Process Safety Management

1 | 2015
What is Process Safety

Process Safety is
The proactive identification, analysis, and
evaluation of the releases of hazardous
substances and process accidents.
It applies to the management of hazards
associated with the chemical and physical
properties of the substances handled in our
oil, gas and energy activities.
It aims to:
Minimize the risk of a major accident event
MAE
Ensure that the necessary mitigation and
emergency preparedness mechanisms are
in place

2|
 Intolerable
Risk Occupational Safety

Process Safety

Tolerable
Risk

Likelihood of occurrence

3|
What Process Safety is about

Preventing
MAJOR
ACCIDENTS
4|
 What is a Major Accident & Major Accident Hazard?
Major Accident (realisation)
This is an accidental event which has major or severe consequences for
people or environment. The definitions of major and severe
consequences in this context, are provided in the risk matrix.
Major Accident Hazard (potential)
Any substance or energy which if not contained could seriously harm
people or the environment, either directly or by initiating events which could
lead to a major accident.

Major Accidents exclude:

- Occupational health and personal safety hazards
- Business critical hazard severity categories

Major Accidents are defined by their consequences

5|
Definition of Major Accident

Consequence People Environment

Serious long term environmental

1 fatality of public
damage. Significant impact on highly
5 Severe >1 fatality of workforce
valued or sensitive species, habitat
> 6 people of workforce and/or public hospitalised
or ecosystem

1 fatality of workforce
> 3 people on-site hospitalised Very severe, persistent
1 person of public hospitalised environmental damage extending
4 Major
1 person of workforce with onset/signs of severe irreversible over large area. Long term
health effect impairment of ecosystem function
>1 person of public with reversible health effect
1 person of workforce >2 days lost
1 person of workforce with onset/signs of moderate irreversible Serious mid-term environmental
3 Moderate
health effect impacts
1 person of public with moderate reversible mid-term health effect

1 person of workforce 1 or 2 days off work

Moderate reversible environmental
1 person of workforce with moderate reversible mid-term health
2 Minor damage extends beyond site
effect
boundary
1 person of public with minor reversible short term health effect

1 person of workforce injured, able to continue work but first aid

Slight reversible on-site
1 Slight needed
environmental damage
1 person of workforce with minor reversible short term health effect

6|
 Summary of Process Hazards

7|
Major Accidents

8|
Cyclohexane Release & Explosion 28 fatalities
Flixborough, England June 1, 1974

20 bypass piping fabricated on-site from

shop stock. This pipe ruptured and released
Cyclohexane which exploded.

On June 1, 1974 the Nypro Co. site at Flixborough, England was severely damaged by a
large explosion. Twenty-eight workers were killed and a further 36 suffered injuries. It is
recognized that the number of casualties would have been more if the incident had
occurred on a weekday, as the main office block was not occupied.

9|
Methyl Isocyanate Tank Rupture and Release
Bhopal, India Dec. 2-3, 1984

Source: United Nations Environment Programme Photo Source: Indian state government of Madhya Pradesh

On the night of December 2-3, 1984, a sudden release of about 30 metric tons of methyl isocyanate
(MIC) occurred at the Union Carbide pesticide plant at Bhopal, India. The accident was a result of poor
safety management practices, poor early warning systems, and the lack of community preparedness.
The accident led to the death of over 2,800 people (other estimates put the immediate death toll as
high as 8000) living in the vicinity and caused respiratory damage and eye damage to over 20,000
others. At least 200,000 people fled Bhopal during the week after the accident. Estimates of the
damage vary widely between $350 million to as high as $3 billion.

10 |
Gas Release & Explosion 167 fatalities
Piper Alpha, North Sea July 6, 1988

On the day the disaster occurred, the day shift maintenance crew was working on the condensate
pumps which compressed gas. One of the pumps was removed for routine maintenance and the
condensate pipe was temporarily sealed with a flat metal disk. Because the work could not be
completed before the next shift change-over, the metal disc was left in place as the day shift went off
duty. The shift coming on duty was unaware of this. Later in the evening, when the other condensate
pump stopped working, the pump under maintenance was started up. Gas leaked out at high pressure,
ignited and exploded.

11 |
Condensate Release & Explosion 15 fatalities
BP Texas City Refinery, Texas March 23, 2005

On March 23, 2005, during the startup of an isomerisation unit, the associated raffinate splitter tower
was overfilled and overheated. A substantial volume of hydrocarbon liquid and vapour were forced into
an adjacent blowdown stack, rapidly exceeding its capacity. Ignition of the resulting vapour cloud
caused an explosion that extended to nearby temporary trailers and resulting in 15 deaths, more than
170 injuries, and significant economic losses.

12 |
Deepwater Horizon oil spill
20 April 15 July 2010, Gulf of Mexico, US
Oil Spill (up to 4.9 mln barrels), 11 people died, 17 injured

13 |
Fukushima Daiichi
11 March 2011, Fukushima 1 Nuclear Power Plant, Japan
Release of radioactive materials, 37 injured

14 |
When will the next Major Accident occur?

15 |
 PROCESS SAFETY
MANAGEMEMENT

16 |
 What must we focus on?
Asset Integrity Management Plan
SCE inspection, testing & maintenance
Deviation analysis and close-out
Design Maintenance
Integrity Integrity
Design reviews: ALARP; engineering
codes; standards Process
SCE Safety Critical Elements (and
Safety

performance standards)
Operating Operate within operating envelope
MOC Management of Change Integrity Alarm management
(with technical authorities)
Process control and procedures
Robust Assurance
(WSE - Written Schemes of
Incident investigation and close-out
Examination) Competencies and Capabilities
17 |
PSM Elements
OSHA PSM Elements (14)

Process Safety Information Mechanical Integrity

Process Hazard Analysis Hot Work Permit

Operating Procedures Management of Change

Employee Participation Incident Investigation

Training Emergency Planning and

Contractors Compliance Audits

Pre-Startup Safety Review Trade Secrets

18 |
PSM Elements
CCPS Risk-Based Process Safety Elements (20)
Process safety culture
Compliance with standards
Process safety competence
Workforce involvement
Stakeholder outreach
Process knowledge management
Hazard identification and risk
analysis
Operating procedures
Safe work practices
Asset integrity and reliability
19 |
Contractor management
Training and performance
Management of change
Operational readiness
Conduct of operations
Emergency management
Incident investigation
Measurement and metrics
Auditing
Management review and
continuous improvement
 PROCESS SAFETY
ENGINEERING

20 |
 Safety Life Cycle

21 |
 Safety Life Cycle

22 |
 Safety Life Cycle & Risk Assessment

23 |
 Safety Life Cycle & Risk Assessment

24 |
 Risk Assessment steps & toolkits

25 |
 What should we do about it?

Hierarchy of control for Process Safety

Inherent Safety reduce the hazard
Prevention measures keep it in the pipe
Control measures minimise size and duration of
hazardous event
Mitigation protect people, the environment and assets

Layers of defence

Risk Control systems

26 |
 Hierarchy of control for Process Safety

27 |
 Inherent Safety

1. Substitute - Replace material with a less hazardous

substance.

2. Minimize/Intensify - Use smaller quantities of dangerous

substances.

3. Moderate/attenuate Change the conditions to reduce

hazard severity in the event of accidental release.

4. Simplify Strive to eliminate unnecessary complexity

which increase the potential for incorrect operation,
particularly in the event of abnormal operating conditions.

28 |
 Bow Tie Defence in Depth

29 |
 How & Why defences fail

30 |
 Key risk control systems classification

31 |
 SAFETY CRITICAL ELEMENTS
MANAGEMENT

32 |
 What is a Safety Critical Element?

Safety Critical Element any part of the facilities, the failure of which could
cause or contribute substantially to a major accident, or the purpose of
which is to limit the effects of a major accident

So, there are two distinct types of SCE

Prevent: Those, the failure Mitigate: Those required to

of which could cause a intervene passively or actively
major accident, and to limit the effects of a major
accident

33 |
 Management systems, people & processes

SCEs are hardware-only

But:

Management systems, people, processes, are

important parts of the Integrity assurance process used
to manage the hardware barriers/SCE

34 |
 Safety Critical Activities
Are management systems, procedures, people/competence safety critical?
Yes, but as safety critical activities, not SCEs
SCEs = hardware (& associated software)

How are safety critical activities dealt with?

They are inherent to the SCE assurance process

Examples of safety critical activities/tasks

Permit to work system
Management of change
Risk assessment
Competency training
Quality assurance
Operating envelopes
Defeats register

35 |
 How SCEs fit into hazards management
Management of major accident consequences is based on a hierarchy

Hierarchy of Risk Reduction

Prevention Systems to control the primary initiating events

Detection Systems to detect the primary safeguards have

failed
Control Systems to prevent the event from escalating
and bring plant to a safe state
Mitigation Systems to minimize the effects of an event
Emergency Response Systems to allow you to safely muster and
& Lifesaving evacuate
Industry has evolved models to support/demonstrate this
The Integrity Barrier or Swiss Cheese diagram is one

36 |
How SCEs fit to hazards management barriers concept

GAS

Inspection, maintenance and testing are activities to prevent barrier degradation.

37 |
 Barrier Concept for Hazards Management
Prevention
Safe
Detection Control &
Operation Mitigation Emergency
Response
Lifesaving

Escalating
Consequences
PROCESS CONTAINMENT

- Pressure vessels
- Heat exchangers DETECTION SYSTEMS SHUTDOWN SYSTEMS LIFESAVING
- Rotating equipment
- Tanks - Fire detection - ESD system - Personal survival
- Pipelines / piping - Gas detection - Depressurisation syst equipment
- Relief system - H 2 S detection - HIPPS - Rescue facilities
- Well containment - Corrosion detection - Well isolation - TEMPSC / lifeboats
- Gas / oil fired heaters - Pipeline isolation - Tertiary escape
- Gas tight floors / walls valves systems
- Tanker loading systems - Process ESDV
- Wireline equipment - SSIVs
- Oily water control - Well control eqpt

STRUCTURAL INTEGRITY IGNITION CONTROL PROTECTION SYSTEMS EMERGENCY RESPONSE

- Drilling systems
- Structural supports for
safety critical equipment
- Lifting equipment in
wellhead /HC process areas
- WHP jacket & foundations
- Vessel hull , mooring &
ballasting systems
- Haz area HVAC
- Non - haz area HVAC
- Certified electrical
equipment & instruments
- Inert gas blanketing
- Earth bonding
- Fuel gas purge system
- Ignition control eqpt
- Flare tip ignition
system
- Deluge system
- Fire & expl protection
- Firewater main & pump
- Gas , foam & spray fire
extinguishers
- Corrosion protection e .g .
sand filters & chemical
injection
- Passive fire protection
- Navigation aids & collision
avoidance
- Temp refuge /muster
- Escape / evac routes
- Escape lighting
- Emergency comms
- UPS
- Helicopter facilities
- Emergency power
- Hazardous & non -
hazardous open drains

38 |
 What are the benefits?

Achieve & sustain acceptable level of major accident management

Focus & prioritise resources on the aspects of systems and

equipment that manage major accidents
Not how many, but how you manage them

Ensure this is achieved by

Defining the critical functions, and

Aligning inspection and maintenance with these functions

39 |
 How to identify SCEs
System Level Tag Level

List of systems and Major

equipment to reduce accident hazard
risk (plant barriers) identification

SCE Screening

Could
This item is a
failure of this
Yes SAFETY CRITICAL
element cause a
ELEMENT
MAE?

Is the
purpose of this
No Yes
element to prevent
a MAE?

Could
failure of this Yes
No Yes
element contribute
substantially to a
MAE?
Is the
purpose of this
This item is not No element to limit
a Safety Critical the effects of a
Element MAE?

No

40 |
Performance Standard Key requirements
Performance Standards (PSs) are parameters that are measured or set so that the
suitability and effectiveness of SCEs can be assured and verified.
Performance criteria:

Functionality Reliability & Survivability Dependency

Availability

The intended purpose The probability that The ability of the Identification of other SCEs
and fundamental the system will work SCE to survive the performance of which
design performance on demand and be loadings from major the SCE is dependent on
requirements of the available when accidents it is
SCE (relative to
required intended to manage
major accidents)

SCE integrity assurance activities

Independent Verification Body (IVB) activities

41 |
 Generic Performance Standard Structure

Presentation title November 15

42 |
 WHY DO IT?

What happens when the SCE integrity assurance

process is either not in place or not implemented
effectively

43 |
 EXERCISE

44 |
 SCE Identification Practical

System or Equipment SCE? Prevents or Why

Yes/No Mitigates?

Crude oil export pump

Diesel oil storage day tank

Glycol storage tank

Sales gas booster

compressor

NGL piping manual

isolating valves

45 |
 SCE Identification Practical

System or Equipment SCE? Prevents or Why

Yes/No Mitigates?

Pressure transmitter
instrument

Electrical equipment in
classified hazardous
areas

Main power
generation/distribution

HVAC system

46 |
 SCE Identification Practical

System or Equipment SCE? Prevents or Why

Yes/No Mitigates?

Compressor seal oil

system

Pump lubricating oil

system

Flare System

Instrument air system

47 |
 SCE Identification Practical

System or Equipment SCE? Prevents or Why

Yes/No Mitigates?

Oil Wellhead

Closed drain
system

Firewater ring-main
isolation valve

Permit to Work
system

48 |
 PROCESS SAFETY EVENTS
&
PSPI

53 |
Performance Monitoring System

54 |
Type of indicators

Quantitative
Numbers recorded on scale and tracked over time
Ensure statistically valid interpretation
Most relevant to regularly occurring activities
Qualitative
Descriptions typically inspection and audit observations
Can be quantified using ratings and ladder assessments
(comparative definition of bad to good)
Objective
Independent of assessors personal judgement
Subjective
Influenced by those measuring

55 |
Type of indicators

56 |
Example leading & lagging indicators

57 |
Example leading & lagging indicators

58 |
Example of Key board

59 |
 PROCESS SAFETY EVENTS

60 |
 Terminology

loss of An unplanned or uncontrolled release of any material from a

primary tank, vessel, pipe, truck, rail car etc., including non-toxic and non-
containment flammable materials (e.g. steam, hot condensate, nitrogen,
LOPC compressed CO2 or compressed air).

Challenge to A demand on a safety system designed to prevent a LOPC or to

safety system mitigate the consequences of a LOPC.
CTSS

Process An unplanned or uncontrolled release of any material from a

safety event process or an undesired event or condition that, under slightly
PSE different circumstances, could have resulted in a release of a
material.

61 |
Safety Critical Barriers

GAS

62 |
 2011 OGP Guidance Report 456

63 |
PSPI & Barriers
Process Safety Performance Indicators
E.g.
Hi-Hi level Tier 1
alarm incidents
LOPC Events of
activated. Greater
Defect below Consequence

minimum wall
thickness Tier 2
LOPC Events of lesser
consequence

E.g.
Relief valve
fails bench Tier 3
test. Challenges to Safety Systems
Loss of
experience in
operations Tier 4
team.
Operating Discipline & Management System
Performance Indicators

64 |
 Process Safety Events:
Accidents, Incidents, Near Miss, etc.
A Process Safety Event is:
Incidents
The actual or potential loss of
control or containment of
hazardous materials (flammable,
Accident Near Miss
toxic, corrosive, etc.)
Harm to humans or Just luck that no
Failure or substandard environment, damage of accidental consequences
performance of one or more equipment occurred

barriers resulting in the potential

or actual operation of the highest all LOPC events Demands on
Safety System
safety barrier (e.g. opening of incl. LOPC to secondary
Development of incident
safety valve to flare) containment
scenario prevented by a
planed barrier
The presence of hazardous PS related
material in systems which are production loss
not designed to contain it e.g. due unavailability
of barriers or
equipment

65 |
PSPI types of indicators
Tier 1 LOPC exceeding threshold not yet all LOPC without environment
LOPC* events with human harm due LOPC consequences registered
greater consequence asset damage after fire / explosion due LOPC

Tier 2 LOPC exceeding threshold not yet all LOPC without environment
LOPC events with human harm due LOPC consequences registered
lesser consequence asset damage after fire / explosion due LOPC

Tier 3 small fires / explosions many of these events are not

Challenge to safety minor LOPC events
system primary containment inspection outside limits
demands on safety system
safe operating limits excursion
critical operational deviation
registered; some are in other systems
(e.g. shift logs, computerized
maintenance systems)

Tier 4 focusing on:

Operating Discipline & Management of Change (MoC) events
Management System Process hazard and risk analyses (PHA) find the right leading indicators to
Performance Action follow up improve your (lagging) PSE
Inspection of safety critical systems performance
PS audits
PS related training
Pre-startup safety review (PSSR), etc.
PTW failures

66 |
 Tier 1 & Tier 2

67 |
Decision Logic Tree for Tier 1 & 2
An unplanned or uncontrolled release of any
material, including non-toxic and non-
flammable materials (e.g., steam, hot No An employee, contractor, or subcontractor Yes
Not a Tier 1 or Tier 2 PSE
condensate, nitrogen, compressed CO2, or recordable injury
Tier 2 PSE
compressed air) from a process that results
in one or more of the consequences listed
below: No
Yes
A fire or explosion resulting in greater than or
An employee, contractor or subcontractor
Yes equal to $2,500 of direct cost to the Company
days away from work injury and/or fatality; Tier 1 PSE
or A hospital admission and/or fatality of a
third-party No

No

An officially declared community evacuation or A pressure relief device (PRD) discharge to

community shelter-in-place atmosphere whether directly or via a
downstream destructive device that results in
No one or more of the following four
consequences:
A fire or explosion resulting in greater than or liquid carryover; or
equal to $25,000 of direct cost to the discharge to a potentially unsafe location; or
Company an on-site shelter-in-place; or
No public protective measures (e.g., road
closure);
A pressure relief device (PRD ) discharge to and a PRD discharge quantity greater than the
Atmosphere whether directly or via a threshold quantities Table 2
downstream destructive device that results in
one or more of the following four No
consequences:
liquid carryover; or
discharge to a potentially unsafe location; or A release of material greater than the
an on-site shelter-in-place; or threshold quantities described in Table 2 in
public protective measures (e.g., road any one-hour period
closure);
and a PRD discharge quantity greater than the No
threshold quantities Table 1
No A Company may choose to record a Tier 3
other LO PC
A release of material greater than the
threshold quantities described in Table 1 in
any one-hour period
No
68 |
 Tier 3 Consequences
A Tier 3 PSE typically represents a challenge to the barrier system that progressed
along the path to harm, but is stopped short of a Tier 1 or Tier 2 LOPC consequence.
Indicators at this level provide an additional opportunity to identify and correct
weaknesses within the barrier system.

Safe operating limit excursions

Primary containment inspection outside limits

Demands on safety systems

Critical operational deviation

LOPC event below Tier 1 & 2 threshold

69 |
Safe Operating Limit Excursion Tier 3

The process has an excursion

beyond the normal high or low alarm
limits.

A single initiating event may result in

multiple SOL excursions (e.g. site-wide
failure of a utility) and each excursion
should be counted as a separate Tier 3
PSE.

A process condition that hovers near

the SOL value may result in multiple
excursions. These excursions should
be counted as a single Tier 3 PSE.
Abbreviations
NEL Never Exceed Limit.
RV Relief Valve
PAH Pressure Alarm High

70 |
Primary containment inspection outside acceptable
limits Tier 3
This is a test or inspection where the
result is outside the acceptance criteria
and triggers some form of remedial action
(such as replacement in kind, repair,
modification, increased inspection/ testing
or de-rating of the equipment).

Examples include:
A penetrating corrosion defect beyond
the corrosion allowance of a pipe.
Subsidence of a pressure vessel support
outside acceptable limits.
Excessive vibration of a small bore
instrument tapping on a larger diameter
process pipe.
Missing flange bolts on a process
pipework joint.

71 |
Demands on safety systems - Tier 3
Safety Systems are ones which prevent a LOPC
or detect, control or mitigate the effects of an
LOPC.
Demand means they are activated by a valid
signal from the process. The system does not
have to activate.
Where multiple devices constitute one system
then activation of that system counts as one PSE.
Examples include:
Where a vessel has a number of relief
valves to provide suitable flow, activation of
one or more of these valves constitutes one
PSE as they represent a system.
Activation of a Safety Instrumented System
Activation of Mechanical Shutdown System

The count of Demands on Safety Systems is typically segregated by system type (e.g. SIS,
PRD, and Mechanical Trip).

72 |
Critical operational deviation Tier 3

This represents operational activity outside

good operating practice and/ or non
compliance with company Procedures.

Examples include:
Operating without adequate
measurement of critical process
parameters.
Operating with inoperable safety
systems.
Operating with uncontrolled
modifications / repairs to the process
plant.

73 |
 Tier 4: Operating Discipline & MS Performance

Tier 4 indicators typically represent performance of individual components of

the barrier system and are comprised of operating discipline and
management system performance.
Tier 4 indicators are indicative of process safety system weaknesses that
may contribute to future Tier 1 or Tier 2 PSEs. In that sense, Tier 4
indicators may identify opportunities for both learning and systems
improvement.

Examples include:
Process Safety Action Item Closure
Training completed on schedule
Safety Critical Equipment Inspection
Management of Change (MoC) Compliance
Completion of Emergency Response Drills

74 |
 EXERCISE
PSE CATEGORISATION

75 |
 Classification of PS Events
Has a person been injured by a release of hazardous substances?
Event Class Comment
A blow out of a gas well occurred during cement plug. An Tier 1 due to the fact of1hospital treatment; additionally the
Tier 1
operator was hit by mud and gas and needed hospital treatment. release amount may also have resulted in a Tier 1 event
While stealing a piece of pipework the gas released from that Even though the reason 2 for the injuries is a malicious act it
Tier 1
pipe ignited and the thefts suffered severe burns. is counted.
LPG from leaking pipework ignited and blasted the retail service Tier 1 event due to the 3injuries and the asset damage. This
station causing injuries and damage of the building. Tier 1 event will not be included in external reporting since the
retail station is not operated by OMV.
An operator slipped and fell while responding to a small spill of The operator was responding
4 to a LOPC
liquid with a flash point < 23 C spill resulting in a days away Tier 1
from work injury.
A scaffold builder experiences a days away from work injury 5
after falling from a scaffold ladder while evacuating from a LOPC Tier 1
on nearby equipment.
An operator walks past a steam trap that discharges to an Even though the LOPC6 was steam (vs hydrocarbon or
unsafe location. The steam trap releases and the operators chemical), the physical state of the material was such that it
ankle is burned by the steam, resulting in a days away from caused a day away from work injury and it was an
Tier 1
work injury. uncontrolled release (i.e. unsafe location). Nontoxic and
non-flammable materials are within the scope of this
recommended practice.
A contractor enters a vessel and dies because nitrogen Fatality associated with7 an unplanned or uncontrolled
Tier 1
inadvertently leaked into the enclosure. LOPC
A maintenance contractor opens a process valve and gets Unplanned or uncontrolled
8 LOPC that resulted in a days
sprayed with less than the Tier 1 or Tier 2 quantity of sulfuric Tier 1 away from work injury. If this incident had resulted in a
acid resulting in a severe burn and days away from work injury. recordable injury, it would be a Tier 2 PSE.
A PRD release of sour gas less than the Tier 1 threshold Multiple Tier 1 consequences:
9 Human and unsafe PRD
quantity is routed to a flare which exposes two personnel to toxic Tier 1 release
SO2/SO3 vapors resulting in a LWDI.

76 |
 Has a person been injured by a release of hazardous substances?
Event Class Comment
There is a 100 kg spill of liquid with a flash point < 23 C (73 F) This is a Tier 1 PSE. The 10 site would record a single event with
that ignites and results in damages to other equipment, a toxic gas multiple consequences (e.g., one fatality, three day away from
release above the reporting threshold, along with three days away Tier 1 work injuries, fire, and threshold quantity of liquid with a flash
from work injuries and one fatality. point < 23 C and toxic gas).
During routine tour an operator suffered burns on his foot by Tier 2 due to the need of 11medical treatment. The release of hot
leaking condensate from a steam tracing which required medical Tier 2 condensate itself would not be a PSE.
treatment.
A short circuit occurred in switchgear panel and caused burns of a Following industry recommendations
12 we consider electrical
Tier 2
contractor requiring medical treatment incidents in internal PSE reporting.
An operator walks through a process unit and slips and falls to the Personal safety slip/trip/fall
13 incidents that are not directly
ground and suffers a days away from work injury. The slip/fall is no PSE associated with evacuating from or responding to a LOPC are
due to weather conditions, chronic oily floors and slippery shoes. specifically excluded from PSE reporting.
An operator slipped and fell on a spill several hours after the Personal safety events 14that are not directly associated with
incident had concluded. This would not be a reportable PSE. onsite response to a LOPC are excluded. Slips/trip/falls after
no PSE the LOPC has concluded (such as after-the-fact clean-up
and remediation) is not directly associated with onsite
response.
A vessel has been intentionally purged with nitrogen. A contractor This is not a PSE because
15 there was no unplanned or
bypasses safety controls, enters the enclosure and dies. no PSE uncontrolled LOPC, but it would be recorded on the
companys injury and illness log.
An operator disconnected a steam hose which was still under The injury required only16
first aid, and the steam is no counted
no PSE
pressure and suffered light burns. as LOPC of hazardous substance.
A maintenance technician is turning a bolt on a process flange with No unplanned or uncontrolled
17 LOPC involved with the injury
a wrench. Due to improper body positioning, the wrench slips and
hits the employee in the mouth, requiring dental surgery and two no PSE
days off work.
An operator takes a sample. On the way he falls, the sample LOPC is from a piece of18ancillary equipment not connected to
container breaks and he suffers injury of the exposure to the no PSE a process is not considered as PSE
product.
An employee suffered burns by a spill of hot coffee. no PSE Office incidents are not19PS related
While cleaning a joint screw a piece of frozen mud broke off and hit This is not a loss of primary
20 containment.
no PSE
the operator causing injury.

77 |
 Has a fire or explosion occurred by a release of a hazardous substance?
Event Class
Hot vacuum residue was released from a left open drainage, self-
ignited and damaged a pump. Tier 1
An electrical fire impacts the operation of the process resulting in an
acute release of 1500kg of light crude. Tier 1
A pump lube oil system fire from a leak causes damage greater than
25,000, but does not create a LOPC greater than the threshold Tier 1
quantity or cause a fatality or serious injury.
A forklift truck delivering materials inside a process unit knocks off a
bleeder valve leading to the release of (HC) condensate and a
Tier 1
subsequent vapor cloud explosion with asset damage greater than
25,000.
A bearing failure of a turbine causes high vibration and eventually
leads to damage of the turbine > 100.000. Tier 1
There is a loss of burner flame in a fired heater resulting in a fuel rich
environment and subsequent explosion in the fire box with greater
Tier 1
than 25,000 in damages to the internals of the heater. There was
no release outside of the fire box.
There is a tube rupture in a fired heater causing a fire (contained in the
heater) resulting in greater than 25,000 in damages to the heater Tier 1
internals (beyond that of replacing the failed tube).
A third-party truck loaded with a flammable product is traveling on
Company premises and experiences a leak and subsequent fire and
property damages of 75,000 (direct costs). Tier 1
A steam injection well fails with an explosion resulting in release of 10t
of fluids, a mixture of hydrocarbons and water. The direct cost
Tier 1
replacing and repairing damaged equipment was estimated over
300.000 and a worker was injured, needing medical treatment.
The release of a hot steam from safety valve ignited wooden planks of
Tier 2
scaffolding and damaged the scaffolding.
Hydrocarbon fumes migrate into the QA/QC laboratory located within
the facility and results in a fire with 5000 damage. The source of Tier 2
the hydrocarbon fumes is the oily water sewer system.
78 |
Comment
The immediate damage caused by the fire was above 25.000
21
This is a Tier 1 PSE since the LOPC exceeds the 1000 kg
22
reporting threshold for light crude.
23
24
Following industry recommendation we consider unplanned
25
release of mechanical energy under PS in internal reporting.
This would be a Tier 1 PSE since after the flameout the
26
continuing flow of fuel gas is now an uncontrolled release. The
intent is for combustion of the fuel gas at the burner and not for
fuel gas to be contained in the fire box.
The tube failure is a loss of primary containment of the process
27
fluid and combined with the additional damages greater than
25,000 makes this a Tier 1 PSE.
The event will not be included in external reporting since truck
28
incidents are excluded except when they are connected to the
process for the purposes of feedstock or product transfer or
being used for temporary onsite storage.
Unplanned release causing fire and resulting in over 25.000
29
direct costs. The injury would result into Tier 2 but the higher
consequence counts.
The immediate damage was higher than 2.500 but lower than
30
25.000
This incident is a Tier 2 PSE since the LOPC was from the
31
process and resulted in a Tier 2 consequence (a fire which
results in a direct cost greater than 2500).
 Has a fire or explosion occurred by a release of a hazardous substance?
Event Class
A pump seal fails and the resultant loss of containment catches on
fire. The fire is put out quickly with no personal injuries. However, the
fire resulted in the need to repair some damaged instrumentation and Tier 2
replace insulation. The cost of the repairs, replacement, cleanup and
emergency response totaled 20.000.
A vacuum truck outfitted with a carbon canister on the vent is loading
a spill of hydrocarbons. The carbon canister catches fire which
Tier 2
escalates to the point of creating more than 10,000 in damage to the
vacuum truck.
Product from a small flange leakage dropped on a hot steam pipe
and started smoldering Tier 3
There is a tube rupture in a fired heater. The operator detects the
tube cracking with only a small flame from the tube and subsequently
Tier 3
shuts down the heater with no resultant damage from the tube flame.
During a hot work the sparkles ignited the vapor of an atmospheric
slop inlet. The fire damaged insulation material. no PSE
A vacuum truck caught fire while standing in the hangar for repair.
no PSE
A scaffold board is placed near a high pressure steam pipe and
subsequently begins to burn, but is quickly extinguished with no
further damage. The investigation finds that the board had been no PSE
contaminated by some oil, but there is no indication of an oil leak in
the area.
An internal deflagration in a vessel causes equipment damage >
25,000, but there was no loss of containment.
no Tier 1 or
2 PSE
Tier 3 COD
An electrical fire, loss of electricity, or any other loss of utility may no Tier 1 or
occur that causes a plant shutdown and possibly incidental 2 PSE
equipment damage greater than $25,000 (e.g. damage to equipment
due to inadequate shutdown). Tier 3 CTSS
There is a boiler fire at the Main Office complex, and direct cost
damages totaled 75,000.
no PSE
79 |
Comment
Only the costs for repair and replacement of the equipment
32
damaged by the fire are to be considered. The cost for the repair
of the equipment which led to the fire must not be considered.
This is a Tier 2 PSE since the original spill of hydrocarbons
33
constitutes the LOPC and the response to the LOPC results in
one of the Tier 2 consequences.
Negligible damage from a fire involving LOPC
34
The LOPC did not result in any of the defined Tier 1 or 2
35
consequences. However, it was a fire resulting from an
unplanned LOPC.
The fire does not involve an unplanned, uncontrolled LOPC.
36
(see above) If the fire threatened the installation it may be
reported as Tier 3 Critical Operational Deviation
Fire in offices, shops, warehouses, etc. are not related to PS
37
no unplanned or uncontrolled LOPC
38
if the burning scaffolding threatens the process installation and
there is an increased risk of LOPC the event should be reported
under Tier 3 Critical operational deviation (COD)
Does not meet the definition of a Tier 1 or Tier 2 PSE because
39
there was no LOPC involved.
The deflagration had critical potential for a LOPC event and will
thus reported under Tier 3 Critical operational deviation (COD)
Does not meet the definition of a Tier 1 or Tier 2 PSE because
40
there was no LOPC involved.
The event needs to be reported under Tier 3 Challenge to Safety
System (CTSS)
Fire in offices, shops, warehouses, etc. are not related to PS
41
 Was there an unplanned release of hazardous substances?
Event
A gas pipe broke and ~300m3 natural gas with 10% H2S was released
Ten bbl of gasoline (1400 kg) leak from piping onto concrete and the
gasoline doesn't reach soil or water. Site personnel estimate that the
leak occurred within one hour.
A faulty tank gauge results in the overfilling of a product tank
containing liquid with a flash point < 23 C. Approximately 50 bbl (7000
kg) of liquid overflows into the tanks diked area. This incident is a Tier
1 PSE since it is a
An operator is draining water off a flammable crude oil tank with a flash
point of 60 C or less into a drainage system designed for that
purpose. The operator leaves the site and forgets to close the valve.
Twenty bbl of crude oil are released into the drainage system within an
hour.
A process vessel low level cutout fails to close a valve allowing 550kg
of a flammable gas to a floating roof tank resulting in a minor damage
to the tank roof.
An operator discovers an approximate 10 bbl liquid spill of aromatic
solvent (e.g. benzene, toluene) near a process exchanger that was not
there during his last inspection round two hours earlier.
A leak on a high pressure hydrochloric acid line results in a spill of
860kg of hydrochloric acid. Flash calculations indicate that greater than
100kg of hydrogen chloride would be released as a vapor.
A pipe fitting in a specialty chemicals plant fails, releasing 1800kg of a
mixture of 30% formaldehyde, 45% methanol, and 25% water in less
than one hour.
Calculations show that 450kg formaldehyde and 850kg methanol is
released.
80 |
Class Comment
For mixtures the highest category counts. From given data
42
Tier 1 ~45kg H2S have been released. The amount of natural gas
would classify as a Tier 2 event.
LOPC of 7 bbl (1000 kg) or more of liquid with a flash point < 23
43
C in any one-hour period.
Tier 1
If the spill had been less than 1000kg, but equal to or greater
than 100kg, it would be a Tier 2 PSE.
Release of 1000kg or more within any one-hour period,
44
regardless of secondary containment.
Tier 1
Release of crude oil is unplanned or uncontrolled and it is
45
greater than the release criteria of 14 bbl. If the drainage system
Tier 1 goes to an API separator and the oil is recovered (secondary
containment), this would still be a Tier 1 event because the
crude oil was released from primary containment.
Unplanned release above the Tier 1 threshold.
Tier 1
46
Since the actual release duration is unknown, a best estimate
47
should be used to determine if the TQ rate has been exceeded
(it is preferred to err on the side of inclusion rather than
Tier 1 exclusion). This incident is a Tier 1 PSE because the solvents
involved are Packing Group II materials and the threshold
quantity of 7 bbl is exceeded if the time period is estimated to be
less than one hour.
Tier 1 The 860kg release of hydrochloric acid would not a reportable
48
Tier 1 PSE since this liquid is categorized as a Packing Group
II corrosive liquid with a 1000kg reporting threshold. However,
since the liquid flashed or was sprayed out as an aerosol,
producing more than 100kg of hydrogen chloride, the event is be
a reportable Tier 1 PSE due to exceeding the 100kg or more of
toxic chemical within 1 hour.
Tier 1 This mixture is not classified by the UN Dangerous Goods/U.S.
49
DOT protocols; therefore, the threshold quantity mixture
calculation is applied. The pure component reporting threshold
of formaldehyde is 2000kg and methanol is 1000kg. For the
current release formaldehyde is 27% of the Tier 1 threshold and
methanol corresponds 85% of the Tier 1 threshold. In total 112%
of Tier 1 is achieved
 Was there an unplanned release of hazardous substances?

Event Class Comment

A pipeline leaks and releases 900kg of flammable vapor above ground Remoteness is not a consideration
50 and it exceeds a Tier 1
within one hour; however, the release occurred in a remote location Tier 1 threshold quantity. For R&M operated pipelines the PSE will not
outside the facility fence. be included in external reporting (see Chapter IV).
A pipeline leaks and releases 900kg of flammable vapor above ground Although the leak technically occurs off-site, this is a Tier 1 PSE
within 1 hour. A public road bisects the main facility and its marine
51
since the facility owns and operates the entire segment of
docks. This pipeline originates in the facility and goes to the docks. Tier 1 pipeline.
The leak site happens to be off the sites property in the short segment
of piping that runs over the public road.
A DOT covered pipeline that is owned, operated, and maintained by This is not a PSE for Company B since the pipeline is not
Company A crosses through Company Bs property. The DOT covered
52
owned, operated or maintained by Company B. This would be a
line has a 700kg release within an hour from primary containment of Tier 1 transportation incident for Company A.
flammable gas and causes a fire resulting in greater than 25,000
damage to Company As equipment.
A third-party barge is being pushed by a tug and hits the Company The event is not included in external reporting since the barge
dock. A barge compartment is breached and releases 50 bbl of diesel
53
was not connected to the process for the purpose of feedstock
Tier 1
to the water. or product transfer.
A third-party truck/trailer on Company Premises has a spill of gasoline The incident is included in external reporting since the truck was
greater than 7 bbl in less than an hour while loading. Tier 1
54
connected to the process for the purpose of feedstock or product
transfer.
A pipe containing CO2 and 10,000 vppm H2S (1 % by volume) leaks If the H2S concentration is 50 vppm, then the calculated release
and 7000 kg of the gas is released within an hour. Calculations show
55
quantity would be 0.3 kg of H2S and would be counted as Tier 3.
that the release involved about 55 kg of H2S (TIH Zone B chemical). Tier 1
The release is a Tier 1 PSE because it exceeded the threshold
quantity.
A drilling subsurface blow-out comes to surface (along the casing path
to the surface) resulting in release of over 10t of flammable gas to Tier 1
56
atmosphere
During and extended well test at slug of liquid extinguished the flare Uncontrolled release because the flare failed to operate as
flame resulting in a release of combusted natural gas as 250.000 SCF
57
designed after the flame out. The released amount is above
per hour until the flare was reignited 10 min later. Tier 1 500kg within one hour.

While drilling a well, a shallow gas pocket was stuck, causing a loss of
well control. Mud, cuttings, and 100 barrels of oil wer released to the
58
environment and over 64.000kg of gas were discharged to Tier 1
atmosphere.

81 |
 Was there an unplanned release of hazardous substances?

Event Class Comment

A bleeder valve is left open after a plant turnaround. On start-up, an Unplanned or uncontrolled release
estimated 15 bbl of fuel oil, a liquid with a flashpoint above 60 C, is
59
If the release temperature would be above the flashpoint; thus, it
released at 38 C (below its flashpoint) onto the ground within an hour Tier 2 would be a Tier 1 PSE
and into the plants drainage system before the bleeder is found and
closed. This is a Tier 2 PSE.
An operator opens a quality control sample point to collect a routine Unplanned or uncontrolled release
sample of product and material splashes on him. The operator runs to
60
Tier 2
a safety shower leaving the sample point open and a Tier 2 threshold
quantity is released.
A Company railcar derails and spills more than 7 bbl of gasoline while The incident is not included in external reporting since it is not
in transit. Tier 2
61
connected to the process for the purpose of feedstock or product
transfer.
During loading a truck was overfilled and 150l heating oil spilled on the Unplanned release of a category 7 substance (see Table 2)
paving.
62
regardless whether the release is mitigated by secondary
Tier 2
containment.
A valve leak occurred in a gas turbine acoustic enclosure. The quantity The quantity released exceeds the threshold quantity for an
of gas released was 40kg. Tier 2 63
indoor release of flammable gases.
While troubleshooting a higher-than-expected natural gas flow rate, This is not a Tier 1 PSE as the release rate (~100 kg per hour)
operating personnel find an open block valve on the natural gas line
64
did not exceed the threshold quantity of 500 kg or more within
releasing to an elevated vent location. Upon further investigation, it is Tier 2 one hour); however, it is a Tier 2 PSE because it did exceed the
determined that a total of 1 million lb of natural gas was relieved at a threshold of 50 kg or more within 1 hour.
steady rate over a 6 month period.
An underground pipeline operated by the facility leaks and releases The spill results in contaminated soil that is subsequently
450kg of diesel (flash point > 60 C) at a temperature below its flash Tier 2
65
remediated. This is a Tier 2 PSE since the leak rate was greater
point within the facility over a period of three days (6.5kg/hr). than the Tier 2 threshold quantity.
A Company operated Marine Transport Vessel that had just The event will not be included in external reporting since Marine
disconnected from the process has an onboard 10 bbl spill of material
66
Transport Vessel incidents are specifically excluded, except
with a flash point > 60 C released at a temperature below its flash Tier 2 when the vessel is connected to the process for the purposes of
point. feedstock or product transfer.
A third-party survey boat is pulling a tube screen for seismic survey The event will not be included in external reporting because
and a shark bites into the tube releasing 7 bbl of hydraulic fluid into the Tier 2
67
exploration activities are not in the scope.
water.

82 |
 Was there an unplanned release of hazardous substances?

Event Class Comment

100kg of diesel spills within an enclosed area during a period of 30min
while transferring fuel to a drilling platform while in-hole. Tier 2
An underground gasoil pipe was found leaking over several months.
Soil was contaminated and the loss was calculated 10l per hour. Tier 3
A rupture of a flow line created a spill of 1000 l saltwater (oil fraction
negligible) Tier 3
There is a 10 bbl spill of gasoline that steadily leaks from piping onto
soil over a two week time period. Simple calculations show the spill
Tier 3
rate was approximately 0.03 bbl per hour.
Infrared scans identified that the separator floatation treater was
leaking 10.000 SCFD (standard cubic feet per day) from an agitator
Tier 3
seal. The separator continued to operate for 10 days until the treater
was taken out of service and its seals replaced
After collecting a load from an adjacent unit, a vacuum truck is parked
at the wastewater treatment facility awaiting operator approval to
Tier 3
discharge. While waiting the vacuum truck malfunctions and vents a
small amount of process material to the atmosphere.
A low pressure steam pipe broke in winter and freezing condensate
caused icing of the pathway no PSE
An operator purposely drains 20 bbl of material with a flash point > 60
C (140 F) at a temperature below its flash point into an oily water
collection system within one hour as part of a vessel cleaning no PSE
operation.
Routine monitoring of waste water indicates increased load of H2S but
below maximum allowable tolerance. no PSE
The spill exceeds the indoor threshold and occurred during
68
transfer of fuel to a MODU (e.g., jack-up or drill ship).
Here the amount released in any one-hour period is below the
69
Tier 2 threshold even though the total loss is higher.
Unplanned release of saltwater shall be recorded as Tier 3 PSE
if the exceeded 100l.
70
This is not a Tier 1 or Tier 2 PSE since the spill event did not
71
exceed the threshold quantity in any one-hour period. A
Company may choose to count this as a Tier 3 other LOPC
event.
unplanned release below the thresholds for Tier 1 and 2 in any
one hour period
72
This event will not be reported externally since vacuum truck
73
operations are excluded unless loading, discharging, or using
the trucks transfer pump.
Steam is considered as LOPC of hazardous substance unless
74
there is injury caused by the release.
The drainage is planned and controlled and the collection
75
system is designed for such service, this is not a reportable Tier
1 or 2 PSE.
Emission within the allowable permits are not PSE
76

83 |
 Was there a release of a pressure relief device to atmosphere?
Event Class
There is a unit upset and the PRD fails to open, resulting in
overpressure of the equipment and a 10-minute release of 900kg of Tier 1
butane from a leaking flange before it can be blocked in.
A relief valve operates and vents 250kg of a flammable gas directly to
atmosphere with a small liquid carry over estimated at 10kg Tier 1
hydrocarbons
The flare system is not functioning properly due to inactive pilots on the
flare tip. During this time, a vapor load is sent to the flare due to an Tier 1
overpressure in a process unit.
A PRD activates resulting a substantial release exceeding Tier 1
thresholds on an offshore platform causing precautionary down-
Tier 1
manning or platform abandonment.
100 bbl of naphtha liquid are inadvertently routed to the flare system
through a PRD. The flare knockout drum contains most of the release;
Tier 1
however, there is minimal naphtha rainout from the flare.
During a routine procedure of bleeding off of casing pressure the well
operators accidentally fully opened the valves. The bleeding off release Tier 2
was estimated higher than 500kg.
There is a unit upset and the PRD opens to an atmospheric vent that
has been designed for that scenario, resulting in a release of 150 of Tier 2
propane to the atmosphere requiring on-site shelter in place.
A process upset caused a low pressure safety valve to open to
atmosphere no PSE
A sour gas vessel has a PRD that was identified in a recent PHA to be
undersized. In the process of making a transfer, the vessel
overpressures. A release of 30kg sour gas (TIH Zone B material)
occurs through this PRD to a safe location over a period of 25 minutes. no PSE
84 |
Comment
77
The total mass exceeded the thresholds and there was a small
liquid carryover 78
The volume of the vapor through the PRD is greater than the
79
Tier 1 threshold and it results in the formation of a flammable
mixture at grade to be considered as unsafe release.
This is equivalent to an onshore situation resulting in an onsite
shelter in place.
80
This is a Tier 1 PSE since the volume released from the PRD to
81
a downstream destructive device does exceed the threshold
quantity in Table 1 and resulted in one of the four listed
consequences (i.e. liquid carryover).
Unplanned release of a category 5 substance (see Table 2)
82
This is a Tier 2 PSE because it both exceeded the threshold
83
quantity and resulted in one of the defined negative
consequences.
blow off is on a safe location, steam not considered as
84
hazardous substance unless nobody is injured
This would not be a Tier 1 or Tier 2, regardless of the HAZOP
85
finding, so long as it did not result in a liquid carryover, on-site
shelter-in-place, public protective measure or other indication of
discharge to an unsafe location. It is not counted as a Tier 1
LOPC since the system the overpressure opening is included in
normal operations design (although it is not a recommended
design).
 Was there a need of community evacuation or shelter in place due to the release of
hazardous substances?

Event Class Comment

A leakage of a gas system which contains up to 10% H2S requires Unplanned release of a category 2 substance requiring
86
evacuation of neighbors. Tier 1 evacuation
A PRD discharges to a srubber that vents to atmosphere. The The release quantity is estimated less than the Tier 1 threshold.
scrubber is overwhelmed by a flow rate greater the its design resulting
87
However, the need for shelter in place classifies to Tier 1 PSE
Tier 1
in a discharge that is detected by fence-line monitoring system and a
publich shelter in place order is issued
A small quantity of very odorous material enters a cooling water This is not a Tier 1 or Tier 2 PSE because of no official declared
system via tube leak. The material is dispersed into the atmosphere at shelter in place.
88
the cooling tower. An elementary school teacher decides not to no PSE
conduct recess outside due to a noticeable odor even though officials
deemed no shelter-in-place was necessary.
Less than 0.5kg of Hydrogen Sulphide gas is released while unloading This is not an officially declared evacuation or shelter-in-place
89
a truck at a refinery. The release is detected by a local analyzer and no Tier 1 because in this situation the officer is acting as a private citizen
triggers a unit response alarm. An off-duty police officer living in a PSE Tier suggesting a precautionary measure; therefore this is not a Tier
nearby home advises his neighbors to evacuate because an alarm 3 LOPC 1 or Tier 2 PSE.
like that means theres a problem at the refinery.
Evacuation because of bomb threat or other crime act Robbery, assault, crime acts (if not associated with hazardous
no PSE 90
substance) are not PS related.

85 |
 Have the safe operations limit of a process installation exceeded?
Event Class Comment
A sealing of the pump was damaged after the pump pressure The shut off head of the pump is obviously higher than the
increased due to a blocked valve downstream of the pump Tier 3 91
design pressure of the sealing
A nozzle rated 16bar was accidentally installed at a 60bar pipeline. It The 60bar is well above the safe operating limit of the nozzle.
was found out during testing. No release created. Tier 3 92
Overfilling of a fuel tank but not creating a spill.
Tier 3 93
In the overhead section of a process installation product stared to
freeze because of very cold winter. Tier 3 94
A faulty pump bearing was identified by a temperature high alarm. The If the operation could have been continued with a spare pump it
system was shut down to avoid further damage to pump and process. Tier 3 95
will not be counted as PSE.
While drilling a well there was a loss of hydraulic overbalance resulted The release is planned and does not count under LOPC PSE.
in a well kick. The standard procedure to reestablish the well resulted
96
The event counts under demand of safety system.
Tier 3
in a planned venting of the kick through the rig's choke and kill system
and de-gasser.
The car wash needs to be stopped because of lack of cleaning Not relevant for safe process.
97
substance. no PSE

Have been inspection or testing results of primary containment found outside

acceptable limits?
Event Class Comment
Routine inspection of fuel tank yield critical degradation of the wall 98
thickness. Tier 3

A moving truck squeezes the fuel hose which suffers cracks.

Tier 3 99
During routine testing of a flow line a leaking flange has been identified The leak is considered as fugitive emission and does not count
Tier 3 under LOPC
100
Parts of the metal cover of control cabinet loosened. Not relevant for safe process.
no PSE 101

86 |
 Was there an unplanned shutdown of a process installation or of its subsystems?
Event Class Comment
A technical failure of the LNG compressor causes the unit to shut-
down. Tier 3 102
Customer forgot the fuel hose in the car after filling and drove away. T3 Challenge to safety system: demands on safety systems
The hose broke and the dispenser shut down automatically. Tier 3 103
designed to prevent or mitigate a LOPC event.
A propane tank over-pressures through a PRD to the flare system. The Even though the PRD release exceeded the Tier 1 threshold
pilots on the flare system are not working properly, and the flare does
104
quantity, this is not a Tier 1 PSE since the discharge was routed
not combust the vapors. The event transpires over a period of 45 to a downstream destructive device with no consequence listed
Tier 3
minutes. The volume of propane release was estimated to be 600kg under Tier 1 PRD.
and the release dissipated into the atmosphere above grade and
above any working platforms.
An upset causes a PRD to open and release fuel gas to the facility This is not a Tier 1 or Tier 2 PSE since the PRD release was
flare system. The flare system works properly and combusts the vapor
105
routed to a downstream destructive device that functioned as
Tier 3
release which came from the PRD. intended (i.e. did not cause one of the four listed
consequences).
A short circuit stopped power supply of the station. The shut-down is not cause for safety reasons.
no PSE 106
A faulty flame detector triggered fire alarm. Firefighting checked the No shut-down of the system.
situation and confirmed faulty alarm. no PSE 107

Was there an event within the process area which has no immediate PS consequence
but had critical potential for a PS event?
Event Class Comment
On a hot, dry summer day bushes close to a well site caught fire. The fire threatened the installation and had thus the potential for
108
Firefighting services could prevent flash over to the installation. Tier 3 a severe process accident.
While refueling a customer car caught fire. Tier 3 The fire threatened the retail station.
109
A sewer pit exploded due to electrostatic ignition of the hydro-carbons The explosion does not involve an unplanned, uncontrolled
contained in the waste water. The sewer cover flew several meters Tier 3
110
LOPC. Acc. definition Tier 1 & 2 explosions and fires need to
and damaged windows. result from LOPC.
A theft was stealing cables from the cathodic protection system. Tier 3 111
A truck damaged the support structure of a pipe rack. Tier 3 112
An internal leakage of a water cooler was identified by increased HC in
Tier 3 113
Marginal release. The unmanaged leak could have ended in
backflow cooling water. The unit had to shut down for repair. more severe consequences.
87 |crashed into the shop window.
A car not PS No risk to end up in a PS event.
114
 Does the finding or hazard indicate an increased likelihood of a PS event?
Event Class Comment
Earthing cables found loosened / degraded / missing during inspection. Tier 4 115
Critical operating parameters changed without proper management of
change (e.g. increased H2S content) Tier 4 116
Slippery / icy paving. not PS Not relevant for PS
117

Are Process Safety relevant barriers missing or failing?

Event Class Comment

Missing emergency response devices (e.g. firefighting, oil spill, 118
Tier 4
emergency numbers)
A safety instrumented function is bypassed without appropriate
compensation measures and communication
Tier 4 119
A safety valve did not pop at the set pressure at the test bench.
Tier 4 120
Missing first-aid box First-aid box and PPE have only limited PS relevancy.
not PS 121

Is there a deficiency of a management procedure related to PS

Event Class Comment
PS related docs not up to date (e.g. emergency plan for LOPC,
explosion protection documentation) Tier 4 122
Design data for equipment not available. Tier 4 123
A subcontractor entered the site using the access card of his
colleague. not PS 124

88 |
 INTRODUCTION TO
OFFSHORE SAFETY CASE

89 |
 Offshore regulatory regime

The Offshore regime is

based around the Safety
Case Regulations (2005)
which requires operators to
have a safety case for fixed
and mobile installations
accepted by the Health and
Safety Executive (for UK
operators)

The safety cases need to be

maintained and submitted to
the HSE at various times
throughout the life cycle of
the installation.

90 |
 Offshore regulatory regime

The contents of a safety case are detailed in the Safety Case

Regulations (2005) and should include:

Description of installation (with drawings)

Location plan of installation

Operational parameters

Maximum number of persons on installation

Well control arrangements

Description of pipelines including contents, dimensions and layout

91 |
 Offshore regulatory regime

Description of compliance with PFEER regulations which include

description of risk assessments and the performance standards
for safety critical elements.

Arrangements for protection against toxic gas

Measures or arrangements for protection from hazards of explosion,

heat, smoke, toxic gas or fumes including provision for temporary
refuge.

Specification for design of installation/plant and description of

suitability of safety critical elements.

92 |
 Hazard and Risk

HAZARD
A situation which poses a
threat to life, health,
property or environment

RISK High Risk

The probability that an

hazard will cause a given
damage under given Low Risk
circumstances

93 |
 Hazard and Risk

94 |
 Risk Assessment General Tolerability Criteria

95 |
 Risk Assessment Individual Risk

96 |
 Safety Case Hazard Identification

The Safety Case has to consider the hazards that can occur in the
field, from both external and internal origin:

Internal
Loss of Containment:
Fire, Explosion
Gas and Smoke Dispersion
Process Hazards (HAZOP Review)
Workplace hazards
Transportation hazards (Helicopter)

External
Marine Hazard (impacts)
Dropped Objects

97 |
 Safety Case Study Structure

Dropped Object Study Fire & Explosion Analysis

Gas & Smoke Dispersion Analysis
Marine Hazard Analysis
Emergency Systems Survivability Analysis

HAZID
SIL Analysis QRA
HAZOP MAE SCEs
Performance Standards
Escape, Evacuation and Rescue Analysis

98 |
 Safety Case Activities

As part of the Safety Case the following studies have to be developed.

HAZOP Review
Safety Integrity Level (SIL) Review
Marine Hazard Analysis
Dropped Object Study
Fire and Explosion Analysis
Gas and Smoke Dispersion Analysis
Emergency Systems Survivability Analysis (ESSA)
Escape, Evacuation and Rescue (EER) Study
Performance Standards & Verification Scheme for SCE
QRA Report
HSE Management System Review Report
Operational Safety Case

99 |
 Safety Case Engineering studies Marine Hazards

Purpose:
to assess quantitatively the incidental collision frequencies between ships
passing in the vicinity of the field facilities, shuttle tankers visiting the field,
supply vessels and fishing vessels in the area.

Collision Scenarios:
Passing vessels (commercial, passenger, recreational boat) powered
and drifting;
Shuttle tankers;
Supply vessels (powered and drifting);
Fishing ships.

The parameters considered to assess the impact frequency are:

Ship breakdown frequency;
Probability of human error;
Emergency response.

100 |
 Safety Case Engineering studies Marine Hazards

101 |
 Safety Case Engineering studies Marine Hazards

Damage:
Ships with tonnage higher than 5000 DWT are considered to cause major
damage to the impacted installation

Results

Total frequency of collision

Frequency of collision causing major damage

102 |
 Safety Case Engineering studies Marine Hazards

DWT <1500

DWT > 1500

DWT > 5000

DWT>15000

103 |
 Safety Case Engineering studies Marine Hazards

It is recommended that the supply vessel

approaches the platform away from the risers and to
create a limitation zone around the risers.

Exclusion area of 7.1 km around the facilities;

Signalisation and inscription on the maritime maps
of the field facilities;
Marine radar system;
Navigational aid systems on the platforms;
Installation of an AIS (Automatic Identification System);
Installation of a Radar anti-collision;
Fog horn installed on each platform;
Visual signals;
Presence of supply vessel warning vessels entering the exclusion area;
Supply vessel are forbidden to approach the facilities in case of bad weather;
Shuttle tankers approach assisted by tug boat and only during the day.

104 |
 Safety Case Engineering studies Dropped Objects

Purpose:
To evaluate quantitatively the dropped objects hit frequency on decks,
jackets and on oil and gas sealines.
The analysis covers the operation, drilling and work-over working
phases performed on the platforms and the storage barge.

Scenario:
dropped objects from monorails impacting on main deck;
dropped objects from cranes impacting on main deck;
dropped objects from cranes impacting on the jacket structure;
dropped objects from cranes impacting on the sealines.

The parameters considered to assess the impact frequency are:

Drop frequency (from statistical data);
Excursion in water.

105 |
 Safety Case Engineering studies Dropped Objects

Calculation technique (examples)

Assess the impact energies

106 |
 Safety Case EER Analysis

Purpose:
Objective of the Escape, Evacuation and Rescue (EER) study is to
assess if successful evacuation from the manned facilities of the field
can be achieved.

Steps:
The EER study is a qualitative assessment of the performance of the
EER systems in response to the major accident events, which may or
may not require personnel to evacuate the platform in an emergency.

The analysis could be done by means of an EER HAZOP

107 |
 Safety Case Fire & Gas explosion

108 |
 Safety Case Fire & Gas explosion

The analysis of the fire and explosion risks is performed in accordance

with the following steps:
Identification of Credible Fire and Explosion Scenarios; (example)
Release diameter for Minor release: 7mm (1/4);
Release diameter for Significant release: 25mm (1);
Release diameter for Major release: 100mm (4).
Evaluation of Random Rupture Frequencies;
Each identified section has been analysed in order to evaluate the
expected rate of failure
Assessment of Consequences of Fire and Explosion Scenarios.

109 |
 Safety Case Fire & Gas explosion

Frequency result
Release Initial event Frequency consequences [event/year]
diameter frequency
[mm] [event/year] Jet Fire Explosion Flash-Fire Dispersion
7 5.90E-05 5.66E-08 0 2.36E-09 5.89E-05
25 8.86E-05 5.41E-07 0 2.98E-08 8.80E-05
100 2.95E-05 7.38E-07 1.33E-08 1.19E-07 2.86E-05

Consequences result
Pool fire Location Equipment
Hole Pool Distance to Heat Radiation
diameter diameter [m]
37.5 12.5 5
[mm] [m] 2 2
kW/m kW/m kW/m2
7 3 3.5 5.4 7.8
- - 25
6 5 11 15.6
100

Explosion Hole Explosive Peak Overpressure distance

Location Equipment
diameter mass [m]
[mm] [Kg] 0.5bar 0.35bar 0.1bar
7 0 - - -
- - 25 0 - - -
100 17 122 126 147

110 |
 Safety Case QRA

All the numerical results of the engineering safety studies have to be

summarized in a Quantified Risk Assessment report, to demonstrate if the
Company Risk tolerability criteria are met.

Targets

IRPA (Individual Risk Per Annum)

PLL (Potential Loss of Life)
TRIF (Temporary Refuge Impairment Frequency)

The above values are calculated for the groups of people in the facilities:
Group 1: personnel in the living quarter / offices most of the time;
Group 2: personnel in the control rooms (or other technical rooms)
most of the time;
Group 3: personnel in the process areas (maintenance, etc.).

111 |
 Safety Case QRA

The QRA SUMS all the risks deriving from each of the hazards assessed
individually in the Engineering Safety Studies.

In formula:

All the hazards identified

n
IRPAGroup f i vi pi
i

Probability that an individual will

Frequency of one of the hazards assessed be present in the location,
in the safety studies at the moment of an accident

Vulnerability. The probability that an individual will die

due to the consequence associated to the hazard

112 |
 Safety Case QRA

The calculation of risk requires an high number of calculations to be

done:

113 |
 Safety Case QRA

Total IRPA

P1 IRPA

P2 IRPA

P3 IRPA

114 |
 Safety Case QRA

Potential Loss of Life: PLL

115 |