do respond more quickly than heat detectors if installed in the path of combustion products from the fire
- installation should always verify that, despite air currents, forced ventilation and convection, the smoke detectors will actually see the smoke from a potential fire site. Use of harmless chemical smokes while simulating normal operating conditions in the plant is one way to check that the location is appropriate
- they can give false alarms due to dirt or dust emissions. One way to avoid this is to employ smoke detectors only in relatively clean areas and service them regularly, including cleaning the detection chamber.


High sensitivity smoke detection (HSSD), using a pump-driven sampling system to draw combustion products past a laser or xenon tube light source, is highly tolerant of high air flows and will respond to low levels of combustion products. Points to note include:
- HSSD systems can be over 100 times more sensitive than point detection systems and cope well with dust and dirt as they have their own internal filtration system
- where rapid response measures such as removing the power supply or manual intervention are available, HSSD can often eliminate the need for a fixed fire protection system.

Flame detectors are suitable for detecting fires in large modules and open areas. Flame detectors give a more rapid response to fires than heat or smoke detectors, providing that flames are clearly visible and not obscured by smoke. The following points apply to their application:
- they work best where visible flames are the main indicator of a fire
- they can be used to provide area protection when installed in a number of locations near a hazard identified as having the potential for fire
- IR and UV flame detectors are line-of-sight devices and care should be taken so that their field of vision is not inadvertently blocked
- a combined IR/UV detector (whilst initially appearing attractive) is an expensive option, combines the deficiencies of both, and is less suitable than IR or UV (single-frequency IR detectors are recommended for critical process areas)
- the cone of view of these detectors is limited, typically up to 20 metres, and effective coverage is achieved by installing them with overlapping cones and marking this on installation drawings.

Manual alarm call points linked to the F&G system should be provided at convenient locations around
the installation to allow personnel who have observed a fire or gas release to alert the control centre.

Control Actions
The following should be taken into account for manned offshore facilities:
- deluge should not be applied in the event of gas release. A real risk exists that sparks are created by deluge water entering faulty fittings of electrical equipment and igniting the surrounding gas, and that increased air turbulence may increase explosion overpressures. Deluge should only be applied once the gas has been ignited, to prevent escalation
- in the case that fire is detected, the area fire protection system shall be activated automatically
- if gas is present in an area, the area ventilation should be maintained to facilitate removal of the gas (the HVAC shall be designed for Zone 1 under these conditions)
- if gas is detected at HVAC intakes, these shall be shut down and the fire dampers closed
- in case of fire, it is recommended to shut down the area ventilation and to close the fire dampers.

Table 6.2 F&G detection and associated actions

| Detection | Action |
|---|---|
| Gas detection in any area except accommodation | ESD; no deluge; maintain HVAC |
| Gas and/or smoke detection in HVAC intake to accommodation | ESD; shut down HVAC; close fire dampers |
| Fire or smoke detection in any area except accommodation | ESD; shut down HVAC/close fire dampers; initiate area fire protection system |
| Fire detection in accommodation | Shut down HVAC/close fire dampers; if sprinklers are not of the frangible bulb type, initiate sprinklers in the fire area |

Deviation from these guidelines should be justified and approved as part of the facility safeguarding
philosophy.
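The cause-and-effect logic of Table 6.2 and the control actions above, written out as an added Python example (not code from the manual or from any Shell system): gas alone never releases deluge or area fire protection, per-detector inhibits for maintenance and testing suppress executive actions while the alarm is still raised, and the accommodation sprinkler action depends on whether the sprinklers are of the frangible bulb type. Two points are assumptions, not statements of the manual: HVAC shutdown demanded by fire or intake detection takes precedence over maintaining ventilation for gas, and the detector tags (GD-101 etc.) are constructed.

```python
"""F&G cause-and-effect logic for Table 6.2 (added example, not from the manual)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Iterable, Set, Tuple


class Event(Enum):
    GAS = auto()
    SMOKE = auto()
    FIRE = auto()


class Location(Enum):
    PROCESS_AREA = auto()               # "any area except accommodation" in Table 6.2
    ACCOMMODATION = auto()
    ACCOMMODATION_HVAC_INTAKE = auto()


@dataclass(frozen=True)
class Detection:
    detector_tag: str   # constructed tag names such as "GD-101"; not from the manual
    event: Event
    location: Location


@dataclass
class FgLogic:
    """Decides executive actions from detections, honouring maintenance inhibits."""
    frangible_bulb_sprinklers: bool = True      # Table 6.2: no sprinkler action if frangible bulbs
    inhibited: Set[str] = field(default_factory=set)

    def inhibit(self, tag: str) -> None:
        """Inhibit executive actions from one detector during testing; it still alarms."""
        self.inhibited.add(tag)

    def reinstate(self, tag: str) -> None:
        """Remove the inhibit once maintenance or testing is complete."""
        self.inhibited.discard(tag)

    def executive_actions(self, detections: Iterable[Detection]) -> Tuple[Set[str], Set[str]]:
        """Return (executive actions, alarming detector tags) for the current detections."""
        detections = list(detections)
        alarms = {d.detector_tag for d in detections}          # every detector raises an alarm
        active = [d for d in detections if d.detector_tag not in self.inhibited]

        def seen(events: Set[Event], location: Location) -> bool:
            return any(d.event in events and d.location is location for d in active)

        gas_in_area = seen({Event.GAS}, Location.PROCESS_AREA)
        fire_in_area = seen({Event.FIRE, Event.SMOKE}, Location.PROCESS_AREA)
        intake_hit = seen({Event.GAS, Event.SMOKE}, Location.ACCOMMODATION_HVAC_INTAKE)
        fire_in_accom = seen({Event.FIRE}, Location.ACCOMMODATION)

        actions: Set[str] = set()
        if gas_in_area:
            # Table 6.2 row 1: ESD, no deluge, maintain HVAC to clear the gas
            actions |= {"ESD", "MAINTAIN_HVAC"}
        if intake_hit:
            # Table 6.2 row 2: gas and/or smoke at the accommodation HVAC intake
            actions |= {"ESD", "SHUTDOWN_HVAC", "CLOSE_FIRE_DAMPERS"}
        if fire_in_area:
            # Table 6.2 row 3: area fire protection only once fire is confirmed (gas has ignited)
            actions |= {"ESD", "SHUTDOWN_HVAC", "CLOSE_FIRE_DAMPERS", "AREA_FIRE_PROTECTION"}
        if fire_in_accom:
            # Table 6.2 row 4: sprinklers are initiated only if not of the frangible bulb type
            actions |= {"SHUTDOWN_HVAC", "CLOSE_FIRE_DAMPERS"}
            if not self.frangible_bulb_sprinklers:
                actions.add("INITIATE_SPRINKLERS")

        # Assumption (not stated in the manual): an HVAC shutdown demanded by fire or
        # intake detection overrides the "maintain HVAC" action for gas in an area.
        if "SHUTDOWN_HVAC" in actions:
            actions.discard("MAINTAIN_HVAC")
        return actions, alarms


if __name__ == "__main__":
    logic = FgLogic(frangible_bulb_sprinklers=False)
    scenario = [Detection("GD-101", Event.GAS, Location.PROCESS_AREA),
                Detection("FD-201", Event.FIRE, Location.PROCESS_AREA)]
    print(*logic.executive_actions(scenario))
```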

Service, testing and maintenance

F&G systems should be regularly maintained and tested. System design and equipment choice should take note of the following requirements:
- components should be easily accessible for calibration, testing and maintenance
- system integrity checking should be possible without taking the whole system out of service
- detection and alarm circuits should be self-checking for electrical faults, with fault announcement provided at the control panel
- facilities should be provided which allow the inhibition of automatic executive control actions from individual detectors to avoid spurious trips during maintenance and testing
- cabling and piping essential to the system function should be suitably protected and routed to minimise the possibility of damage.

6.5 Emergency Shut-Down System

6.5.1 Objective
To initiate appropriate shutdown and isolation actions to prevent escalation of abnormal conditions into a major hazardous event and to limit the duration of any such events which occur.

6.5.2 Functional requirements

An Emergency Shutdown (ESD) system shall be provided in accordance with the HSE Case or the FES.

The ESD system should:
- isolate the facility from the major hydrocarbon inventories within pipelines and reservoirs
- sectionalise the facility to limit the quantity of material released on loss of containment and limit the duration of the incident
- contain provisions to control potential ignition sources such as fired units, engines and non-essential electrical equipment
- where appropriate, initiate depressurisation
- initiate actions in utility systems to mitigate hazardous events (start up of fire pumps, shutdown of HVAC etc).

The system should be designed such that it is capable of fulfilling its function under the conditions
which may be experienced when the system is required to operate.

Loss of power or key input signals should not compromise the integrity of the system.

An ESD system shall provide adequate information at a control station so that personnel involved in
managing an emergency have the information they need. The information presented and the controls
provided shall be such that the operator can effectively execute the required actions.

The system should contain facilities to allow testing of both input/output circuits and internal functions.

6.5.3 Guidelines

ESD Valve Position

The valves providing ESD isolation should be located so as to minimise the possibility of their being affected by any incident. Where necessary they should be specified as fire-safe valves.

The valves should be positioned such that the possibility of hazardous events affecting the pipework
upstream of the valve is minimised.

ESD valves on incoming pipelines and risers should be provided. The requirements for boundary
isolations should also address gas-lift lines.

Offshore, riser ESD valves may need to be supplemented by sub-sea isolation valves to limit the
duration of leaks associated with the riser (or if the riser ESD valve fails to close).

ESD valves within the process may be required, to limit the amount of hydrocarbons released on loss of
containment, to separate systems with differing operating conditions, and to facilitate blowdown system
design.

Provisions for Start-Up

The design of the safeguarding system shall take account of commissioning startup and routine startup.

The ESD isolations should not be compromised by any startup bypasses. Following a plant shutdown with inventory blowdown a high differential pressure (DP) will exist across the ESD valve. Opening large ESD valves with a high DP across them will cause mechanical damage, so means of equalising the pressure across the valve must be provided. Rather than providing a bypass around the main ESD valves, this can best be achieved by installing the bypass across an adjacent locally operated block valve, if one exists, with a bleed between the manual block valve and the ESD valve. Alternatively, a line small enough to accomplish repressuring, and which has its own ESD valve, may be identified for this purpose. If an ESD bypass cannot be eliminated its inclusion shall be justified and approved as part of the facility safeguarding philosophy. The bypass shall be configured so that the emergency shutdown system is not defeated. It shall therefore be fitted with its own ESD valve which can be opened by manual action for startup but which resets to the closed position when there is a shut-down signal. Spring loaded valves are not acceptable since:
- they are liable to abuse by defeating the spring return
- the seat will be cut by the throttling action and will not seal.

In order to maintain isolation integrity no ESD valve shall be used for throttling. Where this function is
required it shall be carried out by an adjacent manually operated valve.

In circumstances where high availability is required parallel redundant ESD valves may be installed to
allow full function testing. One of these valves shall be retained in the normally closed position.

The use of ESD valves as part of the provision for maintenance isolation should be avoided, particularly as the main pressure isolation valve. Where circumstances dictate otherwise, adequate procedures must be in place to ensure:
- that the valve actuator is positively disconnected from any source of motive power and will remain so until the work is finished
- that the automatic valve actuation is reinstated before any subsequent startup.

The design shall be compatible with these procedures.

Start-up after an automatic shutdown shall not be initiated until all causes of the shutdown have been
identified and corrected. For systems with manual startup this requirement shall be incorporated in the
startup procedures. For systems with automatic start sequence this should be a part of the startup logic.
Local manual reset devices should be specified to ensure that a site check is made before restart.

Design of Hardware
The following are special requirements for the design of ESD system hardware:
- shutdown valves should not be fitted with hand wheels for manual operation
- shutdown/isolation valves should fail closed
- large block valves may be hydraulically or pneumatically operated, and systems shall be included to maintain fail-safe operation during automatic shutdown when their prime energy source may also be shut down (hydraulic/pneumatic accumulators)
- valve leakage (both internal and external) should be minimised (valve leakage rates and associated tests are given in ANSI B17.104 (Ref. 73))
- where necessary, fire-proofing should be applied to ESD valve actuators, accessories and actuator control systems
- manual actuation buttons should be located at a safe distance from the fire risk area (preferably on exit routes)
- valve position indicators may be displayed in the control room.


Other Executive Action

In addition to isolating the installation or facility from the reservoir and pipelines and providing sectionalisation of the inventory, consideration should be given to:
- initiating emergency depressurisation (see 6.6)
- isolating electrical equipment to prevent escalation of electrical fires
- initiating shut-down of HVAC to minimise smoke or flammable gas ingress
- initiating isolation of non-intrinsically safe electrical equipment upon detection of flammable gas
- initiating the muster of personnel.

Failure of an essential utility (e.g. instrument air) shall activate an ESD.

Control room mounted, or local manual, switches shall be provided to shut down individual items of
equipment or activate ESD.

The requirements for ESD actions in relation to drilling and well servicing activities need special
consideration. Manual initiation of ESD actions which affect drilling or well services operation is
usual.

6.6 Emergency Depressurisation (EDP) - Vent and Flare

6.6.1 Objective
To reduce the magnitude and duration of a hazardous event by disposing of the hydrocarbon inventory in a safe and controlled manner.

6.6.2 Functional requirements

The rate of depressurisation should be such that major escalation of initiating events is prevented. In
theory, it should be determined from an analysis of the expected heat flux from the initiating event and
the wall thickness of the equipment being protected.

The pipework to the disposal point should be routed away from areas of potential fire impingement, or
appropriately protected.

The consequences of venting or flaring gas when activating the emergency depressurisation should not
introduce any unacceptable hazard due to, for example, thermal radiation or flammable/toxic gas.

The environmental impact of the disposal system shall be minimised.

6.6.3 Guidelines

General
EDP systems should be considered for pressurised hydrocarbon systems in order to safely dispose of the
gaseous inventory under emergency conditions. Fast effective EDP may reduce the duration of jet fires
to the extent that the need for, or amount of, passive fire protection can be reduced or removed.
However, failure of EDP system pipework, for example in an explosion, may result in the entire pressurised inventory being discharged into the area of failure. Consequently, the design of the EDP system should be carefully optimised to ensure that it is capable of fulfilling its intended role.

In case of a serious fire or gas leak, the equipment in the affected area should be depressured (blown
down) automatically. In the case of fire, pressurised equipment and associated process lines should be
depressured in order to avoid potential escalation of the emergency due to rupture caused by loss of
metal strength. In the case of a gas leak it is both a precautionary measure and a means of reducing the
size and duration of the release.

If jet fires are a possibility, heat fluxes of 200 to 350 kW/m2 may need to be taken into account. All
reasonable steps should be taken to ensure that the risk to personnel and the environment due to
catastrophic vessel rupture are minimised. Thin-walled low pressure vessels are particularly at risk.

The protection afforded by blowdown systems designed to the fixed blowdown time specified in API
RP 521 (i.e. to 50% of design pressure within 15 minutes) will vary depending on the thickness of
pressure vessel walls and the intensity of the fire. It is recommended that checks are carried out to
determine what blowdown time is actually required. It should be noted that asset protection provided
by blowdown will only be effective if the blowdown is initiated at the start of the fire. This implies
automatic initiation from the F&G detection system.

The requirement for automatic blowdown means that the F&G detection system must be reliable so that
spurious trips are minimised. Modern instrumentation is sufficiently reliable to make automatic
blowdown practical, providing the correct amount of redundancy and testing are built into the design.

The provision of an EDP system may not in itself be sufficient to prevent vessel rupture if a vessel is
engulfed in a fire. Where an assessment indicates that such failures present a significant risk, additional
forms of protection such as increased spacing, or passive fire protection should be considered.

Blowdown is applied to protect pressure vessels and in-plant pipework. Onshore flowlines, inlet
manifolds, slug catchers and some piping do not need blowdown in a well designed layout since they
should be away from the site of serious fires. It is recommended that when systems are blown down all
sections within each area are fully depressured otherwise fire crews may be placed at risk through
assuming that everything has been depressured, when in fact it has not. Careful attention to the
positioning of ESD valves and non-return valves is required to ensure this.

Offshore, the blowdown of inlet manifolds, trunk line cross-overs and near platform pipeline
inventories should be considered in relation to platform layout.

In case of loss of instrument power, or valve actuating fluid, blowdown valves should fail open.

Backpressure control valves may be used for blowdown duty to simplify instrumentation and improve
reliability. This shall only be considered for valves which are subject to continuous flow in normal
operation and which have internals appropriate for the blowdown flow/pressure characteristics.

The blowdown rate often determines the sizing of the flare system and particularly offshore this is a
reason to seek means of reducing the rate. Facilities may be divided into sections each of which is
blown down separately. If this is done the design and layout should be such that a fire or explosion in
one section will not affect the adjacent sections. Onshore, adequate separation distances are required.
Offshore, separation distances may be economical in shallow water otherwise fire and blast walls are
required.


Segmented blowdown systems are an option where:
- segmentation is applied to accelerate the blowdown of sensitive sections of the process rather than to reduce the size of the flare. In this case the flare system shall be designed to accommodate simultaneous blowdown caused by any common mode failure as the base case
- the segmented process safeguarding systems are sufficiently independent and reliable that it can be demonstrated that the risk of simultaneous blowdown is negligible. Onshore process complexes with common flares normally fall into this category. In such cases it should nevertheless be demonstrated that the consequences of a simultaneous blowdown would not be catastrophic in terms of radiation, noise, vibration and back pressure.

It is sometimes proposed to phase the opening of blowdown valves so as to augment the blowdown rate part way through the blowdown sequence. This has the effect of reducing the peak blowdown mass flow rate. Since, however, the failure mode of the blowdown valves is in the open position, the total loss of instrument air case must be guarded against, usually by local reservoirs. Refer to DEP 32.45.10.10 Instrumentation of Depressuring Systems (Ref. 74).

Low temperatures during blowdown and relief require selection of the correct materials. The possibility of blowdown from a temperature less than normal operating temperature should be considered. The thermal capacity of the piping system may be taken into account in predicting what the lowest transient temperature will be. As pipes operating below 0°C rapidly frost up, the insulating effects of this shall be taken into account. For material selection refer to DEP 30.10.02.31 (Ref. 75), ASME B31.3 (Ref. 26) and ASME VIII (Ref. 76). Accurate methods for the prediction of temperatures within the equipment being blown down (i.e. upstream of blowdown valves) are being developed. SIEP may be consulted for more details.

Vent and Flare System

The vent and flare system is used for the disposal of hydrocarbon gas which cannot be exported as saleable product, i.e.:
- gas which is to be disposed of to control upset conditions (emergency depressurisation)
- excess gas produced by the process.

DEP 80.45.10.10 provides detailed guidance on the design of flare and vent systems (Ref. 15).

The following factors need consideration:
- sizing relative to the possible peak flow
- noise levels
- noise induced resonance
- thermal radiation levels
- flame stability
- method of ignition/provision of pilots
- gas dispersion
- mist and liquid emissions
- provisions for access restriction (control of exposure)
- location of ignition sources.


Selection of Vent or Flare - Environmental Considerations

Methane is recognised as a 'greenhouse gas' and several recent studies have identified it to be
potentially more significant in global warming than previously recognised. Relief systems form a large
proportion of the total EP emissions, a substantial proportion of which is methane if a vent or carbon
dioxide if a flare. Since methane is a greater contributor to global warming, in principle flares are
preferred to vents. Report EP 95-1615 Atmospheric Emissions in EP Operations (Ref. 77) discusses the
impact of relief system emissions on the environment and gives guidance on methods to reduce such
emissions.

Selection of the most environmentally benign method of disposing of gas will be location dependent.
The above report discusses the criteria and provides advice on the selection of vent or flare. The report
contains summaries of recent research work which has enabled purge rates to be reduced significantly.

Location of Flares and Vents

Flares
Flares are ignition sources and should be placed at a safe distance (and in a safe direction) relative to
vents and prevailing wind. The trajectory of hot soot particles from the flare needs to be considered
when determining safe separation.

Vents

No sources of ignition (e.g. open flames, uncertified electrical equipment, hot surfaces) shall be placed
within the area around vents where a flammable mixture may exist. This shall be that defined by IP15
code or as determined by dispersion calculations. For dispersion analysis, the distance to the 20% LEL
level should be used, thus providing a margin for uncertainty in the modelling. For small vents these
are usually dealt with by HAC.

A high exit velocity is recommended to improve dispersion.

Ignition by static electricity is a common problem with continuous vents. The probability of ignition
can be reduced if the vent tip is correctly designed. See 6.10.5 of SSHC guide Static Electricity (Ref.
56) which proposes three options.

Vents should be designed for ignition with respect to the effects of radiation on plant and personnel.

Restriction of Access
A fence or equivalent barrier shall be provided to restrict personnel access to the sterile area around a
flare, i.e. where radiation levels might exceed 6.3 kW/m2.

The location of the flare shall be such that it does not interfere with the approach path of helicopters
under the worst flaring conditions. It is recommended to design for maximum radiation levels, on the
helideck and in the approach path, of 1.57 kW/m2 for continuously burning flares. There are limitations
to both the maximum safe ambient air temperature and the maximum safe temperature difference
between the air above the helideck and that surrounding it. The design should clearly identify any
operational restrictions to helicopter movements caused by the presence of the vent or flare. Specialist
advice should be sought on this subject.


Noise and Resonance

Noise levels shall comply with DEP 31.10.00.31 Noise Control (Ref. 78). The Thornton Research
Centre (TRC) computer program BHEP contains a noise prediction routine for flares.

Mist and Liquid Emission

Emission of mists and particularly liquids in flare or vent systems shall be avoided in the design. Relief
valves and vents shall be sited to minimise liquid carryover and all vapours likely to contain liquids
shall be passed through a knock-out facility. A high liquid level in knock-out facilities should initiate
an automatic production shut down.

The flare header system should be designed such that the accumulation of liquids is avoided. Failure to
prevent such accumulations has led to major flare headers being displaced off elevated piperacks when
the accumulated liquid slug accelerated along the system during blowdown. A detailed checklist for
flare systems has been developed which is included in Report MF 92-0130 Technical HSE Reviews
and Fire Safety Reviews - Checklists for Planning and Execution (Ref. 79).

As an additional precaution against burning liquid drop-out, access to the areas below onshore flares
and offshore boom or remote flares shall be restricted. For offshore vertical flares, drop-out can be
minimised only through providing adequate knock-out facilities.

6.7 Emergency Power System

6.7.1 Objective
To provide a reliable source of emergency power to critical systems for a sufficient duration to enable them to perform their intended function.

6.7.2 Functional requirements

Emergency power shall be provided in accordance with the HSE Case or FES.

The capacity of the emergency power system should be determined from an analysis of all systems
necessary to ensure the facility can be safely shut down and evacuated.

The location and design of the emergency power systems shall ensure that they will be able to perform
their function under the conditions which may be experienced when called upon to operate.

Facilities should be provided to allow maintenance of the emergency power system without
significantly reducing the functioning of the system.

The provision of emergency power supplies should be automatic and not rely on operator intervention.

Suitable provisions should be provided to allow the status of the emergency power system to be
monitored from the control room.


6.7.3 Guidelines
Emergency electrical power may be provided by one of the following systems:
- an emergency generator
- cables from land (local grid) or other installations
- battery systems
- installation main power generation, providing it can be demonstrated to provide reliable power under emergency conditions
- a combination of the above.

The prime mover for the emergency generator should be diesel-fuelled with a reliable and secure diesel
supply sufficient to supply all emergency loads usually for 24 hours. Fuel supplies should preferably be
gravity fed. Where this is not possible the diesel transfer pump should be supplied from the emergency
switchboard.

All equipment associated with emergency power (emergency generator, emergency switchboard,
storage batteries, rectifiers and inverters etc) should be situated in non-hazardous areas, with adequate
protection against fire and explosion.

Start-up and monitoring of the emergency power system shall be possible from the CC facility.

Cabling for systems supplied with emergency power should be of a standard that will allow the system
to operate for long enough to perform its role under the conditions which may be experienced when
emergency power is required and should be routed to minimise damage.

Deluge control valves and other critical valves may be held in the closed position by the instrument air
system. If the integrity of the air supplies cannot be guaranteed (by a suitably sized air receiver) the
need to power the air compressor from the emergency generator should be considered.

The consequences of loss of power during drilling activities should be evaluated to ensure that
emergency power supplies have sufficient capacity to allow for all actions necessary to make the well
safe.

Systems requiring independent battery back-up power supplies, in addition to any emergency generator power, will normally include:
- emergency lighting
- external communications
- navigational aids
- the facility alarm and communication system
- the platform control, monitoring, ESD and fire and gas systems.

The duration of the uninterruptable power supply (UPS) to the systems noted above should provide
power for a period considerably longer than any temporary refuge (TR) endurance time to cater for
those events where immediate evacuation is unnecessary or not practical.

For further details on Emergency Power Systems refer to DEP 33.64.10.10 Electrical Engineering
Guidelines (Ref. 57).


6.8 Drainage Systems

6.8.1 Objective
The objectives of a plant drainage system are to:
- cater for accidentally spilled flammable liquids
- provide a route for the safe and environmentally acceptable disposal of liquid inventory
- handle surface water such as rain water.

6.8.2 Functional requirements

The capacity of the drainage system should be such that it can handle the worst case credible spill
coincident with any deluge and/or fire fighting activities.

The system should limit the maximum horizontal spread of a spill and prevent any spills from
accumulating under vessels or equipment.

The system should be such that transmission of spilled flammable materials from one area to another is
precluded. Hazardous and non-hazardous open drains shall be separate with no interconnections.
Hazardous closed drains shall be separate from all open drainage systems.

The system should be such as to minimise the probability of blockage, and enable inspection and
clearance of sediment.

The overall system should take into account the degree of contamination of individual drainage streams
in order to optimise the waste treatment facilities.

6.8.3 Guidelines

General
Drain systems have been involved in a large proportion of accidents within oil and gas processing facilities. Their design demands careful consideration. The following factors affect the safety and environmental acceptability of drain systems:
- interconnection between different drain systems
- effect of blockages
- accidental or deliberate misuse
- possibility to spread fire or flammable liquids
- pollution of the sea, watercourses, ground water and soil
- release of toxic materials to the atmosphere
- material specifications
- provisions to clean and maintain the system.

The design should be optimised based upon an analysis of the following:
- the nature of the product (flammable, toxic)
- the pressure of the disposal stream
- degree of contamination (continuous or accidental)
- the hazardous area of the collection point.

Where necessary segregated disposal streams should be provided.

Kerbs or drip pans should be provided around vessels, pumps and other sources of leakage to limit the
spread of small spills.

Codes and Standards

DEP 34.14.20.31: Drainage and Primary Treatment Systems (Ref. 80). Whilst this DEP is primarily
directed towards onshore drainage systems, the principles and categorisation of effluent streams remain
relevant for offshore projects.

For storage tanks the worst case credible spill is associated with tank rupture. In this case suitable
bunding provisions should be made in accordance with the IP Code Part 3 - Refinery Safety Code (Ref.
66). Also provision for bund evacuation needs to be addressed.

The release of pollutants, and hence the design features required for offshore drainage systems, is
subject to the MARPOL convention, to which most countries are now signatory. As yet no specific
codes or standards exist within the Shell Group for offshore drainage systems apart from those
developed by individual operating companies.

Types of Drainage Systems

The design of the drainage system should take into account the characteristics of the individual streams in order to optimise processing requirements. The following types of effluent categories are recognised:
- entirely oil-free water
- domestic sewage
- accidentally oil contaminated water, e.g.
  - tank bund drainage
  - atmospheric drainage from non-hazardous areas
- continuously oil contaminated water, e.g.
  - closed process drainage
  - closed maintenance drainage
  - atmospheric drainage system from hazardous areas
- fire fighting/cooling water.

System Interconnections
Apart from treatment considerations, further separation may be required to reflect drainage pressure
levels and the HAC of the collection points. Open drains are essentially collected from open drip-pans,
tundishes and floors. Closed drainage systems are hard piped from process vessels and equipment. The
possibility therefore exists to transfer flammable material from hazardous to safe areas unless suitable
segregation is applied.

Hazardous and non-hazardous open drains shall be separate with no interconnections. Hazardous closed
drains shall be separate from all open drainage systems.


6 Recovery from Hazards Events

Existing systems should be upgraded to remove interconnections. In particular, a closed drain system
shall never be connected with atmospheric drains from non-hazardous areas. The use of dip-pipe seals
in the drain caissons may be considered as an alternative for the following two offshore cases:
- existing systems with interconnection between closed drains and hazardous atmospheric drains
  systems
  This situation may be upgraded by making the only point of connection in the collection sump via a
  liquid seal of at least 3 metres.
- existing systems with interconnection between atmospheric hazardous and atmospheric
  non-hazardous area drains
  This situation may be upgraded by making the only point of interconnection via a liquid seal of at
  least 1 metre.
In such cases the dip-pipe must be corrosion resistant and the sump vent large enough to prevent the
seal being broken when gas blowby occurs from the largest connected pressurised source. Such
connections should be regularly tested to ensure the seal is maintained.

Specific requirements for offshore:
- drilling module drain system
  In view of the nature of the fluids care should be taken with the slope provided, and suitable
  provisions should be included for clean-out.
- helideck drainage system
  Helidecks should be designed to quickly remove spills of aviation fuel from the vicinity of the
  aircraft. A direct overboard connection is acceptable.

In order to limit the size of drainage recovery systems it may be acceptable to provide firewater drains
which discharge firewater directly to the sea.

6.9 Active Fire Protection

6.9.1 Objectives
Active Fire Protection (AFP) systems, which normally involve the application of a control
extinguishing agent, are provided to reduce the consequences of any fire upon personnel, the
environment and assets so far as is reasonably practicable. An AFP system should achieve the
following:
- control fires and prevent escalation
- reduce the effects of fire and smoke to allow personnel to undertake emergency response activities
  or escape and evacuation measures
- extinguish fires where it is considered practical and safe to do so
- limit damage to structures, vessels and equipment
- meet legislative requirements where these require AFP.

6.9.2 Functional requirements

Active fire protection systems shall be provided in accordance with the requirements of the HSE Case
or FES.

Active fire protection systems should have the following functional requirements:
- reliability of operation after long periods in a quiescent state
- availability when required to operate
- suitability for the anticipated duty and environment
- ability to operate when exposed to the fire itself where this functional requirement is identified
- be tested when the installation is operating
- ability to be rapidly re-instated following a fire or other circumstances in which they are actuated
- provide adequate information to the control centre on their status, for example isolated, available,
  manual or automatic
- capability for automatic initiation and/or manual initiation by trained personnel depending on the
  location, size and type, the likelihood of escalation, the expected duration of the fire and the
  evacuation arrangements for the installation or facility
- have a capacity and discharge density (or application rate) determined either by engineering
  evaluation or through the use of a relevant recognised standard
- acceptability of initiation time when manually initiated
- be marked with easily understood operating instructions
- be designed, installed, and maintained in accordance with recognised standards such as those issued
  by the National Fire Protection Association (NFPA).

6.9.3 Guidelines

General Design Considerations

In all installations and facilities there are a range of hazards that, in the presence of an ignition source,
have the potential to result in a fire. This section gives guidance on active fire protection systems as a
means of recovery from fires.

Fires generate heat and smoke and may have the following consequences:
- injury or impairment of personnel, for example burns, heat stress, toxic products of combustion and
  poor visibility
- damage to structures or equipment, possibly leading to escalation
- damage to emergency systems.

The location, number and types of active fire protection systems required are normally derived from an
identification and assessment of fire and explosion hazards. Final choices will depend on the following:
- the number and location of exposed personnel and their ability to escape
- the escalation potential
- the impact of any production outage
- contractual provisions
- impact on corporate image
- impact on the environment
- legislative requirements
- impact on third parties
- requirements imposed by insurance restraints.

Assessment of potential fire scenarios (type, size and duration) should be used to define the
performance requirements of an AFP system with the aim of providing recovery. In some cases AFP
systems may be required by legislation.

In some cases it may not be practical or necessary to provide an AFP system to extinguish a potential
fire, for instance where extinguishment may create a greater hazard (the potential for an explosion) or
may simply not be practicable. In the case of gas leaks of any significance, early ignition may cause a
jet fire, whereas late ignition may result in an explosion followed by a jet fire.

The most effective way to limit damage is to detect fires at as early a stage as possible and control them
whilst they are still small. Adequate and appropriate portable fire fighting equipment can allow rapid
intervention by operations personnel to extinguish a fire without always activating the fixed protection
system.

Where AFP systems cannot be immediately returned to service after operation, procedures should
manage the hazard until the AFP system can be reinstated.

Consideration should be given to the need to release automatic systems from a manual station located
outside the exposed area should the automatic initiation fail for any reason.

Active Fire Protection System Types

There are four main types of active fire protection systems:
- fixed systems
  These comprise a piping network for the distribution of a specific fire extinguishing or controlling
  medium, for example a water spray or a gaseous fire extinguishing system.
- semi-fixed systems
  These comprise a mixture of fixed and mobile elements, for example a base injection foam system in
  a storage tank.
- mobile systems
  These have no fixed components and need to be transported to the site of a fire, for example a twin
  agent dry powder/foam system and monitors for use with hydrants, refer to DEP 80.47.10.32
  (Ref. 81).
- portable systems
  These are usually hand-carried units used for early intervention in a fire situation or to back up fixed
  or semi-fixed systems, for example a portable dry powder extinguisher, refer to DEP 80.47.10.32
  (Ref. 81).

Fixed Fire Protection Systems


Fixed fire protection systems offer a short response time and should generally be employed where
delays in mitigating the effects of a fire need to be minimised to reduce the risk of escalation.

They are particularly useful for remote or automatic application of fire control agent and minimise the
exposure of operators and fire fighters dealing with the event. They do, however, require some form of
initiation and as a result are considerably less reliable than passive systems.

Although requiring low manning to operate, fixed systems require a high level of maintenance and must
be routinely tested if they are to be available on demand. Design of these systems needs careful choice
of materials to avoid corrosion problems that can block nozzles and impair operation as can occur in
water systems.

Where installations or facilities have the infrastructure to guarantee adequate system testing and
maintenance, fixed fire fighting systems should normally be considered as a first choice in preference
to semi-fixed or mobile systems. However, the likelihood and nature of credible fire scenarios will have
a bearing on this choice.

The following types of fixed system may be employed:

Water based systems
- deluge systems
- mini-deluge systems
- sprinkler systems
- hydrants and monitors
- fixed fire fighting foam systems
- helideck foam systems
- water mist systems

Chemical and gaseous based systems
- inerting gases (carbon dioxide, Inergen etc)
- hydrofluorocarbons (FE 13, FM 200 etc)
- powder
- potassium carbonate/acetate

Firewater Demand
The fire and explosion analysis will identify major hazardous fire events and assess the probability and
consequences. This study should include an assessment of escalation potential. Fire protection system
design will be determined from this analysis.

The analysis results can be used to assess the design firewater demand and should take into account:
- the demand of all systems likely to be initiated by the initial incident
- requirements for manual fire fighting
- requirements for personnel protection during escape and evacuation
- firewater requirements for essential users
- possible escalation to other fire areas
- release of protection systems covering other areas
- possible manual initiation of additional water based protection systems in order to protect nearby
  equipment and facilities.

The fire water system should be capable, when operating at its design conditions, of meeting the design
firewater demand. However, the maximum reasonably foreseeable firewater demand may be met by
allowing the firewater pumps to run out beyond their duty point and taking credit for all sources of
firewater which are likely to be available in the emergency.

Firewater Pump Systems

The design goal of a firewater pump system is to provide a reliable and secure supply of firewater to the
firewater main at the required pressures and flows for all firewater dependent systems in a facility or
installation. The following design criteria should be considered:
- firewater supply pumps should be independently driven units installed in non-hazardous areas and
  should be protected from adjacent fire hazards.
  They should be installed such that a single fire or explosion cannot impair their capacity to meet
  firewater demand.
- the number of fire water pumps should be based upon a detailed availability analysis.
  This should consider the arrangements necessary to provide fire water when a pump is unavailable
  due to maintenance or breakdown. On normally manned offshore installations this may require at
  least two independent units.
- if more than one pump is provided, pump units should be designed to minimise the risk of common
  mode failures during emergencies.
  Pump inlets should be separated such that in the event of an incident rendering a pump inoperative,
  the other pump unit(s) will not be affected.
- arrangements should be provided to allow verification of fire water pump performance over the full
  range of the fire water pump curve.
- pump stop should be local only.
  Except during testing, any alarms from pump monitoring systems should not automatically stop the
  fire pump.
- fire detection at the fire water pump room should not stop the pump or inhibit the pump start.
  Confirmed hydrocarbon detection in the air inlet of the driver should inhibit the pump start.
- if not running continuously, the system should be designed to start automatically in a fire
  emergency.
  In addition facilities should be provided for local and remote manual start.
- the firewater pump system should be located or protected so that it is able to supply firewater in a
  fire emergency.
  Protection against damage of any associated power cables, hydraulics/piping and control circuits
  should be considered.
- units required to operate when gas is present should be designed to be suitable for hazardous area
  operation.
- water treatment may be necessary to ensure that marine growth will not impair pump performance.
  The requirements for inlet filtration should be considered where debris may damage the pump.
- sufficient instrumentation (both local and, where appropriate, remote) should be provided to enable
  personnel to ascertain the operational status of any unit
- pumps should have status indication provided at a control station
- the provision of relief devices or other arrangements may be required at the pumps
  These may be needed to prevent damage to pipework or risks to personnel using hoses due to high
  startup or operating pressures or surge. Such devices should reset automatically once the excess
  pressure has been relieved.
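The availability analysis that the pump criteria above call for, as an added worked example that is not part of this manual: a k-out-of-n model of pump redundancy in Python with a simplified beta-factor term for common-mode failure, which is the failure class the separate-inlet and independent-driver criteria are meant to reduce. The per-pump downtime, the beta share and the target figures are constructed assumptions chosen to illustrate the method, not values from the manual or from any Shell standard.

```python
from math import comb


def system_unavailability(n_pumps, pumps_needed, pump_unavail, beta=0.0):
    """Probability that fewer than `pumps_needed` of `n_pumps` are available on demand.

    pump_unavail: fractional downtime of one pump (maintenance plus breakdown);
                  an assumed input to the analysis, not a figure from the manual.
    beta:         share of that downtime attributed to a common-mode cause that
                  takes every pump out together (simplified beta-factor treatment,
                  an assumption of this example).
    """
    q_common = beta * pump_unavail        # common-mode part, shared by all pumps
    q_indep = pump_unavail - q_common     # independent part, per pump
    # Independent failures: binomial probability that fewer than k pumps are up.
    short_indep = sum(
        comb(n_pumps, up) * (1 - q_indep) ** up * q_indep ** (n_pumps - up)
        for up in range(pumps_needed)
    )
    # Either the common-mode event occurs, or it does not and too many
    # independent failures coincide.
    return q_common + (1 - q_common) * short_indep


def pumps_required(target_unavail, pumps_needed, pump_unavail, beta=0.0, max_pumps=6):
    """Smallest pump count meeting the target unavailability, or None if no count
    up to max_pumps does: common-mode failure puts a floor under what redundancy buys."""
    for n in range(pumps_needed, max_pumps + 1):
        if system_unavailability(n, pumps_needed, pump_unavail, beta) <= target_unavail:
            return n
    return None


if __name__ == "__main__":
    # Constructed figures: 5% per-pump downtime, 10% of it common-mode.
    for n in (1, 2, 3):
        print(n, "pump(s), 1 needed:",
              round(system_unavailability(n, 1, 0.05, beta=0.1), 6))
    print("pumps for 1e-2 target:", pumps_required(1e-2, 1, 0.05, beta=0.1))
    print("pumps for 1e-3 target:", pumps_required(1e-3, 1, 0.05, beta=0.1))
```

With the constructed figures, two independent pumps bring unavailability from 5% to 0.25%, but once a 0.5% common-mode share is included no number of pumps gets below 0.5%; that floor is why the criteria separate inlets, drivers and locations rather than simply adding units.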

Firewater Mains
The design goal of firewater mains is to reliably and securely distribute firewater to all dependent
protection systems, on demand, at the required pressures and flows and under the conditions which may
be present when there is a demand for firewater.

Firewater mains should be designed such that any user system can be supplied, at its maximum required
water demand, flow and pressure, with one section of the main isolated. This is normally achieved by
designing the main as a ring or loop with sectioning valves to isolate any damaged or blocked sections
of the main.

In order to ensure a timely supply of firewater and reduce pressure surges the firewater main shall be
charged with water and maintained at standing pressure wherever practicable.

The design and routing of the firewater main should take account of the following:
- reduce the possibility of damage from fire, explosion or other occurrences
- provide access to sectioning valves
- prevent freezing (where climatic conditions dictate)
- base the hydraulic analysis of this system on a recognised technique and ensure that the design
  parameters are fully auditable
- recognise that the operation of systems connected to the fire main may lead to significant surge
  pressures which may cause damage to pipework and equipment (the need for surge protection should
  be considered in the system design)
- provide suitable facilities which will permit the pump units and the fire mains to be tested under full
  operating conditions to determine any deterioration
- recognise that piping and valve materials selection and their proper installation is critical to the
  integrity and dependability of a fire water system

Materials readily rendered ineffective by heat should not be used for fire mains and fittings, unless
provided with adequate fireproof insulation or otherwise protected.
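The single-section isolation requirement for firewater mains stated above, as an added example that is not part of this manual: a connectivity check in Python over a constructed ring main and the same main with the loop left open, isolating each pipe section in turn and reporting which take-off points lose their path to a pump. The layout, section identifiers and node names are constructed for the example. It checks reachability only; whether each user still receives its required flow and pressure with the section isolated is the hydraulic analysis the section calls for, which this check does not perform.

```python
from collections import deque

# Constructed example layout (not from the manual): pipe sections of a fire
# main, each isolable by its sectioning valves, as (section_id, end_node, end_node).
RING_MAIN = [
    ("S1", "PUMPHOUSE", "N1"),
    ("S2", "N1", "N2"),
    ("S3", "N2", "N3"),
    ("S4", "N3", "PUMPHOUSE"),   # closing section that makes the loop
]
DEAD_END_MAIN = RING_MAIN[:3]    # same nodes, loop not closed
PUMPS = {"PUMPHOUSE"}
# Nodes where dependent systems (deluge skids, hydrants, monitors) take off.
USERS = {"N1", "N2", "N3"}


def adjacency(sections, isolated=None):
    """Undirected node graph of the main with one section valved out."""
    adj = {}
    for sid, a, b in sections:
        adj.setdefault(a, set())
        adj.setdefault(b, set())
        if sid == isolated:
            continue
        adj[a].add(b)
        adj[b].add(a)
    return adj


def supplied_nodes(adj, pumps):
    """Nodes still connected to at least one pump (breadth-first search)."""
    seen = {p for p in pumps if p in adj}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_section_isolation_check(sections, pumps, users):
    """For each section isolated in turn, list the users that lose supply.
    An empty result means every user survives any single isolation."""
    failures = {}
    for sid, _, _ in sections:
        supplied = supplied_nodes(adjacency(sections, isolated=sid), pumps)
        lost = sorted(u for u in users if u not in supplied)
        if lost:
            failures[sid] = lost
    return failures


if __name__ == "__main__":
    print("ring main:", single_section_isolation_check(RING_MAIN, PUMPS, USERS))
    print("dead-end main:", single_section_isolation_check(DEAD_END_MAIN, PUMPS, USERS))
```

The ring passes with no failures, while the open-ended main loses every downstream user whenever an upstream section is isolated; extending the check to a second pumphouse node, or to a section and a pump out together, is a matter of adding entries to the constructed lists.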

Deluge Systems
The goal of deluge system design (so far as is reasonably practicable) is to assist in the recovery from
fire by applying a reliable, secure and effective distribution of firewater:
- to limit escalation
- to provide cooling to equipment and structures
- to protect personnel
- to extinguish pool fires (by introducing foam concentrate).

The following points should be taken into account:
- jet fires
  Limited theoretical and experimental work to date indicates that deluge systems cannot be relied
  upon to cool equipment or structures which are engulfed in jet fires.
- pool fires
  Deluge systems can provide cooling from pool fires although they are not sufficient to extinguish the
  fire itself.
- small fires
  Deluge can be effective in cooling equipment in other types of fires and in containing the effects of
  small fires.
- unconfined environments
  Deluge systems are less effective in unconfined environments and in such circumstances are much
  less likely to extinguish jet fires and to be effective in cooling pool fire environments.

Deluge system design achieves its goals by providing:
- area protection
  This is provided by a general array of overhead open sprinklers to enable a uniform application of
  water to equipment and pipework within a specified area.
- equipment protection
  This is provided by dedicated open or directional spray heads to direct water onto specific critical
  items such as vessels, well heads, BOPs, pumps etc.
- structural protection
  This is provided by dedicated specialised nozzles to direct water onto selected structural members.
- personnel protection
  This is provided by an arrangement of nozzles to permit the formation of water curtains or barriers
  designed to protect personnel during escape and evacuation.

Deluge systems can be used as a means of applying firefighting foam to areas where there is a potential
for hydrocarbon pool fires. Where this method of extinguishment is chosen, the foam system design
should ensure that distribution is reliable and secure under reasonably foreseeable emergencies.

Consideration needs to be given at the design stage to drainage of deluge water and suitability of
electrical equipment specifications in deluged areas.

DEP 80.47.10.31 (Ref. 82) should be referenced for information on the design, installation and
acceptance testing of deluge and mini-deluge systems.

Water Mist Systems

Recent developments in fire protection have highlighted the potential of using water mist systems.
These systems normally involve discharging very small drops of water (150 to 400 microns) to
extinguish a fire by heat extraction and oxygen displacement from the flame region. Water mist systems
can rapidly extinguish fires in small confined spaces with negligible water damage.

The systems work on a 'local flooding' principle and nozzle numbers and location are important to
ensure that an area is adequately protected. Where the water mist falls below a critical density,
extinguishment will not occur. For this reason work continues to establish the effectiveness of these
systems in larger enclosures, or in the open, where for the present their application is limited to well
defined fire scenarios.

Considerations that need to be addressed in the use of water mist systems include:
- provision of a suitable water supply and air if this is needed for the particular system
- the size of the protected area and the degree of congestion
- the fuel type and the nature of the fires which may be expected
- the effect on electrical or other sensitive equipment.

Tests have shown that water mist systems can be effective against cellulosic, hydrocarbon liquid, gas
and some electrical system fires. Unfortunately, recognised codes and standards for these systems are
not yet available and designs usually have to be based on experimental/test data from the manufacturer.

Water mist systems are accepted in certain applications as environmentally benign alternatives to
halons and should be considered as one possible option.

Foam Systems
Foam forming additives can significantly increase the effectiveness of water in controlling hydrocarbon
pool fires. Water deluge systems can only achieve cooling and containment of hydrocarbon pool fires.
Extinguishment requires a fixed fire fighting foam system utilising a film forming foam which seals the
vapour layer above the burning hydrocarbon with a water film.

Foams are ineffective for fires where smothering effects cannot be achieved such as pressurised oil/gas
jet fires.

This type of fixed foam system should be considered in all normally manned facilities where there is a
likelihood of a pool fire developing. The only exceptions to this would be where the main hydrocarbon
produced is gas with limited quantities of associated liquids.

Fixed foam system designs can be of the centralised type where the firewater main and deluge system
pipework distribute foam to the required areas. For isolated specific hazards local independent foam
systems could be considered.

Foams may be employed using hose stations, portable extinguishers and fixed monitors as well as fixed
systems. The foaming agent may be applied by directly introducing foam concentrate into the fire water
system in fixed proportions or may be applied as a premixed solution of concentrate and water.

The following design criteria should be followed:
- foam proportions
  Where foam concentrates are introduced directly into the fire water system, the method of
  proportioning should provide sufficient accuracy to ensure that the required performance is obtained
  over the full range of flows and pressures which may occur in the firewater system.
- foam suitability
  The foam concentrate selected should be suitable for use on the flammable liquids present in the
  protected area, in the expected environmental conditions and through non-aspirating nozzles if these
  will be used.
- foam pump
  The foam pump, its sources of power supply, foam concentrate and means of controlling the system
  should be readily accessible, simple to operate, capable of being put into operation rapidly and
  located/protected so that it will be able to operate when required.
- foam system design for helidecks
  For helidecks the foam system should normally consist of a local dedicated system to ensure
  reliability, accuracy of proportioning and a rapid speed of response.
- foam use with hand-held systems
  Central foam systems should not be utilised as the primary source of supply of foam solution to
  hand-held equipment, as the central foam proportioning system cannot accurately proportion an
  acceptable firewater/foam solution at the low flow rates being discharged from hand-held
  equipment.
- foam storage tanks
  Foam storage tanks should include provision for refilling the tank from foam storage containers. The
  tank, together with its associated pipework, should be designed to provide adequate static head at
  the foam pump inlet to comply with the foam pump net positive suction requirements.
- proportioner protection on no firewater flow
  The foam proportioner should be designed so that it will not introduce foam into the water stream if
  fire water is not passing through the proportioner.
- foam pump protection on no foam flow
  To prevent the foam pump from being damaged by running while no foam is being proportioned into
  the fire water main, a minimum flow by-pass valve should be installed downstream of each foam
  pump discharge outlet.
- foam pump minimum bypass
  Each minimum flow by-pass valve should be of the self-contained minimum flow sensing design.
  The minimum flow by-pass line should be sized to avoid over-heating of the foam and to minimise
  the amount of frothing in the foam tank caused by the aeration of the foam.

For high expansion foams, provision should be made for venting the protected space while foam is
being introduced. Provision should be made for testing high expansion foam generators by discharging
foam outside the protected space.

Specific advice on the fire protection for storage tanks is given in 5.3.8.

Details of the design, testing and acceptance of foam systems can be found in DEPs 80.47.10.30, (Ref.
83), 80.47.10.31 (Ref. 82) and 80.47.10.10 (Ref. 84).

Sprinkler Systems
The goal of a sprinkler system is to contain small fires involving mainly cellulosic materials by
applying a reliable, secure and effective distribution of water.

Sprinkler systems are automatic wet-pipe fixed water spray systems and are used mainly in
accommodation, storage, workshops and laboratories where cellulosic materials present the major fire
hazards. They are not normally suitable for hydrocarbon fires.

The standing charge in the sprinkler system should not normally be sea water as this causes potential
corrosion problems. The pressure of the standing charge should be indicated to alert personnel.

Where an automatic sprinkler system is connected to an unpressurised main it should be provided with
a reliable interim water supply with sufficient capacity to maintain protection of the area until the main
is pressurised. Automatic supply from a pressurised fire or deluge main which activates upon drop of
pressure in the sprinkler system is often an acceptable supply arrangement.

Sprinkler heads should be of an approved type and manufacturer, otherwise their performance
characteristics cannot be assumed with confidence. The spacing, location, design discharge density and
area intended for protection should be clearly established in response to assessed fire scenarios.

Sprinkler systems should be installed with care in galley/cooking areas and measures taken to prevent
direct impingement of water onto hot cooking fat or oil. Electrical systems in cooking areas should be
isolated if the sprinkler system operates. Galleys are better protected with dedicated liquid chemical
agent protection systems which seal the surface of hot fat or oil.

Systems should be provided with test and drain facilities so all air can be removed when a system is
primed ready for use. Larger systems can sometimes benefit from being divided into sections and
monitored so the section which has operated can be identified and the location of the fire identified.

Monitors and Hydrants

The goal of monitors and hydrants is to provide a reliable means for personnel to supplement deluge
and sprinkler systems, if required, by directing water at specific areas or equipment.

Monitors may be required at strategic locations and utilised for the application of water or foam. They
can be manually oscillated or operate automatically.

Monitors should be:
- located such that the effects of radiant heat on operators are tolerable
- provided with capability for locking in the optimum position once the application area has been
  established
- capable of discharging in both jet and spray modes and have local manual override controls
- located so as not to impede escape routes or be a hazard to personnel when set up to operate in the
  automatic mode.

Hydrants should use the following design criteria:
- positioning
  Hydrants should be distributed so that water can be brought to bear on any location by application of
  water jets supplied from two separate hydrants, via two separate hoses, both kept as short as
  practicable.
- connections and couplings
  They should have two valved outlets complete with instantaneous couplings. Hoses, couplings and
  branch pipes should be stored in cabinets mounted adjacent to the hydrants.
- hydrant system design pressure
  Where hydrants and hose reels are supplied by a fire main, the hydrant system should be designed so
  that the equipment can be operated safely at the maximum pressures which may be present in the
  main.
- location as source for supplementary protection
  Location is important where hydrants provide supplementary fire protection. If ignition occurs high
  levels of radiant heat may be emitted. Hydrant positioning should take into account the need for
  safe operation and be located outside the predicted 5 kW/m2 radiation boundary.

Dry Chemical Extinguishing Systems


Dry chemical systems' goal is rapid knockdown of hydrocarbon fires, eliminating escalation due to
thermal radiation effects.

Dry chemical systems provide little security against re-ignition and the potential exists for an explosion
due to subsequent build up of a flammable atmosphere following the extinguishing of a jet fire or one
involving volatile liquids. Application frequently needs to be backed up with film forming foam where
pool fires need to be sealed to eliminate the possibility of burn back and re-ignition of the original
release.

Dry chemical for fixed system application should be a last choice for facility protection. Service
requirements and the need to keep the chemical agent dry and suitably fluid during application mean
that this type of system does not have the inherent reliability normally expected.

Application can be from hand hose or fixed nozzle systems. To cover several areas with a single supply
of agent, remote hand hose lines with remote actuators are connected by rigid piping to a single supply.
A major disadvantage of a single supply unit for protection is the loss of capability if the unit
malfunctions (e.g. due to compaction of the powder or nozzle blockage) or is damaged. This
disadvantage may be overcome by using several smaller units.

The discharge of chemical and expellant gas is two phase, and the flow characteristics depend upon the
particular chemical, gas and equipment being used. Therefore, it is important to use the manufacturers'
data when designing the piping. The most effective agent in current use is 'Monnex'.

When chemical and foam agents are to be used at the same location, compatibility should be
confirmed. Combined self-contained systems are available for simultaneous or sequential use. Such
systems offer the advantages of a rapid knockdown by dry chemical and the securing ability of foam as
previously mentioned.

Gaseous Extinguishing Systems


The main goal of a gaseous fire extinguishing system is to flood an enclosure with a gaseous
extinguishing agent at a concentration that will extinguish a fire.

Gaseous systems can also be designed to inert an enclosure where flammable gas has been detected by
total flooding with an agent. This will prevent ignition of the flammable gas and possible explosion.

Gaseous systems have traditionally been used for electrical or electronic equipment areas which could
be damaged by water or other agents. In many cases however, it is possible that such areas do not need
extinguishing systems due to the low fire hazards in the area.

Hazards and potential consequences should be assessed to determine whether prevention and detection
measures are sufficient, removing the need for a fixed system. Examples are high sensitivity smoke
detection, isolation of the electrical power supply and rapid manual intervention, usually with portable
appliances.

Halogenated hydrocarbons (Halons 1301, 1211 and 2402) have been the most effective class of
fluorochemical based gaseous extinguishing and inerting agents. These are, however, now being phased
out due to environmental concerns about ozone layer depletion. They shall not be used for new
protection systems. Refer to Shell HSE Committee booklet: Recommendations for Alternatives to Fire
Fighting Halons, 1994 (Ref. 60).

New fluorochemical gaseous extinguishing agents have been introduced based on hydrofluorocarbons
(for example HFCs FE-13 and FM-200) which do not deplete the ozone layer. In practice these should
be a last choice for gaseous fire protection systems and environmentally benign agents given
preference. HFCs are not effective inerting agents and should not be employed in this application.

Inert gas extinguishants can be used. Argon or argon/nitrogen mixtures provide an effective and
environmentally benign alternative to halons. Carbon dioxide can also be used but measures to protect
personnel from inadvertent exposure are essential. These agents are not really suitable for inerting
enclosures where gas has been detected.

The use of gaseous agents in enclosed areas can produce an oxygen deficient atmosphere which will not
support life. Such an atmosphere will quickly produce dizziness, unconsciousness and eventually death
if personnel are not removed.

When designing systems the choice of automatic or manual operation should be made based on the risk
to personnel from fire balanced with the risk from the extinguishing agent and any decomposition
products it may generate.

Gaseous systems design should take the following into account:


accessibility
The means of initiating the gaseous systems should be readily accessible and simple to operate.
operation
Where systems are arranged for remote and/or automatic release they should also be capable of
manual operation with manual release points located strategically, generally at the control valves
and at entries to the protected space.
fault detection
Where appropriate, the system should be monitored to detect faults.

104 EP 95-0230 Revision 0 27 October 1995


6 Recovery from Hazards Events

audible and visual alarms
Clear audible and, if necessary, visual warnings should be automatically given within the space
prior to and during injection of the extinguishing agent.
system status indication
Visual indication of system status should be provided at each entry point to the protected space.
maintenance of extinguishing concentration
Enclosure boundaries should be designed and integrity tested to ensure that an extinguishing
concentration can be maintained for a minimum period. Where high volume concentrations (for
example 30%v/v) of extinguishing gas are discharged in sealed enclosures, venting should be
considered to avoid overstressing the enclosure.
discharge period extension
Where gas flooding is provided for ventilated machinery rooms, the discharge period should be
extended to allow for losses during the shutdown of the machinery and automatic gas tight dampers
should be provided on all ventilation ducts.
shutdown interlocks
Means should be provided for automatically stopping all ventilation fans and closing openings
serving the protected space before the agent is released.
extinguishing gas distribution
Discharge nozzles should be so positioned that a uniform distribution of the medium is obtained.
static electricity hazards and grounding
A static electricity hazard may exist when discharging a gaseous agent (such as carbon dioxide) and
consideration should be given to grounding nozzles and objects exposed to the agent.

6.10 Passive Fire Protection


6.10.1 Objectives
The goal of passive fire protection (PFP) is, so far as is reasonably practicable, to limit the effects of
fire for a pre-determined period (usually determined by fuel depletion and personnel evacuation times)
by providing a reliable, secure and effective system of thermal insulation/barriers for critical
equipment, modules and structural elements.

6.10.2 Functional requirements


Passive Fire Protection (PFP) shall be provided in accordance with the HSE Case or FES.

The functional requirements of PFP are as follows:


to prevent or delay the transfer of heat from a fire to adjacent areas, modules, escape and evacuation
routes, structural members and equipment
to maintain the load bearing capacity of a structural member or a fire barrier for a predetermined
time
to maintain the integrity of a fire barrier by preventing the transmission of flame, smoke, hot and
toxic gases
to keep the unexposed side of a fire barrier below a defined temperature when the other surface is
exposed to a fire
to remain effective even if deformed due to explosion

HSE Manual EP 95-0230 Design

to minimise the risk of any accelerated corrosion of the protected surface.

Selection of the PFP systems must take into account the duration for which protection is required, the
type of fire and the limiting temperature for the structure or equipment to be protected.

6.10.3 Guidelines
PFP is utilised where it is essential that equipment or system integrity be maintained during a fire.
Predicted fire scenarios and the potential for escalation must be evaluated. Based on this study, areas
requiring PFP are identified taking into account the AFP systems available.

PFP is normally applied:


to prevent escalation of fire due to progressive release of inventory, by separating the different fire
risk areas and if necessary by protection of critical components such as separators, risers and topside
ESD valves.
to minimise damage by protecting the critical structural members, essential to the support of the
TR(s), the evacuation routes and other critical equipment
to protect personnel in the TR until safe evacuation
to protect the escape routes for a predetermined time to cater for safe escape from the area and
allow for emergency response
to protect the evacuation routes to the evacuation locations
to protect safety critical equipment.

Screening of the worst case fire scenario may be sufficient to determine the PFP requirements without
detailed calculations of all fire scenarios within an area. These evaluations may show that certain
scenarios are beyond the capability of safety systems. It may be necessary to undertake risk assessment
to evaluate whether it is reasonably practicable to provide additional PFP for these cases or to use some
other approach to prevent, control or mitigate the identified hazardous events.

Fire Resistant Test Criteria


The fire resistance test should be based on exposure to an established fire time/temperature curve or a
simulated test, appropriate for the expected type of fire. The following factors should be taken into
account:
type of fire
The expected fire may be a jet, pool or cellulosic fire. A recognised standard for testing PFP
performance in cellulosic or pool fires is ISO 834 (Ref. 85). There is no recognised test at present
for jet fires but a small-scale interim test procedure is given in OTO 93 028 (Ref. 86).
test limits
The standard tests for cellulosic and hydrocarbon fire are limited by the size of the furnace in which
they are tested.

test standard range of fire situations
The standard tests represent a variety of fire situations and normally give the tested object a more
severe test of performance than many accidental fires, although the limited scale of the test means
that caution should be used when extrapolating to large applications where failure modes not
revealed by the test may occur.
test standard application
Some important fire types such as jet fires with high momentum and efficient combustion are likely
to exceed the conditions experienced in a standard test. Test procedures for jet fire impingement are
now being developed to include small structural sections and bulkheads.
actual versus test standard characteristics
An actual fire may have different characteristics from those reproduced in a test. It is necessary to
evaluate this and, if found critical to safety functions, develop an alternative approach to
demonstrate that a system is adequate. This may require 'ad hoc' tests or demonstrations.
fitness of PFP materials
Many important parameters concerning the fitness of PFP materials or systems are not taken into
account in the standard tests and the reporting of the test. Such parameters include resistance to
different environmental conditions, ageing and mechanical impact.

Performance ratings for PFP material are usually measured as the period of resistance, expressed in
time, to a given fire exposure before a defined critical point in behaviour is observed. The performance
of PFP barriers may be defined as the ability of the material to meet three different criteria as follows:
stability to maintain the load bearing capacity of a structural member or a fire barrier
integrity to maintain the integrity of a fire barrier by preventing the transmission of flame, smoke,
hot and toxic gases
insulation to keep the unexposed side of a barrier at a defined temperature when the other surface is
exposed to a fire.

Consideration should also be given to resistance to explosion when establishing the performance
criteria.

Selection of Materials
The selection of materials should consider the type and size of fire, the duration of protection, the
environment (including the exposure to UV), application and maintenance, and smoke generation.

Materials should be verified as fit for purpose. Where general approvals from recognised third party or
governmental bodies are not available, performance under fire conditions should be documented by test
reports from a recognised fire test laboratory.

Documentation for material according to application may include:


verification of temperature and humidity requirements
installation time and method
inspection and control requirements
surface preparation
method of construction/fabrication
material certification including essential chemistry.

Mechanical test information required is as follows:


abrasion and impact damage
destructive compression ensuring length to width ratio is scaled correctly
sea water absorption
flexure
adhesion and vibration
deluge and hose stream resistance
tensile tests.

Corrosion protection information required for design selection:


corrosion protection properties and inspection requirements for protected surface
effects of temperatures and thermal shocks
cathodic disbondment
ozone and ultra-violet ageing
ease of re-instatement following inspection of the protected surface.

Fire resistance test results that should be considered:


cellulose fire performance
hydrocarbon fire performance
jet fire performance
fire spread characteristics
combustion products.

Stability and durability requirements for design acceptance:


long-term performance/weathering
explosion resistance
full-scale experiments where limitations of tests are obvious
occupational health aspects.

The need for each type of test data should be based on judgement and expected usage. For example,
sea water absorption may need only be considered for PFP materials submerged or transiently exposed
to sea water.

Further detailed design information on PFP systems is contained in DEP 34.19.20.11 (Ref. 87), ISO
834 (Ref. 85) and BS 476 (Ref. 88).

6.11 Evacuation, Escape and Rescue Provisions


6.11.1 Objective
The objective for Evacuation, Escape and Rescue (EER) is to ensure the safety of personnel when they
have to, or decide to, move to another location to avoid the effects of a hazardous event. This objective
applies equally to the localised effects of minor incidents as well as to major incidents which may
require total abandonment.

6.11.2 Functional requirements


EER arrangements shall be provided in accordance with the objectives of the HSE Case or the
Evacuation, Escape and Rescue Strategy.

The means should be provided:


to enable personnel to safely leave any area where they may be affected by an incident
to enable personnel to get from any part of a facility that they are likely to occupy to the TR or
muster areas
to create an area or structure which is insulated from the effects of any potential incident for as long
as is necessary for evacuation to take place
for secure communication to summon external assistance
to enable evacuation from the facility.

The engineering of the above should be based upon a review of the likely scenarios, their duration and
severity, and should take into account the predicted response of individuals under emergency
conditions.

6.11.3 Guidelines

General
The strategy for EER, which will dictate the hardware required, should be based upon a review of the
following:
the normal means of access to the installation
the fire and explosion scenarios which might lead to the requirement for escape and evacuation
the number and distribution of personnel
the layout of the installation and arrangement of equipment
the environment in which the installation is located
the level of assistance available from external sources
any regulations and guidance which are applicable.

The challenge of providing a strategy for EER is less onerous onshore than offshore because of the
greater availability of space and escape routes. These can be used to:
segregate safe havens (e.g. accommodation block) from hazards by distance
provide a large number of escape routes.

DEP 37.17.10.11 Design of Offshore Temporary Refuges (Ref. 70) provides requirements and
guidelines for the design and performance of an Offshore TR and the associated means of escape and
evacuation.

Emergency Escape and Access Arrangements


In addition to the provision for normal operations, the layout shall take account of access requirements
in an emergency.

Safe means of escape shall be provided on a facility to and from all enclosed spaces and open areas
whether or not these are regularly manned. This shall include all work areas, accommodation,
recreation areas and TRs.

Escape routes should be designed such that escape may be achieved under emergency conditions
without risk of serious injury or loss of life. As a general principle, the escape routes available to
personnel should be the same routes they would use during normal access to the areas because, during
times of increased stress, personnel will incline towards familiar patterns of behaviour.

Escape routes from regularly manned areas should be straightforward, comprising only walkways and
stairs.

In general there shall be a choice of at least two exits with separate routes from any enclosed or open
area of a facility to common escape routes, and from all points on these common escape routes to all
muster areas, embarkation areas and means of escape (e.g. to the sea). Some exceptions to this do
however arise due to physical and practical limitations e.g. concrete platform legs, and the procedures
for entry into such areas should be carefully reviewed and controlled.
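The two-separate-routes rule above can be checked mechanically on a layout model. The following is an added example, not part of the manual: it represents areas, corridor junctions, stairs and muster areas as a constructed graph (all node names are assumptions) and counts, for each occupied area, the number of routes to a muster area that share no intermediate point, flagging any area with fewer than two. Two doors that both funnel into one stairway count as a single route, which is the failure mode the rule is meant to exclude.

```python
"""Escape-route redundancy check (added example; the layout below is
constructed for illustration and is not taken from any real installation).

A facility is modelled as an undirected graph of areas, corridor junctions,
stairs and muster areas. For each occupied area the number of vertex-disjoint
routes to any muster area is computed with a unit-capacity maximum flow over
a node-split graph, so that no corridor or stairway is counted twice.
"""
from collections import defaultdict, deque

SINK = "#sink"

# Constructed layout: each pair is a walkway or doorway usable in both directions.
WALKWAYS = [
    ("control_room", "corr_A"), ("control_room", "corr_B"),
    ("corr_A", "stair_1"), ("corr_B", "stair_2"),
    ("stair_1", "muster_N"), ("stair_2", "muster_S"),
    ("workshop", "corr_A"),                        # one exit only
    ("store", "corr_C"), ("store", "corr_D"),      # two exits ...
    ("corr_C", "stair_1"), ("corr_D", "stair_1"),  # ... but one shared stairway
]
MUSTER_AREAS = {"muster_N", "muster_S"}
OCCUPIED_AREAS = ["control_room", "workshop", "store"]


def _max_flow(cap, source, sink):
    """Edmonds-Karp maximum flow over a residual-capacity dict cap[u][v]."""
    total = 0
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total
        # Bottleneck of the augmenting path (always 1 here), then push flow along it.
        bottleneck = float("inf")
        v = sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, cap[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] = cap[v].get(u, 0) + bottleneck
            v = u
        total += bottleneck


def disjoint_routes(area, walkways, muster_areas):
    """Number of routes from `area` to any muster area that share no
    intermediate node. Each node is split into an "in" and an "out" copy
    joined by a capacity-1 edge, so a node can carry at most one route."""
    cap = defaultdict(dict)
    nodes = {n for edge in walkways for n in edge}
    for n in nodes:
        if n in muster_areas:
            # A muster area may be the destination of any number of routes.
            cap[n + "#in"][SINK] = len(nodes)
        elif n != area:
            # Every other point may be used by at most one route.
            cap[n + "#in"][n + "#out"] = 1
    for u, v in walkways:
        cap[u + "#out"][v + "#in"] = 1
        cap[v + "#out"][u + "#in"] = 1
    return _max_flow(cap, area + "#out", SINK)


def route_findings(walkways, muster_areas, occupied_areas, required=2):
    """Areas whose count of separate routes falls short of `required`."""
    counts = {a: disjoint_routes(a, walkways, muster_areas) for a in occupied_areas}
    return {a: n for a, n in counts.items() if n < required}


if __name__ == "__main__":
    for area in OCCUPIED_AREAS:
        print(f"{area}: {disjoint_routes(area, WALKWAYS, MUSTER_AREAS)} separate route(s)")
    print("findings:", route_findings(WALKWAYS, MUSTER_AREAS, OCCUPIED_AREAS))
```

For the constructed layout the control room passes with two separate routes, while the workshop (single exit) and the store (two exits converging on one stairway) are reported with one route each.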

The design shall ensure that all escape routes from areas likely to be occupied, (including the TR), are
capable of handling the maximum flow of personnel. For common escape routes designed for use by
personnel who may be transferring to/from different locations on the installation, the effect of any
restrictions and crossflows must be considered and eliminated or reduced as necessary. Wider and/or
additional exits shall be provided where more than 50 persons may be present, such as in dining or
meeting rooms. Where no local regulations exist the NFPA 101 Life Safety Code
(Ref. 89) should be followed.

All escape routes shall permit the transfer of injured personnel including those who may require to be
moved by stretcher. Access ways and stairways must be negotiable by stretcher teams.

In offshore locations wherever practicable, escape routes should form a ring external to the perimeter of
an enclosed area to enable choice of route. Similarly a choice of stairways should be available between
levels. Common escape routes should be located, wherever practicable, external to modules and
accommodation.

Marking and Lighting


Marking and lighting of escape routes should be provided to ensure that the routes from manned areas
of the facility are readily identifiable by personnel in an emergency. The following should be
considered:
route plans with aids to orientation
direction and destination signs at route start and junctions
sufficient emergency lighting
luminescent and photoluminescent markers in corridors, escape stairs, muster areas, embarkation
areas.

Protection of Escape Routes


Escape routes should, wherever practicable, be designed such that their integrity is ensured by position
rather than protection. To achieve this, common escape routes should be physically separated from
hazards including explosion panels, sacrificial walls and open hazardous modules. As far as
practicable, escape routes should be open.

Where enclosed routes are unavoidable, ventilation systems should be designed, as far as practicable, to
maintain enclosed routes at a higher pressure relative to adjacent areas to help control the flow of
smoke, gases or other airborne contaminants. However, as these systems may be shut down under
emergency conditions, this should be taken into account.

Where appropriate, passive shielding and fire/explosion protection should be specified to protect escape
routes along with active means, e.g. water curtains.

Temporary Refuge and Muster Areas


A safe area shall be provided where personnel muster so that they can be accounted for and any
hazardous situation assessed. This area should be protected from any likely fire, blast, toxic fumes, etc.
Access doors and routes to these areas shall be protected or sufficiently distant from potential hazards
to allow personnel to reach this area safely. The effect of smoke on the ability of personnel to escape
from the plant should be evaluated. For onshore facilities this area will normally be outside the plant
boundary and, unlike offshore, there is then no further need for escape and evacuation provisions.

For offshore locations a designated muster area, the TR, shall be provided which is capable of
accommodating all personnel on board. The TR is a concept, not a prescribed physical facility. It is an
area in which personnel may seek refuge whilst a hazardous event is occurring. The TR provides shelter
whilst hazards are monitored and assessed to allow a decision to be made on whether to evacuate.

Depending on the size and configuration of the platform and the orientation of the escape routes, it may
be necessary to provide more than one TR. On normally manned installations, the permanent living
quarters may provide a suitable location for a TR.

System Requirements

(a) Life support


This relates to the ability to provide an environment that is not hazardous to personnel, and which
allows the ability to take rational action. The main threats to life support will come from smoke ingress,
gas ingress (flammable and toxic), oxygen deficiency, carbon dioxide accumulation, internal
generation of toxic fumes and excessive heat stress.

(b) Structural support


This relates to members and components whose failure would result in impairment of the TR structure,
bulkheads and decks, collapse of supporting structure, or loss of buoyancy/stability.

(c) Command support functions


Suitable provisions should be made to be able to:
inform all personnel on board of the requirement for mustering or abandonment and the current
status.
Wherever practicable, all personnel should be immediately advised by the general alarm and a
public address system of the need to muster or evacuate. In addition, status lights should be
available where personnel are likely to be present. Where audible communications are not possible,
additional visual signals are required to alert personnel of the need to muster.
communicate with external parties
monitor the presence of fire, smoke and flammable gases and the status of evacuation routes.

(d) Escape and evacuation routes


An analysis should be undertaken of the escape routes:
from all parts of the installation, that are likely to be manned, to the TR
for evacuation routes from the TR to the embarkation areas
for the integrity of the embarkation areas themselves.

For all of the above, acceptance criteria should be established in relation to the scenarios applicable for
the installation. It should be noted that the survival criteria for escape routes from the TR to the
embarkation areas, and the embarkation areas may exceed those for the routes to the TR.

Offshore Evacuation

General
In principle, three methods of abandonment should be provided from offshore installations:
primary method
The preferred primary method for evacuation is the normal means of access. The default primary
methods are bridge links to other installations and helicopters.
secondary method
For manned installations a secondary method for evacuation shall be provided. The default
secondary means is by Totally Enclosed Motor Propelled Survival Craft (TEMPSC).
tertiary method
A tertiary method of escape shall be provided to permit direct access to the sea. The tertiary method
should be used only if the primary or secondary methods are not possible.

Bridge Link
A bridge link to an adjacent platform is the preferred primary evacuation method. The following shall
be recognised in the design of the bridge link:
the location of the bridge termination with respect to fire/explosion scenarios
the number of personnel using it during an emergency
the configuration of escape routes at either end of the bridge.

Helicopter
Evacuation by helicopter shall preferably be from the helideck. In siting the helideck due consideration
should be given to prevailing winds and the effects of smoke and gas plumes. It may be appropriate to
nominate alternative landing or winching areas.

(i) TEMPSC Capacity


Normally Manned Installations

For normally manned installations guidance on the provision of TEMPSC is given in DEP 37.17.10.11
(Ref. 70).

Not Normally Manned Installations

Not normally manned installations should normally have a minimum of one TEMPSC.

In some cases it may be possible to justify not providing TEMPSC. The criteria for determining this are
very low man-hours occupation and limited hazard potential. This is likely to apply to simple
installations having little or no processing facilities. To justify the absence of a TEMPSC it must be
demonstrated that the risks associated with testing, checking, inspecting and maintaining the TEMPSC
are higher than those associated with not having a TEMPSC.

If a TEMPSC is not installed there shall still exist a primary method of evacuation, together with
appropriate tertiary methods of escape.

(ii) TEMPSC Positioning and Orientation


The following shall be considered when positioning TEMPSC:
how personnel access them
the effects of accident scenarios
the distance from the structure (during lowering and launching)
the likely weather directions
the distance between TEMPSC.

TEMPSC should be oriented to point away from the installation, if practicable.

TEMPSC should be positioned to provide a minimum clearance of at least 5 metres from any part of
the installation or other TEMPSC during descent in calm conditions.

TEMPSC shall be located at the lowest level reasonably practicable, taking consideration of the other
constraints.

TEMPSC should be located outside hazardous areas.

(iii) TEMPSC type


Two versions of TEMPSC are available: conventional davit-launched and freefall.

Freefall versions do not automatically present the overall preferred solution that is sometimes claimed.
The advantages and disadvantages are listed below.

Advantages:
speed of passing through a fire zone both while airborne and in the water
directional thrust away from the installation
lower probability of injuries in bad weather.

Disadvantages:
time and care to embark and strap in occupants prior to release
risk of striking wreckage, rescue boats etc upon entry into the water
greater risk of further injuring already injured persons
increased topsides weight
up to five times more expensive per occupant than a conventional boat fitted with add-on devices to
head the boat away from the structure.

(iv) TEMPSC Embarkation Areas


Embarkation areas should be sufficient to allow assembly of the full complement of the survival craft.

Emergency lighting should be provided.

Where it is envisaged that personnel will be required to don protective clothing at the embarkation
area, the area provided should be no less than 0.56 m² per man, based on the full survival craft
complement.

Where analysis shows it to be necessary to reduce evacuation times, walkways should be provided
along each side of the survival craft to allow boarding from both sides. The area of the walk-ways
should be in addition to the area calculated above.

Walkways should incorporate non-slip surfaces and guard rails.

Gates should be provided in the handrail adjacent to boarding hatches.

Tertiary Methods for Escape

(i) Methods for escape


Tertiary methods for escape are intended for use only in circumstances where evacuation by the
primary or secondary means is not possible. Tertiary methods should be provided on all installations to
permit access to the sea. The equipment should be prescribed based on the evaluation of fire/explosion
scenarios. The following principles should be used:
there must be a variety of methods
methods must be available from several locations on the installation
liferafts are required to protect personnel who enter the sea
systems must be such that personnel who enter the sea can realistically use the liferafts.

The chosen methods should be selected from the following:


stairways
ladders
personal abseil devices
chutes
knotted ropes
rope ladders
scrambling nets.

Where reasonably practicable, fixed stairways and ladders should be included.

The provision of tertiary methods for escape must be considered in conjunction with the provision of
liferafts. The only current methods which allow direct access to liferafts are the chute and personal
abseil devices. One or more of these devices should be selected as part of the tertiary methods.

The following should be considered:


the location should take account of accident scenarios and weather conditions
devices should be available on all sides of an installation
continuous systems (e.g. ladders or chutes) should be considered in locations where there could be
many people escaping
personal devices should be sited where individuals may need to escape or portability is required
ladders should be capable of withstanding wind and waves and provided with intermediate landings
and cages.

(ii) Liferafts
Liferafts are provided for personnel who use the tertiary methods for escape.

Liferafts with sufficient minimum capacity to accommodate half of the maximum personnel on board
should be provided. The liferafts must be positioned on the installation considering the likely situations
leading to their use in conjunction with the tertiary methods for escape available. If liferafts are the
only provision on an installation then capacity must be for the maximum personnel on board.

APPENDIX I
FIRE AND EXPLOSION STRATEGY

I.1 The Fire and Explosion Strategy


A Fire and Explosion Strategy (FES) is defined in ISO/CD/13 702 'Control and Mitigation of Fire and
Explosion in Offshore Installations' as the results of the process that uses information from the fire and
explosion evaluation to determine the measures required to manage these hazardous events and the role
of these measures.

An FES will be different for each facility or installation although the framework and some components
may be similar. In Shell, the FES may be a 'stand-alone' document but it is more likely to be an integral
part of an HSE Case.

The starting point for the development of a FES is the Opco HSE MS which sets the policy and
strategic objectives of the business. It will also cover organisation, responsibilities, resources, standards,
documentation and the management of hazards.

The management of hazards through the HEMP is fully described in EP 95-0300 and includes the
basic steps of identifying and assessing hazards and effects. Controls for each threat which may cause
the release of a hazard are selected as required together with recovery measures which reduce the
consequences should the hazard be released.

The FES records the conclusion of the HEMP as it applies to fires and explosions and summarises the
key aspects of the following:
a) the physical effects of representative fire and explosion hazardous events
b) the risks associated with fires and explosions
c) how the facility has been designed to minimise the consequences of fires and explosions
d) the measures to prevent fires and explosions arising
e) the assumptions used in risk assessments regarding the measures provided to control and to recover
from fires and explosions
f) the role of recovery measures and the essential systems and performance criteria of these
measures (performance criteria for systems on a complex facility may be described elsewhere and
referenced in the FES).

I.2 Level of Detail in FES


The level of detail in the FES will vary depending on the scale of the installation and the stage in the
installation life cycle when the hazard management and risk assessment process is undertaken. For
example:
for complex facilities
For example, a large production platform incorporating complex facilities, drilling modules and
large accommodation modules is likely to require detailed studies to address major hazards and
fire and explosion hazardous events.
for simpler facilities
For example, for a wellhead platform or simple onshore plant with limited process facilities, it may
be possible to rely on application of recognised codes and standards as a suitable base for hazard
management which reflects industry experience for this type of facility.
for facilities which are a repeat of earlier designs
Evaluations undertaken for the original design may be deemed sufficient to determine the measures
needed to manage hazards and fire and explosion hazardous events.
for facilities in the early design phases
Evaluations will necessarily be less detailed than those undertaken during later design phases. The
FES will be progressively refined as a design for a new installation develops but the conclusions and
information will always be recorded in the Hazards and Effects Register for the project.

The FES should be updated whenever there is a significant change to the facility which may affect the
management of the fire and explosion hazardous event.

I.3 Determination of Risk


The risks may be determined in either a quantitative or qualitative manner. For a complex manned
offshore structure the assessment of risk will usually be rigorous and quantitative. In other environments
risk will be assessed in a more subjective manner.

As with other risks, risk due to fire and explosion can be presented on a Risk Matrix (refer to EP 95-0300)
by plotting the probability of events which could result in fire or explosion on one axis against
the severity of the expected consequences in terms of people, assets, environment and reputation,
including cost, on the other axis. The tolerability of risk can be displayed on the matrix, and here factors
such as the strategic criticality of uninterrupted operation of the facility can be reflected.

More often than not it is impractical to determine the total risk by examining the risk presented by
every conceivable scenario which might result in a fire or explosion. However in identifying most of
the threats and scenarios it will become apparent where the main risk contributors are.

I.4 Objectives and System Performance Criteria


To reduce the risks so that they are ALARP it must be established what, if any, measures are required
to reduce the probability or consequences arising from a fire or explosion. The FES records how this is
to be done and sets out the high level goals for control and recovery measures. Cascading from these
are the goals and objectives for the various systems which will be required and the performance criteria
for these systems and their sub-systems. These performance criteria include reliability and availability
requirements. An example of how such a cascade is defined for one particular system can be found in
the DEP on Fire Water Systems for use on offshore facilities.

Many of the control measures used on a hydrocarbon plant to reduce the probability of hazardous events involving fires and explosions are the same as those used to prevent unplanned hydrocarbon releases.

These include, for example:

- corrosion allowances/monitoring
- limiting small bore connections
- avoidance of screwed fittings
- lifting procedures over live equipment
- location of risers to avoid impact.

118 EP 95-0230 Revision 0 27 October 1995


Appendix I Fire and Explosion Strategy

In developing the FES, there is a wide range of issues which should be considered to ensure that the measures selected are capable of performing their function when required to do so. These issues include:

- the nature of fires and explosions which may occur
- the environment
- the nature of the fluids to be handled
- the anticipated ambient conditions
- the temperature and pressure of the fluids handled
- the quantities of flammable materials to be processed and stored
- the amount, complexity and layout of equipment on the installation
- the location of the installation with respect to external assistance/support
- the production and manning philosophy
- human factors.

I.5 Specification of Systems and Procedures


The FES should describe the essential systems that have been selected to meet the overall objectives and their role in the management of fires and explosions. These systems comprise both hardware and procedures. They include:

- installation layout
- emergency shutdown systems
- control of ignition
- control of spills
- emergency power systems
- fire and gas detection
- active fire protection
- passive fire protection
- explosion mitigation and protection systems
- evacuation, escape and rescue
- inspection, testing and maintenance.

In describing the functional requirements and performance criteria of these systems and their elements, the following should be considered:

- the essential duties that the system is expected to perform and the parameters within which it must operate
- the integrity, reliability and availability of the system
- the survivability of the system under the emergency conditions which may be present when it is required to operate
- the dependency on other systems which may not be available in an emergency.

Consideration of the above will form the basis of the specification of each of the systems and their elements. To maintain the integrity of the FES throughout the life of the installation, the means to verify the performance criteria of the systems and their elements must be defined. This is equally true of operating procedures and systems such as PTW systems, emergency procedures and the Manual of Permitted Operations (MOPO), which must be fully defined such that their effectiveness can be periodically confirmed.

ABBREVIATIONS
AFP Active Fire Protection
ALARP As Low as Reasonably Practicable
ANSI American National Standards Institute
API American Petroleum Institute
ASME American Society of Mechanical Engineers
BHEP Blowout Hazard Evaluation Program
BS British Standard
CITHP Closed In Tube Head Pressure
CC Control Centre
DEP Design and Engineering Practice
DCS Distributed Control System
DP Differential Pressure
EA Environmental Assessment
EEMUA Engineering and Equipment Users Association
EER Evacuation Escape and Rescue
EP Exploration and Production
EPBM Exploration and Production Business Model
ESD Emergency Shutdown
F&G Fire and Gas
FES Fire and Explosion Strategy
FRED Fire, Release, Explosion and Dispersion
GRE Glass Reinforced Epoxy
GRP Glass Reinforced Plastic
HAC Hazardous Area Classification
HAZID Hazard Identification
HAZOP Hazard and Operability
HEMP Hazards and Effects Management Process
HIPP High Integrity Process Protection
HF Human Factors
HRA Health Risk Analysis
HSSD High Sensitivity Smoke Detection
HVAC Heating Ventilation and Air Conditioning
IP Institute of Petroleum
IPF Instrumented Protective Function
IR Infra-Red
IRPA Individual Risk of Death Per Annum
ISO International Standards Organisation
LEL Lower Explosive Limit
LPG Liquefied Petroleum Gas
MARPOL Marine Pollution Convention
MESC Materials and Equipment Standards and Codes
MOPO Manual of Permitted Operations
MOS Maintenance Override Switch
NFPA National Fire Protection Association
NGL Natural Gas Liquid
NPSH Net Positive Suction Head
OCMA Oil Companies Materials Association (now EEMUA)
PEFS Process Engineering Flow Scheme (Note 1)
PFP Passive Fire Protection
PFS Process Flow Scheme
PLL Potential Loss of Life
PPM Parts per Million
PSD Process Shutdown
QA Quality Assurance
QRA Quantitative Risk Assessment
SAFOP Safety and Operability
SCADA Supervisory Control and Data Acquisition
SCOPE Shell Code for Overpressure Prediction in gas Explosions
SDS Safety Data Sheet
SHSEC Shell Health Safety and Environment Committee
SIEP Shell International Exploration and Production
SQAIR Shell Quality and Inspection Requirements
SSSV Sub-Surface Safety Valve
TEMA Tubular Exchanger Manufacturers Association
TEMPSC Totally Enclosed Motor Propelled Survival Craft
TLV Threshold Limit Value
TR Temporary Refuge
TRC Thornton Research Centre
TVP True Vapour Pressure
UPS Uninterruptable Power Supply
UV Ultra-Violet Light

Note 1: P&ID is used commonly for Shell PEFS.

GLOSSARY
A glossary of commonly used terms in HSE is given in both EP 95-0100 HSE Management Systems
and EP 95-0300 Overview Hazards and Effects Management Process.
