Formal Safety Assessment

Formal Safety Assessment Services

HSE Design and Safety Case

What is Design/Operation Safety HSE Case?

The HSE Case serves as the official document for managing Major Risks at Upstream facilities, both offshore installations and onshore production wells. Its content is based on the United Kingdom’s Offshore Installations (Offshore Safety Directive) (Safety Case etc.) Regulations 2015.

Why do Design/Operation Safety HSE Case?

The HSE Case aims to:

  • Demonstrate, in relation to the subject site or facility, that all Major Accident Hazards (MAH) have been identified in the Hazards and Effects Register and that suitable control, mitigation and recovery measures are provided and implemented. It also demonstrates that operation can be achieved within the quantitative criteria for risk tolerability, and that risk exposure is within tolerability limits and has been reduced to ALARP.
  • Demonstrate that those activities directly related to the control of MAHs have been identified and that management systems are in place to ensure timely execution of those activities.
  • Demonstrate that Emergency Response Plans (on-site and off-site where necessary) in relation to Major Accident Hazards have been prepared based on credible emergency scenarios, with the necessary stakeholder consultation.

An HSE Case is a living document that considers the full lifecycle of the project, facilities and operations. As indicated in the figure below, it must address the safety impacts in each of the life cycle phases, i.e. project conception, design, tender, construction, commissioning, operation, decommissioning and site restoration.


Typical Operation/Design HSE Case Structure


Bow-Tie Assessment

The bowtie is a model that represents how a hazard can be realised (the threats), how it can escalate to its associated consequences, and how both sides are controlled. The purpose of the bowtie analysis is to identify the prevention and recovery barriers for the facility hazards and to ensure that they are adequate. For each MAH associated with a facility, a bowtie diagram shall be developed and presented in the HSE Case.

Matrix of Permitted Operations (MOPO) and Simultaneous Operations (SIMOPS)

The MOPO and SIMOPS are tools designed to assist Supervisors and Line Managers during the planning and co-ordination of operations and activities. They provide information on the operating envelope and safe operating limits of each operation or activity, and on the actions to be taken if or when situations arise that could compromise the safe operation of the asset.

Mitigating / Recovery / ALARP Measures

If the assessed risk and its ranking fall into the unacceptable region, risk reduction measures must be implemented to bring the risk down to a tolerable or ALARP level. All physically available risk reduction measures must be identified, which may include new measures or improved versions of measures that have already been installed or implemented.

As a basis for ALARP decision making, i.e. to determine which risk reduction measures are ‘reasonably practicable’, the Risk Related Decision Framework indicated in the figure below and its associated guidance may be applied in combination with the test of ‘gross disproportion’.

Critical Activity Task List

The Critical Activity Task List is a comprehensive catalogue containing the following information, which is critical to the ongoing management of MAH control and recovery barrier integrity:

  • The list of control and recovery barriers, which may be in the form of hardware or procedures. The hardware barriers are also known as the Safety Critical Elements (SCE).
  • The HSE Critical Activities, which are the activities, including tasks, that ensure the barriers function properly to prevent the top event and its associated consequences.

Quantitative Risk Assessment (QRA)

What is QRA?

Quantitative Risk Assessment (QRA) is a structured approach to identifying and understanding the risks associated with hazardous activities such as the operation of an industrial plant.

The assessment starts by taking inventory of potential hazards, their likelihood, and consequences. The quantified risks are then assessed by comparison against defined criteria.

Quantitative Risk Assessment (QRA) provides valuable insights into the features of the industrial plant, highlighting those aspects where failures may result in harm to operators, members of the public, the environment and/or the asset itself. QRA provides a basis for decision-making in the design and operation of the plant, and may also be required to legally show ‘fitness to operate’.

Why do QRA?

QRA provides input on safety issues during the design, operation and regulation of hazardous activities.

In addition, QRA provides a rational basis for monitoring risks and gives specific decision-making guidance. It can:

  • Act as a decision aid on whether the risks need to be reduced
  • Propose targets for risk reduction measures
  • Provide the design basis for fire and blast protection as well as emergency planning and training
  • Aid in the selection of the most appropriate design concept
  • Find the most cost-effective ways to reduce risk
  • Assist with As Low As Reasonably Practicable (ALARP) demonstrations
  • Identify safety-critical procedures and equipment

Fire and explosion hazard assessment (FERA)

What is FERA?

Fire and explosion hazard assessment is the process of conducting hazard assessments and ensuring all ignition and fuel sources are identified at or adjacent to the proposed work site or industrial process.

FERA involves quantification of the probability of accidental fire and explosion events, their consequences, and the fire and explosion hazards they pose to the safety critical elements (SCEs). The effects of accidental fires and explosions can be catastrophic in terms of property and environmental damage, loss of business continuity, injuries, or even loss of life.

Why do FERA?

The FERA aims to:

  • Identify fire and explosion hazards on facilities.
  • Quantify fire and explosion risks arising from loss of containment.
  • Determine key fire and explosion risk contributors.
  • Determine the escalation potential of fire and explosion events to the identified sensitive receptors in a facility.
  • Assess the benefit of existing inherently safe prevention, detection, control and mitigation measures for identified fire and explosion scenarios.
  • Recommend risk reduction measures where necessary to ensure that the fire and explosion risks are controlled within acceptable limits.

Example: Jet Fire Radiation Contour Impact towards an Onshore Facility


FERA Preparation

The following documents are required for FERA preparation:

  • PFD and P&IDs
  • Heat and Material Balance
  • Design Basis Memorandum
  • Process Design Basis
  • Equipment Layout/ Plot Plan
  • 3D Model
  • Existing Operation HSE Case

Standards & Regulations

  • OGP Risk Assessment Data Directory.
  • CMPT, “A Guide to Quantitative Risk Assessment for Offshore Installations”, John Spouge of DNV Technica, 1999.
  • Offshore Standard DNV-OS-A101, April 2011.
  • UKOOA IP Research Report for Ignition Probability Review, Model Development and Look-Up Correlations, January 2006.
  • Offshore and Onshore Reliability Data Handbook, 6th Edition, 2015.
  • SINTEF 2011, “Blowout and Well Release Characteristics and Frequencies, 2011”, Report No. SINTEF F21297.
  • CPR14E, TNO Yellow Book, Methods for the Calculation of Physical Effects due to Release of Hazardous Materials (Liquids and Gases), 1997.
  • UK HSE Technical Background Note on Assessment of Fire, Blast Barriers, Escape Routes and TRs.
  • Control of Industrial Major Accident Hazards (CIMAH) Document.
  • COMPANY’S Standards/ Guidelines.



Escape, Evacuation and Rescue Assessment (EERA)

What is EERA?

Emergency Escape, Evacuation and Rescue (EER) facilities are essential for the egress and escape of personnel on board (POB) from an offshore installation in the event of a Major Accident Event (MAE). Therefore, it is crucial to ensure that the EER facilities are adequate, safe, and capable of protecting POB as intended during the EER process.

Escape, Evacuation and Rescue Analysis (EERA) is one of the Formal Safety Assessments (FSA); it evaluates the adequacy and performance of the escape, evacuation and rescue facilities. It is undertaken in conjunction with Consequence Analysis, ESSA and TRIA. EERA consists of a structured review of the escape, evacuation and rescue facilities and procedures under various MAE scenarios. For EERA to be effective, there should be a clear connection between the representative scenarios used and the conditions that might occur following a hazardous event.

Through EERA, we identify any shortcomings in the emergency response arrangements and suggest improvements to the EER systems for consideration. It is also very important to set up proper strategies and implement additional measures based on the EERA throughout the offshore asset life cycle.

Generic EER Stages

Why do EERA?

The objectives of EERA are as follows:

  • To evaluate the adequacy of the Escape, Evacuation and Rescue (EER) provisions.
  • To evaluate whether the EER facilities are reasonably protected from the impacts of MAEs, and practicable measures are in place to ensure the safe means of escape, evacuation, and rescue of personnel from all areas of the installation in the event of emergency.
  • To assess whether personnel can safely escape and evacuate before the MAE escalates and poses significant risk to the overall integrity of the installation resulting in further fatalities.
  • To recommend any additional requirements in the EER systems to establish a safe and effective means of evacuation, escape and rescue.


A typical EERA methodology is as follows:

  1. Identify and describe the details of EER facilities
  2. Define the EER goals
  3. Identify MAEs which may impair EER facilities
  4. Evaluate the impact of MAEs on the EER goals and facilities
  5. Calculate evacuation time and assess its suitability against EER design
  6. Provide findings and recommendations to improve EER
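As an added illustration of steps 4 and 5 above (this is example code written for this page, not part of the original page or any consultancy's method), the following Python script checks a generic evacuation timeline against the escape-route and TR impairment times of each MAE scenario and lists which EER goals fall short. All stage durations, impairment times and the 60-minute TR endurance are constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed example values: hypothetical figures for illustration only,
# not data from any real installation or from the page.
TR_ENDURANCE_MIN = 60.0  # assumed TR design endurance in minutes

@dataclass
class EvacuationStages:
    """Minutes for each stage of a generic EER sequence (assumed values)."""
    alarm: float        # release detected and general alarm raised
    muster: float       # all POB reach the Temporary Refuge (TR)
    decision: float     # decision to evacuate taken in the TR
    embarkation: float  # POB board lifeboats and launch
    def time_to_tr(self) -> float:
        return self.alarm + self.muster
    def total(self) -> float:
        return self.time_to_tr() + self.decision + self.embarkation

@dataclass
class MAEScenario:
    """Impairment times (minutes) taken from the consequence analysis / TRIA."""
    name: str
    route_impairment: float  # primary escape routes impaired after this time
    tr_impairment: float     # TR no longer habitable after this time

def assess_scenario(stages, scenario, tr_endurance, margin=0.0):
    """Check the three EER goals for one MAE; margin adds a safety allowance (minutes)."""
    checks = {
        "muster_before_route_impairment": stages.time_to_tr() + margin <= scenario.route_impairment,
        "evacuation_before_tr_impairment": stages.total() + margin <= scenario.tr_impairment,
        "tr_meets_endurance": scenario.tr_impairment >= tr_endurance,
    }
    checks["adequate"] = all(checks.values())
    return checks

def shortfalls(results):
    """Map each inadequate scenario to the EER goals it fails (basis for recommendations)."""
    return {name: sorted(k for k, ok in r.items() if k != "adequate" and not ok)
            for name, r in results.items() if not r["adequate"]}

EXAMPLE_STAGES = EvacuationStages(alarm=2, muster=10, decision=5, embarkation=15)
EXAMPLE_SCENARIOS = [
    MAEScenario("Jet fire in process area", route_impairment=20, tr_impairment=90),
    MAEScenario("Riser fire", route_impairment=8, tr_impairment=45),
    MAEScenario("Smoke ingress to TR", route_impairment=30, tr_impairment=25),
]

def assess_all(stages=EXAMPLE_STAGES, scenarios=EXAMPLE_SCENARIOS, tr_endurance=TR_ENDURANCE_MIN):
    """Run the check for every MAE scenario and return the findings per scenario."""
    return {s.name: assess_scenario(stages, s, tr_endurance) for s in scenarios}
```

Calling `shortfalls(assess_all())` returns, per inadequate scenario, the goals that fail; with the constructed values the riser fire impairs the escape routes before muster completes, and the smoke ingress case impairs the TR before embarkation is finished.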

Standards / References

  • DNV, Offshore Standard DNV-OS-A101 Safety Principles and Arrangements
  • International Maritime Organization (IMO), SOLAS Consolidated Edition 2009
  • Oil & Gas UK, Fire and Explosion Guidance, Issue 1, May 2007
  • United Kingdom (UK) Health and Safety Executive (HSE), Appendix 2 Technical Background Note – Title: The assessment of fire, blast barriers, escape routes and temporary refuges (TR).
  • PTS 18.54.10 Offshore Temporary Refuge
  • PTS 16.71.05 Physical Effects Modelling
  • PETRONAS Upstream Escape, Evacuation and Rescue Analysis (EERA) Procedure, WW ALL X X S 05 055 I
  • Centre for Marine and Petroleum Technology (CMPT), “A Guide to Quantitative Risk Assessment for Offshore Installations”, John Spouge of DNV Technica, 1999

Emergency System Survivability Analysis (ESSA)

What is ESSA?

Emergency System Survivability Analysis (ESSA) involves systematic review of the survivability of the platform’s main emergency systems against major accidental events. The following typical emergency systems will be evaluated:

Why Do ESSA?

Temporary Refuge Impairment Analysis (TRIA)

What is TRIA?

Temporary Refuge Impairment Analysis (TRIA) is used to assess the risk of impairment of the TR during a major accident event on an offshore installation. Impairment of a TR on an offshore installation can result from one of the Major Accident Events (MAEs): fire impairment of the TR support structure or TR boundary, smoke ingress impairment, gas ingress impairment, and explosion overpressure.

Why do TRIA?

Temporary Refuge Impairment Analysis (TRIA) aims to determine the ability of the Temporary Refuge (TR) to remain safe and habitable for the specified endurance time during Major Accident Events (MAEs).



Smoke and Gas Ingress Analysis (SGIA)

What is SGIA?

The purpose of the Smoke and Gas Ingress Analysis is to examine the hazardous occurrences highlighted in the HAZID that could hamper the escape and evacuation routes or the Temporary Refuge (TR), if applicable. Smoke or toxic gas engulfment, as well as catastrophic events that could result in the loss of the installation, can obstruct escape routes. The consequences of these threats are evaluated to determine what may obstruct the escape routes and TR, and the integrity of the escape routes is assessed using the relevant impairment criteria.

The following events will be covered:

  • Toxic release
  • Flash fire
  • Vapour cloud explosion
  • Jet fire
  • Pool fire
  • Boiling liquid expanding vapour explosion (BLEVE)
  • Toxic combustion products

Why do SGIA?

The Smoke and Gas Ingress Analysis (SGIA) assesses the ability of the critical areas of the facility to remain safe and habitable for the required endurance time during an emergency.



Dropped Object Study (DOS)

What is DOS?

The Dropped Object Study (DOS) is one of the Formal Safety Assessments (FSA) required to support the design of onshore and offshore facilities. It assesses the risk from falling objects and swinging-load impacts during lifting activities in industrial and oil & gas facilities. The study focuses on impacts to platforms, structures, process equipment and subsea pipelines.

Why do DOS?

DOS aims to:

  • Identify areas on the facilities that are vulnerable to damage from dropped objects during lifting activities
  • Identify the causes, consequences and impacts of the event
  • Specify the requirements for engineering and operational safeguards to control the risk

Safety Critical Elements & Performance Standards (SCE&PS)

What is SCE&PS?

After a successful Safety Assessment of a design, the facility has a set of systems in place to keep all operations in balance (production, safety, comfort and other features of the workplace). Some of these systems can be identified as critical to the safety of personnel and the surrounding area (public and environment); this identification can be done in a few ways, such as a Bow-Tie Study or the Hazards and Effects Register (HER).

The safety critical elements are those components of a system or facility whose failure could cause or contribute to a serious accident (a Major Accident Hazard, MAH), or which prevent, stop the escalation of, or aid in the recovery from such an event.

The development of performance standards for the identified SCEs is critical. SCE life cycle management entails aligning maintenance, inspection, and testing, as well as performance history, in order to keep SCE in good operating order. Continuous monitoring aids in SCE compliance with Performance Standards. The Performance Standard is a statement of the performance required of a system, item of equipment or computer program, expressed in qualitative or quantitative terms, which is used as the basis for integrity assurance throughout the asset lifecycle.


Why do SCE&PS?

SCE&PS aims to:

  • Identify the systems and elements of the facility
  • Review the list of Major Accident Events (MAE), developed in the HAZID Study and Major Accident Events List, and identify the systems associated with each MAE
  • Determine the criticality of each system by analysing whether its failure may result in an MAE or contribute significantly to one. Any system assessed to be safety critical on this basis is also regarded as safety critical for reasons of integrity, meaning that if the integrity of the system is maintained, the MAE cannot occur.
  • Assess whether any system found not to be safety critical in the previous step prevents or limits the impacts of an MAE. Any system or equipment component assessed to be safety critical on this basis, for the purposes of control and mitigation as an emergency response to an MAE, is also regarded as safety critical.