Barrier Integrity Report For Gas Terminals - 083233 PDF

Barrier Integrity Report
Gas Terminals
Barrier Integrity Report – Gas Terminals
Document information
Author: DNV and Gassco
Verifier: Jens Eldøy, Gassco

Olav Rasmussen, Gassco
Approver: Trond Nordal, Gassco
Comments:
This document has been electronically signed, hence it contains no signature(s).
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -2-

Table of Contents
Preface ..................................................................................................... 5
1 Introduction ......................................................................................... 6
2 The Gas Terminals ................................................................................ 7
2.1 Europipe Receiving Facilities – Dornum ............................................ 10
2.2 Europipe Metering Station – Emden ................................................. 10
2.3 Norsea Gas Terminal ..................................................................... 11
2.4 Zeepipe Terminal .......................................................................... 11
2.5 Dunkerque Terminal ...................................................................... 12
2.6 Langeled Receiving Facilities - Easington .......................................... 13
2.7 St. Fergus Terminal ....................................................................... 13
3 Understanding Barriers ........................................................................ 15
3.1 Barrier identification and illustration models ..................................... 16
3.1.1 The Swiss Cheese Model ........................................................... 16
3.1.2 The Bow Tie methodology ......................................................... 17
3.1.3 Risk reduction “As Low As Reasonably Practicable” ALARP............. 19
3.2 Relevant governmental requirements............................................... 20
3.2.1 German regulations ................................................................. 20
3.2.2 Belgian regulations .................................................................. 20
3.2.3 French regulations ................................................................... 20
3.2.4 UK regulations......................................................................... 21
3.2.5 Norwegian regulations .............................................................. 21
3.3 Examples of major accidents .......................................................... 23
3.3.1 Texas City .............................................................................. 23
3.3.2 Humber Oil ............................................................................. 24
3.3.3 Ghislengien pipeline accident .................................................... 26
3.3.4 Commonalities between major accidents .................................... 27
4 The barriers and their interfaces ........................................................... 28
4.1 Interface between technical barriers ................................................ 29
5 Description of relevant safety barriers ................................................... 33
5.1 Layout and Arrangement ................................................................ 35
5.2 Containment ................................................................................. 37
5.3 Natural Ventilation and HVAC ......................................................... 39
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -3-

5.4 Gas Detection ............................................................................... 41

5.5 Emergency Shutdown (ESD) ........................................................... 43
5.6 Open Drain ................................................................................... 45
5.7 Ignition Source Control .................................................................. 46
5.8 Fire Detection ............................................................................... 48
5.9 Blowdown and Flare/Vent System ................................................... 51
5.10 Active Fire Protection .................................................................. 53
5.11 Passive Fire Protection ................................................................ 56
5.12 Emergency Power and Lighting..................................................... 58
5.13 Process Safety ........................................................................... 60
5.14 Alarm and Communication System for use in Emergency Situations .. 63
5.15 Escape, Evacuation and Rescue (EER) ........................................... 65
5.16 Human Machine Interface (HMI) ................................................... 67
5.17 Pipeline Protection System........................................................... 70
6 Assurance of barrier integrity ............................................................... 72
6.1 Maintaining the overview - Monitoring and control ............................. 73
6.2 Risk management ......................................................................... 75
6.3 Performance Management in Gassco ................................................ 77
6.4 Barrier Integrity Review ................................................................. 81
6.4.1 Safety Performance Standard .................................................... 82
6.5 Maintenance management.............................................................. 83
6.6 Organisational barrier elements - an example ................................... 86
6.7 Compliance to processes and procedures ......................................... 87
Appendix A: Acronyms and abbreviations .................................................... 88
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -4-

Preface
Safe operations of the gas terminals are a primary concern for all parties
involved in the gas business. Design of terminal facilities employ authority
regulations, industry standards and company best practices which provide for
safe plants. However, operating and maintaining the technical integrity remain a
continuous concern throughout the life time of the terminals.
Several barriers are provided for, to maintain acceptable risk exposure. In a

broad perspective, these barriers embrace technical, human and organizational
elements working together. Our primary goal is to maintain these barriers and
monitor performance to manage the risk.
In addition to a relative large containment of gas in the facilities, our terminals

interface substantial inventory in the subsea pipelines. Robust interface systems,
targeted procedures and clear communication are basic elements to avoid
hazardous operations.
This document is established, to communicate a description of the safety

systems and barriers involved, how they are operated, tested and maintained,
how the integrity status is systemised and reported and how non-conformities
are handled.
This is a reference book targeting personnel involved in the gas business, to

enhance the knowledge of the various measures providing for safe operations of
the terminals operated by Gassco, together with Total as Technical Services
Provider in St. Fergus.
This document has been developed in a common effort by several contributors. I

would like to acknowledge DNV and our terminal organizations for their skilled
contribution and Gassco project leaders Jens Eldøy and Olav Rasmussen for their
firm supervision and organization of the work.
Dr. Svein Birger Thaule

Executive Vice President Asset Management
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -5-

1 Introduction
Gassco is the operator of the integrated gas transport system from the
Norwegian Continental Shelf (NCS) to other European countries. Gas is exported
through a transport network including approximately 8,000 km of pipeline to
receiving terminals located in UK, Belgium, France and Germany. Large volumes
of natural gas are continuously transported to the receiving terminals.
The highly flammable hydrocarbon gas has the potential to cause major
accidents, and the gas terminals are therefore equipped with a number of safety
systems, referred to as ‘safety barriers’. These barriers contribute to safe
operation, and reduce the risk of hazardous events escalating into major
accidents. If the safety systems experience reduced performance, fail, or are
disabled, hazardous events may occur and escalate. The event may then result
in severe consequences, such as injuries or loss of lives, environmental damage
and financial losses. It may also harm the company’s reputation.
This Barrier Integrity Report describes the technical safety barriers in use on the
terminals receiving gas through Gassco’s transport network. Further, the actions
taken to ensure that these barriers are in place and functional are described. It
should be noted that this is not a Gassco governing document, but is written with
the intention of making knowledge about the safety barriers easily accessible to
the reader.
The Barrier Integrity Report is primarily intended for people seeking general
knowledge about the safety barriers currently used on the receiving terminals.
The objective is to give an overview of relevant safety barriers, therefore the
document does not go into detail when describing the barriers and the
description of the barriers’ performance requirements is not exhaustive.
In order to provide the reader with a robust understanding of relevant issues

related to major accidents for the transport network, the Barrier Integrity Report
comprises a short description of the terminals in question (Chapter 2). This is
followed by a description of the barrier concept (Chapter 3), which is vital in the
work to prevent major accidents. An overview of the relevant barriers is given,
along with a description of how the barriers interact (Chapter 4). A short
description of each barrier, including some selected performance requirements, is
presented (chapter 5), before the final chapter describes how the barrier
integrity is maintained (Chapter 6). A list of acronyms is included at the end of
the document.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -6-

2 The Gas Terminals

Gassco is the operator of the Norwegian Transport Network for gas, and is
responsible for the safe and effective transport of gas from the NCS. The gas is
transported from the production sites to processing facilities onshore, such as
Kårstø and Kollsnes, and refined products are transported to consumers in the
UK and continental Europe.
Rich gas, a mix of dry gas (methane) and wet gas (ethane, propane and butane),
is transported through pipelines to processing facilities on shore. After processing
the wet gas is transported by ships, while the dry gas is transported through
pipelines to receiving terminals. In 2011 Gassco exported a total gas volume of
94.2 billion Sm3; the largest amount exported during one 24 hour period was
360.8 million Sm3.
An overview of the transport network from the NCS, including installations and
terminals, is given in Figure ‎2-1. The receiving terminals that are currently part
of this network are Europipe Metering Station (EMS), Norsea Gas Terminal (NGT)
- Emden, Europipe Receiving Facilities (ERF) – Dornum, Zeepipe Terminal (ZPT),
Dunkerque Terminal (DT), Langeled Receiving Facilities (LRF) - Easington and St.
Fergus (VRF).
At all these terminals, except for the Vesterled Receiving Facility (VRF) in St.
Fergus, Gassco is responsible for the daily operation and maintenance. Total UK
is technical service provider (TSP) for the terminal in St. Fergus. Companies
serving as technical service providers (TSPs) on Gassco’s behalf are responsible
for the daily operation and maintenance. However, Gassco retains overall
responsibility for ensuring a safe and efficient operation.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -7-

Figure ‎2-1: Overview of the transport network and the gas terminals described in this
document (red circles).
A simplified illustration of the process scheme at the gas terminals is given in

Figure ‎2-2. The example describes the process at Dunkerque, but the process
utilized at the other gas terminals mainly consists of the same elements as the
one illustrated here. In the process units the gas is filtered and the pressure is
reduced. The gas is heated prior to the pressure reduction, in order to meet the
temperature requirements set for the customer’s grid. Finally the gas is metered,
before it is delivered into the downstream operator’s grid.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -8-

Figure ‎2-2: Simplified process scheme for the Dunkerque Terminal. The box labelled PRF
illustrates the Pig Receiving Facility.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -9-

2.1 Europipe Receiving Facilities – Dornum

The Europipe Receiving Facilities (ERF) are located at Dornum on the north
German coast. The terminal receives Norwegian gas from the Europipe I (EPI)
pipeline which originates from the Draupner-E hub, and from the Europipe II
(EPII) pipeline, which originates from the Kårstø gas terminal. The facility was
developed in two phases; the EPI facilities have been in operation since 1995 and
the EPII facilities since 1999. The facility is located approximately five km
southwest of the landfall.
Gas delivered to the ERF is conditioned for supply to gas markets in Europe. In
this respect the pressure is reduced, the gas is heated up, and, if necessary,
residual water, liquids and solids are removed. Gas designated for the Netra
(Norddeutsche Erdgas Transversale) transportation system is metered and
transferred at the ERF. The remaining gas is routed to the Europipe Metering
Station (EMS) located at Emden where it is metered and transferred to three
downstream operators.
Figure ‎2-3: The Europipe receiving facilities (ERF).
The process facilities require a number of support utilities, most notably the
water-glycol heating medium, fuel gas and venting.
The ERF, EMS and adjacent Norsea Gas Terminal (NGT) make up the German
receiving terminals and are important strategic exit points for gas from the
Norwegian Continental Shelf, with the Gassled shippers currently shipping up to
161 MSm³/d of gas through them.
2.2 Europipe Metering Station – Emden

The Europipe metering station (EMS) at Emden checks gas quality and meters
the volume before transferring it to the downstream transport operators. The
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -10-

EMS is remotely-operated from the control room at the Europipe receiving

facilities (ERF), 48 km away.
Figure ‎2-4: The NGT and the Europipe metering station (EMS).
2.3 Norsea Gas Terminal

The Norsea Gas Terminal (NGT) is located in Emden, and receives gas from
Norpipe. Day to day operations of this terminal was assumed by Gassco as of
July 2007. At this terminal gas pressure and temperature are regulated before it
passes through a treatment plant to remove hydrogen sulphide. The NGT is the
only Gassco operated terminal that has H2S removal on site. After metering and
quality control the gas is delivered to the transport operators downstream of the
terminal. The current plant will be replaced by a new one, with final tie-in in
2016.
2.4 Zeepipe Terminal

The Zeepipe Terminal (ZPT) is located in the port area of Zeebrugge in Belgium,
about five km from the landfall. ZPT has been in operation since 1993, and is
owned 51% by Fluxys and 49% by Gassled. The terminal is in close proximity to
gas markets in Europe and is linked by a 40 inch pipeline to the landfall site. The
terminal receives gas from the Zeepipe Pipeline System which originally comes
from primary suppliers such as Sleipner East, Sleipner West and Troll.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -11-

Figure ‎2-5: Zeepipe Terminal (ZPT).
The ZPT removes possible residual liquids and solids, and regulates gas pressure
and temperature. In addition, the facility meters volume and checks quality
before the gas continues to the transport operator downstream of the terminal,
which is the Belgian Transmission System Operator ‘Fluxys’. To support the
process facilities a number of utilities are required, most notably the water/glycol
heating system, fuel gas and venting.
The Zeepipe terminal also remotely operates the Dunkerque Terminal in France.
2.5 Dunkerque Terminal
The Dunkerque Terminal (DT) is located in the Dunkerque Port Ouest (West)
area. The DT was completed in the summer of 1998, and delivery of natural gas
via Franpipe to Dunkerque commenced in October 1998. Gassco operate the
facility on behalf of ”Dunkerque Terminal DA” which is owned 35% by GDF-Suez
and 65% by Gassled. The terminal receives Norwegian gas via the Franpipe
pipeline which originates from the Draupner-E hub. The DT is located
approximately 3.5 km south of the landfall.
Figure ‎2-6: The Dunkerque Terminal.
DT is remotely operated from the Zeepipe Terminal, but it is also possible to

operate the terminal locally from Dunkerque as a “standalone unit”. The function
of the terminal is to receive gas with dry gas specifications, remove possible
residual liquids and solids, and perform flow, pressure and temperature control,
as well as fiscal metering.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -12-

The natural gas that is processed in the terminal is routed via the Draupner hub,
which is located on the NCS. The design throughput at Dunkerque, with an
arrival pressure and temperature of 78 barg and -0.5°C, is 50 MSm³/d.
2.6 Langeled Receiving Facilities - Easington
The Langeled Receiving Facilities (LRF) are located in East Yorkshire, 30 km east
of the city of Kingston-Upon-Hull. LRF became operational on 1 June 2006. The
facility was previously operated by Centrica who were the TSP on behalf of
Gassco. As of 1 October 2011, day to day operations were assumed by Gassco
UK. The LRF terminal receives gas from the Langeled Pipeline and conditions it
prior to distribution into the UK National Transportation System (NTS).
Gas from the Langeled Pipeline, originating from the Sleipner East hub, arrives at
the LRF inlet facilities from a buried 44” sea pipeline that is reduced to 42” where
the pipeline reaches landfall, upstream of the LRF inlet facilities. After arriving at
the terminal, the gas is regulated to the correct pressure and temperature before
being passed to the downstream transport operator. The current design
throughput at the LRF, with an arrival pressure of 73 barg, is 784 MSm³/d of dry
gas.
Figure ‎2-7: The Langeled Receiving Facilities.
2.7 St. Fergus Terminal
The St. Fergus gas processing plant, which became operational in 1977, is
located 60 km north of Aberdeen. There are 4 separate terminals within the St
Fergus complex, with 4 different operators (National Grid, Shell, apache and
Total). Total is operating as the Technical Service Provider for Vesterled
Receiving Facilities Phase 2 on behalf of Gassco. Phase 2 is an integrated part of
the St Fergus terminal operated by Total. Dry gas is received via the 32”
Vesterled pipeline.
The Norwegian (Vesterled) pipeline is supplied with dew pointed and dehydrated
gas from the Heimdal riser platform located in the Norwegian sector of the North
Sea. The gas is currently conditioned for pressure and temperature at St. Fergus
prior to distribution into the UK National Transportation System (NTS) via the
neighbouring National Grid compression facilities.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -13-

The gas currently received through Vesterled is lean and dry as it is dew pointed
and dehydrated offshore. Consequently, certain Phase II facilities are rarely used
or entirely bypassed. The current capacity of Phase II is considered to be
39 MSm³/d.
Figure ‎2-8: The St. Fergus gas processing plant.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -14-

3 Understanding Barriers
There are several definitions of what a barrier is related to the risk of major
accidents. The meaning of the concept depends on the context, but generally a
barrier can be described as a measure to prevent, mitigate or stop a chain of
events. According to the Norwegian Petroleum Safety Authority (PSA) the
following definitions applies:
Barrier: Technical, operational and/or organisational elements that

individually or together shall prevent a concrete chain of events from occurring,
or influence the events in an intended direction by limiting damages and/or
losses.
Barrier function: The task or role of the barrier. Examples of barrier functions
are to:
 prevent leakage,
 prevent ignition,
 reduce fire loads, and
 secure safe evacuation.
Barrier element: Technical, operational or organisational efforts or solutions

that take part in the realization of the barrier function.
The different measures that can constitute a barrier can be divided into three
types; physical/technical, organisational and human/operational elements.
Examples of physical barrier elements are safety valves and fire walls.
Established procedures on how given situations should be managed is an
example of an organisational barrier element, and how such procedures are
followed is an operational (human) barrier element.
Barrier function
Human‎/‎
Operational‎
Elements
Technical‎ Organisational‎
Elements Elements
Figure ‎3-1: The barrier elements illustrated as separate components within one barrier.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -15-

In relation to the management of major accident risk, barriers are used to

prevent the occurrence, and mitigate the consequences of, undesired events that
may potentially develop into major accidents.
Barriers may be preventive, meaning that the measures are intended to prevent
an undesired event from happening, or they can be consequence reducing. The
consequence reducing barriers are measures to mitigate or eliminate
consequences should the undesired event occur. An example of preventive
technical barrier elements is systems for containment, such as pipes and tanks.
These barriers shall prevent the uncontrolled discharge of hydrocarbons. Fire
detection systems and active fire protection systems are examples of
consequence reducing technical barrier elements in that they reduce the
consequences of a fire.
Normally, a technical barrier element is not able to fulfil an intended barrier

function independently. Technical barrier elements will work together with
organisational, operational and other technical barrier elements in order to fulfil a
barrier function.
People are involved in the design, construction, maintenance and operation of

technical systems and as such operational (human) barrier elements are an
important part of a complete risk management system. Operational barrier
elements comprise the manner in which tasks are performed; examples include
competence, communication and compliance with procedures.
The organisational barrier element reflects the structure of the company and the
strategies and approaches used to prevent major accidents. Examples of such
barrier elements are work processes, procedures, reporting lines and distribution
of responsibility.
In reality several technical, human and organisational barrier elements will often
operate in parallel, since elements of different barriers will be closely linked to
each other. For example, it is necessary to have competent personnel (human
barrier element), robust work processes and clear procedures (organisational
barrier element) in order to plan and execute maintenance work on the fire and
gas detection system (technical barrier element).
3.1 Barrier identification and illustration models

There are several methods that are based on the barrier concept. Over the years
a number of different methods for illustrating barriers by use of models and
diagrams have been developed. Barrier diagram methods have been particularly
popular in major accident risk management due to their ability to demonstrate
the complex relationships of how different barriers interact to ensure that major
accident risk levels are kept at acceptable levels. Barrier diagram methods also
illustrate where in a series of events a barrier is effective, and they can also be
used to illustrate the status of barrier integrity.
3.1.1 The Swiss Cheese Model
One of the most well-known and widely used barrier diagram risk models is the
Swiss Cheese Model, which is illustrated in Figure ‎3-2. In this model, the role of
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -16-

barriers as defences against major accidents is illustrated by slices of cheese.

Each slice of cheese represents a barrier. The holes in the cheese represent the
weaknesses inherent in the barriers, and the model is based on the theory that
no barrier is 100 % available and effective at all times. Considering this situation
it is preferable to have several independent barriers in series. Thus, if one barrier
does not interrupt an unwanted series of events, then the subsequent barriers
should. The model illustrates that the barrier system as a whole fails when holes
in each of the slices momentarily align, so that none of the barriers are able to
stop the initial hazard from developing into a major accident.
Figure ‎3-2 Illustration of the Swiss Cheese Model, with examples of what each of the
barriers may represent.
The Swiss Cheese Model implies that a hole or weakness in a barrier, such as gas
detection, can be generated by poor coverage of gas detectors, detectors being
out for service, or being overridden due to work on other systems. Thus, holes
can potentially develop in the barriers if the system is not designed with
consideration of all the relevant hazards. The reduction in efficiency can be
expressed as the number and size of holes in the barrier. Another example of a
scenario that can generate a hole in a barrier is the incorrect choice of an alarm
limit. If, for instance, a hydrocarbon point detector is set to activate the alarm at
50 % LEL (Lower Explosion Level), then the probability for successful detection of
smaller leaks will be reduced compared to if the limit had been set at 25 % LEL.
3.1.2 The Bow Tie methodology
The Bow Tie model is widely used in the oil and gas industry. The approach
clearly illustrates how hazards can lead to failure or undesired events. In a Bow
Tie diagram a so called ‘top event’ is defined and represents the starting point for
illustrating how proactive barriers are put in place to prevent its occurrence
(illustrated by the left side of the Bow Tie). Reactive barriers are used to mitigate
the consequences if the top event should occur (illustrated by the left-hand side
of the Bow Tie). A high level Bow Tie is depicted in Figure ‎3-3, which clearly
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -17-

illustrates why the barrier diagram is called a ‘bow tie’, making the intuitive
association to the piece of clothing.
Barriers to eliminate & prevent Barriers to control

causes of hazardous event consequences and effects
Cause HAZARD Consequence

1 1
Cause TOP Consequence

2 EVENT 2
Cause Consequence
3 3
Figure ‎3-3: High Level Bow Tie. The terms proactive and reactive are used when
referring to if the barrier comes into effect prior to or subsequent of a top event.
In the centre of the Bow Tie diagram is the top event. The top event is chosen
based on the hazards present in the scenario under consideration. A typical top
event for hydrocarbon production and transport is the release of hydrocarbons,
possibly followed by ignition. The Bow Tie is further built up by identifying
possible causes for such a top event and placing them to the left in the diagram,
with potential consequences similarly placed to the right. Then, for each of the
causes and consequences, all technical, operational or organisational barrier
elements implemented are placed into the Bow Tie according to what preventive
or mitigating effect they are intended to have.
Using the Bow Tie diagram the causal relationship in an imagined chain of events
is illustrated, and the model puts emphasis on clarifying the order in which the
different barriers come into effect. Similarly, as for the Swiss Cheese Model, the
weak points of the barriers can be compared to holes. A hole in the barrier is
generated by actions or conditions that reduce the integrity of the barrier. If
there are several aligned holes in the barriers, the initial causes may develop into
the top event which will lead to some or all of the consequences taking place.
During an in-depth study of a Bow Tie the actions and conditions that produce
weaknesses in the barriers are analysed so that measures can be taken in order
to prevent and control such conditions from taking place.
Using Bow Tie diagrams enhances the understanding of when, during a series of
events, a barrier is fit to take effect and what will happen if it does not function
as intended. The Bow Tie clarifies the order of which the different barriers come
into effect and the principle that if one barrier fails it is necessary to have
another barrier further to the right in the diagram in order to prevent the top
event from taking place, or to mitigate the consequences if the top event has
already been realised. In this way the Bow Tie illustrates the causal relationship
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -18-

in an imagined chain of events, illustrating the interconnected relationship

between hazard, top event, causes and consequences.
In theory this means that a single barrier is sufficient to prevent a major accident,
provided that it is available and intact when required. In reality, holes will form in
the barriers and therefore several independent barriers are implemented in
series in order to reduce the risk of a major accident occurring.
3.1.3 Risk reduction “As Low As Reasonably Practicable” ALARP

All barrier philosophies are founded on a pragmatic approach where no single
barrier can guarantee a perfect performance, i.e. always present and able to
perform its intended function. There will always be a need to assess how many
resources are required to invest in order to secure barrier performance. A
recognised approach for this type of problem is the ALARP-principle. The principle
states that the risk should be reduced to ALARP meaning ‘As Low As Reasonably
Practicable’. The concept originally stems from British law, where it is used to
declare that risk shall be avoided or prevented by implementing measures that
reduce risk, unless the resources required for implementing the measures are
disproportionate in comparison to the effect achieved.
Considering the entire range of possible risk, one end of the scale will be a risk
that is so high that it cannot be tolerated, thus risk reducing measures must be
implemented irrespective of cost. On the other end of the scale is a risk so low
that there is no need to reduce the risk further. Between these extremities there
is a grey area, the so-called ALARP region, where risk is tolerated if the cost of
reducing the risk exceeds the benefit. The principle implies a “reversed onus of
proof” where it is the risk owner (the one generating the risk and thereby being
the one required to reduce it) who has to demonstrate why a measure may not
be implemented. The consequence of this is that a measure shall be
implemented unless an unreasonable cost-benefit ratio can be documented.
Figure ‎3-4 : The ALARP principle.
Viewed in a barrier perspective, the ALARP principle implies that all reasonable
measures to ensure a robust barrier performance must be implemented. Robust
performance related to the barrier models implies that holes should be as few
and as small as practicable. To ensure control of the barrier status, a systematic
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -19-

and regular evaluation of barrier performance is required. If holes in the barriers

are discovered, in the form of discrepancies between the design and current
requirements, an ALARP assessment shall be the basis for a decision on whether
to initiate actions or not.
3.2 Relevant governmental requirements

The gas terminals in question are located in Germany, Belgium, France and the
UK. Each of these countries has their own regulations applicable to such facilities.
In addition to local governmental requirements Gassco has decided to apply the
Norwegian regulations related to barrier management at all their facilities. An
example of this is that the Gassco document Safety Performance Standard
(SPS), that apply to all Gassco operated terminals, is based on the PSA
regulations.
3.2.1 German regulations

In Germany national regulations applying to the onshore oil and gas industry is
presented in the Law on Fuel and Electricity Industries, in German called the
Energiewirtschaftsgesetz. The law aims at ensuring a safe, cost-effective,
consumer-friendly, efficient and environmentally-friendly supply of power and
gas as well as efficient and unrestricted competition and the safeguarding of an
effective and reliable operation of power grids.
According to the Energiewirtschaftsgesetz German facilities have to follow the

generally accepted rules of technology. These are given by the following:
 German Technical and Scientific Association for Gas and Water (Deutsche
Vereinigung des Gas- und Wasserfaches, DVGW)
 Ordinance on Industrial Safety and Health (Betriebssicherheitsverordnung)
 Federal Water Act (Wasserhaushaltsgesetz, WHG)
 Federal Immission Control Act (Bundes-Immissionsschutzgesetz)
 Association of German Engineers (Verein Deutscher Ingenieure, VDI)
 Association for Electrical, Electronic and Information Technologies
(Verband der Elektrotechnik Elektronik Informationstechnik, VDE)
 German Engineering Federation (Verband Deutscher Maschinen- und
Anlagenbau, VDMA)
 German Institute for Standardization (Deutsches Institut für Normung,
DIN)
 Technical Regulation (Technisches Regelwerk)
3.2.2 Belgian regulations

In Belgium, onshore gas facilities are subject to the VLAREM (Vlaams reglement
betreffende de milieuvergunning) regulations. These regulations apply to sites
that have the potential for causing an environmental impact or major accidents.
VLAREM regulations require that the overall safety and the safety of people are
ensured and that protection against environmental and other damage is in place.
VLAREM is regulated via the Flemish parliament and is fully implemented at the
Zeepipe terminal.
3.2.3 French regulations

In France, onshore facilities handling oil and gas are defined as "classified
installation for the environmental protection”. DREAL (Direction Régional de
l’Environment, de l’Aménagement et du Logement) is regulating authority for
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -20-

such facilities. When a site is classified in this manner, the site has to comply
with the various regulations and rules from DREAL to ensure that there is no
damage to installations, surroundings, people or the environment.
3.2.4 UK regulations
For onshore oil and gas production in the Great Britain, Health and Safety
Executive (HSE) and the Environment Agency form a single joint Competent
Authority. HSE is the national independent watchdog for work related health,
safety and illness. They are an independent regulator and act in the public’s
interest to reduce work-related death and serious injury in workplaces across
Great Britain.
The Environment Agency is an executive non-departmental public body. The

principal aims of the Environment Agency are to protect and improve the
environment, and to promote sustainable development. The Environment Agency
presents a number of directives, including the Seveso II Directive. This directive
aims to prevent major accidents involving dangerous substances and limit the
consequences to people and the environment of any which do occur.
In the UK, Seveso II is implemented through the Control of Major Accident

Hazard Regulations (COMAH), 1999. The directive was amended in 2003 to
broaden its scope. The COMAH regulations apply to sites that have the potential
to cause major accidents that may harm people and seriously damage the
environment. COMAH is implemented by the Competent Authority jointly
consisting of the HSE and the Environment Agency (for England and Wales), or
the Scottish Environment Protection Agency (for Scotland).
3.2.5 Norwegian regulations

In Norway the Petroleum Safety Authority (PSA) is the regulatory authority for
technical and operational safety, including emergency preparedness, and for the
working environment. As of 1st of January 2011 a new revision of regulations
relating to Health, Safety, Environment (HSE) and risk control in the petroleum
activities came into force in Norway. The regulations of relevance for onshore
facilities are:
 The Framework Regulations (Regulations relating to health, safety and the
environment in the petroleum activities and at certain onshore facilities)
 The Management Regulation (Regulations relating to management in the
petroleum activities)
 The Technical and Operational Regulations.
The first two of the regulations listed above now apply both at offshore and on
onshore installations, with the purpose of securing a coherent and coordinated
regulation of the activities in the best possible way. The Technical and
Operational requirements are somewhat different offshore and onshore, as they
are adapted to the special needs for regulation depending on where they are
being conducted. The regulations apply to the actual onshore facility for
production and/or utilisation of petroleum and systems, installations and
activities integrated with the onshore facility, or activities that have a natural
connection to it.
These regulations explicitly require that a company’s major accident risk

management is based on a form of barrier risk management, as illustrated in the
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -21-

inserts below. By implementing a systematic approach founded on a barrier

philosophy throughout design and operation, the regulation requirements can be
fulfilled. However, this approach also needs to be followed up in procedures,
maintenance work, culture etc., in order to maintain the required condition.
The Management Regulations
§ 5. Barriers
Barriers shall be established that:
a) reduce the probability of failures and hazard and accident situations

developing
b) limit possible harm and disadvantages.
Where more than one barrier is necessary, there shall be sufficient

independence between barriers.
The operator or the party responsible for operation of an offshore or onshore

facility, shall stipulate the strategies and principles that form the basis for
design, use and maintenance of barriers, so that the barriers' function is
safeguarded throughout the offshore or onshore facility's life.
Personnel shall be aware of what barriers have been established and which
function they are intended to fulfil, as well as what performance
requirements have been defined in respect of the technical, operational or
organisational elements necessary for the individual barrier to be effective.
Personnel shall be aware of which barriers are not functioning or have been
impaired.
The responsible party shall implement the necessary measures to remedy or

compensate for missing or impaired barriers.
In the guidelines to the PSA regulations recognised standards are frequently

referred to as a way to fulfil the functional requirements in the regulation. Among
these standards are NORSOK and API (American Petroleum Institute), along with
international standards such as ISO, IEC and EN.
The NORSOK standards have been developed by the Norwegian petroleum

industry to ensure adequate safety, value adding and cost effectiveness for
petroleum industry developments and operations. The NORSOK standards are, as
far as possible, intended to replace oil company specifications and also to serve
as references in regulations prepared by authorities. The NORSOK standards are
normally based on recognised international standards, adding the provisions
deemed necessary to fill the broad needs of the Norwegian petroleum industry.
The International Organization for Standardization (ISO) is a worldwide

federation of national standard bodies, and it cooperates closely with the
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -22-

International Electrotechnical Commission (IEC). The EN standards are prepared

by the European Committee for Standardization. While using such international
standards, care must be taken to ensure compliance with national regulations.
3.3 Examples of major accidents

Despite both the established safety barrier philosophies described in Section ‎3.1,
and the national regulations and international standards described in Section ‎3.2,
major accidents still occur. In order to provide a clearer picture of what major
accidents are and how failures of safety barriers allow them to happen, some
relevant examples are described in this section.
Barriers are implemented in order to reduce the probability and potential

consequences of major accidents. It is only when several preventive or
consequence reducing barriers are weakened that major accidents can take
place. As a result of this major accidents seldom occur. Historically, about one
major accident takes place each year in the oil and gas industry worldwide.
However, the exact number of major accidents that have taken place is
uncertain, as it depends on how a major accident is defined. Many major
accidents receive massive attention from the media, and in some cases they lead
to an extensive change in regulations and attitudes of various interested parties.
In all cases major accidents will lead to improvements in the industry.
3.3.1 Texas City

The major accident that took place at
the Texas City refinery is among the Texas City Refinery
onshore accidents that have had the
greatest impact on risk management When: 23rd march 2005
within the industry, affecting both the
level of knowledge and the approach to Consequences: 15 fatalities, 185
handling major accident risks. injured
Due to the overfilling of a vented tank a Barrier failures: impaired safety

gas cloud formed as the liquid critical equipment, insufficient risk
vaporised. The gas cloud ignited, most
management, poor safety culture,
likely due to a vehicle, and 15 people
inadequate maintenance and
were killed by the following explosion
and fire. inspection procedures and
insufficient risk analyses.
The accident investigation identified a
high number of weaknesses in the safety barriers. Among these were impaired
safety critical equipment, insufficient risk management, poor safety culture,
inadequate maintenance and inspection procedures, and insufficient risk analyses.
The most important finding was that company management and the employees
were unaware of the important differences between occupational safety and
process safety. These are two markedly different aspects, each with separate
underlying mechanisms, and thus must be handled differently. Proficiency in
handling one type of safety risk is no guarantee for the proper handling of the
other.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -23-

Figure ‎3-5: Damage at the site after the Texas City accident.
3.3.2 Humber Oil

On April 16th 2001 a large explosion occurred on the Humber Oil Refinery in UK.
There were no fatalities, but two people were injured. The explosion caused
widespread damage to houses and businesses within a one kilometre radius of
the plant. In total 180 metric tonnes of flammable liquids and gases were
released during the incident along with just over half a tonne of the toxic gas
hydrogen sulphide. The owner of the refinery, ConocoPhillips, was investigated
and subsequently fined for failing to effectively monitor the degradation of the
refinery’s pipework.
The primary cause of the explosion was the erosion/corrosion of a pipe.
Examination showed that the elbow had failed owing to an erosion-corrosion
damage mechanism which, over time, had reduced the wall thickness at the
outside of the elbow to such an extent that the wall could no longer withstand
the internal pressure within.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -24-

Figure ‎3-6: Damage to the Saturate Gas Plant at the Humber oil refinery after the
explosion (ref. Public report of the fire and explosion at the ConocoPhillips Humber
refinery).
A number of factors contributed to the Humber Oil Refinery accident: The

inspection programme lacked necessary elements, such as proper
implementation of an effective system for the inspection of pipework and an
inspection database. Information from inspections were not adequately recorded
or communicated, and recommended further inspections were never carried out.
There was also inadequate maintenance of equipment, allowing severe corrosion
to take place.
There was a lack of communication

concerning changes in operation, so Humber Oil Refinery
that these were not communicated
outside plant operations personnel. When: 16th march 2005
Safety communication was found to
be largely top-down in nature with a Consequences: 2 injured
focus on instructions on personal
safety, rather than seeking to involve Barrier failures: insufficient
the workforce in preventing a major procedures, lack of structured
accident. Combined with a lack of inspection, inadequate maintenance,
training this led to lack of awareness poor communication, lack of training
of the risks present at the facility.
and weaknesses in the management
system.
An insufficient management system
was the main underlying cause of these factors. There was a lack of
management of pipework inspections, management of change policy and
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -25-

procedures and insufficient maintenance management. Weaknesses in the

management system thereby contributed to the accident.
3.3.3 Ghislengien pipeline accident

On July 30, 2004 a pipeline running from Zeebrugge to the French border
ruptured in Ghislenghien, Belgium. The pipeline was a major underground high-
pressure pipe carrying natural gas, and the accident resulted in 24 deaths and
more than 120 injuries. Most of the victims were police and fire fighters
responding to the reports of a gas leak. The overall costs were estimated at EUR
100 million.
Figure ‎3-7: The fire following the gas leak in Ghislenghien.
This pipeline passed under the car

park of a diamond-cutting factory Ghislenghien pipeline
where construction work recently had
taken place. Early indications When: 30th July 2004
suggested that the construction work
Consequences: 24 fatalities
was the cause of the accident.
According to available information, Barrier failures: Lack of response to
the pipeline was damaged by a power reported third party damage, lack of
shovel more than a month before the emergency response coordination
explosion. The incident was reported (delayed evacuation, not sufficient
but no action was taken. information about the risk of the gas
igniting).
Later, it was stated that previously
inflicted damage could have weakened the pipeline and led to the failure. An
initial leak through the pipeline wall may have caused significant cooling of the
surrounding pipe-wall, and thereby weakening the material strength. The
reduction in the fracture toughness combined with the accompanying pressure
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -26-

stresses is thought to have resulted in fracture growth and rupture of the

pipeline segment.
Left-side pipe General view of the crater Left-side, opposite

Figure ‎3-8: The picture in the middle shows the crater at the explosion site. To view
the left is
a closer picture of the pipe end on the left side of the crater. To the right this pipe end is
viewed from another angle.
3.3.4 Commonalities between major accidents

Common for the major accidents described here is that several barriers failed
and a multi-linear causal relation took place. This implies that some barriers had
been insufficient while others may not have been properly maintained.
Experiences from accidents have led to stricter and more extensive government
regulations. Another learning point is the importance of robust internal
management which includes prioritising funds aimed at maintaining a high safety
standard by means of surveillance, maintenance, modification and follow-up of
the safety barriers.
In the next chapter barriers designed to prevent major accidents at the Gassco
operated gas terminals are listed. The interaction between the barriers is also
described.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -27-

4 The barriers and their interfaces

This chapter gives a general overview of the barriers that are relevant for the gas
terminals in question, and describes the interfaces between the barriers. In the
following section all the relevant barriers are listed and each barrier is identified
as preventive or consequence reducing. As explained in Chapter 3.1.2, some
barrier functions are proactive, which means they have a preventive role and
influence on the chain of events prior to the top event. Other barrier functions
are reactive, meaning that they come into effect after the top event and have a
consequence reducing role. Some barriers will be both proactive and reactive,
and the role will also depend on how the top event is defined. Further details
about the technical elements of each barrier are given in Chapter 5.
Usually, several barriers will interact in order to prevent a major accident. The
barriers have interfaces towards other barriers, and the manner of which they
interact is often complex. Some barriers interact with each other through a
physical interface. This physical interface can be either in the form of input and
output of signals, or in the manner of one barrier functioning as a utility for
another one. This is illustrated by an example in Figure ‎4-1.
Systems the barrier is a utility for
ISC
Output from the barrier

BD, flare/vent
Input to the barrier
HMI
Gas Detection Process Safety
Barrier
Gas Detection
ESD System Alarm & Comm.
Fire Detection
HMI
HVAC
Em. Power & Lighting
Utilities for this barrier
Figure ‎4-1: Illustration of the interaction between the Emergency Shutdown system and
other safety barriers.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -28-

4.1 Interface between technical barriers

At the gas terminals there are different technical barriers in place to prevent
major accidents and to reduce the potential consequences of a major accident
should one occur.
During concept optimisation and design development of the technical barriers,

priority is given to the use of preventive measures/exposure barriers and
inherently safer design principles to reduce risks. A common principle is that
probability reducing measures is given priority over consequence reducing
measures.
The objectives with risk reduction principles and inherent safety design are to:
 Reduce potential hazards
 Reduce probability of hazardous events
 Reduce inventory and damage potential
 Strive for simplicity and reliability
 Escalation prevention
In particular, the separation by distance shall be implemented as a governing

principle when developing the layout and arrangement of new onshore plants.
The layout and arrangement will influence on all other safety systems at an
onshore plant and the design of such systems must be performed based on the
chosen layout.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -29-

Table ‎4-1 gives an overview of all the safety barriers that are currently (2012)
described in the Safety Performance Standards for Gassco. Also given is the
typical position of the safety barrier in a chain of event, when the top event is
defined as a gas leakage.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -30-

Table ‎4-1: List of technical barriers relevant for the gas terminals.
Safety Barrier Role of the safety barrier relative

to the top event
Layout and Arrangement Consequence reducing
Containment Preventive
Natural Ventilation and HVAC Consequence reducing
Gas detection Consequence reducing
Emergency Shutdown (ESD) Consequence reducing
Open Drain Preventive and consequence reducing
Ignition Source Control Consequence reducing
Fire Detection Consequence reducing
Blowdown and Flare / Vent System Preventive and consequence reducing
Active fire Protection Consequence reducing
Passive fire Protection Consequence reducing
Emergency Power and Lighting Consequence reducing
Process Safety Preventive and consequence reducing
Alarm and Communication System for use in Consequence reducing

Emergency Situations
Escape, Evacuation and Rescue (EER) Consequence reducing
Human Machine Interface (HMI) Preventive and consequence reducing
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -31-

The matrix in Figure ‎4-2, gives an illustration of the physical interfaces between
the barriers. Each x marks an interface between two barriers.
Escape, Evacuation and Rescue

Emergency Power and Lighting
Emergency Shut Down (ESD)
Natural Ventilation and HVAC
Human machine interface &

Blowdown and Flare / Vent
Alarm and Communication
Layout and Arrangement

Ignition Source Control
Passive fire Protection

Active fire Protection
Alarm management
T he X s indic a t e a phys ic a l int e rf a c e
be t we e n t he ba rrie rs
Process Safety
Fire Detection
Gas detection
Containment
Open Drain
System
System
(EER)
C ontainment x1 x x
Natural Ventilation and HVAC x x x x x x2 x x
Gas detection x x x x x3 x x x
Emergency Shut Down (ESD) x x x x4 x x x x x
Open Drain x x
Ignition Source C ontrol x x x x x
Fire Detection x x4 x x x x x
Blowdown and Flare / Vent
System
x x x x x x
Active fire Protection x1 x3 x x x5 x x x
Passive fire Protection x x x5 x
Emergency Power and Lighting x x x x x x x x x x
Process Safety x x x x x
Alarm and C ommunication
System
x x x x x x
Escape, Evacuation and Rescue
(EER)
x2 x x x x
Layout and Arrangement x x

Human machine interface &
Alarm management
x x x x x x x x x x
1
Physical Interface if the Active Fire Protection system is actively used for cooling of structures or
equipment during exposure to fire.
2
Physical Interface if HVAC is actively used to keep escape routes or certain rooms free from
gas/smoke.
3
Physical Interface if the Active Fire Protection system is used to mitigate explosions.
4
Physical Interface if there is automatic ESD/BD upon fire detection.
5
Physical Interface if the Active Fire Protection system is actively used for cooling of structures or
equipment during exposure to fire.
Figure ‎4-2: Physical interfaces between technical safety barriers on the gas terminals.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -32-

5 Description of relevant safety barriers

The technical elements of the previously listed safety barriers are further
described in this chapter. In addition the Pipeline Protection System (PPS) is
described, as this system is relevant not only for the pipelines, but also for the
adjoining onshore and offshore facilities. The text is based on documentation
describing Gassco’s safety design requirements for technical systems and
barriers for application on onshore gas terminals.
In the descriptions of each barrier the following standard outline will generally be
followed:
 Purpose
 System description
 Interfaces
 Selected Performance requirements
 Textboxes with illustrative facts concerning the gas terminals
The presented performance standards represent an extract of the generic

company specific requirements. They illustrate the type of requirements that are
defined for the technical barrier elements, and further supplementary information
about barrier requirements can be found in the document “Gassco Safety
Performance Standard” (SPS). This document is based on recognised
international standards and practices, and compliments applicable laws and
regulations in the country where the plant is located, as described in chapter ‎3.2.
The SPS contains company best practice and is intended as a “stretch target” for
barrier performance rather than a minimum safety level that needs to be
complied with at each site. For each of the barrier elements the textboxes
describe solutions that are in use at the terminals and, together with the pictures,
they aim to provide a better understanding of the safety barriers in use.
The oil and gas company “Total” is the TSP for St. Fergus and thus an alternative
company specific approach to handling major accident risks is therefore applied
at this terminal. A list of the relevant technical safety barrier elements for St.
Fergus is given in the following textbox:
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -33-

Safety barriers at St. Fergus as described in the COMAH report

At St. Fergus a number of safeguards and measures are identified that
prevent major accidents. These measures are grouped based on their
functionality into the following categories:
 Inherent safety
 Prevention
 Control
 Limitation
Design features that help ensure safety and reliability include a plant layout
utilising separation and segregation, hydrocarbon containment integrity,
design operating limits pressure and temperature, and utilities such as
emergency power. It also includes the following safety systems:
 Safety Control Systems
 Fire and Gas Systems
 ESD Systems
 Blowdown Systems
 Pressure Relief Systems
 Fire Protection System
 Passive Fire Protection
 Emergency Power and Lighting System
 Communications
 Hazardous Area Management and Ignition Prevention
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -34-

5.1 Layout and Arrangement

Purpose
The layout of an installation shall reduce the probability and the consequences of
accidents through location, separation and orientation of areas, equipment and
functions. This is achieved by minimising the accumulation and spread of
hazardous substances, as well as by reducing the probability of ignition. Further,
the layout shall minimise the risk of escalation and facilitate effective emergency
response, including escape, evacuation and treatment of injured personnel.
System description
The layout and arrangement comprises the location of areas, buildings, roads
and equipment. It includes considerations about process equipment, piping and
pipelines, including pipeline valves. Requirements regarding lifting of equipment
are also included, along with requirements concerning storage of explosives, and
fire and explosion design principles. The layout and arrangement also includes
security considerations. The separation by distance shall be implemented as a
governing principle when developing the layout and arrangement of a new
onshore plant.
Interfaces
The layout and arrangement interface with all of the safety systems/functions.
Performance requirements
The plant shall be divided into main areas;
 Office/administration
 Control room
 Normally manned workshop and storage buildings
 Normally not manned buildings (sub stations, equipment storage, analyser
house)
 Utility areas
 Process area
 Flare
Layout design principles at the gas terminals

At the gas terminals an important safety function is fulfilled by the separation
of different plant components into main areas. The distance between the
defined areas reduces probability of escalation of an event, and thereby
reduces the risk for personnel, environment and material assets. Due to the
availability of space, the use of explosion barriers is not necessarily required
at onshore facilities, as opposed to offshore facilities where they are normally
an important part of the design. At Zeebrugge and St. Fergus no explosion
barriers are used. However, the Main Building at Zeebrugge is blast proof and
at St. Fergus the buildings are designed to be explosion proof.
The performance requirements related to layout and arrangement includes

requirements to consider amongst others, the following aspects:
 Prevailing wind direction and the terrain, including slopes, hills and
vegetation to minimize the likelihood of a gas or liquid release or smoke
drifting or fire spreading towards the office/administration area,
workshop/storage areas and areas with third party activities.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -35-

 Possible events as earthquake, flooding, land slide, excessive rain,

lightening and public transport accidents etc.
 Main areas within the plant shall be separated by distance or, if not
possible, by use of physical barriers as fire and blast divisions.
 Possible areas for further expansions of the plant.
 Positioning of ignition sources such as flares and fired units (furnaces)
relative to process equipment and storage tanks that can be leak sources.
 Access to all main areas by vehicles for inspection/maintenance and access
in emergencies.
 Development of the layout in order to minimise the escalation potential of
fire and explosions.
 Routing of piping containing hydrocarbons or toxic fluids.
 Layout and arrangement of pipelines.
 Lifting zones and protected from dropped objects by physical barriers.
 Storage and handling of explosives and radioactive materials.
 Location of process equipment with respect to explosion design principles.
 Use of explosion panels and weather protection shields.
Figure ‎5-1: Sign at the Zeebrugge gas terminal informing about the required safety
equipment, alarm signals and location at the plant. The layout of the plant can be seen in
the top right corner.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -36-

5.2 Containment
Purpose
The purpose of the containment function is to prevent the release of
hydrocarbons, other flammable fluids, and/or harmful fluids (chemicals, toxic
gases, etc.).
System description
Containment is provided by all pressurised equipment, including:
 Piping, heat exchangers, columns
 Valves, pumps and compressors
 Landfall pipelines
 Flanges and welded connections
 Instrument connections and tubing
Interfaces
The containment function interfaces with the following safety systems/functions:
 Drain systems – reduces exposure to spills and mitigates escalation to
bordering areas.
 Active Fire Protection – mitigates fire in case of leakage.
 Passive Fire Protection – maintains integrity during exposure to fire.
 Layout and Arrangement – including explosion barriers, mitigates the
consequences of loss of containment.
 Process safety – pressure control.
Gas leaks at the Gassco gas terminals

In the period from 2004 to 2012 there have been no registered leaks with
higher leak rate than 0.1 kg/s and 14 leaks with a lower leak rate. This does
not include leaks at St. Fergus, NGT before 2008 or LRF before 2011.
With regard to leaks with rates below 0.1 kg/s, seven leaks have been
registered during the last five years (2007-2011). The number of leaks at
each facility is:
 Norsea Gas Terminal 1

 Europipe Metering Station 0
 Europipe Receiving Facilities 1
 Zeepipe Terminal 2
 Dunkerque Terminal 0
 St. Fergus 3
 Langeled Receiving Facilities (Easington): Not reported in Synergi
before 01.10.2011
Based on experience, both from Gassco and in the industry in general,

several measures have been implemented to avoid gas leaks. Examples of
such measures include the removal of thermo pockets, ensuring that valves
are in the correct position, and requirements concerning torque and
tightening procedures for bolted connections.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -37-

All piping, valves, connections, pumps, rotating machinery, instruments and

other components in the systems handling hydrocarbons, other flammable fluids
and/or harmful fluids (chemicals, toxic gases, etc.) shall be designed,
constructed, maintained and operated with the aim of ensuring that leaks do not
occur.
The use of flexible hose connections in processing systems should be minimised.
The number of flanged connections in systems containing hydrocarbon fluids

shall be kept to a minimum, e.g. by welded connections.
Flanges on the pipeline side of the ESD valve shall not be used. In the case it is
impossible to avoid instrument connections on the pipeline side of the ESD valve
special safety considerations shall be made.
Flanges in hydrocarbon piping to, or through, the utility area should be avoided
to ensure non-hazardous classifications. One flanged connection is permitted on
the fuel line to each combustion engine, turbines and fired units in the utility
area.
Figure ‎5-2: The picture shows the inlet cyclone separator on train 3 at LRF, and also
piping, flanges and other equipment that is used to maintain the containment function.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -38-

5.3 Natural Ventilation and HVAC

Purpose
Natural ventilation shall:
 Dilute and remove flammable gases and reduce the size of flammable gas
clouds.
 Dilute harmful concentrations of smoke or toxic gases.
 Ensure acceptable working and equipment environment.
Mechanical ventilation (HVAC) shall, with respect to accidental events:

 Provide pressurisation of rooms to prevent ingress of smoke or gas.
 Provide smoke ventilation for internal fire conditions.
 Ensure acceptable working and equipment environment.
 Dilute and remove concentrations of hydrocarbon gas, smoke and toxic
gases.
System description
The ventilation system consists of natural and mechanical ventilation. The
mechanical ventilation system consists of fans, ducts, dampers on intakes and
outlets, as well as control equipment. It is important that the ventilation design
is suitable for the hazard classification of the area in question.
Interfaces
The HVAC system has interfaces with the following safety systems/functions:
 Gas Detection – the ventilation affects the positioning of gas detectors; it
will also interact with the Gas Detection system indirectly through the ESD
system.
 Emergency Shutdown – to prevent modules and rooms from acting as
ignition sources during a gas leak.
 Ignition Source Control – acts as a barrier against the exposure of ignition
sources to gas leaks.
 Fire Detection – through active smoke control.
 Layout and Arrangement – through natural ventilation, which provide
continuous ventilation. Stagnant air and areas where gas can accumulate
must be avoided in the layout and design of explosion barriers.
 Emergency Power – in order to maintain mechanical ventilation in the case
of a power outage or during ESD situations.
Ventilation system at Ventilation system at St.

Zeebrugge Fergus
Mechanical ventilation is used in Mechanical ventilation is installed
analyser and instrument buildings, in the control room, metering
as well as in battery rooms (UPS). buildings and laboratories. No over
Fire dampers are installed in the pressuring of room is used.
main building and in all rooms Dampers are installed, but do not
with mechanical ventilation. fulfil a safety function.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -39-

Natural ventilation of hazardous areas is the preferred solution for onshore plants.
Natural ventilation in hazardous areas shall be as good as possible and shall as a

minimum provide an average ventilation rate of 12 AC/h for 95% of the time.
Stagnant zones must be avoided.
Figure ‎5-3: Natural ventilation is ensured by sufficient spacing and careful consideration
to avoid stagnant zones.
For mechanically ventilated hazardous areas a ventilation rate to ensure

minimum 12 AC/h shall be provided. The ventilation rate shall be provided
throughout the area to avoid stagnant zones. Ventilation shall be maintained,
and if practicable, increased, in the event of an internal gas leak.
The ventilation system should ensure high availability using redundant fans, e.g.
2x100% or 3x50% capacity, duty/standby.
Ventilation shall be maintained, and if practicable, increased, in the event of an

internal gas leak for such applications as turbine enclosures, battery rooms and
gas analyser houses.
In non-hazardous areas doors facing directly towards hazardous sources of

release should be avoided. Where such doors cannot be avoided, air locks shall
be provided.
For non-hazardous areas room pressure relative to surrounding classified areas

shall be presented in the CCR and uncritical alarm given at low overpressure (50
Pa). Alternatively, an alarm shall be given in the CCR upon indication of open
door(s).
All ventilation air inlets shall be located in non-hazardous areas, as far as

practicable away from possible hydrocarbon leakage sources and ensuring
compliance with established performance requirements for ignition source control.
Measures shall be taken to avoid the accumulation of ice, snow, etc.
Dampers shall provide quick, reliable and effective means to prevent

ingress/spreading of gas or smoke.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -40-

5.4 Gas Detection

Purpose
The Gas Detection System continuously monitors for the presence of flammable
or toxic gases. When gas is detected the system shall alert personnel and allow
control actions to be initiated manually or automatically so that the probability of
personnel exposure, explosion and fire is minimised.
System description
The gas detection system consists of the following elements:
 Gas detectors, of which some commonly used types are:
1. Point detectors.
2. Optical beam detectors – up to 40 meters distance between
sender/receiver.
3. Acoustic detectors.
 Signal transmission to the control system (by cables connected to the logic
solver(s)).
 Logic solver, programmed to initiate actions (alarms and activation of shut
down) according to where the gas is detected.
Line detectors cover open paths, while additional point detectors are strategically
placed to cover selected areas. Acoustic detectors detect leaks from a
pressurised gas system by registering the ultrasonic sound caused by leaking gas.
Figure ‎5-4: A gas detector in use on the Zeebrugge gas terminal.
Interfaces
The Gas Detection System has interfaces with the following safety
systems/functions:
 Natural Ventilation and HVAC – the Gas Detection System controls shut
down of the HVAC plant.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -41-

 Ignition Source Control (ISC) – input from the Gas Detection System
triggers the shutdown/disconnection of ignition sources in order to reduce
the probability of explosion/fire.
 Active Fire Protection – gas detection activates active fire fighting systems
which can be used to mitigate explosions.
 Alarm and Communication Systems - the gas detection system depends on
the PA and alarm system to alert personnel when gas or fire is detected.
 Emergency Power – provides power supply for gas detection systems
required to be in operation during or after a major hazard incident.
 Emergency Shutdown (ESD) – prevents the escalation of hazardous events
and limits the extent and duration of any such events.
The gas detection function shall provide reliable and fast detection of flammable
and toxic leaks before a gas cloud reaches a concentration and size which could
cause risk to personnel and plant.
Gas detection at Zeebrugge

At the gas terminal there are detectors for H2S, H2 and hydrocarbon gas. CO2
detectors will be installed during 2012.
As of mid-2012 work is on-going in order to achieve SIL 3 certification of the

entire fire & gas detection system. Existing detectors are being replaced,
mainly due to their age, and the number of detectors will be significantly
increased. The detectors include point detectors, open path detectors and one
acoustic detector for testing purposes.
The increased number of detectors ensures that the distance between

detectors can be reduced and a voting system established.
For flammable gases in open hydrocarbon handling areas the detector coverage
should be based on a distance between point detectors of approximately 12
meters. This is a practical approach considering that the target shall be detection
of an explosive gas cloud of 10 meters in diameter. A gas cloud above 17 meters
must be detected anywhere in the area while using a detection level of 20 % LEL.
Gas detectors’ characteristics and calibration shall ensure that the presence of
gas is not underestimated, e.g. gas concentration (point detectors), gas amount
(optical beam detectors) or leakage rate (acoustic detectors).
The main principles for action initiated upon gas detection are as follows:
 Emergency shutdown system (ESD) is activated manually or automatically
upon gas detection in accordance with the Barrier Strategy.
 Ignition Source Isolation, e.g. non-essential equipment isolated on single
low gas alarm.
 HVAC shutdown, e.g. single low gas alarm in air intake.
 Gas warning in field, local visual alarm on low gas alarm and visual and
audible alarm on confirmed gas detection.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -42-

5.5 Emergency Shutdown (ESD)

Purpose
The purpose of the Emergency Shutdown System (ESD) is to prevent escalation
of abnormal conditions into a major hazardous event and to limit the extent and
duration of any such events that do occur.
System description
ESD can be initiated manually or automatically, but once initiated actions should
be automatically executed.
The Emergency Shutdown System includes blow down valves (BDVs),

sectionalisation valves, and ESD valves. Input to the ESD system is either from
the instrumented safety control system (SAS) or dedicated instruments for
selected process conditions requiring ESD Landfall valve stations
shut down. It may also include control units
The Landfall Valve Station for
with an overview of valve status and built-in
shut down levels for different levels of ESD. Europipe I (EPI) comprises an
underground 40 inch ball valve.
The landfall valve stations, which are The Landfall Valve Station for
unmanned stations, are also part of the ESD Europipe II (EPII) comprises an
system. The stations are installed in order to underground 40 inch double
create a physical isolation between the
expanding gate valve.
offshore pipelines and the onshore pipelines.
Interfaces
ESD system has interfaces with the following safety systems/functions:
 Gas Detection - ESD receives input from the Gas Detection System.
 Ignition Source Control - normally an automatic action by ESD but can be
executed through standalone units and/or F&G systems.
 Fire Detection - ESD receives input from the Fire Detection System.
 Blowdown and Flare/Vent System - is manually or automatically activated
through the ESD system.
 Process Safety (PSD) - ESD gives input signals to activate PSD levels, in
addition some selected PSD levels can be input to ESD.
In addition, ESD initiations will activate (directly or indirectly) other safety

systems/functions, such as HVAC, emergency power and lighting and the alarm
and communication system.
Manual activation of the ESD system shall be possible from strategically
positioned stations where accessibility and manning in a hazardous situation is
taken into account.
ESD valves shall have either spring return or local accumulators to ensure fail-
safe function. Spring return types of valves are preferred and shall be used when
the required size is available.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -43-

Figure ‎5-5: Picture of an ESD valve at Zeebrugge. The valve is installed below ground in a
concrete pit..
The ESD functions shall be arranged in a hierarchy.
In addition to shutdown of the flow of hazardous materials, the ignition sources

should be isolated in case of a leakage.
The ESD strategy, defining the shutdown logic, should reflect the overall plant
arrangement, both with regards to arrangement and layout, system design and
operational aspects.
The following typical response times that should be complied with unless other
response requirements are specified:
 Time from activation to start of execution, e.g. de-energised solenoid
valve, should normally be less than 2 seconds.
 Response time of all equipment and components included in the ESD
function shall be defined. Travel time of ESD valves in service should
normally not exceed 2 sec/inch (valve size).
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -44-

5.6 Open Drain

Purpose
Control of spills of hazardous material is realized through the arrangement of an
open drain system, including bunds and dikes for collection of liquid spills. The
purpose of the Open Drain System is to provide measures for containment and
proper disposal of spilled liquids, as well as handling wash-, rain- and fire-water.
System description
The Open Drain System consists of equipment necessary to collect and handle
spillage of hydrocarbon liquids, wash down water, firewater and rain water. The
equipment includes drip trays and bunding, drain pots and liquid seals, a piping
and pumping arrangement, and collection and treatment tanks. The Open Drain
System is divided into hazardous and non-hazardous open drains and these are
physically separated in order to prevent back flow of hydrocarbons from a
hazardous to a non-hazardous area.
Interfaces
The Open Drain System interfaces with the following safety systems/functions:
 Containment – the Open Drain System directs leaks to safe locations.
 Active Fire Protection – the drainage system for each area shall be capable
of receiving the maximum amount of liquid that may be expected in the
area. Full firewater capacity should be taken into account.
 Oily water treatment system
The design of the drainage system shall limit the maximum spread of a spill and
attempt to minimise any escalation arising from the spill by the use of bunding,
scuppers, etc.
Open Drain systems

There are different solutions in use for handling drainage at the terminals. At
Zeebrugge liquid from the open drain system is sent through an oil separation
system, and subsequently to the normal sewage system, while Emden has
more facilities for cleaning the liquid collected by the open drain. At St. Fergus
there is a drainage system that includes both open drains and oily water
drains.
The capacity of the drainage system shall be sufficient to handle whichever is

largest of the following: The heaviest rainfall of one hour duration within a ten
year recurrence period or full firewater capacity together with expected liquid
spill that can potentially be released from equipment that is not readily isolated.
Closed and open drainage facilities shall be arranged so that they do not affect
each other adversely.
The Open Drain System shall provide effective means e.g. liquid seals, to prevent
flammable liquid vapours and gases from spreading to other fire areas via the
drainage facility.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -45-

5.7 Ignition Source Control

Purpose
The ignition probability of flammable liquids and explosive gas atmospheres shall
be minimised, which is achieved by rendering the sources of ignition harmless or
reducing the number of potential ignition sources.
System description
Potential ignition sources include:
 electrical equipment
 flames
 hot surfaces
 rotating machinery and combustion engines
 mechanical sparks
 static electricity
 radio frequency energy
 chemical reaction
 hot works
Ignition Source Control (ISC) is concerned with reducing the number of ignition
sources. Potential ignition sources that cannot be avoided must have an ignition
probability as low as possible, and they should be located in an area where
probability of exposure to flammable atmosphere is low. Examples of possible
measures to improve the Ignition Source Control are:
 Selection of explosion protected (Ex-classified) equipment.
 Electrically isolate (disconnect) equipment that is not Ex-classified upon
loss of ventilation and gas detection in air intakes.
 Shut down of non-essential equipment during gas and fire detection, and
during emergency shutdown.
 Install flame- & spark- arrestors in exhaust ducts.
 Reduce temperature of hot surfaces (insulate surface or reduce heat
source).
Figure ‎5-6: In the Texas City accident the ignition of a gas cloud was most likely caused
by a vehicle. Ref.: U.S. Chemical Safety and Hazard Investigation Board, “Investigation Report
Refinery Explosion and Fire “, report no. 2005-04-I-TX.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -46-

Interfaces
ISC automatic functions are normally realised through other systems such as the
ESD system, and ISC interfaces are incorporated within the following main safety
barriers (systems or functions):
 Natural Ventilation and HVAC - the ventilation shall be such that it

prevents explosive atmospheres occurring.
 Gas Detection – ISC receives input from the Gas Detection System.
 Emergency Shutdown – ISC functions are realised through the ESD system.
 Fire Detection - ISC receives input from the Fire Detection System.
 Emergency Power and Lighting – appropriate Ex class must be selected so
that they do not act as ignition sources.
In addition, ISC functions will affect (directly or indirectly) process and utility
equipment, as well as operations.
Potential ignition sources, equipment and activities shall be identified and
disconnection/isolation described in the Barrier Strategy in accordance with
criticality. All ignition sources shall be disconnected in accordance with assigned
ignition source isolation group and equipment location.
Equipment used in a hazardous area,

i.e. classified zone 0, 1 or 2, will not Hazardous area classification
normally constitute a source of Zone 0: A place in which an explosive
ignition provided that the equipment atmosphere, consisting of a mixture
is constructed, installed, operated and with air of flammable substances in
maintained in compliance with the form of gas, vapour or mist, is
recognised standards’ (IEC, EN) present continuously, or for long
requirements applicable for the periods, or frequently.
relevant hazardous area.
Zone 1: A place in which an explosive
Equipment (electrical and non- atmosphere is likely to occur in normal
electrical) installed in non-hazardous, operation occasionally.
naturally ventilated areas shall, as a
minimum, comply with a level of Zone 2: A place in which an explosive
explosion protection according to atmosphere is not likely to occur in
hazardous area zone 2 unless it is normal operation and, if it does occur,
installed more than 15m from any will persist for a short period only.
hazardous area boundary.
The surface temperature of equipment, piping and exhaust ducts etc. that can be
exposed to leaks from flammable mediums shall not exceed auto-ignition
temperatures.
Both electrical and non-electrical ignition sources (non-explosion protected

equipment) shall be disconnected/shut-down in accordance with the assigned
ignition source isolation groups and equipment location.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -47-

5.8 Fire Detection

Purpose
The Fire Detection System shall monitor continuously for the presence of a fire.
When fire is detected the system shall alert personnel and allow control actions
to be initiated manually or automatically to minimise the likelihood of fire
escalation and the probability of personnel exposure.
In specific areas, where potential smouldering fires in electric/instrument

systems may occur the fire detection system shall also monitor continuously for
the presence of an incipient fire condition in order to alert personnel and thereby
minimise the probability of a fire condition developing.
System description
Different types of fire detectors are used:
 Flame detectors – located in process areas, utilities, generators and gas
turbines.
 Smoke detectors – located in electrical rooms, instrument rooms and CCR
and accommodation.
 Heat detectors – located in process areas, utilities, engine rooms, turbine
hoods etc.
The system also consists of cables from all the detectors to the control and alarm
panels.
AutroSafe optical smoke detectors and

point heat detectors
These are point smoke detectors for detection
of combustion gases mainly consisting of
visible particles. The detectors ensure a high
degree of reliability due to the fact that all
units are tested with a built in test function
once every 24 hours.
The point heat detectors are designed to

detect rises in ambient temperature caused
by a fire. They are often used in areas where
Figure ‎5-7: The type of optical the environment is likely to produce
smoke detectors used at false/unwanted alarms from smoke detectors.
Zeebrugge, AutroSafe 300-BH.
Interfaces
The Fire Detection System interfaces with the following safety systems/functions:
 Emergency Shutdown (ESD) System – prevention of escalation of
abnormal conditions into major hazardous events and limits the extent and
duration of any such events.
 Blowdown and Flare/Vent System - routes gas to safe locations.
 Natural Ventilation and HVAC – controls shut down of the HVAC plant.
 Alarm and Communication Systems - the Fire Detection System depends
on the PA and alarm system to alert personnel when smoke or fire is
detected.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -48-

 Active fire protection - active fire fighting systems can be used to mitigate
explosions in open areas.
 Emergency power and lighting – provides power to systems required to be
in operation during or after a major hazard incident, including the fire
detection system.
In addition, direct or indirect actions will be required for other systems, such as
temporary units and equipment in operation within the plant.
The fire detection function shall provide reliable and efficient detection of a fire
by adequate type, number and location of fire detectors and shall ensure timely
alarm and initiation of control actions.
Measures for the detection of fires shall consider the potential for escalation of
fires in the area and risk to personnel and plant. Detection of incipient fire
conditions shall take into account the possibility for manual intervention and
potential damage to equipment.
Voting principles at Zeebrugge

Confirmed fire detection is defined as:
Smoke (except areas such as accommodation):
 Two out of N (2ooN) detectors to reach specified alarm limit when N ≥ 3
Flame (one of the listed principles):
 1ooN detectors to reach specified alarm limit when N ≥ 2 (basic safety
requirement)
 2ooN detectors to reach specified alarm limit when N ≥ 3 (production
regularity increase)
 Confirmed fire detection on a single flame detector 1oo1 may be used in
exceptional circumstances provided the failure probability is documented
to be sufficiently low and the loss of safety actions and consequences on a
single detector failure is tolerable
Heat:
 1ooN detectors to reach specified alarm limit when N ≥ 2
Detectors shall be provided based on an assessment of fire scenarios within each

area considering potential fire sources and characteristics, consequences, area
and equipment arrangement, and environmental conditions.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -49-

All areas of the plant shall have suitable means of fire detection. Fire detection
shall as a minimum be in accordance with the following:
Area/Room Detector type Comment

Open process area Flame IR (UV detection principle
may exceptionally be
required due to flame wave
characteristic)
Enclosed process area Flame and heat
Instrument rooms, CCR, Early warning smoke
Electrical rooms Smoke E.g. switchgear,
transformer rooms
Machinery spaces Flame E.g. diesel engines.
Additional heat detectors to
be considered in turbine
hood enclosure
Storage room for flammable Heat/Flame E.g. paint or chemical
materials storage
Offices, accommodation, Smoke
HVAC inlets to Smoke
accommodation, offices etc.
Workshops Smoke or heat Type of activity to be
considered
The Fire Detection System shall initiate all actions in accordance with the Barrier
Strategy.
Automatic initiation of actions shall include:

 ESD of plant or selected areas, manual or automatic, as required according
to the Barrier Strategy (confirmed fire)
 HVAC and fire damper shutdown except for areas subject to smoke control
(confirmed fire)
 Activation of Fire Fighting Equipment (confirmed fire)
 General plant alarm (local visual on fire alarm and visual and audible on
confirmed fire)
F&G system status shall be continuously available in CCR, and the system shall
raise alarms in CCR for operator awareness or action in relation to:
 Detection of fire or activation of Manual Call Point
 Failure to execute action upon demand
 Function (sensor, logic solver, final element) defect or failure
The fire detection function for hazardous areas shall be operative after a
dimensioning explosion to ensure the alarm is activated and that the necessary
actions can be executed.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -50-

5.9 Blowdown and Flare/Vent System

Purpose
The purpose of the blowdown and flare/vent system is to:
 Reduce the pressure and remove inventory in a process segment in the
case that it is exposed to fire or a process upset occurs. A reduction in
pressure implies reduced material stress and, hence, reduced risk of
rupture due to heating caused by the fire.
 Reduce the leak rate and leak duration from a leaking process segment
(and, hence, also reduce the associated fire in the case the leak is ignited).
 Avoid leakage in some cases of process upsets.
System description
Several types of blowdown/flare systems are utilised to provide depressurisation
at the different terminals. Both cold and hot flares are utilized, and the systems
include pressure relief valves and blowdown valves (BDV), flaring lines, liquid
removal function (flare KO drums) and flare tower. The vent systems include
vent stacks and vent valves. The system is most commonly used to discharge
gas from continuous sources like purge gas of atmospheric tanks etc. The
releases media is normally not flammable / toxic, however risk of suffocative
atmosphere near the release point.
Blowdown valves are normally controlled by the Emergency Shutdown (ESD)

System, which is part of the Safety and Automation System (SAS). Activation
(closing) of the isolation valves and depressurisation can be undertaken either
automatically or manually. Dividing the process into BD segments allows for
sequential blowdown, which is used to avoid exceeding the capacity of the flare
system.
Flare/Vent systems in use at the gas terminals

At Zeebrugge and Dunkerque cold vent systems are installed. At both sites
there are 10 m high vent stacks with a capacity of 100 tonnes/hour. The size
of the cold vent header is 4 inches. Both plants are divided into three
blowdown sections, these sections BD1, BD2, BD3, can be automatically
depressurized. This is time and pressure controlled. DT also has automatic
blowdown by measures of ESD1. The systems are designed to comply with
API5231.
At St. Fergus both a hot flare and a vent system is installed. Both high and
low pressure flares are used, and a nitrogen purge is utilized to prevent
ingress of oxygen into the systems. At Easington a cold flare system is used.
Automatic ignition of the flare upon depressurization is part of the system.
Interfaces
The Blowdown and Flare/Vent System interfaces with the following
systems/functions:
 Gas Detection System - may activate the EDP system through the
Emergency Shutdown System.
 Fire Detection - fire detection may activate the Blowdown System through
the ESD System.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -51-

 Emergency Shutdown (ESD) - manual pushbutton in CCR activates

blowdown and ESD System.
 Passive Fire Protection - fast and reliable blowdown may reduce the need
for passive fire protection.
In addition, BD depends on an Uninterruptible Power Supply (UPS) to maintain

BD operational if the main electrical power supply fails.
Figure ‎5-8: The picture illustrates a part of the cold vent system at Zeebrugge. The
depicted vent stack is 10 meters high.
As a general rule the blowdown times/de-pressuring rate (after activation) shall
be set to:
 50 % of the vessel design pressure in 15 minutes
 6.9 barg within 15 minutes, if this is lower than 50 % of the design
pressure.
These criteria are based on the wall temperature of the vessel/piece of
equipment versus the stress to rupture, and applies generally to vessels with
wall thicknesses of approximately 25 mm or more.
The objective is generally to avoid shut in volumes without blowdown. In no

event shall segments containing more than 2000 kg of hydrocarbons be without
dedicated blowdown valve(s). The design/valve location should generally aim to
reduce the size of containment segments without blowdown, and particular
attention should be made to gas and destabilised liquefied petroleum gas (LPG).
Segments in this context mean volumes that are isolated by automatic shutdown
valves (PSD/ESD valves) and check valves.
Full Plant blowdown shall be possible from dedicated push buttons in the CCR
(operator station and safety matrix). Use of the dedicated blowdown push
buttons shall also activate ESD. Manual release buttons shall be protected
against inadvertent activation e.g. by the use of protective covers.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -52-

5.10 Active Fire Protection

Purpose
The main purpose of the fire fighting systems is to provide quick and reliable
means for control and extinguish fires. In addition, fire fighting systems may be
used to mitigate explosion effects.
System description
The active fire protection systems consist of some or all of the following:
 Firewater pump arrangement
 Firewater distribution system
 Deluge system
 Sprinkler system
 Manual fire fighting equipment
 Hydrants and hose reels
 Monitors
 Extinguishing systems in enclosed compartments e.g.
o Water mist systems
o Gaseous agents (Inergen etc.)
Figure ‎5-9: Firewater monitor Zeebrugge.
Interfaces
The Active Fire Protection System has interfaces with the following safety
systems/functions:
 Gas Detection – if used to mitigate explosion effects the Active Fire
Protection System receives input from the Gas Detection System.
 Emergency Shutdown (ESD) – sends/receives signals to/from the Active
Fire Protection System.
 Open drain – drains flammable liquid spills to safe locations.
 Fire detection - the Active Fire Protection System receives input from the
Fire Detection System.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -53-

 Passive fire protection – parts of the active fire protection systems may
require passive fire protection.
 Escape, Evacuation and Rescue (EER) – the Active Fire Protection System
may help shield the escape routes.
 Emergency power – provides power supply for the required fire fighting
systems during and after incidents.
Fixed fire fighting equipment shall be installed in areas representing a major fire
risk, with particular attention to equipment containing significant quantities of
hydrocarbons or other flammable material.
The activation of fire water systems shall be automatic where the main purpose
of the fire water is to mitigate explosion effects, act as a substitute for passive
fire protection or where immediate response is required. Manual remote release
of fire water should be implemented for other situations. Automatic release may
be arranged for general fire fighting purposes where the fire water reservoir and
supply capacity is sufficient for such operation.
Firewater (FW) supply system

When evaluating maximum firewater demand the maximum number of systems
expected to operate simultaneously must be determined. Firewater release in a
neighbouring area due to detection (i.e. flame) should also be considered.
The FW ring main shall be water filled and pressurised when in standby mode.
Figure ‎5-10: Firewater pump at Zeebrugge.
Firewater pump arrangement

Each firewater pump engine shall have a starting system with sufficient reliability
to satisfy the integrity requirement for the firewater system. Each engine should
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -54-

have two independent starting systems, which need not be functionally different.
Each system shall have a minimum capacity for six start attempts of a minimum
five seconds, or longer if required by the supplier.
Deluge and water spray system

The discharge time from confirmed fire detection to the release of water at the
most remote nozzle shall be less than 30 seconds.
Sprinkler system
The sprinkler system shall provide a quick and reliable supply of firewater to the
sprinkler distribution system at a rate sufficient to cover the minimum demand
for the applicable area, and at pressures within the recommended nozzle
pressure range requirement.
Active Fire Fighting

The following fire fighting equipment is installed at both Zeebrugge and
Dunkerque:
 A firewater ring main system
 Gaseous agents in electrical rooms: CO2 is used at Zeebrugge and
FM200 at Dunkerque. The FM200 is also used in the control room.
 Fire water pumps:
o Zeebrugge: 2 jockey pumps, 1 main electrical pump and 2 diesel
pumps. The pumps at Zeebrugge are controlled by a pressure
switch and sequential start up is initiated when the pressure
drops.
o Dunkerque: 2 jockey pumps, 1 main electrical pump, and 1 diesel
pump.
At Zeebrugge a sprinkler system is installed and there are monitors located

throughout the plant. At Dunkerque there is a water mist system and fire
hydrants. No deluge is used on either Zeebrugge or Dunkerque.
At St. Fergus there is a firewater ring main, hydrants and deluge. No sprinkler
system, water mist, foam or gaseous agents are installed.
Extinguishing systems in enclosed compartments

A water mist system is the preferred extinguishing system for enclosed
compartments. The water mist system shall provide a quick and reliable
discharge of water mist at a sufficient density and for a sufficient duration for
adequate fire suppression and control.
Gaseous agents
The gaseous fire fighting system shall provide a quick and reliable discharge of
gaseous agents for fire mitigation at sufficient concentration and for a sufficient
duration to achieve adequate fire suppression and control. Inergen shall also, in
addition to this, retain an atmosphere that is harmless to humans.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -55-

5.11 Passive Fire Protection

Purpose
The purpose of passive fire protection (PFP) is to ensure that relevant structures,
piping and equipment components have adequate fire resistance during
accidental loads. This includes ensuring that load bearing properties are
maintained for structures and supports, and that the integrity of pressurized
piping and equipment is maintained until depressurization is completed.
Fireproofing of steel structures shall prevent the unacceptable escalation or

spreading of fires by providing in situ protection until the affected part of the
plant can be evacuated, and the ESD and blowdown systems, in combination
with other fire protection measures, ensure control of the situation in accordance
with the Barrier Strategy.
System description
There are three main types of passive fire protection:
 Separation of main areas and fire divisions to prevent or limit escalation
between main areas and between different fire areas.
 Spray on coatings to protect load bearing structures including:
o Main steel structure
o Secondary structures for large equipment e.g. vessels, compressors
etc.
o Supports for critical piping, such as the blowdown system etc.
 Passive fire protection (insulation material) on safety critical equipment,
such as:
o ESD valves and BDV, and their activation systems.
o Piping used for blowdown and flare and the emergency power
system.
Passive Fire Protection (PFP)

PFP is generally not used on steel structures. In order to protect vital
equipment from fire and explosion some equipment is instead buried
underground, or located in concrete pits. All ESD valves at Zeebrugge and St.
Fergus are located in such pits. At Zeebrugge some PFP is used on
throughputs between rooms in order to prevent escalation between rooms. At
Emden there are some PFP on pipe racks, while at St. Fergus there is very
little PFP with the only PFP limited to piping crossing between different areas of
the plant. However, at the Langeled Receiving Facility PFP is used on some
piping and structures in order to improve fire resistance.
Interfaces
The Passive Fire System is independent of other systems. However, the extent
and requirements for passive fire protection are dependent on the design and
performance of the following safety systems/functions:
 Layout and Arrangement
 Containment
 Emergency Shutdown
 Blowdown and Flare/Vent System
 Active Fire Protection
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -56-

 Escape and Evacuation
Main areas on the plant shall be separated to ensure that the unacceptable
escalation/spreading of a dimensioning fire and explosion from one main area to
surrounding main areas is avoided.
In principle, the separation by distance is preferred over the provision of fire

divisions for this purpose. If fire divisions are used these shall be capable of
resisting a dimensioning fire and explosion.
Where the need for protection of steel structures has been determined, a
minimum of 30 minutes protection against a hydrocarbon jet and/or pool fire
shall be provided; however, longer protection times may be required depending
on the equipment and its function, as well as the availability of fire fighting
measures.
Pressurised vessels, process equipment and piping shall have adequate fire
resistance to prevent escalation of a dimensioning fire scenario. This includes
pipe and vessel supports. Adequate protection of process equipment and piping
in a fire situation can be obtained by either one or a combination of the following
measures: blowdown of equipment, construction material, passive fire protection
and active fire protection.
Figure ‎5-11: At Zeebrugge some of the equipment is buried below ground level to
provide fire protection. The picture shows an ESD valve in a concrete pit, and a flame
detector can also be seen to the right.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -57-

5.12 Emergency Power and Lighting

Purpose
The purpose of the Emergency Power and Lighting is to provide the following:
 Electrical power when main power generation or supply has been shut
down.
 Emergency electrical power supply for a specific period of time for systems
required to be operative during an emergency.
 Sufficient lighting for evacuation and escape in an emergency situation.
System description
The Emergency Power system consists of:
 Uninterruptable power supply (UPS) from batteries. Most UPS systems
have 2 x 100 % power supply.
 Diesel-powered generator for emergency or essential power.
Emergency lighting:
 Lighting with local self-contained batteries.
 Essential lighting with power supply from diesel generators.
The following safety systems are normally connected to emergency/back-up

power during a power outage:
 Mechanic ventilation of safety critical rooms
 Fire and gas detection
 Emergency shutdown
 Active fire fighting
 Blowdown
 Emergency communication
 Process control systems including process shut down
Emergency power
The gas terminals receive their power supply from the respective national
grids, thus ensuring a high reliability of power availability. In addition, the gas
terminals have emergency/essential generators and UPS.
At Zeebrugge there are two main transformers ensuring 100 % redundancy

and the capacity of the diesel back-up generator is high enough to maintain
normal operation during power outages. They also have an UPS that can
deliver 2 x 100 % power supply for essential equipment / safety systems.
Interfaces
The Emergency Power System interfaces with the following safety
systems/functions:
 Emergency Shutdown (ESD) - receives signals from and supplies UPS
power to the ESD system.
 Process Safety System - supplies UPS power to the system.
 Active Fire Protection - supplies UPS power to the fire water system.
 Gas Detection - receives signals from and supplies UPS power to the Gas
Detection System.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -58-

 Fire Detection - receives signals from and supplies UPS power to the
system.
 Alarm and Communication Systems - supplies UPS power to the system.
The UPS shall have a capacity to supply the required emergency power for a
minimum period of 30 minutes.
A reliable emergency power supply, independent of the installation’s main power

supply, shall be available for a minimum of 18 hours at full load. For small,
simple onshore facilities an emergency power supply may be provided with a
minimum capacity of four hours.
The type of emergency power source shall be evaluated e.g. emergency

generator versus second independent plant power supply, ensuring that no single
failure mode in supply or distribution causes the system to fail. For onshore
facilities with limited need for emergency power, supply may be via batteries
only.
Emergency lighting shall be provided with local self-contained batteries or central

uninterruptible power supplies, both with a minimum capacity of 30 minutes or
longer if required by the Barrier Strategy. Emergency escape lighting in outer
open areas may be supplied by emergency generator provided there is adequate
distance from classified areas.
UPS and essential utilities shall be located in protected areas.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -59-

5.13 Process Safety

Purpose
The purpose of the process safety system is to ensure that the process
conditions do not exceed specified process safety limits. By controlling any
abnormal operating conditions possible hydrocarbon releases are prevented or
minimised. Typical actions include:
 Stop hydrocarbon flow
 Shutdown process and utility equipment
 Isolate leaks
 Shut down heat input to the process
 Pressure relief (prevent overpressure)
System description
The process safety system mainly consists of:
 Process Shutdown (PSD) valves - valves that close upon a signal from the
control room.
 Pressure Safety Valves (PSV) - usually spring-loaded valves that open
towards the flare on a given set point. PSVs open to vent pressure and
close automatically when the pressure has been reduced to the design
operating pressure of the equipment.
 Instrument based systems for secondary pressure protection (HIPPS- High
Integrity Pressure Protection System).
Actions by the Process Safety System are normally initiated by minor process
anomalies. The extent of a PSD situation will depend on the type of anomaly, and
may range from equipment shutdown with minimum effect on the production
rate to a total process shutdown.
Figure ‎5-12: Pressure safety valves at the Zeepipe Terminal.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -60-

Interfaces
The process safety function has interfaces with the following safety
systems/functions:
 Emergency Shutdown – the PSD system receives input from the ESD
system.
 Blowdown and Flare/Vent System – used for depressurising equipment
when required.
 Emergency power and lighting – UPS provides power for the PSD system.
 Containment
The Process Safety System also interfaces with the Process Control System and it
is dependent on hydraulic power and instrument air in order to fulfil its function.
Figure ‎5-13: Sketch illustrating the principle behind a pressure safety valve. The spring
is compressed and lets out hydrocarbons as long as the pressure is above the defined
limit.
The process safety functions shall provide a reliable and prompt detection of
process upsets and execution of the actions that are considered necessary to
control the situation and hence avoid escalation.
The process safety function shall be functionally independent of the process

control function, but may be integrated as part of the SAS/PCDA suite. Safety
integrity shall be maintained upon loss of power or any single failure of electronic
parts. Local instrumented safety systems shall be fully independent of any other
safety functions.
Any combined process control and PSD valves shall be provided with a safety
related solenoid connected directly to, and operated from, the PSD system.
Process control valves shall not be used as HIPPS valves.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -61-

HIPPS
At St. Fergus four PSVs are currently used for pressure protection instead of
HIPPS. The current PSV solution is designed to release gas to air when
pressure reduction is required. A project to install HIPPS is on-going as of mid-
2012 and is scheduled to be completed in September 2012.
AT Zeebrugge there are PSVs, rupture discs, transmitters, interlocks and

HIPPS in order to protect the piping. Each process train are provided with a
HIPPS system consisting of two SSV, a flow and pressure control valve and
associated pressure sensors and pressure impulse-line.
An appropriate number of PSVs shall be in operation at all times. An interlock or

car seal system shall be in place, including monitoring and follow up.
Alarms shall support operator decision-making during upsets (process anomalies)

and accidental situations. Actions shall be initiated automatically when process or
equipment protection limits are exceeded.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -62-

5.14 Alarm and Communication System for use in Emergency

Situations
Purpose
The Alarm and Communication Systems for use in Emergency Situations shall:
 Alert, inform and guide personnel as quickly as possible in the event of a
hazardous or emergency situation.
 Provide two-way communication of information regarding emergency
events to the Control Room (CCR) or Emergency Control Centre (ECC).
 Provide communication about required emergency actions to all personnel,
and provide two-way communication between the emergency controller
and the emergency response team.
 Facilitate the co-ordination of rescue, recovery and emergency assistance.
System description
The Alarm and Emergency Communication System may include the following:
 Public address system Communication systems
 Radio communication (UHF)
At Zeebrugge there are UHF
 Telephone systems
radios, and ATEX-rated
 Equipment such as loudspeakers,
telephones. General alarm
megaphones, alarm horns/ sirens, bells,
(GA) and all clear alarm are
alarm lights, portable radios and
initiated manually by the
telephones
CCR operators.
 Means for operator intervention from CCR.
Interfaces
The Alarm and Communication Systems for use in emergency situations interface
with the following safety system/functions:
 Emergency Shutdown – provides input signal concerning alarm area and
level of activation.
 Gas Detection – provides input signal concerning alarm area and level of
activation.
 Fire Detection – provides input signal concerning alarm area and level of
activation.
 Ignition Source Control - the alarm and communication system must be
designed so that it does not act as an ignition source.
 Escape, Evacuation and Rescue (EER) – alerts personnel and initiates
evacuation.
 Emergency Power and Lighting – provides power supply to keep the
system operative.
 Human Machine Interface (HMI) – provides means for operator
interactions and alarm management.
The PA system, loudspeakers, alarm horns/ sirens, bells and alarm lights shall
comply with prevailing regulations and practices to ensure that personnel will be
alerted and informed in the event of an emergency situation.
The layout and location of horns/sirens and bells shall be reviewed during design
and verified during start-up and operation.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -63-

Figure ‎5-14: As part of the communication system phones are placed at strategic
locations at the Zeebrugge gas terminal. To the right one such phone can be seen, to the
left is the fire water reservoir.
The public address (PA) system can be included as part of the alarm system if
required by the plant’s Barrier Strategy.
The plant shall have necessary equipment for internal emergency communication
so that the emergency response team can communicate with each other and with
the Control Room and Emergency Controller.
CCR operators shall be able to communicate to operators anywhere on the plant.
The plant shall have necessary equipment for communications with external
emergency response resources. Police and external fire brigades shall be able to
use the plant emergency radio channel, or dedicated radios shall be made available.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -64-

5.15 Escape, Evacuation and Rescue (EER)

Purpose
In the case of a hazardous incident, the purpose of escape routes is to:
 Ensure that personnel may leave the areas in question by at least one safe
route.
 Enable personnel to safely reach the assigned mustering area from any
point in the plant they are likely to occupy.
 Enable rescue teams to safely bring injured personnel to areas where
medical treatment can be given.
The purpose of the evacuation system is to ensure means of safe evacuation of

the plant for all personnel following a hazardous incident.
The purpose of rescue and safety equipment is to:

 Provide the personnel with personal protective equipment (PPE) to
evacuate safely and enable personnel to reach the muster areas.
 Provide the emergency response personnel with suitable and sufficient
(PPE) to effect the rescue of personnel.
When available, the purpose of the medical treatment facilities is to ensure that
injured personnel are given adequate first aid treatment at the site.
System description
Elements that are typically part of the EER include:
 Mustering areas
EER from gas terminals
 Safe routes to the mustering
areas At Zeebrugge and Dunkerque there
 Signs and markings are two mustering areas, with safe
 Equipment for rescue of injured routes to both muster areas. Further
personnel, such as stretchers, evacuation to a nearby hotel may be
first aid kits etc. arranged if necessary.
Interfaces
The EER systems interface with the following safety systems/functions:
 Natural Ventilation and HVAC
 Alarm and Communication for use in Emergency Situations – alert and
inform personnel of the situation.
 Emergency Power and Lighting - ensure lighting for escape and rescue, as
well as communication with off-site medical professionals if the main
electrical power supply fails.
 Passive Fire Protection – ensure integrity of escape routes.
Escape routes leading to the muster area shall be provided to enable all
personnel to leave an area in case of a hazardous incident.
Escape routes shall be well marked and include signs. Marking shall show the
preferred direction of escape.
The escape route network shall lead to safe areas and facilities as follows:
 Muster areas
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -65-

 Administration building/offices with first aid treatment facilities

 Temporary refuge (TR)/first aid stations in the plant
The dimension of escape routes shall be a minimum of one metre in width (0.9
metres for doors) and 2.3 metres in height (2050 mm for doors). Escape routes
intended for use by more than 50 persons shall be extended to 1.5 meters (1.2
meters for doors) in width.
Figure ‎5-15: The picture shows some of the escape and rescue equipment at Zeebrugge.
To the left there is a breathing apparatus and to the right a stretcher for transport of
injured personnel.
Escape routes inside buildings, including offices and accommodation areas, shall
be provided with low level florescent arrows, and/or low level directional lighting,
showing the correct direction of escape. Other enclosed and regularly manned
utility and process areas should be considered separately.
There shall be no dead end corridors exceeding five metres in length.
Safety showers and eyebaths shall be located at strategic locations. Strategic

locations shall be identified through a separate evaluation with consideration for
the chemicals handled and spillage that may occur, as well as the risk for burns
or personnel exposure to hot fluids.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -66-

5.16 Human Machine Interface (HMI)

Purpose
The Human-machine Interface (HMI) shall provide system information
presentation and means for operator interactions in manned control centres e.g.
the Central Control Room (CCR), Emergency Response Centre (ERC) and other
control stations.
System description
The HMI system includes alarm functions and the systems for control and
monitoring of the process. The alarm functions are handled from the Critical
Action Panel (CAP) in the CCR.
The HMI facilities in the CCR include the following control functions:
 Initiate ESD level
HMI at Dunkerque and Emden
 Initiate PSD level
 PSD level reset The CCR at Zeebrugge is used to
 Inhibit and override monitor both Zeebrugge and
 Initiate manual depressurising Dunkerque. The Europipe metering
 Main ESD level reset station (EMS) at Emden is remotely-
 Initiate F&G operated from the control room at
 F&G reset the Europipe receiving facilities
 F&G and ESD common reset of (ERF) 48 km away.
inhibits and overrides (e.g. per
fire detection area for F&G reset)
 Manual control of ignition sources, according to ISC groups
 Firewater / foam pump start
 Fire fighting release
Interfaces
The HMI is an integral part of the following safety systems/functions:
 Process Safety
 Emergency Shutdown
 Blowdown and Flare/Vent System
 Gas Detection
 Fire Detection
 Ignition Source Control
 Natural Ventilation and HVAC
 Alarm and Communication System for use in emergency situations
 Emergency Power and Lighting
 Active Fire Protection
The HMI means shall include a main operating interface in the CCR. In addition,
a CAP (a simplified safety matrix panel) shall be located in the same room
allowing manual activation of safety-critical functions.
The HMI interface in the CCR shall provide the means for operator awareness
and actions, and be suitable during emergency situations.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -67-

Figure ‎5-16: Excerpt of the available CCR information at Zeebrugge. In this view a plant
overview is provided in the lower left. To the right parts of the security surveillance can
be seen.
The HMI facilities shall present safety system information in the CCR, e.g.:
 ESD hierarchy overview including the status of ESDV’s and EDPV’s
 PSD hierarchy overview
 F&G overview (plant level)
 F&G system details (input/output details, geographical arrangement, etc.)
The HMI facilities shall include safety system input and output status, including
blocking, overrides and suppression, and loop failures.
The CAP shall include the following control functions:

 Selection of firewater/foam pumps for standby/duty
 Manual start of firewater/foam pumps
 Release of automatic fire fighting systems
 Activation of plant ESD shutdown levels
 Activation of blowdown
 F&G and ESD common reset of inhibits and overrides
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -68-

Figure ‎5-17: Detail from the available information in the Zeebrugge CCR, illustrating the
ESD/PSD/BD overview.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -69-

5.17 Pipeline Protection System

Purpose
Although not one of the barriers described in the SPS, the Pipeline Protection
System (PPS) is included in this description of barriers due to its role in
safeguarding the terminals. A combination of the Pipeline Pressure Control (PPC)
and the PPS is applied to the pipelines to safeguard the respective section design
pressure and the receiving facilities. The purpose of the PPC is to ensure that the
local design pressure in the pipeline is not exceeded. The PPS, which is
independent of PPC, ensures that the maximum incidental pressure (MIP) is not
exceeded e.g. in case of PPC failure.
Pipelines with varying design pressures

A pipeline system may be divided into sections with different design pressures.
In such cases, it is particularly important that the pressure protection system
ensures that, for each section, the local design pressure cannot be exceeded
during normal operations, and that the incidental pressure cannot be
exceeded during incidental operation.
The following TN pipelines are divided into sections with different design
pressures: Åsgard Transport (707 km), Europipe II (658 km), Zeepipe IIA
(299 km), Zeepipe IIB (301 km), Statpipe/Norpipe (633 km) and Langeled
North (627 km). These are long trunklines representing significant design
requirements with regard to necessary amounts of steel. For Europipe II,
specification of different design pressures along the pipeline resulted in a
reduction of 60,000 tonnes of steel.
System description
The Pipeline Protection System comprises the pressure control system and the
pressure safety system. Each of these systems comprises sensors, logic solvers,
valves, alarm and communication systems, procedures and qualified personnel.
Figure ‎5-18: Illustration of the components that are part of the PPS.
The pressure control system maintains the operating pressure within acceptable
limits along the entire pipeline system during normal operation. This is normally
a conventional protection system.
The pressure safety system protects the downstream system during incidental
operation i.e. to ensure acceptable local incidental pressure along the entire
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -70-

pipeline system in the event of failure of the pressure control system. The
pressure safety system is a non-conventional protection system. It is sometimes
referred to as the Pipeline Protection System (PPS) even though it is only a part
of the PPS.
All Transport Network (TN) pipelines are monitored and controlled by pressure
protection systems associated with the various installations onshore and offshore.
In addition, all TN pipelines are monitored by operational personnel from the
Gassco control room at Bygnes.
PPS for Langeled

Pressure protection by PPS is required for the Langeled North Pipeline (LLN) to
Easington in normal operation because the second part of LLN has a design
pressure lower than the maximum export pressure at Nyhamna.
During bypass operation, Nyhamna has the potential to over-pressurise both

LLN and the Langeled South Pipeline (LLS). Therefore, pressure protection of
LLN and LLS is required in the bypass operation.
The PPS must be function tested according to the safety requirement in order
to obtain and maintain the SIL certification. The PPS needs to equal SIL3
certified redundant shutdown loops.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -71-

6 Assurance of barrier integrity

A key assumption in the Swiss Cheese and Bow Tie models is that the
established barriers are so complex that they will not all have a 100 % optimal
function at all times. The real life implication of this is that at any given time
impairments will exist in the safety barriers. The challenge is to maintain an
overview of the barrier status and keep the impairments under control at all
times in order to ensure the barrier integrity. A number of systems and
procedures are utilised in order to ensure barrier integrity and these are critical
barrier elements.
In Chapter ‎5 the technical safety barrier elements were described. These are to a
large extent equipment and systems that shall be available for use in case of an
emergency. To ensure that the intended function of each technical barrier is
available when required, procedures, work processes and qualified personnel are
essential. These constitute the organisational and operational barrier elements
that together with the technical barrier elements provide the barrier function.
The most important aspects of these barrier elements are presented in this
chapter.
Section 6.1 outlines the overall monitoring and control process in Gassco.
Section 6.2 briefly explains the process of managing risk and Section 6.3
describes the part of the Gassco KPI system that is related to the safety barriers.
Both Sections 6.1 and 6.2 describe key input elements to the management
concerning monitoring needs. In section 6.4 Gasscos barrier system and a new
verification program, Barrier Integrity Review (BIR) is presented. In Section 6.5
the maintenance management is described. Section 6.6 gives an example of a
specific work procedure that is in place in order to ensure safe operation, namely
the system of work permits. Chapter 6 is rounded off with Section 6.7 which
concerns a particularly important issue, namely compliance with the established
processes and procedures.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -72-

6.1 Maintaining the overview - Monitoring and control

Within Gassco monitoring processes are in place in order to ensure that work is
carried out with the appropriate level of quality. In this respect, the purpose of
monitoring activities is to verify that the organisation has implemented the
management system adequately, and that it also complies with the pre-defined
procedures and requirements. The overall outline and interactions between
procedures are shown in the illustration below.
Monitoring activities and control mechanisms Management of

change
Management Audit and Conformity

review verifications validation
Handling of non-conformities and concessions
Reports, in accordance to document control procedures
Registry and handling
Figure ‎6-1: Outline of procedures and the interactions between them (ref. Monitoring
activities and control mechanisms, CM13-GA.PR-01.030, Rev. 08).
The HSE&Q manager is responsible for planning, managing and coordinating

Gassco’s monitoring activities. The departmental managers are responsible for
conducting monitoring activities and applying control mechanisms, and for
following up the results obtained during monitoring activities.
Monitoring needs are derived from the requirements specified in Gassco’s

management system, in legislation, permits and standards, in agreements such
as the Technical Services Agreement with Total at the St. Fergus Terminal, or in
contracts with relevant stakeholders.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -73-

Procedures for cooperation between Gassco and Total

A formal agreement called the Technical Services Agreement (TSA) describes
the interaction between Gassco as the Operator, and Total as the TSP. The
TSP describes the services that shall be delivered.
A document called the Cooperation Procedure (Samarbeidsprosedyren)

provides details on the general agreements in the TSA, and describes the
nature of interaction between the Operator and the TSP. A single point of
contact is defined in these documents as the Head of Technical Operation at
the Operator, and the Head of Gas Processing at the TSP.
The Operator shall ensure that the TSP complies with requirements and
guidelines provided by the Operator and relevant authorities. The TSP shall
carry out its tasks in accordance with its internal management system and
any additional requirements stipulated by the Operator.
The Gassco management team will also assess monitoring needs on the basis of:
 major accident potential reports or assessments
 identified risks in accordance with the individual department’s risk matrix
 key performance indicators
 identified or registered non-conformities and observations
 identified or registered concessions
 identified undesirable incidents or hazardous conditions
 results from previous monitoring activities carried out by Gassco,
government agencies, or others
 business strategies and plans.
The control mechanisms are based on five basic activities, as specified in the ISO
9000 family of standards, which are audits, verifications, validations, inspections
and reviews.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -74-

6.2 Risk management

Risk management is required by the authorities in order to ensure safe operation
and continuous improvement; a systematic and documented risk management
system must therefore be in place in companies such as Gassco. In addition, it is
required that the risk is reduced to a level ‘As Low As Reasonably Practicable’
(ALARP).
Key elements in the risk management process are:

 Risk identification
 Risk analysis
 Risk evaluation
 Risk treatment
In addition to these elements, other essential parts of the process include

establishing the context, communication and consultation, and monitoring and
review. An illustration of the risk management process is given in Figure ‎6-2.
Figure ‎6-2: Illustration of the risk management process, showing the key elements and
the way they are related to each other and to other important factors affecting the
process (ref. ISO 31000).
In order to ensure safe operation it is it is important to make risk based decisions

when choosing between different alternatives and when prioritising actions. A
sound decision basis is therefore necessary. The authorities require that risk
assessments are carried out in order to gain both a nuanced picture of the risk
situation, as well as an overview of the risks related to operations or phases the
installations are encountering. The analysis shall be performed to identify and
assess the contributors to the risk of major accidents.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -75-

A risk assessment shall:

 Identify hazards and accident situations
 Identify initiating events and map the cause of the event
 Analyse the sequence of events and possible consequences
 Identify and analyse risk reducing measures.
It is required that the risk assessments are updated when changes are made to
the conditions, assumptions, knowledge and delimitations for the analysis that
may affect the level of risk at the gas terminal.
In Gassco, site specific barrier strategies are being developed for the gas
terminals. These barrier strategies describe and clarify which barrier functions
and barrier elements are implemented at the site in order to reduce risk. The
description is established based on the specific risk picture in different areas of
the terminal.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -76-

6.3 Performance Management in Gassco

Performance management in Gassco (PMG) is a management information tool for
recording and following up key performance indicators (KPIs). In order to
prevent major accidents, Gassco has developed new indicators in the KPI system
to help improve knowledge about the condition of the established safety barriers
and thereby prevent major accidents.
The indictors are established to fulfil the following requirements:

 Adaptable to different installations (platforms, pipelines, processing plants
and on-shore terminals).
 Provide useful information both on a plant level and on an aggregated
(company) level.
 Provide opportunities for automatic data gathering.
 Minimise the need for manually generated data.
 Minimise the need for information not currently available in some form.
 Must be possible to implement in PMG.
KPIs are defined for proactive barrier elements, reactive barrier elements and
management elements. Examples of barrier elements included in each group are
listed in Table ‎6-1.
Table ‎6-1: Established KPIs that are relevant for major accident barriers.
KPI
Proactive barrier
Reactive barrier elements Management elements
elements
Inspections Gas detection Deluge valves Inspection backlog
Testing backlog (safety
PSV Fire detection Deluge nozzles
critical equipment)
HIPPS HVAC Fire water pump CM backlog
PPS ESD-valves PA system Critical audit findings
ESD- push Emergency Audit actions past

buttons generator deadline
Safety critical
UPS capacity Overrides
PSD valves
Emergency
Blowdown Degraded condition
lighting
Each KPI has a predefined lower and upper limit. In relation to the reactive
barrier elements these are defined based on the unavailability goals in Gassco
and for the preventive elements and management elements the limits are either
based on the unavailability goals or an agreed installation specific value. An
example of how the KPI model works is given in Figure ‎6-3. The distribution of
indicators on the different levels (colours) will also be given on a system level.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -77-

Figure ‎6-3: Example of KPI input and output for gas detection.
Depending on the current level and the trend, given as the model output
illustrated in the top row of Figure ‎6-3, the need for actions are determined, as
described in Table ‎6-2. Both the illustrated level and trend symbols may appear
in green, yellow or red depending on their status. The colour of the level symbol
describes the actual level, while the colour and inclination of the trend symbol
describes the development profile since the last registered test result.
Table ‎6-2: Colour coding for the model output and corresponding actions.
Colour Level Trend Action (based on level rating)
coding
System level Installation level
Green Satisfactory Improvement No action No action required
required
Yellow Need for Unchanged Cause must be Underlying KPIs must be
improveme identified and evaluated and the trend
nt the trend carefully monitored
carefully
monitored
Red Non- Deterioration Measures shall Consider the need of an overall
satisfactory be implemented risk assessment. Rank
shortly indicators with a non-
satisfactory status and perform
measures to improve them.
(Do not interpret as an
indication to shut down)
The following illustration, in Figure ‎6-4, shows how the barrier KPI for Dunkerque
is displayed. This way of presenting the information gives a clear overview of the
current status and the development trend for reactive, proactive and
management elements.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -78-

Figure ‎6-4: Display of barrier KPIs for Dunkerque.
A positive response was received following pilot testing of the KPI model,
particularly in relation to the fact that it generated an increased focus on the
barriers and gave a clear overview of the current situation. Training was given,
and the model was implemented at all Gassco facilities during 2010. An
illustration of the status on an aggregated level is given Figure ‎6-5.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -79-

Figure ‎6-5: Display of aggregated barrier KPIs for Gassco.
Relevant KPIs at St. Fergus

Total Exploration and Production UK (TEPUK) follow up and monitor sites and
installations through KPIs. For the St. Fergus Terminal, the following KPIs are
relevant in order to prevent major accidents:
 HC leaks (minor, significant, major)
 Progress in reducing integrity threats know at the end of the year
 Progress in reducing all live integrity threats
 Category A piping and vessel inspection
 Verification progress against plan
 Reduction in overdue verification issues.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -80-

6.4 Barrier Integrity Review

The Barrier Integrity Review (BIR) process is a structured approach for the
assessment of major accident related safety barriers at Gassco operated gas
receiving terminals. This process provides a platform for risk informed decision
making. The purpose of the BIR process is to ensure the integrity of safety
barriers. This includes assessing the performance of the major accident safety
barriers and assuring compliance with safety requirements.
The BIR process, as illustrated in Figure ‎6-6, contains elements of planning,

execution and follow-up:
 The planning phase, steps 1 and 2, includes corporate activities required
to ensure a successful implementation of the process across all Gassco
sites, and the local planning required for the review at each specific site.
 Steps 3 and 4 mainly concern the execution of the actual review at site
and the associated quality assurance of its inputs.
 Step 5 details the process of prioritising the actions required to close any
gaps from the review.
 Step 6 defines the process for formally closing the gaps.
 Continuous improvement activities are required in all steps of the process
but are formalised in step 7.
 To ensure that the process is implemented using the appropriate skills, a
dedicated competence and capacity building process is detailed in step 8.
Figure ‎6-6: Overview of the BIR process.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -81-

6.4.1 Safety Performance Standard

The Gassco document Safety Performance Standard (SPS) describes the
principles and requirements for the development of the safety design of onshore
gas terminals. Together with international standards the SPS defines the
requirements for establishing an adequate level of safety.
The SPS describes the requirements for the individual safety systems and
technical barriers, and represents a generic performance standard for the
different safety systems and barriers. It covers all safety critical systems at the
relevant facilities. The document also outlines requirements for the management
of technical safety.
The SPS requirements do not define the required safety level for all facilities, but
indicates the corporate best practice on aspects of the barriers. Since any
existing site is unlikely to meet all best practice requirements, potential gaps are
assessed from an ALARP perspective to decide whether the gap should be closed
or not.
For the purpose of reviewing the status of the barriers, a set of validation
activities is developed for each barrier described in the SPS. The validation
activities identify the Gassco best practice solution for how to achieve the
functional requirements defined in the SPS. The validation activities are used as
a tool in the BIR process.
SPS related upgrade projects

Following the implementation of the SPS, work is on-going to upgrade the
facilities according to the requirements stipulated in this document. Planned
and on-going projects at Zeebrugge and Dunkerque are as follows:
Zeebrugge
 Gas detection: Upgrade of inside and outside system to be finalised
by mid-2013.
 Flame detection system: Upgrade to be finalised in 2015.
 Ignition Source Control: Upgrade of ISC function to be finalised by
2016/2017.
 HVAC project in all buildings of terminal to be finalised in 2017.
 Upgrade PABX to be finalised by end 2016.
Dunkerque
 Gas detection: Upgrade of inside and outside gas detection system,
to be finalised by mid-2013.
 Flame detection system: Upgrade to be finalised by the end 2015.
 Smoke detection system: Upgrade to be finalised by end 2016.
 Ignition Source Control: Upgrade ISC function to be finalised in
2018.
 HVAC project in all buildings of the terminal to be finalised in 2014.
 Upgrade of PABX to be finalised by end 2019.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -82-

St. Fergus Operational Integrity Assurance & Verification Scheme

(OIAVS)
The St. Fergus Gas Terminal operated by Total has Performance Standards
(PS) that can be regarded as a parallel to SPS and an audit/inspection
scheme that can be regarded as a parallel to the BIR process.
OIAVS identifies the Performance Standards for all the St. Fergus Safety
Critical Elements (SCE). The functionality, availability/reliability and
survivability criteria are defined, and the associated means of assurance
activities specified. The means of assurance activities provide a link to the
maintenance and inspection systems and ensure that the Performance
Standards are continually achieved.
The OIVAS details the operational verification activities to be carried out by

an Independent Verification Body (IVB) to monitor and audit the means of
assurance activities and verify that the SCE’s remain compliant with the
Performance Standrads. Modification verification activities are also included
in OIAVS to verify that changes or additions to SCE’s are executed to
achieve the specified Performance Standards.
(In addition to this the same reporting standard for gas leaks that apply
6.5 Maintenance management
offshore is also implemented at St. Fergus, although this is not a UK
requirement.)
The facilities shall be operated and maintained so that the economic value of the
terminals will not deteriorate and that the equipment’s functional requirements
with
(Mer regards
om OIAVSto safety andfinner
inn her- regularity
ikke are secured
OIVAS over
i Total the lifetime of the facility.
dokumentet)
It is an intention that maintenance management shall be continuously improved

with respect to safety, regularity, availability and cost. The management loop
below shows how Gassco intends to ensure that maintenance is planned,
executed, followed-up and improved efficiently and as required.
Figure ‎6-7: The Gassco Maintenance Management Process
Fault modes, failure mechanisms and failure causes that can have a significant
effect on safety and production shall be identified and the risk determined. A
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -83-

maintenance program to manage these risks shall be established. Inspection

activities to prevent external leakage should be developed through a Risk Based
Inspection (RBI) analysis. SAP is the source for maintenance management
information in support of the daily operation. All the maintenance and inspection
work shall be controlled by work orders in SAP.
Selected Maintenance types

Preventive Maintenance (PM): Maintenance carried out at predetermined
intervals or according to prescribed criteria, intended to reduce the probability
of failure or the degradation of the function of an item.
Corrective Maintenance (CM): Maintenance carried out after fault

recognition and intended to put an item into a state in which it can perform a
required function.
Condition Based Maintenance (CBM): Preventive maintenance consisting

of performance and parameter monitoring and the subsequent actions. Note
that performance and parameter monitoring may be 1) scheduled, 2) on
request or 3) continuous.
It is an ambition to minimise the use of Corrective Maintenance, as the failure of

equipment preceding such maintenance may cause personal injuries, damage to
material or environment. Equipment failure may also cause high maintenance
costs and reduced capacity and regularity.
Instead, Condition Based Maintenance shall be applied to minimise both

maintenance costs and downtime on critical systems and equipment. If an
inspection reveals that the condition of equipment has begun to deteriorate, the
next repair can be planned according to the estimated remaining operating time.
Inspection programme for safety critical equipment

Inspection intervals and method shall be determined based on a documented
Risk Based Inspection (RBI) analysis. The RBI process is focused on pressurised
systems and the management of containment integrity. In addition, there are
two main related areas that shall be an integrated part of the RBI methodology,
which are load bearing structures and pipelines connected to the terminals.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -84-

Inspection and audit programme at Total’s gas terminal St. Fergus

At St. Fergus inspections/verification of safety critical equipment is carried
out by an Independent Competent Person (ICP) provided by an
Independent Verification Body (IVB), currently Bureau Veritas (BV). The
ICP shall:
 Demonstrate independence and competence in the execution of the
Verification Schemes.
 Agree the list of equipment to be considered under the Certification
Scheme.
 Review and maintain the Verification Scheme and update as required
in relation to changes to the PSs or associated Means of Assurance
(check-lists)
 Execute the Operational and Modification Schemes which include the
examination and witnessing of tests, auditing of maintenance,
operation and change control records, and assessing the suitability of
modifications, maintenance and performance criteria.
 Prepare and issue verification reports
 Identify, report, track and close out anomalies and non-conformities
within a specified timescale.
 Agree remedial measures, record disagreements and highlight issues
of concern and subsequent resolution by the St. Fergus Terminal.
The aim is to inspect all safety barriers each year by carrying out spot
checks, with focus on one topic at the time during the visits. This results in
8-9 visits during the year with one or two inspectors (ICPs) from BV at each
inspection. The Total organisation in Aberdeen plans the IVB scheme, the
visits, and also participates in the inspections/verification. There are
quarterly reviews of actions which are still open.
Test programme
In order to ensure that safety critical equipment functions as intended, and when
needed, procedures are established that define what specific equipment to test
and the intervals of testing. These requirements are found in the following
Gassco documents:
 Testing and inspection of safety instrumented systems
 Testing of emergency-shutdown and blowdown valves
 Test runs of emergency/essential generators
 Safety Critical Failures
As a part of the maintenance management the test results for safety critical
equipment is reported in the barrier KPI system, and further treated in the PMG
in order to show the failure rate of selected safety critical equipment. These
results are presented as illustrated in Figure ‎6-4 and Figure ‎6-5. The results of
these tests and the follow-up of the findings are vital elements in ensuring the
integrity of the barriers.
Condition and status of maintenance, tests, inspections and modification projects

are reported and followed up regularly to ensure that outstanding maintenance
work does not reduce the level of safety at the installation. For maintenance
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -85-

purposes reporting and analysis may be considered as both reactive and

proactive i.e. it is reactive in relation to the use of historical data and proactive
since it forms the basis of priorities and investments.
6.6 Organisational barrier elements - an example

The system of work permits is an important organisational barrier element and
part of major accident risk management. In order to perform any type of work at
the gas terminal a work permit is required. The purpose of a work permit is to
identify risks related to the specific work process and implement measures to
establish or strengthen relevant safety barriers. The use of work permits is not
only established to help manage major accident risks, but also as an important
initiative related to occupational safety.
Work permits are divided into two categories; work with high risk (level 1,
typically hot work, work at heights etc.) and work with a lower risk (level 2,
typically exchanging valves, equipment etc.) The work permit contains a
systematic review of the work (what shall be done and how), as well as an
analysis of the need for risk mitigating measures. The need of a so-called Safe
Job Analysis (SJA) is always considered as a part of the work permit process.
A work permit is a written permission to perform a specific task, and this shall be
approved and signed before the job is started. After the job is completed the
work permit is signed once more in order to ensure that all instructions have
been followed and that the area where the work was undertaken is cleared and
put back in order. If, in relation to the work, safety critical equipment must be
temporarily overridden or disengaged, compensating measures must be
described before the work permit is approved.
Work permits and LRA

A programme called the Operating Management System (OMS) was initiated
by the Zeepipe Terminal organisation and has been developed in-house with
some external IT support. This programme contains several components,
including a work permit system which fully complies with the Gassco standard.
The advantage of this programme is that by answering some pre-defined
questions, the system determines if a hot or cold work permit is needed. All
extra permits are also included if necessary: drive permit, electrical isolation,
excavation, entry permit, etc. The programme can also be used to determine
the need for a Safe Job Analysis.
A system using a Last Minute Risk Analysis (LRA) is established to further

enhance safety by ensuring that all the required permits and equipment is in
order and that personnel are aware of the risks involved in the work. For each
10th permit a LRA form is printed and forms the basis for a discourse between
the executer of the job and the shift supervisor.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -86-

6.7 Compliance to processes and procedures

One of the most important barriers in the entire Barrier Management System is
the compliance with defined work processes and procedures. At all times the
attitude and behaviour of personnel operating the facilities contributes to
securing a high level of barrier integrity.
A key requirement for achieving a high level of compliance is the appropriate

competence and experience among personnel involved in managing the risk of
major accidents. However, competence in all parts of the organisation is vital to
maintain productivity and safety at a high level. It is also important that
personnel possess justified knowledge i.e. that they are aware of the
consequences of inadequate and incorrect actions. Justified knowledge is also
required in order to acquire new knowledge based on events taking place
externally or internally in the organisation.
ISO 9001/ISO14001/ISO18001
All Gassco terminals are certified according to the ISO standards 9001 –
Quality management systems, 14001- Environmental management systems
and 18001 – Occupational health and safety management systems.
ISO 9001 specifies requirements for a quality management system where an
organisation
 needs to demonstrate its ability to consistently provide products that
meet customer and applicable statutory and regulatory requirements;
 aims to enhance customer satisfaction through the effective
application of the system, including processes for continual
improvement of the system and the assurance of conformity to
customer and applicable statutory and regulatory requirements.
ISO 14001 specifies requirements for an environmental management system

to enable an organisation to develop and implement a policy and objectives
which take into account legal requirements and other requirements to which
the organisation subscribes, and information about significant environmental
aspects.
ISO 18001 is part of the series Occupational Health and Safety Assessment
(OHSAS). It specifies requirements for an occupational health and safety
management system to enable an organisation to improve its performance
related to work environment risks.
Ensuring a high level of compliance is subject to a continuous work effort and

thus there is a persistent focus on compliance through campaigns and
competence development programmes. By continuously asking whether the
procedures, as well as level of compliance with those procedures, are good
enough, and by seeking improvement on all levels, Gassco secures the integrity
of their safety barriers. Consequently, major accidents can be avoided at the gas
terminals.
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -87-

Appendix A: Acronyms and abbreviations
Acronyms
ALARP As Low As Reasonable Practicable
AC Air Changes
API American Petroleum Institute
APS Abandon Platform Shutdown
ATEX Directive that derives its name from the French title: Appareils
destinés à être utilisés en Atmosphères Explosives
BD Blow Down
BDV Blow Down Valve
BIR Barrier Integrity Review
BV Bureau Veritas
CAP Critical Action Panel
CBM Condition Based Maintenance
CM Corrective Maintenance
CCR Central Control Room
COMAH Control of Major Accident Hazard Regulations
DIN Deutsches Institut für Normung
DNV Det Norske Veritas
DREAL Direction Régional de l’Environment, de l’Aménagement et du
Logement
DT Dunkerque Terminal
DVGW Deutsche Vereinigung des Gas- und Wasserfaches
ECC Emergency Control Centre
EDP Emergency Depressurisation
EDPV Emergency Depressurisation Valves
EER Escape, Evacuation and Rescue
EMS Europipe Metering Station
EN European Norm€/European Standard
EPI Europipe I
EPII Europipe II
ERC Emergency Response Centre
ERF Europipe Receiving Facilities
ESD Emergency Shutdown
ESDV Emergency Shutdown Valves
EUR Euro
EV Emergency Valve
FLAGS Far North Liquids and Associated Gas Gathering System
FO Flow Orifice
FW Fire Water
F&G Fire & Gas
GA General Alarm
GDF Gaz de France
HC Hydrocarbon
HIPPS High Integrity Pressure Protection System
HMI Human Machine Interface
HSE&Q Health, Safety, Environment and Quality
HSE Health, Safety, Environment
HSE Concerning UK regulations: Health and Safety Executive
HVAC Heating Ventilation Air Conditioning
ICP Independent Competent Person
IEC International Electro-technical Commission
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -88-

ISC Ignition Source Control

ISDN Integrated Services Digital Network
ISO International Standardisation Organisation
IVB Independent Verification Body
IR Infrared
KIP Key Performance Indicator
KO Knock Out
LEL Lower Explosion Limit
LER Local Electro Room
LIR Local Instrument Room
LLN Langeled North Pipeline
LLS Langeled South Pipeline
LO Locked Open
LQ Living Quarters
LNP Langeled North Pipeline
LRA Last Minute Risk Analysis
LRF Langeled Receiving Facilities
LPG Liquefied Petroleum Gas
MIP Maximum Incidental Pressure
MOB Man Over Board
NAVCO National Coordinator for navigational warnings
NCA Norwegian Coastal Administration
NCS Norwegian Continental Shelf
Netra Norddeutsche Erdgas Transversale
NGT Norsea Gas Terminal
NTS National Transportation System
OHSAS Occupational Health and Safety Assessment
OIAVS Operational Integrity Assurance & Verification Scheme
OMS Operating Management System
PA Public Address
PABX Private Automatic Branch Exchange
PCDA Process Control and Data Acquisition
PFP Passive Fire Protection
PLEM Pipeline end manifold
PM Preventive Maintenance
PMG Performance Management in Gassco
PPC Pipeline Pressure Control
PPE Personal Protective Equipment
PPS Pipeline Protection System
PRF Pig Receiving Facility
PS Performance Standard
PSA Petroleum Safety Authority
PSD Process Shut Down
PSV Pressure Safety Valve
PT Pressure Transmitter
QSV Quick closing Shut of Valve
RBI Risk Based Inspection
ROV Remotely Operated Vehicle
SAP Systems, Applications and Products in Data Processing (a
software solution for business management)
SAS Safety and Automation System
SCE Safety Critical Elements
SFB Statfjord B
SIL Safety Integrity Level
SJA Safe Job Analysis
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -89-

SPS Safety Performance Standard

SSV Slam Shut Valve
TCC Transport Control Centre
TIMP Technical Integrity Management Programme
TN Transport Network
TR Temporary Refuge
TSA Technical Services Agreement
TSP Technical Service Provider
TTS Teknisk Tilstand Sikkerhet (Technical Condition Safety)
UHF Ultra High Frequency
UK United Kingdom
UPS Uninterruptible Power Supply
UV Ultraviolet
VDI Verein Deutscher Ingenieure
VDE Verband der Elektrotechnik Elektronik Informationstechnik
VDMA Verband Deutscher Maschinen- und Anlagenbau
VDU Visual Display Unit
VLAREM Vlaams reglement betreffende de milieuvergunning
VRF Vesterled Receiving Facility
ZPT Zeepipe Receiving Terminal
Abbreviations
d day
h hour
m meter
M million
Pa Pascal (unit for pressure)
S standard
Sm3 Standard cubic meter (1atm and 15 °C)
OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -90-

Barrier Integrity Report For Gas Terminals - 083233 PDF

Uploaded by

Copyright:

Available Formats

You might also like

Barrier Integrity Report For Gas Terminals - 083233 PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Barrier Integrity Report For Gas Terminals - 083233 PDF

Uploaded by

Copyright:

Available Formats

Barrier Integrity Report

Author: DNV and Gassco

Verifier: Jens Eldøy, Gassco

Approver: Trond Nordal, Gassco

This document has been electronically signed, hence it contains no signature(s).

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -2-

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -3-

5.4 Gas Detection ............................................................................... 41

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -4-

Several barriers are provided for, to maintain acceptable risk exposure. In a

In addition to a relative large containment of gas in the facilities, our terminals

This document is established, to communicate a description of the safety

This is a reference book targeting personnel involved in the gas business, to

This document has been developed in a common effort by several contributors. I

Dr. Svein Birger Thaule

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -5-

In order to provide the reader with a robust understanding of relevant issues

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -6-

2 The Gas Terminals

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -7-

A simplified illustration of the process scheme at the gas terminals is given in

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -8-

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -9-

2.1 Europipe Receiving Facilities – Dornum

Figure ‎2-3: The Europipe receiving facilities (ERF).

2.2 Europipe Metering Station – Emden

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -10-

EMS is remotely-operated from the control room at the Europipe receiving

2.3 Norsea Gas Terminal

2.4 Zeepipe Terminal

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -11-

Figure ‎2-5: Zeepipe Terminal (ZPT).

2.5 Dunkerque Terminal

Figure ‎2-6: The Dunkerque Terminal.

DT is remotely operated from the Zeepipe Terminal, but it is also possible to

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -12-

2.6 Langeled Receiving Facilities - Easington

Figure ‎2-7: The Langeled Receiving Facilities.

2.7 St. Fergus Terminal

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -13-

Figure ‎2-8: The St. Fergus gas processing plant.

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -14-

Barrier: Technical, operational and/or organisational elements that

Barrier element: Technical, operational or organisational efforts or solutions

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -15-

In relation to the management of major accident risk, barriers are used to

Normally, a technical barrier element is not able to fulfil an intended barrier

People are involved in the design, construction, maintenance and operation of

3.1 Barrier identification and illustration models

3.1.1 The Swiss Cheese Model

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -16-

barriers as defences against major accidents is illustrated by slices of cheese.

3.1.2 The Bow Tie methodology

OP20-GA.RL-12.66809 - Rev. 01 – 31.10.2012 -17-

Barriers to eliminate & prevent Barriers to control

Cause HAZARD Consequence

Cause TOP Consequence