insights into essa


Upload: pillai-sreejith

Post on 10-Apr-2015


DESCRIPTION

ESSA, or Emergency System Survivability Assessment, is a critical study that is part of the Formal Safety Assessment studies recommended by Lord Cullen. In this note, the authors bring out some typical flaws in the assessment process.


Offshore Safety Studies

Technical Safety Note / November 2008

Insights into Offshore Emergency System Survivability Assessment (ESSA)

A. Preface:

As offshore HSE consultants, the authors have come across various methodologies for assessing offshore emergency systems and have found that these assessments share some typical flaws, which make the assessment process unclear and result in incomplete assessments. In this short note, an attempt is made to bring about clarity by suggesting some improvements to enhance the emergency systems assessment in the ESSA study.

B. Background of ESSA:

In 1988, the Piper Alpha disaster in the North Sea resulted in 167 fatalities and a total asset loss of £1.7 billion (US$ 3.4 billion), and finally caused Occidental Petroleum to go out of business in the UK. A public inquiry by Lord Cullen was commissioned in November 1988 to establish the circumstances that led to the accident on Piper Alpha and its causes. In November 1990, the report [1] was concluded. It revealed that several emergency systems on Piper Alpha did not survive the fire / explosion and hence could not perform their intended design objectives. Among the recommendations that Lord Cullen proposed was that a thorough ‘review of the ability of emergency systems to survive severe accident be performed’ [1 – R 65] for all installations.

This recommendation has been transformed into a study known as the ‘Emergency Systems Survivability Assessment (ESSA)’ and included as one of the Formal Safety Assessment (FSA) studies required by the UK Safety Case Regulations, 2005.

C. Interesting findings on Piper Alpha:

Lord Cullen's investigation report summarized and highlighted issues related to emergency systems on Piper Alpha. The key flaws associated with emergency systems that were identified in the Piper Alpha disaster are listed below:

• The control room and radio room were both outside the TSR. Hence, when the explosion occurred, both the control room and the radio room were damaged. There were no facilities in the ERQ to assess or exercise control over it or to communicate with external parties. They were also unable to obtain information on the status of the Fire and Gas (F&G) Detection, Emergency Shutdown (ESD) or deluge systems [1-19.176];


• Both the main and emergency power supplies, as well as part of the Uninterrupted Power Supply (UPS), were knocked out after the explosion and hence there was no electrical power supply on the Piper Alpha platform;
• Battery power supplies dedicated to individual equipment mainly performed well;
• It was suspected that the main means of communication to the personnel on the platform, the PA/GA (Public Address / General Alarm), was not functioning or was disabled, as it was not used;
• The first explosion occurred before signals from the gas detection systems led to either a manual or automatic ESD [1-19.38];
• ESD of the gas pipelines was not part of the platform ESD system and had to be effected manually for each pipeline separately from the control room [1-19.38];
• Some of the ESD valves appear not to have closed fully [1-19.38];
• The Piper Alpha had only firewalls retrofitted, not blast walls, even after the installation of the gas compression module [1-19.55];
• The Lord Cullen report inferred that the emergency power supply, ESD system and communication system should possess a high degree of ability to survive severe accident conditions [1-19.189];
• The vulnerability of the emergency systems to severe accident conditions needs to be reviewed and steps need to be taken to enhance their ability to survive such conditions [1-19.190]:
   o Vulnerability of the ESD and SSIV (Sub Surface Isolation Valve) systems to be reviewed [1-R48];
   o The ability of fire water deluge systems to survive severe accident conditions [1-R51].
• Designs are to be fail safe, i.e. they can still convey their essential message even on loss of power [1-19.193]; and
• The initial explosion on the Piper knocked out the control room, disabled power supplies, communications and firewater deluge systems, and caused severe vibration which may have affected the ESD system [1-19.44].

Note: [1-19.38]: Reference to specific findings in Lord Cullen Report


E. Typical Offshore Emergency Systems:

Typically, the following systems are considered as emergency systems in offshore installations:

No. Systems
1. Fire and Gas (F&G) Detection and Alarm System
2. Emergency Shut Down (ESD) System
3. Blow Down & Relief System
4. Active Fire Protection System
5. Passive Fire Protection
6. Heating, Ventilation and Air Conditioning (HVAC) System
7. Emergency Communications System
8. Emergency Power System (Emergency Power Generator & UPS)
9. Emergency Lighting System

F. Issues to Consider:

1. Identification of emergency systems:

Based on the definition of Emergency Systems, these systems mitigate / recover the effects of major accident events such as fire / explosion, ship collision, hydrocarbon release, dropped objects, etc. From this perspective, the safety systems / barriers on the right side of the bow tie are emergency systems. Once the bow ties are constructed for MAEs (Major Accident Events) as part of the HAZID (Hazard Identification), the mitigation and recovery measures should be listed as emergency systems and assessed for survivability.

[Figure: Bow Tie Diagram. Labels: Hazard, Prevention, MAE, Mitigation & Recovery]


The identification of emergency systems could be carried out by developing a matrix of all offshore systems (marine, process and utilities) against the MAEs. The emergency system definition may then be applied to this matrix to identify the emergency systems.

2. Survivability duration of emergency systems:

The duration for which the emergency system (ES) is supposed to function is generally not discussed in ESSA reports. However, duration is a very important criterion when determining the survivability of the ES. Some emergency systems are designed to perform and survive MAEs, while other emergency systems can become impaired or fail after performing their intended objective. For example, a detector can fail once it has sent a signal to the F&G panel and the alarm has sounded; it need not survive the whole fire duration. Likewise, the blowdown system can fail once it has depressurized the line. However, if the blowdown system is impaired before it is able to perform its function, then there is a possibility of an escalation of the MAE. As far as the emergency power system is concerned, this system should be able to withstand fires (maybe explosions) for the entire MAE duration, as it is required for safe personnel evacuation.

3. Location of the Emergency Systems:

The location of the emergency system is critical as it influences the survivability of the system. As mentioned above, the Piper Alpha control and radio rooms were not located in strategic and safe locations. For example, it is critical that the emergency diesel generators and UPS systems are located away from fire prone areas or high inventory hydrocarbon areas, as the emergency power supply is required to provide power for the whole evacuation period.

Emergency lighting with self contained batteries should also be strategically located so that, in the event of emergency power supply failure, the escape routes will still be illuminated to some extent and all personnel will be able to access the TR (Temporary Refuge) safely.

If the FEA or ETRERA or ESSA assessment justifies the need for a fire / blast wall or layout change, the same has to be carried out through a risk / performance based approach.

3. Assessment of Fail Safe-design of Emergency Systems:

The assessments of fail safe design for ES are often quite misleading. Generally, a fail safe system is a system that performs its required safe function automatically upon failure of a system component. For example, if fire impingement on the instrument air supply line to the ESD valve results in the failure of instrument air, then the ESD valve automatically shuts or opens, performing its intended fail-safe function. However, the fail safe design will not be applicable to most of the emergency systems and hence it is not logical to assess all ES for fail-safe design.

4. Vulnerability Assessment:

By definition, vulnerability is the possibility of MAEs impairing or damaging emergency systems before they perform their intended function. In order to assess the impairment of emergency systems, studies such as FEA or ETRERA or Dispersion and Radiation Assessment should be performed as necessary.

Once it is confirmed from the specific assessments that the ES will potentially be impaired, then the other aspects such as redundancy, etc. are to be assessed as part of ESSA.

5. Assessment of Redundancy:

If the emergency system is found vulnerable to MAEs, then it is logical to assess redundancy levels for the required systems. The following sequence would help in carrying out the redundancy assessment:

• Are all the sub components for emergency systems provided with redundancy?
• Is the location of the redundant system close to the main system? If so, then there is no point in having the redundancy, as both components will be affected by the MAEs.

It is therefore worth mentioning that the Life Saving Plan / Fire Safety Plan or other relevant drawings need to be assessed to ascertain whether the locations of the redundant systems are appropriate from the survivability point of view.

6. Assessment of all sub systems of Emergency Systems:

Logically, all sub systems of all emergency systems should be identified and then separately assessed for survivability. A functional block diagram could be developed for each of the emergency systems. For example, the sub systems for PFP on an FPSO (Floating Production, Storage and Offloading) could be:

• Fire walls;
• Blast walls;
• Heat shields;
• Intumescent coatings on structures; and
• Fire blanket insulation on shutdown valves.

For an F&G Detection and Alarm System, the detectors, the Logic Controller, the cables and the F&G panel should all be assessed, as all of these components are critical to ensuring that the whole system functions to meet its intended objective. Very often, only the major systems / components are assessed. It is recommended that all the sub components of the emergency systems be separately subjected to the survivability assessment for completeness.
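The sequence described in items 2, 4, 5 and 6 above (required duration, vulnerability, redundancy and its location, assessed sub system by sub system) can be written as a small screening routine. This is an added example, not part of the original note; the fire areas, durations and times to impairment are constructed values standing in for FEA or ETRERA results, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SubSystem:
    system: str                          # parent emergency system
    name: str
    area: str                            # fire area where the unit is installed
    required_min: float                  # minutes it must function during the MAE
    impaired_after_min: Optional[float]  # predicted time to impairment; None = never
    backup_area: Optional[str] = None    # fire area of the redundant unit; None = none

def assess(sub: SubSystem) -> str:
    # F.2 / F.4: vulnerable only if impaired before its function is complete.
    if sub.impaired_after_min is None or sub.impaired_after_min >= sub.required_min:
        return "survives"
    # F.5: the sub system is vulnerable, so check for redundancy.
    if sub.backup_area is None:
        return "vulnerable: no redundancy"
    # F.5: a redundant unit next to the main unit is hit by the same MAE.
    if sub.backup_area == sub.area:
        return "vulnerable: redundant unit co-located"
    return "survives on redundant unit"

def roll_up(subs):
    # F.6: a system meets its objective only if every sub system does.
    findings = {}
    for sub in subs:
        verdict = assess(sub)
        issues = findings.setdefault(sub.system, [])
        if not verdict.startswith("survives"):
            issues.append(f"{sub.name}: {verdict}")
    return findings

# Constructed sample for one fire scenario; all areas and times are illustrative.
SAMPLE = [
    SubSystem("F&G", "gas detector", "process", 0.1, 5.0),
    SubSystem("F&G", "field cable", "process", 0.1, 3.0),
    SubSystem("Blowdown", "blowdown valve", "process", 15.0, 10.0),
    SubSystem("Emergency power", "diesel generator", "utility", 60.0, 20.0, "accommodation"),
    SubSystem("Emergency power", "distribution board", "utility", 60.0, 20.0, "utility"),
]

if __name__ == "__main__":
    for system, issues in roll_up(SAMPLE).items():
        print(system, "->", "OK" if not issues else "; ".join(issues))
```

An empty findings list for a system means every listed sub system either outlasts its required duration or has a redundant unit in a different fire area.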

G. Performance Objective and Survivability Issues:

The emergency systems will be designed to meet their performance objectives and it is logical to expect at least some of them to survive emergency conditions. The performance objective and survivability requirement for a few emergency systems are provided in the table below.

Emergency system: F&G Detection and Alarm System
Performance objectives: To detect fires, smoke and gas and to provide a timely signal (within milliseconds) to the PLC for alarm / trip
Checkpoints:
• Is there a possibility that an explosion will impinge the detectors before the detectors detect a leak etc.

Emergency system: Active Fire Protection
Performance objectives: Designed to fight fires (and not explosions), normally with redundant systems.
Checkpoints:
• Fire impingement on the AFP equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to last

Emergency system: Passive Fire Protection
Performance objectives: Designed to survive fires and explosions for defined design conditions. Normally designed based on quantitative fire and explosion assessment
Checkpoints:
• Fire impingement on the equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to last (longer than evacuation time)
• Firewall ratings
• Blast rating wall requirement

Emergency system: Emergency Shut Down
Performance objectives: Required to provide a reliable means for safely isolating and shutting down process hydrocarbon inventories to a safe condition.
Checkpoints:
• Valves fitted with PFP
• Able to withstand fires for a certain duration
• Fail safe design

Emergency system: Blow Down & Relief System
Performance objectives: To rapidly depressurize hydrocarbon gas inventories and dispose of them at a safe distance from the installation, usually through the flare system.
Checkpoints:
• Meets API 521 design criteria?
• Fire impingement on the equipment?
• Duration it is expected to last as opposed to time taken to depressurize line/tank

Emergency system: Heating, Ventilation and Air Conditioning (HVAC) System
Performance objectives: Fire dampers to close on demand of confirmed gas / smoke detection at the intake to TR to avoid ingress of gas and smoke
Checkpoints:
• Fire impingement?
• Fail safe design?
• Internal air circulation

Emergency system: Emergency Communications System
Performance objectives: Means of communication with personnel on the facility as well as onshore, emergency response groups, nearby vessels etc.
Checkpoints:
• Fire impingement on the equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to last

Emergency system: Emergency Power System (Emergency Power Generator & UPS)
Performance objectives: Provides power to various emergency systems, including emergency lighting, emergency communications, etc. upon loss of normal power supply
Checkpoints:
• Fire impingement on the equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to last

Emergency system: Emergency Lighting
Performance objectives: Required to provide adequate illumination to escape routes, Muster Area etc. that is not reliant on external power supplies during an emergency situation
Checkpoints:
• Fire impingement on the equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to last

While carrying out ESSA, the above table may be referred to when performing the survivability assessment of emergency systems.

H. Conclusion:

ESSA is one of the critical safety assessments defined in the UK Safety Case Regulations 2005. Hence this paper is intended to create awareness as well as provide some details on producing a comprehensive ESSA report. It is imperative that both operators and safety consultants understand and assess the emergency systems in a comprehensive manner, taking technically correct and logical steps to produce a convincing assessment report. If the ESSA process is carried out based on performance-based survivability criteria, then the assessment will take a logical route without any confusion.

References:

1. Department of Energy UK, The Public Inquiry into the Piper Alpha Disaster, Lord Cullen, 1991
2. The Offshore Installations (Safety Case) Regulations 2005, No. 3117, UK

Authors:

Pillai Sreejith

Alvin Rajan