Offshore Safety Studies

Insights into Offshore Emergency System Survivability Assessment (ESSA)

A. Preface:
As offshore HSE consultants, the authors has come across various assessment methodologies of
offshore emergency systems and has found that the assessment has some typical flaws thus
making the assessment process unclear resulting in incomplete assessment. In this short note,
an attempt is made to bring about clarity by suggesting some improvements to enhance the
emergency systems assessment in the ESSA study.

B. Background of ESSA:
In 1988, the Piper Alpha disaster that occurred in North Sea resulted in 167 fatalities and a total
asset loss of £1.7 billion (US$ 3.4 billion) and finally caused Occidental Petroleum to go out of
business in UK. A public inquiry by Lord Cullen was commissioned in November 1988 to
establish the circumstances that led to the accident on Piper Alpha and its causes. In November
1990, the report [1] was concluded and the report revealed that several emergency systems on
the Piper Alpha did not survive the fire/ explosion and hence could perform its intended design
objectives. Among the recommendations that Lord Cullen proposed, was a thorough ‘review of
the ability of emergency systems to survive severe accident be performed’ [1 – R 65] for all
installations.
This recommendation has been transformed into a study known as the ‘Emergency Systems
Survivability Assessment (ESSA)’ and included as one of the Formal Safety Assessment (FSA)
studies as required by UK Safety Case Regulations, 2005.

C. Interesting findings on Piper Alpha:

Lord Cullen investigation report summarized and highlighted issues related to emergency
systems on Piper Alpha. The key flaws associated with emergency systems that were identified in
the Piper alpha disaster are listed below:

• The control room and radio room was both outside the TSR. Hence when the explosion
occurred, both the control and radio room were damaged. There were no facilities in the ERQ
to assess or exercise control over it or to communicate with external parties. They were also
unable to obtain information on status of Fire and Gas (F&G) Detection, Emergency
Shutdown (ESD) or deluge systems [1-19.176];

Technical Safety Note / November 2008

Offshore Safety Studies

• Both the main and emergency power supplies as well as part of the Uninterrupted Power
Supply (UPS) were knocked out after the explosion and hence there was no electrical power
supply on Piper Alpha platform;
• Battery power supplies dedicated to individual equipment mainly performed well;
• It was suspected that the main means of communication to the personnel on the platform, the
PA/GA, (Public Address /General Alarm) was not functioning/ disabled as it was not used;
• The first explosion occurred before signals from the gas detection systems led to either a
manual or automatic ESD [1-19.38];
• ESD of the gas pipelines were not part of the platform ESD system and had to be affected
manually for each pipeline separately from the control room [1-19.38];
• Some of the ESD valves appear not to have closed fully [1-19.38];
• The Piper Alpha had only firewalls retrofitted and not blast walls. [1-19.55] even after the
installation of gas compression module;
• Lord Cullen report inferred that emergency power supply, ESD system and communication
system should possess a high degree the ability to survive severe accident conditions [1-
19.189];
• The vulnerability of the emergency systems to severe accident conditions need to be
reviewed and steps need to be taken to enhance their ability to survive such conditions [1-
19.190]:
o Vulnerability of the ESD and SSIV (Sub Surface Isolation Valve) systems to be
reviewed [1-R48];
o The ability of fire water deluge systems to survive severe accident conditions [1-
R51].
• Design to be fail safe i.e. they can still convey their essential message even on loss of power
[1-19.193]; and
• The initial explosion on the Piper knocked out the control room and disabled power supplies,
communications and firewater deluge systems and caused severe vibration which may have
affected the ESD system [1-19.44].
Note:
[1-19.38]: Reference to specific findings in Lord Cullen Report

Technical Safety Note / November 2008

Offshore Safety Studies

E. Typical Offshore Emergency Systems:

Typically, the following systems are considered as emergency systems in offshore installations:

No. Systems
1. Fire and Gas (F&G) Detection and Alarm System
2. Emergency Shut Down (ESD) System
3. Blow Down & Relief System
4. Active Fire Protection System
5. Passive Fire Protection
6. Heating, Ventilation and Air Conditioning (HVAC) System
7. Emergency Communications System
8. Emergency Power System (Emergency Power Generator & UPS)
9. Emergency Lighting System

F. Issues to Consider:

1. Identification of emergency systems:

Based on the definition of Emergency Systems, these systems mitigate / recover effects of major
accident events such fire / explosion, ship collision, hydrocarbon release, dropped objects, etc.
From this perspective, the safety systems / barriers that are on the right side of the bow tie are
emergency systems. Once the bow ties are constructed for MAEs (major Accident Event) as part
of the HAZID (Hazard Identification), the mitigation and recovery measures should be listed as
emergency systems and assessed for survivability.

MAE
Hazartd
Mitigation &
Prevention Recovery

Bow Tie Diagram

Technical Safety Note / November 2008

Offshore Safety Studies

The identification of emergency systems could be carried by developing a matrix with all offshore
systems (marine, process and utilities) and MAEs. The emergency system definition may be
applied on this matrix to identify emergency systems.

2. Survivability duration of emergency systems:

The duration for which the emergency system (ES) is supposed to function is generally not
discussed in ESSA reports. However duration is a very important criterion while determining
survivability of the ES. Some emergency systems are designed to perform and survive MAEs
while some other emergency systems can get impaired/ fail after performing its intended objective.
For example, the detectors can fail once it has already sent a signal to the F&G panel and the
alarm has sounded and need not survive the whole fire duration. Likewise with the blowdown
system, it can fail once it has depressurized the line. However if the blowdown system is impaired
before it is able to perform its function, then there is a possibility of an escalation of the MAE. As
far as the emergency power system is concerned, this system should be able to withstand fires
(maybe explosions) for the entire MAE duration and it is required for safe personnel evacuation.

3. Location of the Emergency Systems:

The location of the emergency system is critical as it influences the survivability of the system. As
mentioned above, the Piper Alpha control and radio room were not located in a strategic and safe
locations. For example, it is critical that the location of the emergency diesel generators and UPS
systems are away from fire prone areas or high inventory hydrocarbon areas as the emergency
power supply is required to provide power supply for the whole evacuation period.

Emergency lighting with self contained batteries should also be strategically located so that in the
event of the emergency power supply failure, the escape routes will still be illuminated to some
extend so that all personnel will be able to access to the TR (Temporary Refuge) safely.

If the FEA or ETRERA or ESSA assessment justifies the need for a fire / blast wall or layout
change, the same has to be carried out through a risk /performance based approach.

3. Assessment of Fail Safe-design of Emergency Systems;

The assessments of fail safe design for ES are often quite misleading. Generally a fail safe
system is a system that performs its required safe function automatically upon failure of a system
component. For example, in the event a fire impingement occurs on the instrument air supply line
to the ESD valve resulting in the failure of instrument air, then automatically the ESD valves shuts

Technical Safety Note / November 2008

Offshore Safety Studies

or opens, performing its intended fail-safe function. However the fail safe design will not be
applicable most of the emergency systems and hence it is not logical to assess all ES for the fail-
safe design.

4. Vulnerability Assessment:
By definition, vulnerability is the possibility of MAEs impairing emergency systems causing it to be
impaired/ damaged before they perform their intended function. In order to assess the impairment
of emergency systems, studies such as FEA or ETRERA or Dispersion and Radiation
Assessment should be performed as necessary.

Once it is confirmed from the specific assessments that the ES will be potentially impaired, then
the other aspects such as redundancy, etc. are to be assessed as part of ESSA.

5. Assessment of Redundancy:
If the emergency system is found vulnerable to MAEs, then it is logical to assess redundancy
levels for the required systems. The following sequence would help in carrying out redundancy
assessment:
• Are all the sub components for emergency systems provided with redundancy?
• Is the location of the redundant system close to the main system? If so, then there is no
point in having a redundancy as both the components will be affected by the MAEs.
Hence here it is worth mentioning that the Life Saving Plan /Fire Safety Plan or other relevant
drawings need to be assessed to ascertain whether the location of the redundant systems are
appropriate from the survivability point of view.

6. Assessment of all sub systems of Emergency Systems:

Logically, all sub systems for all emergency systems should be identified and then should be
separately assessed for survivability. A functional block diagram could be developed for each of
the emergency systems. For example, the sub systems for PFP on an FPSO (Floating Production,
Storage and Offloading) could be:
• Fire walls;
• Blast walls;
• Heat shields;
• In tumescent coatings on structures; and
• Fire blanket insulation on shutdown valves.

For an F&G Detection and Alarm System, detectors, the Logic Controller, cables and F&G panel
should all be assessed as the components are critical to ensure that whole system functions to

Technical Safety Note / November 2008

Offshore Safety Studies

meet its intended objective. Very often, only the major systems/ components are assessed. It is
recommended that all the sub components of the emergency systems be separately subjected to
the survivability assessment for completeness.

G. Performance Objective and Survivability Issues:

The emergency systems will be designed to meet their performance objectives and it is logical to
expect at least some of them to survive emergency conditions. The performance objective and
survivability requirement for a few emergency systems are provided in the table below.

Emergency system Performance Objectives Checkpoints

F&G Detection and Alarm To detect fires, smoke and gas Is there a possibility that an
System and to provide timely signal explosion will impinge the
(within milli seconds) to PLC detectors before the detectors
for alarm / trip detect a leak etc.

Active Fire Protection
Passive Fire Protection
Emergency Shut Down
Designed to fight fires (and not
explosions), normally with
redundant systems.
Designed to survive fires and
explosions for defined design
conditions. Normally designed
based on quantitative fire and
explosion assessment
Required to provide a reliable
means for safely isolating and
shutting down process
hydrocarbon inventories to a
safe condition. .
• Fire impingement on the
AFP equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to
last
• Fire impingement on the
equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to
last (longer than evacuation
time)
• Firewall ratings
• Blast rating wall
requirement
• Valves fitted with PFP
• Able to withstand fires for a
certain duration
• Fail safe design

Blow Down & Relief System
Heating, Ventilation and Air
Conditioning (HVAC) System
To rapidly depressurize
hydrocarbon gas inventories
and dispose of them at a safe
distance from the installation
usually through the flare
system.
Fire dampers to close on
demand of confirmed gas /
smoke detection at the intake
• Meets API 521 design
criteria?
• Fire impingement on the
equipment?
• Duration it is expected to
last as opposed to time
taken to depressurize
line/tank
• Fire impingement?
• Fail safe design?
• Internal air circulation

Technical Safety Note / November 2008

Offshore Safety Studies

Emergency system Performance Objectives Checkpoints

to TR to avoid ingress of gas

and smoke
Emergency Communications Means of communication with • Fire impingement on the
System personnel on the facility as equipment
well as onshore, emergency • Location of the equipment
response groups, nearby • Redundancy of equipment
vessels etc • Duration it is expected to
last

Emergency Power System Provides power to various • Fire impingement on the

(Emergency Power Generator emergency systems, including
& UPS) emergency lighting,
emergency communications,
etc upon loss of normal power
supply
equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to
last

Emergency Lighting Required to provide adequate • Fire impingement on the

illumination to escape routes,
Muster Area etc that is not
reliant on external power
supplies during an emergency
situation
equipment
• Location of the equipment
• Redundancy of equipment
• Duration it is expected to
last

While carrying out ESSA, the above table may be referred to perform the survivability
assessment of emergency systems.

H. Conclusion:

ESSA is one of the critical safety assessments defined in UK Safety Case Regulations 2005.
Hence this paper IS intended to create awareness as well as provide some details in producing a
comprehensive ESSA report. It is imperative that both the operators and safety consultants
understand and assess the emergency systems in a comprehensive manner taking technically
correct and logical steps to produce a convincing assessment report. If ESSA process is carried
out based on the performance-based survivability criteria, then the assessment will take a logical
route without any confusion.

References:
1. Department of Energy UK, The Public Inquiry in the Piper Alpha Disaster, Lord Cullen, 1991
2. The Offshore Installations (Safety Case) Regulations 2005, No. 3117, UK

Authors:
Pillai Sreejith (pillai_sreejith@hotmail.com)
Alvin Rajan (alvinratnasingam@yahoo.com)

Technical Safety Note / November 2008